APD/GBA (Belgium) - 51/2024

From GDPRhub
Revision as of 08:26, 17 April 2024 by Nzm (talk | contribs)
APD/GBA - 51/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6 GDPR
Article 13(1) GDPR
Article 27 GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published: 02.04.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 51/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: nzm

The DPA issued a warning against a controller for, among other things, using personal data obtained via the data subject’s erasure request to send them marketing emails, and for not designating a representative in the EU.

English Summary

Facts

The controller offers services that allow a device user to remain identified even when browsing in incognito mode or using a VPN by assigning them a unique identifier. A demo on the controller’s website showed that a unique ID is assigned to each visitor of the website, which, when combined with the user’s location, allows to track, among other things, the number of visits.

The data subject sent an access request and indicated that he may decide to delete this data after receiving the access request. Since contacting the controller, the data subject had been receiving marketing emails.

The data subject lodged a complaint with the Belgian DPA (“APD”). The complaint was twofold: on the one hand, the data subject criticized the services provided by the controller and considered that there was probably no legal basis for these processing operations. On the other hand, they challenged the controller’s failure to provide a positive response to their erasure request.

The data subject also indicated that other parties could potentially use the same technology in a way that does not comply with the GDPR.

The data subject attached a mail summary which shows an email exchange between the data subject and the controller, but the actual content of the email exchange was not shared with the APD.

Holding

Regarding the legal basis of the processing operations, the APD noted that the controller’s privacy policy did not clearly state the legal basis under Article 6 GDPR. The APD found a possible violation of Article 13(1) GDPR which requires the controller to inform the data subject of the legal basis.

Moreover, the APD pointed out that this processing, which uses, among other things, location and IP address to assign a unique ID to a visitor, must in principle be based on consent. The APD therefore found a possible breach of Articles 5(1)(a) and 6 GDPR.

Regarding the use by other parties of the technology, the APD indicated that the complaint is specifically directed towards the controller, and that it is up to each controller to ensure that their processing activities are in compliance with the GDPR. Therefore, the APD only examined the activities that took place under the responsibility of the controller.

Regarding the access and erasure request, the APD considered that it appeared from the elements provided that there was an email exchange between the data subject and the controller, but as the content of this communication had not been provided, the DPA could not assess whether the controller’s response met the requirements of the GDPR.

Nonetheless, the controller added that if personal data is obtained by submitting an erasure request, it cannot be used thereafter to send out marketing emails, under the principle of purpose limitation under Article 5(1)(b) GDPR. The APD therefore found a possible violation of Article 5(1)(b) GDPR.

Finally, the APD also noted that the controller had not appointed a representative in the European Union under Article 27 GDPR.

Thus, the APD issued a warning for (i) failing to comply with the information obligation under Article 13 GDPR, (ii) for using the contact details of the data subject to send marketing emails and thus possibly violating Article 5(1)(b) GDPR, (iii) for failing to appoint a representative in the European Union under Article 27 GDPR and (iv) for possibly violating Articles 6 and 5(1)(a) GDPR.

Comment

As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure within 30 days after the decision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/7



                                                                          Dispute Chamber


                                                      Decision 51/2024 of April 2, 2024


File number: DOS-2023-03422


Subject: warning due to failure to appoint a representative in the

Union and conducting a demo (online fingerprinting)



The Disputes Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;


In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Considering the documents in the file;


Has made the following decision regarding:


The complainant:



The defendant: Y, hereinafter “the defendant” Decision 51/2024 — 2/7



I. Facts and procedure


 1. The defendant offers services that enable a user of a device
                                                                                                  1
       continue to identify you, even when surfing in incognito mode or using a VPN.
       This provides a demo on the website, giving the visitor to the website a unique experience

       ID is assigned.


 2. The subject of the complaint concerns the processing that takes place in the context of the

       running this demo on the defendant's website. The complainant criticizes it

       assigning the unique ID.

 3. On March 22, 2023, the complainant would submit a request for access, together with a request for

       erasure of data, addressed to the defendant. The request was as follows

       formulated: “I want a copy of all the information you have about me and my decide [sic] (as

       per GDPR regulation) after which I want all data to be deleted. Thanks. Also please stop this

       service."


