APD/GBA (Belgium) - 51/2024
| APD/GBA - 51/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6 GDPR Article 13(1) GDPR Article 27 GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | |
| Published: | 02.04.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 51/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | nzm |
The DPA issued a warning against a controller for, among other things, using personal data obtained via the data subject’s erasure request to send them marketing emails, and for not designating a representative in the EU.
English Summary
Facts
The controller offers services that allow a device user to remain identified even when browsing in incognito mode or using a VPN by assigning them a unique identifier. A demo on the controller’s website showed that a unique ID is assigned to each visitor of the website, which, when combined with the user’s location, allows to track, among other things, the number of visits.
The data subject sent an access request and indicated that he may decide to delete this data after receiving the access request. Since contacting the controller, the data subject had been receiving marketing emails.
The data subject lodged a complaint with the Belgian DPA (“APD”). The complaint was twofold: on the one hand, the data subject criticized the services provided by the controller and considered that there was probably no legal basis for these processing operations. On the other hand, they challenged the controller’s failure to provide a positive response to their erasure request.
The data subject also indicated that other parties could potentially use the same technology in a way that does not comply with the GDPR.
The data subject attached a mail summary which shows an email exchange between the data subject and the controller, but the actual content of the email exchange was not shared with the APD.
Holding
Regarding the legal basis of the processing operations, the APD noted that the controller’s privacy policy did not clearly state the legal basis under Article 6 GDPR. The APD found a possible violation of Article 13(1) GDPR which requires the controller to inform the data subject of the legal basis.
Moreover, the APD pointed out that this processing, which uses, among other things, location and IP address to assign a unique ID to a visitor, must in principle be based on consent. The APD therefore found a possible breach of Articles 5(1)(a) and 6 GDPR.
Regarding the use by other parties of the technology, the APD indicated that the complaint is specifically directed towards the controller, and that it is up to each controller to ensure that their processing activities are in compliance with the GDPR. Therefore, the APD only examined the activities that took place under the responsibility of the controller.
Regarding the access and erasure request, the APD considered that it appeared from the elements provided that there was an email exchange between the data subject and the controller, but as the content of this communication had not been provided, the DPA could not assess whether the controller’s response met the requirements of the GDPR.
Nonetheless, the controller added that if personal data is obtained by submitting an erasure request, it cannot be used thereafter to send out marketing emails, under the principle of purpose limitation under Article 5(1)(b) GDPR. The APD therefore found a possible violation of Article 5(1)(b) GDPR.
Finally, the APD also noted that the controller had not appointed a representative in the European Union under Article 27 GDPR.
Thus, the APD issued a warning for (i) failing to comply with the information obligation under Article 13 GDPR, (ii) for using the contact details of the data subject to send marketing emails and thus possibly violating Article 5(1)(b) GDPR, (iii) for failing to appoint a representative in the European Union under Article 27 GDPR and (iv) for possibly violating Articles 6 and 5(1)(a) GDPR.
Comment
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure within 30 days after the decision.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/7
Dispute Chamber
Decision 51/2024 of April 2, 2024
File number: DOS-2023-03422
Subject: warning due to failure to appoint a representative in the
Union and conducting a demo (online fingerprinting)
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
The complainant:
The defendant: Y, hereinafter “the defendant” Decision 51/2024 — 2/7
I. Facts and procedure
1. The defendant offers services that enable a user of a device
1
continue to identify you, even when surfing in incognito mode or using a VPN.
This provides a demo on the website, giving the visitor to the website a unique experience
ID is assigned.
2. The subject of the complaint concerns the processing that takes place in the context of the
running this demo on the defendant's website. The complainant criticizes it
assigning the unique ID.
3. On March 22, 2023, the complainant would submit a request for access, together with a request for
erasure of data, addressed to the defendant. The request was as follows
formulated: “I want a copy of all the information you have about me and my decide [sic] (as
per GDPR regulation) after which I want all data to be deleted. Thanks. Also please stop this
service."
