APD/GBA (Belgium) - 51/2024
APD/GBA - 51/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 6 GDPR, Article 13(1) GDPR, Article 27 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | |
Published: | 02.04.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 51/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | nzm |
The DPA issued a warning against a controller for, among other things, using personal data obtained via the data subject’s erasure request to send them marketing emails, and for not designating a representative in the EU.
English Summary
Facts
The controller offers services that allow a device user to remain identified even when browsing in incognito mode or using a VPN by assigning them a unique identifier. A demo on the controller’s website showed that a unique ID is assigned to each visitor of the website, which, when combined with the user’s location, makes it possible to track, among other things, the number of visits.
The data subject sent an access request and indicated that he may decide to delete this data after receiving the access request. Since contacting the controller, the data subject had been receiving marketing emails.
The data subject lodged a complaint with the Belgian DPA (“APD”). The complaint was twofold: on the one hand, the data subject criticized the services provided by the controller and considered that there was probably no legal basis for these processing operations. On the other hand, they challenged the controller’s failure to provide a positive response to their erasure request.
The data subject also indicated that other parties could potentially use the same technology in a way that does not comply with the GDPR.
The data subject attached a mail summary which shows an email exchange between the data subject and the controller, but the actual content of the email exchange was not shared with the APD.
Holding
Regarding the legal basis of the processing operations, the APD noted that the controller’s privacy policy did not clearly state the legal basis under Article 6 GDPR. The APD found a possible violation of Article 13(1) GDPR which requires the controller to inform the data subject of the legal basis.
Moreover, the APD pointed out that this processing, which uses, among other things, location and IP address to assign a unique ID to a visitor, must in principle be based on consent. The APD therefore found a possible breach of Articles 5(1)(a) and 6 GDPR.
Regarding the use by other parties of the technology, the APD indicated that the complaint is specifically directed towards the controller, and that it is up to each controller to ensure that their processing activities are in compliance with the GDPR. Therefore, the APD only examined the activities that took place under the responsibility of the controller.
Regarding the access and erasure request, the APD considered that it appeared from the elements provided that there was an email exchange between the data subject and the controller, but as the content of this communication had not been provided, the DPA could not assess whether the controller’s response met the requirements of the GDPR.
Nonetheless, the APD added that if personal data is obtained through the submission of an erasure request, it cannot be used thereafter to send out marketing emails, in line with the principle of purpose limitation under Article 5(1)(b) GDPR. The APD therefore found a possible violation of Article 5(1)(b) GDPR.
Finally, the APD also noted that the controller had not appointed a representative in the European Union under Article 27 GDPR.
Thus, the APD issued a warning for (i) failing to comply with the information obligation under Article 13 GDPR, (ii) for using the contact details of the data subject to send marketing emails and thus possibly violating Article 5(1)(b) GDPR, (iii) for failing to appoint a representative in the European Union under Article 27 GDPR and (iv) for possibly violating Articles 6 and 5(1)(a) GDPR.
Comment
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA ruled solely on the basis of the complaint, without holding a procedure. The controller may request a procedure within 30 days after the decision.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dispute Chamber

Decision 51/2024 of April 2, 2024

File number: DOS-2023-03422

Subject: warning due to failure to appoint a representative in the Union and conducting a demo (online fingerprinting)

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;

In view of the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Has made the following decision regarding:

The complainant:

The defendant: Y, hereinafter “the defendant”

I. Facts and procedure

1. The defendant offers services that make it possible to continue to identify a user of a device [1], even when surfing in incognito mode or using a VPN. It provides a demo of this on the website, in which the visitor to the website is assigned a unique ID.

2. The subject of the complaint concerns the processing that takes place in the context of running this demo on the defendant's website. The complainant criticizes the assignment of the unique ID.

3. On March 22, 2023, the complainant would submit a request for access, together with a request for erasure of data, addressed to the defendant. The request was formulated as follows: “I want a copy of all the information you have about me and my decide [sic] (as per GDPR regulation) after which I want all data to be deleted. Thanks. Also please stop this service."

4. The email overview that the complainant has added to the complaint shows how an email exchange takes place between the complainant and the defendant on March 23, 2023 March 29, 2023. The actual content of this email exchange was not shared with the Disputes Chamber.

5. Since contacting the defendant, the complainant has been receiving marketing emails, starting from May 23, 2023. At the time of filing the complaint, the last email was dated August 10, 2023.

6. On August 13, 2023, the complainant submits a complaint to the Data Protection Authority against the defendant.

7. On August 30, 2023, the complaint is declared admissible by the First Line Service [2] on the basis of Articles 58 and 60 WOG, and the complaint is transferred to the Disputes Chamber on the basis of Article 62, § 1 WOG [3].

8. In accordance with Article 95, § 2, 3° WOG as well as Article 47 of the internal rules of order, the parties can request a copy of the file from the GBA. If either party wishes to make use of the option to consult and copy the file, he must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be.

[1] […]

[2] In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint has been declared admissible.

[3] In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file has been transferred to it as a result of this complaint.

II. Justification

9. The complaint is twofold: on the one hand, the complainant criticizes the services that the defendant provides; on the other hand, she points out that the defendant has failed to provide a (favorable) response to her request for data erasure.

10. The complaint primarily concerns the legality of the defendant's services. These are demonstrated, among other things, on the home page of the defendant's website. This demonstration assigns a unique ID to each visitor to the website, which in combination with the user's location makes it possible (among other things) to keep track of the number of visits. The complainant indicates that there is probably no legal basis for this processing.

