APD/GBA (Belgium) - 11/2024

From GDPRhub
Revision as of 08:51, 19 March 2024 by Nzm (talk | contribs) (Nzm moved page APD/GBA (Belgium) - DOS-2023-02597 to APD/GBA (Belgium) - 11/2024)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - DOS-2023-02597
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 15 GDPR
Article 24 GDPR
Type: Investigation
Outcome: Violation Found
Started: 14.06.2023
Decided: 22.01.2024
Published: 22.01.2024
Fine: n/a
Parties: n/a
National Case Number/Name: DOS-2023-02597
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Autorité de protection des données Gegevensbeschermingsautoriteit (in FR)
Initial Contributor: Diana Rosu

The Belgian DPA found the controller to have breached Article 15 GDPR in conjunction with Article 12(3) and (4) GDPR for having replied to the complainant's access request after the one-month deadline.

English Summary

Facts

On 23 March 2023, an employee of the controller consulted an extract of the data subject's personal data stored in the Belgian National Register, which refers to the information processing system that records, memorizes and communicates information relating to the identification of Belgian citizens.

After that, the data subjectfiled an access request with the controller, requesting clarification into who accessed their data and for what purpose. Due to not receiving any response regarding the access request, the data subject filed a complaint with the Belgian DPA on 14 June 2023.

On 7 August 2023, the controller replied to the access request, acknowledging that it consulted the National Register records of the data subject and that the processing was performed by a professional with specific authorization. However, due to professional secrecy, the controller could not disclose the professional's identity or assess whether the consultation complied with legal and ethical obligations.

Holding

The Belgian DPA stressed that the controller, in its capacity, must comply with a request made by a data subject pursuant to Articles 15 to 22 GDPR, in compliance with the conditions set out in Article 12 GDPR, and to provide the data subject with information on the measures taken, as soon as possible and in any event within one month of receipt of the request.

Furthermore, the DPA noted that pursuant to Article 5(2) GDPR and Article 24 GDPR, the controller should be able to demonstrate its compliance with the data protection principles.

In light of the facts of the case, considering that the complainant clearly exercised their right to access under Article 15 GDPR, that on 14 June 2023, the data subject complained to have not received any answer and that the controller only replied on 7 August 2023, the controller exceeded the deadline established in Article 12(3) and (4) GDPR.

Therefore, the Belgian DPA found the controller to have breached Article 15 GDPR in conjunction with Article 12(3) and (4) GDPR, and it mandated the controller to comply with the data subject's access request within 30 days from the notification of the decision. Additionally, the controller was ordered to inform the DPA about the actions taken in response to the decision within the same timeframe.

Comment

This decision emphasizes the right of access under GDPR, particularly highlighting the obligations of data controllers to provide data subjects with access to their personal data and the importance of complying with data subject rights within a timely manner.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/8



                                                                        Litigation Chamber


                                                        Decision 11/2024 of January 22, 2024




File number: DOS-2023-02597


Subject: Complaint relating to the lack of response to the exercise of the right of access concerning the

consultation of the National Register



The Litigation Chamber of the Data Protection Authority, made up of Mr.

Hielke HIJMANS, president;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the

protection of natural persons with regard to the processing of personal data and

to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the

data protection), hereinafter “GDPR”;

Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter

“ACL”;


Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to

processing of personal data, hereinafter “LTD”;

Considering the internal regulations as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;


Has taken the following decision regarding:



The complainant: X, Belgium, hereinafter “the complainant”; .

                                                                                                        .
                                                                                                        .
The defendant: Y, Belgium, hereinafter “the defendant”. Decision 11/2024 — 2/8


I. Facts and procedure


 1. On June 14, 2023, the complainant filed a complaint with the Data Protection Authority.

       data (hereinafter “APD”) against the defendant, Y

 2. This complaint concerns the lack of response to the complainant's request for access regarding

       consultation of the National Register (hereinafter “RN”) by the defendant.

 3. On March 23, 2023, the defendant consulted the plaintiff's RN.


 4. On June 14, 2023, in the initial complaint form, the complainant explained that he did not obtain

       no response as to the reasons for consulting his RN and the identity of the
       person who carried out this consultation.


 5. On July 3, 2023, the Front Line Service (hereinafter “SPL”) encouraged the complainant to

       exercise their rights with the defendant and provide a copy of this correspondence.

 6. On an unknown date, the complainant contacted the defendant to ask her

       the identity of the person who consulted their RN as well as the reasons for such consultation.