 4. The email overview that the complainant has added to the complaint shows how a
       email exchange takes place between the complainant and the defendant on March 23, 2023

       March 29, 2023. The actual content of this email exchange was not communicated to the

       Shared dispute room.


 5. Since contacting the defendant, the complainant has been receiving marketing emails,

       starting from May 23, 2023. At the time of filing the complaint, the

       last email dated August 10, 2023.

 6. On August 13, 2023, the complainant submits a complaint to the

       Data Protection Authority against the defendant.


 7. On August 30, 2023, the complaint will be declared admissible by the First Line Service on
                                             2
       on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
                                             3
       transferred to the Disputes Chamber.

 8. In accordance with Article 95, §2,3°WOG as well as Article 47 of the internal order regulations

       The parties can request a copy of the file from the GBA. If either

       parties wish to make use of the option to consult and copy

       the file, he must contact the secretariat of the Disputes Chamber, at

       preferably via litigationchamber@apd-gba.be.





1[…]

2In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible
declared.
3In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to
has been transferred to her as a result of this complaint. Decision 51/2024 — 3/7


II. Justification


 9. The complaint is twofold; on the one hand, the complainant criticizes the services provided by the defendant

       grants, on the other hand, it points out that the defendant has failed to provide a (favorable) response

       her request for data erasure.

 10. The complaint primarily concerns the legality of the defendant's services.

       These are demonstrated, among other things, on the home page of the website

       defendant shown. This demonstration assigns a unique ID to each visitor to the

       website, which in combination with the user's location allows (under

       other) to keep track of the number of visits. The complainant indicates that there is probably none

       there is a legal basis for this processing.

 11. When checking whether the processing in this case was carried out lawfully, the Disputes Chamber noted

       Please note that the defendant's privacy policy does not clearly state the legal basis

       of Article 6 GDPR they base their processing activities. As a result, the

       Disputes Chamber determines a possible violation of Article 13.1.c) GDPR, whereby the

       controller is obliged to inform the data subject
       processing purposes for the processing of personal data.


 12. Furthermore, the Disputes Chamber notes that such processing, including:

       the location and IP address are used to assign a unique ID to a visitor, in

       principle must be based on the consent of a data subject. This seems fine
       not necessarily satisfied. The Disputes Chamber therefore notes a possible infringement

       to articles 5.1.a) and 6 GDPR.


 13. The complainant also emphasized in her complaint that other parties may have the same

       could use technology in a way that does not comply with the GDPR. It is

       However, it is important to note that the complaint is specifically directed against the defendant, and the
       It is up to each controller to ensure that their own

       processing activities are in accordance with the GDPR, as specified in Article 24 of

       the GDPR. Therefore, the Dispute Chamber will only investigate the activities that take place

       under the responsibility of the defendant, and will not elaborate further on possible

       processing activities that may be carried out by any other entities

       executed. It is up to each controller to check each time

       whether their processing activities are carried out in accordance with the GDPR.

 14. In addition, the complainant indicates in her complaint that she has submitted a request for access

       data erasure in accordance with Articles 15 and 17 GDPR has been submitted to the

       defendant, but has not received a favorable response. When viewing the



4
 See […] (consulted on March 8, 2024). Decision 51/2024 — 4/7


     documents added to the complaint show that there was indeed email contact

     between the complainant and the defendant. So it appears that the defendant has

     responded to the complainant's requests, but the content of this communication is

     not provided to the Disputes Chamber. That is why the Disputes Chamber cannot assess whether
     the defendant's response meets the requirements of the GDPR.


15. In this context, the Dispute Chamber recalls that the right to erasure of data

     Article 17 GDPR is not an absolute right. The first paragraph of Article 17 GDPR lists an exhaustive list

     number of situations in which the controller is obliged to implement
     indicate the right to erasure of data of a data subject. A request for erasure

     in accordance with Article 17.1 of the GDPR should not be carried out by the

     controller if there is an exception in accordance with the third paragraph

     this article applies. It is unclear whether the defendant is in this case

     invokes an exception. The Disputes Chamber cannot therefore rule on one

     potential violation of Article 17 GDPR on the part of the defendant.