11. When checking whether the processing in this case was carried out lawfully, the Disputes Chamber notes that the defendant's privacy policy does not clearly state the legal basis of Article 6 GDPR on which they base their processing activities. As a result, the Disputes Chamber determines a possible violation of Article 13.1.c) GDPR, whereby the controller is obliged to inform the data subject of the processing purposes for the processing of personal data.

12. Furthermore, the Disputes Chamber notes that such processing, in which, among other things, the location and IP address are used to assign a unique ID to a visitor, must in principle be based on the consent of a data subject. This does not necessarily seem to be satisfied. The Disputes Chamber therefore notes a possible infringement of Articles 5.1.a) and 6 GDPR.

13. The complainant also emphasized in her complaint that other parties could use the same technology in a way that does not comply with the GDPR. However, it is important to note that the complaint is specifically directed against the defendant, and that it is up to each controller to ensure that their own processing activities are in accordance with the GDPR, as specified in Article 24 of the GDPR. Therefore, the Disputes Chamber will only investigate the activities that take place under the responsibility of the defendant, and will not elaborate further on possible processing activities that may be carried out by any other entities. It is up to each controller to check each time whether their processing activities are carried out in accordance with the GDPR.

14. In addition, the complainant indicates in her complaint that she has submitted a request for access and data erasure in accordance with Articles 15 and 17 GDPR to the defendant, but has not received a favorable response. The documents added to the complaint show that there was indeed email contact between the complainant and the defendant. So it appears that the defendant has responded to the complainant's requests, but the content of this communication is not provided to the Disputes Chamber. That is why the Disputes Chamber cannot assess whether the defendant's response meets the requirements of the GDPR.

[4] See […] (consulted on March 8, 2024).

15. In this context, the Disputes Chamber recalls that the right to erasure of data under Article 17 GDPR is not an absolute right. The first paragraph of Article 17 GDPR lists an exhaustive number of situations in which the controller is obliged to implement the right to erasure of data of a data subject. A request for erasure in accordance with Article 17.1 of the GDPR should not be carried out by the controller if an exception in accordance with the third paragraph of this article applies. It is unclear whether the defendant invokes an exception in this case. The Disputes Chamber therefore cannot rule on a potential violation of Article 17 GDPR on the part of the defendant.

16. It is clear that if personal data is obtained through the submission of a request for data erasure, it cannot subsequently be used for the purpose of sending out marketing emails. This is in line with the purpose limitation principle of Article 5.1.b) GDPR. The purpose limitation principle requires that the purpose of the processing be defined at the time the data is collected and prescribes as a starting point that all successive processing operations may not exceed the defined purpose.

17. In this context, the Disputes Chamber must determine that the further use of the contact details of the complainant for marketing purposes cannot be seen as compatible further processing within the meaning of Article 6.4 GDPR. It therefore finds a possible violation of Article 5.1.b) GDPR.

18. Finally, the Disputes Chamber notes that no representative of the controller has been appointed on European territory. This obligation is included in Article 27 GDPR.

19. The foregoing is all the more striking because the defendant advertises on its website that it meets the requirements of the GDPR (“GDPR compliant”). From the foregoing, this appears prima facie not to be the case.

20. The Disputes Chamber is of the opinion that on the basis of the above analysis it must be concluded that the defendant may have committed a violation of the provisions of the GDPR, which justifies taking a decision in this case on the basis of Article 95, § 1, 4°, WOG, more specifically to issue the defendant a warning for failure to comply with the information obligation of Article 13 GDPR, for the use of the complainant's contact details for sending marketing emails and thus violating Article 5.1.b) of the GDPR, as well as for failing to appoint a representative in the Union in accordance with Article 27 GDPR. The Disputes Chamber also finds a possible violation of Article 6 GDPR j° Article 5.1.a) GDPR, due to the existence of a possible unlawful processing, for which it also gives the defendant a warning. Finally, the Disputes Chamber warns the defendant on the basis of Article 95, § 1, 4°, WOG, if still relevant, to comply with the request for data erasure (and access) from the complainant.

22. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits”, and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG. The Disputes Chamber thus warns the defendant that an infringement is likely being committed of Article 5.1.a) j° Article 6 GDPR, Article 5.1.b), Article 5.1.a) j° Article 13 and Article 27 GDPR due to the current processing activities.

23. The purpose of this decision is to inform the defendant of the fact that it may have committed an infringement of the provisions of the GDPR and to give it the opportunity to still comply with the aforementioned provisions.

24. If the defendant does not agree with the content of the present prima facie decision and is of the opinion that it can put forward factual and/or legal arguments that could lead to a different decision, it can send a request to hear the merits of the case to the Disputes Chamber via the e-mail address litigationchamber@apd-gba.be within 30 days after notification of this decision. The implementation of this decision will, if necessary, be suspended for the aforementioned period.

25. In the event of a continuation of the hearing on the merits of the case, the Disputes Chamber will invite the parties, on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG, to submit their defenses as well as to add to the case file any documents they consider useful. If necessary, the present decision will be permanently suspended.

26. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures stated in Article 100 of the WOG. [6]

[5] Section 3, Subsection 2 of the WOG (Articles 94 to 97).

[6] Article 100. § 1. The Disputes Chamber has the authority to: 1° to dismiss a complaint; 2° to order the dismissal of prosecution; 3° order the suspension of the ruling;

Such an appeal can be lodged by means of an inter partes petition, which must contain the statements listed in Article 1034ter of the Judicial Code [7]. The inter partes petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Dutch Civil Code [8], or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).

(signed) Hielke HIJMANS
Chairman of the Disputes Chamber

[7] The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and brief summary of the grounds of the claim; 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer.

[8] The application with its attachment will be sent by registered letter, in as many copies as there are parties involved, to the clerk of the court or deposited at the registry.