 7. On August 7, 2023, the defendant responded to the complainant that it was indeed a professional who

       carried out the consultation of his RN. According to the defendant, this consultation is permitted

       by deliberation no. 22/2012 of March 14, 2012 of the Sectoral Committee of the National Register of

       the Privacy Protection Commission. And, by virtue of this authorization,

       defendant may have permanent access to the information referred to in Article 3, first
       and second paragraph of the law of August 8, 1983 organizing a National Register of Persons

       physical. The defendant specified that this access is authorized for the sole purpose of

       communicate to professionals of this order the information they need in the

       framework of the tasks that they carry out as (..) in accordance with the said law. However, the

       defendant explained that she could not communicate the identity of the professional who
       consulted his data due to professional secrecy in accordance with article 11 of the said

       law. Furthermore, the defendant explained that it was not competent to examine whether, in the

       framework of this consultation, this professional respected the legal obligations and

       ethical. Therefore, the defendant informed the plaintiff that “..” of the Order whose

       depends on the professional concerned who will carry out these checks and the assessment will be

       communicated.

 8. On September 29, 2023, the complainant explained to the SPL that he was not satisfied with the response from

       the defendant. She also affirmed that, since August 7, 2023, she has not yet

       was contacted regarding the checks that the defendant was to carry out. Decision 11/2024 — 3/8



 9. On October 27, 2023, the complaint was declared admissible by the SPL on the basis of articles 58
                        1
       and 60 of the LCA and the complaint is transmitted to the Litigation Chamber under article
             st 2
       62, § 1 of the LCA.



II. Motivation


 10. Pursuant to Article 4, § 1 of the LCA, the APD is responsible for monitoring the principles

       data protection contained in the GDPR and other laws containing

       provisions relating to the protection of the processing of personal data.

 11. In application of article 33, § 1 of the LCA, the Litigation Chamber is the body of

       administrative litigation of the APD. It receives complaints that the SPL sends to it in

       application of article 62, § 1 of the LCA, or admissible complaints. In accordance with

       Article 60 paragraph 2 of the LCA, complaints are admissible if they are drawn up in one

       national languages, contain a statement of the facts and the necessary information for

       identify the processing of personal data to which they relate and which

       fall under the jurisdiction of the APD.


 12. Pursuant to articles 51 et seq. of the GDPR and article 4, § 1 of the LCA, it is up to the

       Litigation Chamber as an administrative litigation body of the APD, to exercise

       effective control of the application of the GDPR and to protect freedoms and rights

       fundamentals of natural persons with regard to the processing and to facilitate the free flow

       personal data within the Union.

 13. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the order regulations

       internal to the DPA, a copy of the file may be requested by the parties. If one of the

       parties wish to make use of the possibility of consulting the file, they are required to

       contact the secretariat of the Litigation Chamber, preferably via the address

       litigationchamber@apd-gba.be.


 14. Based on the facts described in the complaint file as summarized above, and on

       basis of the powers assigned to it by the legislator pursuant to article 95,

       § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the complaint; in

       the occurrence, the Litigation Chamber decides on the basis of article 58.2.a) of the GDPR and
       of article 95, § 1, 4° of the LCA, to send a warning concerning a possible

       breach of articles 12.3, 12.4 and article 15 of the GDPR (right of access), for

       reasons set out below. Furthermore, in accordance with article 58.2.c) of the GDPR and article

       95, § 1, 5° of the LCA, the Litigation Chamber decides to order the party

       defendant to comply with the request of the data subject to exercise their


1Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared
admissible.
2Pursuant to article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following this complaint,
the file was sent to him. Decision 11/2024 — 4/8


       rights, more specifically the right of access, within 30 days from the date of

       notification of this decision.


 15. The Litigation Chamber takes into consideration the grievance raised by the complainant regarding

       the lack of response from the defendant to its request for access, including the


       precise date was not specified, but whose response was provided by the defendant on August 7

       2023 (see point 7) as well as the recommendations of the SPL dated July 3, 2023 (see point

       5) clearly confirm its exercise, in accordance with Article 15 of the GDPR.


 16. Article 4(7) of the GDPR defines the “data controller” as “the person

       physical or legal entity, public authority, service or other body which, alone or
                                                                                              3
       jointly with others, determines the purposes and means of the processing.


 17. The Litigation Chamber recalls that the data controller must follow up on the request.

       request made pursuant to articles 15 to 22 of the GDPR by the data subject,

       in this case an access request provided for by Article 15 of the GDPR, in compliance with the

       conditions set out in article 12 of the GDPR.4


 18. Under Article 12.1 of the GDPR, it is the responsibility of the data controller to take “

       appropriate measures to provide any information referred to in Articles 13 and 14 as well as

       to make any communication under Articles 15 to 22 and Article 34 with regard to

       concerns the processing of the data subject in a concise, transparent manner,

       understandable and easily accessible, in clear and simple terms [...]. ".