4. The email overview that the complainant has added to the complaint shows how a
email exchange takes place between the complainant and the defendant on March 23, 2023
March 29, 2023. The actual content of this email exchange was not communicated to the
Shared dispute room.
5. Since contacting the defendant, the complainant has been receiving marketing emails,
starting from May 23, 2023. At the time of filing the complaint, the
last email dated August 10, 2023.
6. On August 13, 2023, the complainant submits a complaint to the
Data Protection Authority against the defendant.
7. On August 30, 2023, the complaint will be declared admissible by the First Line Service on
2
on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
3
transferred to the Disputes Chamber.
8. In accordance with Article 95, §2,3°WOG as well as Article 47 of the internal order regulations
The parties can request a copy of the file from the GBA. If either
parties wish to make use of the option to consult and copy
the file, he must contact the secretariat of the Disputes Chamber, at
preferably via litigationchamber@apd-gba.be.
1[…]
2In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible
declared.
3In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to
has been transferred to her as a result of this complaint. Decision 51/2024 — 3/7
II. Justification
9. The complaint is twofold; on the one hand, the complainant criticizes the services provided by the defendant
grants, on the other hand, it points out that the defendant has failed to provide a (favorable) response
her request for data erasure.
10. The complaint primarily concerns the legality of the defendant's services.
These are demonstrated, among other things, on the home page of the website
defendant shown. This demonstration assigns a unique ID to each visitor to the
website, which in combination with the user's location allows (under
other) to keep track of the number of visits. The complainant indicates that there is probably none
there is a legal basis for this processing.
11. When checking whether the processing in this case was carried out lawfully, the Disputes Chamber noted
Please note that the defendant's privacy policy does not clearly state the legal basis
of Article 6 GDPR they base their processing activities. As a result, the
Disputes Chamber determines a possible violation of Article 13.1.c) GDPR, whereby the
controller is obliged to inform the data subject
processing purposes for the processing of personal data.
12. Furthermore, the Disputes Chamber notes that such processing, including:
the location and IP address are used to assign a unique ID to a visitor, in
principle must be based on the consent of a data subject. This seems fine
not necessarily satisfied. The Disputes Chamber therefore notes a possible infringement
to articles 5.1.a) and 6 GDPR.
13. The complainant also emphasized in her complaint that other parties may have the same
could use technology in a way that does not comply with the GDPR. It is
However, it is important to note that the complaint is specifically directed against the defendant, and the
It is up to each controller to ensure that their own
processing activities are in accordance with the GDPR, as specified in Article 24 of
the GDPR. Therefore, the Dispute Chamber will only investigate the activities that take place
under the responsibility of the defendant, and will not elaborate further on possible
processing activities that may be carried out by any other entities
executed. It is up to each controller to check each time
whether their processing activities are carried out in accordance with the GDPR.
14. In addition, the complainant indicates in her complaint that she has submitted a request for access
data erasure in accordance with Articles 15 and 17 GDPR has been submitted to the
defendant, but has not received a favorable response. When viewing the
4
See […] (consulted on March 8, 2024). Decision 51/2024 — 4/7
documents added to the complaint show that there was indeed email contact
between the complainant and the defendant. So it appears that the defendant has
responded to the complainant's requests, but the content of this communication is
not provided to the Disputes Chamber. That is why the Disputes Chamber cannot assess whether
the defendant's response meets the requirements of the GDPR.
15. In this context, the Dispute Chamber recalls that the right to erasure of data
Article 17 GDPR is not an absolute right. The first paragraph of Article 17 GDPR lists an exhaustive list
number of situations in which the controller is obliged to implement
indicate the right to erasure of data of a data subject. A request for erasure
in accordance with Article 17.1 of the GDPR should not be carried out by the
controller if there is an exception in accordance with the third paragraph
this article applies. It is unclear whether the defendant is in this case
invokes an exception. The Disputes Chamber cannot therefore rule on one
potential violation of Article 17 GDPR on the part of the defendant.