16. It is clear that if personal data is obtained by submitting a

     request for data deletion, it cannot subsequently be used for the purpose

     sending out marketing emails. This is in line with the purpose limitation principle of Article 5.1.b)

     GDPR. The purpose limitation principle requires that the purpose of the processing be defined
     at the time the data is collected and writes as a starting point for all

     successive processing operations may not exceed the defined purpose.


17. In this context, the Disputes Chamber must determine that the further use of the
     contact details of the complainant for marketing purposes, cannot be seen as

     compatible further processing within the meaning of Article 6.4 GDPR. She therefore proposes a

     possible violation of Article 5.1.b) GDPR.


18. Finally, the Disputes Chamber notes that there is no representative of the
     controller is appointed on European territory. This

     obligation is included in Article 27 GDPR.


19. The foregoing is all the more striking because the defendant does on his website

     advertises that it meets the requirements of the GDPR (“GDPR compliant”). From the
     This appears prima facie not to be the case.


20. The Disputes Chamber is of the opinion that on the basis of the above analysis

     concluded that the defendant may have violated the provisions of the GDPR
     was committed, which justifies taking one in this case

     decision on the basis of Article 95, § 1, 4°, WOG, more specifically the defendant

     to issue a warning for failure to comply with the information obligation

     of Article 13 GDPR, for the use of the complainant's contact details for Decision 51/2024 - 5/7



       sending marketing emails and thus Article 5.1.b) of the GDPR

       violations, as well as for failing to appoint a representative in the Union
       in accordance with Article 27 GDPR. The Disputes Chamber also proposes a possible

       violation of Article 6 GDPR j° Article 5.1.a) GDPR is established, due to the existence of a

       possible unlawful processing, for which they also charge the defendant

       gives a warning.


       Finally, the Disputes Chamber warns on the basis of Article 95, §1, 4°, WOG, if still

       relevant, to comply with the request for data erasure (and access) from the

       complainant.

 22. This decision is a prima facie decision taken by the Disputes Chamber

       in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant

       complaint, in the context of the “procedure prior to the decision on the merits” and none

       decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.


       The Disputes Chamber thus warns the defendant that an infringement is likely

       is committed on Article 5.1.a)j°Article 6GDPR,Article 5.1.b),Article 5.1.a)j°Article 13andArticle

       27 GDPR due to the current processing activities.

 23. The purpose of this decision is to inform the defendant of the fact that this

       may have committed an infringement of the provisions of the GDPR and this in the

       the opportunity to still comply with the aforementioned provisions.


 24. If the defendant does not agree with the content of the present primafacie

       decision and is of the opinion that it can apply factual and/or legal arguments

       that could lead to a different decision, this can be done via the e-mail address

       litigationchamber@apd-gba.be send a request to hear the merits of the case

       to the Disputes Chamber within 30 days after notification of this
       decision. The implementation of this decision will, if necessary, continue for a period of time

       suspended for the aforementioned period.


 25. In the event of a continuation of the merits of the case, the

       Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG

       invite them to submit their defenses as well as any documents they consider useful in the case

       file to add. If necessary, the present decision will be permanently suspended.

 26. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits

       of the case may lead to the imposition of the measures stated in Article 100 of the WOG. 6



5
 Section 3, Subsection 2 of the WOG (Articles 94 to 97).
6Article 100. § 1. The Disputes Chamber has the authority to:
 1° to dismiss a complaint;
 2° to order the dismissal of prosecution;
 3° order the suspension of the ruling; Decision 51/2024 — 7/7


Such an appeal can be lodged by means of an inter partes petition

                                                                                                        7
must contain statements listed in Article 1034ter of the Judicial Code. It

an objection petition must be submitted to the registry of the Market Court
                                                                       8
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit

IT system of Justice (Article 32ter of the Judicial Code).







(get). Hielke H IJMANS

Chairman of the Disputes Chamber

















































7The petition states, under penalty of nullity:

 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     company number;
 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
     summoned;
 4° the subject matter and brief summary of the grounds of the claim;

 5° the judge before whom the claim is brought;
 6° the signature of the applicant or his lawyer.
8The application with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.