 19. The Litigation Chamber also emphasizes that it is the responsibility of the data controller

       to provide the data subject with information on the measures taken following a

       request made in application of articles 15 to 22 of the GDPR, as soon as possible and

       in any event within one month of receipt of the request. 5


       Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months,
                                                                     6
       given the complexity and number of requests. In such a case, the person responsible

       processing informs the data subject of this extension and the reasons for the postponement
                                                                            7
       within one month of receipt of the request.


 20. In the event that the data controller does not respond to the request made

       by the person concerned, he informs him without delay and at the latest within one

       months from receipt of the request of the reasons for its inaction and the possibility





3
 According to Article 4, 2) of the GDPR, “processing” of personal data means “any operation or set of operations
carried out or not using automated processes and applied to personal data or sets of data, such as
that the collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation,
use, communication by transmission, broadcasting or any other form of making available, rapprochement or interconnection,
4a limitation, erasure or destruction”.
5GDPR, art. 12.
6GDPR, art. 12.2 and 12.3.
7GDPR, art. 12.3.
 GDPR, art. 12.3. Decision 11/2024 — 5/8


       to lodge a complaint with a supervisory authority and lodge an appeal

       jurisdictional.


 21. In addition, the Chamber also recalls that in its capacity as data controller, the party

       defendant is required to respect the principles of data protection and must be in

       able to demonstrate that these are respected. It must also implement

       all measures necessary for this purpose (principle of liability – articles 5.2 and 24 of the

       GDPR).

                                                                           9
 22. Finally, the Litigation Chamber recalls that the right of access is one of the requirements

       major aspects of the right to data protection, it constitutes the “entrance door” which allows

       the exercise of other rights that the GDPR confers on the data subject, such as the right to

       rectification, the right to restriction of processing or the right to erasure.


 23. Under the terms of article 15.3 of the GDPR, the person concerned also has the right to obtain a

       copy of the personal data which is the subject of the processing. Article 15.4 of

       GDPR provides that this right to copy cannot infringe the rights and freedoms of others.


 24. On the basis of the documents supporting the complaint, the Litigation Chamber finds that the complainant

       has effectively exercised his right of access, in accordance with article 15.1 of the GDPR (see points

       5, 6, 7, 15). SPL recommendations dated July 3, 2023, combined with the response

       of the defendant dated August 7, 2023, clearly confirm the exercise of this right. There

       Litigation Chamber adds that the defendant indicated, in its letter of August 7

       2023, that the “..” of the Order to which this professional concerned depends will carry out

       verifications and will communicate the results resulting from these verifications. Bedroom

       Contentious note that the complainant submitted his complaint to the APD on September 29, 2023,

       thus exceeding the response times allocated to the data controller under the

       articles 12.3 and 12.4 of the GDPR. Finally, the Litigation Chamber emphasizes that if the party

       defendant had fully complied with the requirements set out in Article 12 of the GDPR, it

       would have taken into account the request for access by communicating the aforementioned assessment (see

       point 8).This approach would have potentially avoided the complainant having to initiate a procedure

       in front of the ODA.


 25. Following the above-mentioned analysis, the Litigation Chamber considers that the party

       defendant could have committed a violation of the following provisions: article 15 of the



8GDPR, art. 12.4.
9Under the terms of this article 15, the data subject has the right to obtain from the data controller confirmation that the data to be
personal nature concerning them are or are not processed and, when they are, access to said personal data as well as
that the following information (article 15.1. of the GDPR): the purposes of the processing (a), the categories of personal data (b), the
recipients or categories of recipients of the data (c), the retention period (d), information relating to other rights that
confers the GDPR (e), the right to lodge a complaint with the data protection authority (f), any information relating to the source
data when this has not been collected from the person concerned (g) and the existence of automated decision-making
(h). Article 15.2 of the GDPR provides that if the data is transferred to a third country or an international organization, the person
concerned has the right to be informed of the appropriate guarantees regarding this transfer, in accordance with Article 46 of the GDPR. Article 15.3.
of the GDPR provides that the data controller must provide a copy of the personal data subject to processing. He
may charge a reasonable fee for additional copies. If the data subject makes their request electronically, the
Information must be provided in a standard electronic form, unless the individual requests otherwise. Decision 11/2024 — 6/8



       GDPR, combined with articles 12.3 and 12.4 of the GDPR; what justifies making a decision

       prima facie by the Litigation Chamber which is as follows: under article

       58.2.c) of the GDPR and article 95, §1, 5° of the LCA, to order the defendant to

       comply with the complainant’s request to exercise their right of access.