16. It is clear that if personal data is obtained by submitting a
request for data deletion, it cannot subsequently be used for the purpose
sending out marketing emails. This is in line with the purpose limitation principle of Article 5.1.b)
GDPR. The purpose limitation principle requires that the purpose of the processing be defined
at the time the data is collected and writes as a starting point for all
successive processing operations may not exceed the defined purpose.
17. In this context, the Disputes Chamber must determine that the further use of the
contact details of the complainant for marketing purposes, cannot be seen as
compatible further processing within the meaning of Article 6.4 GDPR. She therefore proposes a
possible violation of Article 5.1.b) GDPR.
18. Finally, the Disputes Chamber notes that there is no representative of the
controller is appointed on European territory. This
obligation is included in Article 27 GDPR.
19. The foregoing is all the more striking because the defendant does on his website
advertises that it meets the requirements of the GDPR (“GDPR compliant”). From the
This appears prima facie not to be the case.
20. The Disputes Chamber is of the opinion that on the basis of the above analysis
concluded that the defendant may have violated the provisions of the GDPR
was committed, which justifies taking one in this case
decision on the basis of Article 95, § 1, 4°, WOG, more specifically the defendant
to issue a warning for failure to comply with the information obligation
of Article 13 GDPR, for the use of the complainant's contact details for Decision 51/2024 - 5/7
sending marketing emails and thus Article 5.1.b) of the GDPR
violations, as well as for failing to appoint a representative in the Union
in accordance with Article 27 GDPR. The Disputes Chamber also proposes a possible
violation of Article 6 GDPR j° Article 5.1.a) GDPR is established, due to the existence of a
possible unlawful processing, for which they also charge the defendant
gives a warning.
Finally, the Disputes Chamber warns on the basis of Article 95, §1, 4°, WOG, if still
relevant, to comply with the request for data erasure (and access) from the
complainant.
22. This decision is a prima facie decision taken by the Disputes Chamber
in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant
complaint, in the context of the “procedure prior to the decision on the merits” and none
decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.
The Disputes Chamber thus warns the defendant that an infringement is likely
is committed on Article 5.1.a)j°Article 6GDPR,Article 5.1.b),Article 5.1.a)j°Article 13andArticle
27 GDPR due to the current processing activities.
23. The purpose of this decision is to inform the defendant of the fact that this
may have committed an infringement of the provisions of the GDPR and this in the
the opportunity to still comply with the aforementioned provisions.
24. If the defendant does not agree with the content of the present primafacie
decision and is of the opinion that it can apply factual and/or legal arguments
that could lead to a different decision, this can be done via the e-mail address
litigationchamber@apd-gba.be send a request to hear the merits of the case
to the Disputes Chamber within 30 days after notification of this
decision. The implementation of this decision will, if necessary, continue for a period of time
suspended for the aforementioned period.
25. In the event of a continuation of the merits of the case, the
Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG
invite them to submit their defenses as well as any documents they consider useful in the case
file to add. If necessary, the present decision will be permanently suspended.
26. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits
of the case may lead to the imposition of the measures stated in Article 100 of the WOG. 6
5
Section 3, Subsection 2 of the WOG (Articles 94 to 97).
6Article 100. § 1. The Disputes Chamber has the authority to:
1° to dismiss a complaint;
2° to order the dismissal of prosecution;
3° order the suspension of the ruling; Decision 51/2024 — 7/7
Such an appeal can be lodged by means of an inter partes petition
7
must contain statements listed in Article 1034ter of the Judicial Code. It
an objection petition must be submitted to the registry of the Market Court
8
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit
IT system of Justice (Article 32ter of the Judicial Code).
(get). Hielke H IJMANS
Chairman of the Disputes Chamber
7The petition states, under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
summoned;
4° the subject matter and brief summary of the grounds of the claim;
5° the judge before whom the claim is brought;
6° the signature of the applicant or his lawyer.
8The application with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.
