APD/GBA (Belgium) - 51/2023
APD/GBA - DOS-2022-01864 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR, Article 5(1)(c) GDPR, Article 13(1)(a) GDPR, Article 13(1)(b) GDPR, Article 37(7) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 26.04.2022 |
Decided: | 04.05.2022 |
Published: | 04.05.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | DOS-2022-01864 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Autorité de protection des données (in FR) |
Initial Contributor: | Philipp Karner |
The Belgian Data Protection Authority ordered a company to comply with Article 13(1)(b) GDPR and to publish the contact details of their DPO on their website.
English Summary
Facts
The data subject wanted to apply online for a job at the controller. The data subject found much of the required information (such as nationality or postal address) unnecessary for the purpose of identifying the best candidate for the job.
The data subject wanted to get in touch with the controller, but could not find any contact information for the DPO. There was only an online form available.
On 24 March 2022 they wrote an email to the controller asking it to reveal the contact details of its DPO; the email remained unanswered.
On 25 April 2022 the data subject lodged a complaint with the Data Protection Authority which was declared admissible on 26 April 2022.
Holding
First, the DPA held that collecting unnecessary data which is not required to fulfil the purpose violated Article 5(1)(b) GDPR (purpose limitation) as well as Article 5(1)(c) GDPR (data minimisation). Since the controller edited the application form in the meantime and deleted the unnecessary requests, the form was in compliance with GDPR at the time of the decision and the DPA did not impose any further orders.
Second, the DPA held that according to Article 13(1)(b) GDPR the controller must state the contact details of the DPO on their website. There is a similar obligation under Article 37(7) GDPR. The DPA ordered the controller to comply with its obligations under Article 13(1)(b) GDPR and Article 37(7) GDPR and to publish the contact details of their DPO.
Third, the DPA held that the controller violated the data subject's right to information as enshrined in Article 13(1)(a) GDPR when they did not answer the data subject's request for the contact details of the DPO. The DPA ordered the controller to reply to the data subject's request.
Comment
It might depend on which information is required for the application for a job. For highly sensitive jobs in the official administration or the armed forces it might be permissible to ask for the nationality of the applicant.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision 51/2023 of May 4, 2023
File number: DOS-2022-01864
Subject: Complaint relating to the personal data required via an online form aimed at applying for a job with the defendant, and the obligation to inform of an email address of the DPO

The Litigation Chamber of the Data Protection Authority, constituted by Mr. Hielke Hijmans, President, sitting alone;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to the processing of personal data (hereinafter LTD);
Having regard to the law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);
Having regard to the internal regulations as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
The complainant: X, hereinafter "the complainant";
The defendant: Y, hereinafter "the defendant".

I. Facts and procedural history

1. The subject of the complaint concerns the collection of unnecessary personal data (nationality, national register number, postal address) as part of the form to be completed to apply for a job on the defendant's website (a health insurance fund). The complainant also raises the absence of any indication of the email address of the Data Protection Officer (DPO) on the defendant's site, and underlines that questions relating to the protection of personal data can only be asked via an online form.

2. On April 25, 2022, the complainant filed his complaint with the Data Protection Authority (hereinafter DPA) against the defendant.

3. On April 26, 2022, the complaint was declared admissible by the First Line Service of the Data Protection Authority (hereinafter SPL) on the basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Division under Article 62 § 1 of the LCA. [2]

4. Pursuant to Article 95 § 2, 3° of the LCA as well as Article 47 of the Internal Rules of the DPA, a copy of the file may be requested by the parties. If one of the parties wishes to make use of the possibility of consulting the file, it is required to contact the secretariat of the Litigation Chamber, preferably via litigationchamber@apd-gba.be.

II. Motivation

II.1 - Principle of minimization

5. In accordance with Article 5.1.c) of the GDPR, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization).

6. The Litigation Chamber recalls that the principle of minimization within the framework of a recruitment implies that the information requested from candidates must have the sole purpose of assessing the candidate's ability to occupy the position to be filled or his professional skills.

7. In addition, Article 5.1.b) of the GDPR provides that personal data must be “collected for specified, explicit and legitimate purposes and not to be processed subsequently in a manner incompatible with those purposes; […] (limitation of purposes)”.

8. In the present case, the complainant denounces that the form to be completed online on the website of the defendant to apply for a job requires unnecessary personal data (nationality, national register number, postal address). The Litigation Chamber finds that on the day of this decision, the form to be completed to apply for jobs on the defendant's website no longer requires the personal data denounced by the plaintiff (nationality, national register number, postal address). It therefore appears, a priori, that the defendant has adapted the personal data required via this form on its site.

9. In view of the foregoing, the Litigation Chamber classifies without follow-up the grievances relating to Articles 5.1.b) and 5.1.c) of the GDPR in accordance with its dismissal policy of June 18, 2021 (B.6).