 26. This decision is a prima facie decision taken by the Litigation Chamber

       in accordance with article 95 of the LCA on the basis of the complaint lodged by the complainant,

       as part of the “procedure prior to the substantive decision” and does not constitute a

       decision on the merits of the Litigation Chamber within the meaning of article 100 of the LCA.


 27. The purpose of this decision is to inform the defendant, presumed responsible

       of the processing, due to the fact that it may have committed a violation of the provisions of the GDPR,


       in order to enable it to still comply with the aforementioned provisions.

 28. If, however, the defendant party does not agree with the content of this


       prima facie decision and considers that it can put forward factual arguments and/or

       legal issues which could lead to another decision, it may address to the Chamber

       Litigation a request for processing on the merits of the case via the email address

       litigationchamber@apd-gba.be, within 30 days after notification of the

       this prima facie decision. If applicable, the execution of this decision is

       suspended for the aforementioned period.


 29. In the event of continued processing of the case on the merits, under Articles 98, 2° and 3°

       juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their


       conclusions and attach to the file all the documents they consider useful. If applicable, the

       This decision is permanently suspended.


 30. With a view to transparency, the Litigation Chamber finally emphasizes that a

       treatment of the case on the merits may lead to the imposition of the measures mentioned in

       section 100 of the LCA .11


 31. Finally, the Litigation Chamber further draws attention to the following:



1Section 3, Subsection 2 of the LCA (articles 94 to 97 inclusive).
1Art. 100. § 1. The litigation chamber has the power to

 1° close the complaint without further action;
 2° order the dismissal of the case;
 3° pronounce the suspension of the sentence;
 4° propose a transaction;
 5° issue warnings and reprimands;
 6° order to comply with the requests of the person concerned to exercise their rights;
 7° order that the person concerned be informed of the security problem;
 8° order the freezing, limitation or temporary or definitive ban on processing;

 9° order compliance of the processing;
 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data;
 11° order the withdrawal of the approval of certification bodies;
 12° give fines;
 13° issue administrative fines;
 14° order the suspension of cross-border data flows to another State or an international body;
 15° transmit the file to the public prosecutor of the King of Brussels, who will inform it of the action taken in the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 11/2024 — 7/8


       If one of the two parties wishes to use the possibility of consulting and copying the file

       (article 95, § 2, 3° of the LCA), it must contact the secretariat of the Litigation Chamber,

       preferably via the email address litigationchamber@apd-gba.be, in order to set up an appointment

       you. If a copy of the file is requested, the documents will if possible be sent by

       electronically or, failing that, by ordinary mail



III. Publication of the decision


 32. Given the importance of transparency regarding the decision-making process of the Chamber

       Contentious, this decision is published on the website of the Protection Authority

       Datas. However, it is not necessary for this purpose that the identification data

       parts are directly communicated.



    FOR THESE REASONS    ,


    the Litigation Chamber of the Data Protection Authority decides, subject to

    the submission of a request by the defendant for treatment on the merits

    in accordance with articles 98 e.s. of the LCA:

        - under article 58.2.c) of the GDPR and article 95, §1, 5° of the LCA,

           to order the defendant to comply with the person's request

           concerned to exercise their rights, more specifically the right of access, by providing the

           bilitive result as indicated in the email of August 7, 2023; and this within the deadline

           30 days from the date of notification of this decision;

        - to order the defendant to inform the Protection Authority by e-mail

           data (Litigation Chamber) of the follow-up given to this decision,

           within the same period, via the email address litigationchamber@apd-gba.be; And


        - if the defendant does not comply in a timely manner with what is requested of him

           above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s.

           of the LCA.



In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days from its notification, to the Court of Markets (court

of Appeal of Brussels), with the Data Protection Authority as defendant.


Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code. The interlocutory request must be


12
 The request barely contains nullity:
 2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or number
    business; Decision 11/2024 — 8/8



filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 13


via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.).







(sé). Hielke H IJMANS


President of the Litigation Chamber



































































  3° the surname, first name, address and, where applicable, the status of the person to be summoned;
  4° the object and summary of the grounds of the request;

  5° indication of the judge who is seized of the request;
136° the signature of the applicant or his lawyer.
  The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to
clerk of the court or filed with the registry.