II.2 - The information obligation

10. According to Article 13 of the GDPR, “where the personal data relating to a data subject are collected from this person, the controller provides, at the time the data in question is obtained, all of the following information:
- a) The identity and contact details of the controller and, where applicable, the representative of the controller;
- b) Where applicable, the contact details of the data protection officer; […]”.

11. In addition, Article 37.7 of the GDPR requires the controller or processor to publish the contact details of the DPO and communicate them to the supervisory authority.

12. The Litigation Chamber recalls that the aforementioned requirements are intended to ensure that persons concerned and the supervisory authorities can easily and directly contact the DPO without having to contact another department of the organization.

13. Working Party 29 further states that “The contact details of the DPO should contain information allowing the persons concerned and the supervisory authorities to reach it easily (a postal address, a specific telephone number and/or a specific e-mail address). Where appropriate, for the purposes of communication with the public, other means of communication could also be provided, for example, a specific telephone hotline, or a specific contact form addressed to the DPO on the website of the organisation.” (the Litigation Chamber emphasises)

14. In the complaint form, the complainant indicates that it is not possible to reach the Data Protection Officer (DPO) directly by e-mail, that no e-mail address is indicated on the defendant's website, and that the only way to ask questions related to the protection of data consists of filling out a form on the defendant's website. The complainant has moreover sent (March 24, 2022) an email to the defendant's Legal Department requesting the e-mail address of the DPO, but indicates that no follow-up has been given to his request by the defendant.

15. The Litigation Chamber finds that the defendant did not provide the information requested by the complainant, as provided for in Article 13.1.b of the GDPR. It did not give him the contact details of the DPO.

16. The Litigation Chamber therefore notes, on the basis of the above considerations, that it is necessary to conclude that the defendant may have committed a breach of the provisions of Article 13.1(b) of the GDPR, which justifies that in this case, the Litigation Chamber proceeds to take a decision on the basis of Article 95, § 1, 5° of the LCA, namely to order compliance with the request of the complainant to exercise his right to information (Article 13 of the GDPR).

17. This decision is a prima facie decision taken by the Litigation Division in accordance with Article 95 of the LCA on the basis of the complaint lodged by the plaintiff, within the framework of the “procedure prior to the substantive decision” [4], to be distinguished from a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA.

18. If, however, the controller does not agree with the content of this prima facie decision and believes that it can make factual and/or legal arguments that could lead to another decision, it may submit to the Litigation Chamber a request for processing on the merits of the case via the e-mail address litigationchamber@apd-gba.be, within 30 days of notification of this decision. If necessary, the execution of this Decision is suspended for the above-mentioned period.

19. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto Article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and to attach to the file all the documents they deem useful. If applicable, this decision is permanently suspended.

20. With a view to transparency, the Litigation Chamber finally emphasizes that a processing of the case on the merits may lead to the imposition of the measures mentioned in Article 100 of the LCA. [5]

III. Publication and communication of the decision

21. Given the importance of transparency with regard to the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the DPA website by deleting the direct identification data of the parties and the persons cited, whether physical or moral.

FOR THESE REASONS,

the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with articles 98 e.s. of the ACL:
- to close without further action the grievances relating to Articles 5.1.b) and 5.1.c) of the GDPR pursuant to Article 95, § 1, 3° of the LCA;
- pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the LCA, to order the defendant to comply with the request of the person concerned with regard to his right to information, within 30 days of notification of this Decision;
- pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 4° of the LCA, to formulate a warning to the defendant so that it complies in the future with the obligation provided for by Article 13.1.b) of the GDPR, to publish a contact email of the DPO;
- to order the defendant to inform the Data Protection Authority (Litigation Division) by e-mail of the follow-up given to this decision, within the same period, via the e-mail address litigationchamber@apd-gba.be; and
- if the defendant does not comply in due time with what is requested of it above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of the ACL.

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days from its notification, to the Court of Markets (Court of Appeal of Brussels), with the Data Protection Authority as defendant.

Such an appeal may be brought by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code [6]. The interlocutory motion must be filed with the court office of the Court of Markets in accordance with article 1034quinquies of the C. jud. [7], or through the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).

Hielke Hijmans
President of the Litigation Chamber

Footnotes

[1] Pursuant to Article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared admissible.
[2] Pursuant to article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following this complaint, the file was forwarded to it.
[3] Article 29 Data Protection Working Party, Guidelines for Data Protection Officers (DPOs), WP 236, page 15, 5 April 2017, https://ec.europa.eu/newsroom/article29/items/612048/en
[4] Section 3, Subsection 2 of the ACL (articles 94 to 97 inclusive).
[5] Art. 100. § 1. The litigation chamber has the power to: 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronounce the suspension of the pronouncement; 4° propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data; 11° order the withdrawal of accreditation from certification bodies; 12° issue periodic penalty payments; 13° issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
[6] The request contains on pain of nullity: 1° indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or business; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the object and summary statement of the means of the request; 5° the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer.
[7] The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court office.