APD/GBA (Belgium) - 86/2024

From GDPRhub
Revision as of 15:09, 11 June 2024 by Nzm (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - 86/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(1) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Started: 24.12.2019
Decided: 27.05.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 86/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: nzm

The APD issued a reprimand against a controller for responding orally to an access request and for not providing the information regarding the processing due to its apparent obviousness.

English Summary

Facts

On 1 June 2019, the mother of a pupil (‘data subject’) exercised her right of access with the school the data subject attended (‘controller’), and specifically requested the data held by the controller regarding the data subject, the purposes for which the data were processed, and how long the data were kept. She also requested that in the event that photos of the data subject were taken during a school trip and were then published, they be deleted.

On 2 June 2019, regarding the access request, the controller responded that it was subject to the control of an ad hoc person, and that it would only refer to them with regard to the processing. Regarding the deletion request, the controller replied that in the beginning of the school year, a document relating to image rights was submitted to the parents, committing them for the entire school year. This document was also published on the controller’s website.

On 26 August 2019, the mother wrote to the controller explaining that she was still awaiting a reply. On the same day, the controller responded that it had already replied on 2 June 2019. The data subject decided to lodge a complaint with the Belgian DPA (‘APD’).

The Litigation Department of the APD requested that the Inspection Department conduct an investigation. The latter followed these instructions and completed a report indicating that the controller (i) failed to comply with Articles 12(1), 15(1) and 15(3) GDPR by not providing the mother of the data subject with a copy of the personal data being processed and (ii) the controller failed to comply with Articles 12(1), 13 and 14 GDPR as the information relating to the data collected was absent from the documents transmitted in the beginning of the school year. This report, as well as the complaint, were forwarded to the Litigation Department.

The controller argued in particular that (i) a reply was given to the data subject’s mother by telephone and the written exchanges only reveal an incomplete part of the information communicated and (ii) the purpose of the controller’s collection always seems obvious and therefore did not seem to require any further explanation.

Holding

Regarding the access request, the APD explained that it has three components: first, under Article 15(1) GDPR, the data subject has the right to obtain confirmation from the controller as to whether or not personal data relating to them are being processed. Second, the data subject also has the right to obtain access to the personal data and the series of information listed in Article 15(1)(a) to 15(1)(h) GDPR. Third, the data subject has the right to obtain a copy of the personal data being processed.

Article 12(1) GDPR specifies that this information can be provided to the data subject either in writing or by other means, such as electronic means. The EDPB specified in its guidelines that the information – or copy of the personal data – provided to the data subject must be in a permanent form and sustainable over time.

In the present case, the controller claimed that it responded to the mother’s requests by telephone. The controller pointed out that it was appropriate to take the telephone exchanges in addition to the written exchanges it had with the mother.

However, the APD held that no evidence showed that the data subject requested an oral response to the exercise of her daughter’s rights. The APD considered that the alleged oral replies given by the controller could not supplement the absence of a written reply. Therefore, the APD considered that the controller did not provide a complete response to the mother’s access request and thus violates Articles 12(1), 15(1) and 15(3) GDPR.

Regarding the processing relating to the photos, although the controller published an information sheet on the ‘collection and processing of personal data’ on its website, the APD noted that the obligation to provide information must be fulfilled at the time of the collection of the data when it is a direct collection, or within one month of obtaining the data if it is indirect. Therefore, the APD considered that the apparent obviousness of a processing purpose did not relieve the controller of its obligation to inform the data subjects. Hence, the APD concluded that the controller breached Articles 12(1) and 13 GDPR.

In light of these violations, the APD issued a reprimand to the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/9



                                                                      Litigation Chamber


                                           Decision on merits 86/2024 of May 27, 2024


File number: DOS-2019-04539


Subject: Complaint relating to an unsatisfactory response to a request for access and

lack of sufficient information



The Litigation Chamber of the Data Protection Authority, made up of Mr.

Hielke HIJMANS, president, and gentlemen Romain Robert and Christophe Boeraeve, members;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the
protection of natural persons with regard to the processing of personal data and

to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the

data protection), hereinafter “GDPR”;


Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter

“LCA”);

Considering the internal regulations as approved by the House of Representatives on

December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;


Has taken the following decision regarding:



The complainant:


The defendant: Y, represented by Maîtres Marc U YTTENDAELE, Patricia M INSIER and Hélène

                    DEBATY, hereinafter “the defendant” Decision on the merits 86/2024 — 2/9


I. Facts and procedure


 1. On September 8, 2019, the complainant filed a request for mediation, transformed into

       complaint on December 24, 2019, to the Data Protection Authority against the

       defendant.

 2. The subject of the request concerns an unsatisfactory response to a request for access as well

       than a lack of sufficient information.


 3. The complainant is the mother of a student who attended the school of the

       defendant.

 4. On June 1, 2019, the complainant exercised her right of access to the defendant, and did more

       specifically requests: data held by the defendant concerning the complainant

       and her daughter ; the purposes pursued in the processing of this data; and, finally,

       the retention period of the latter. In addition, it requires – in the event that
       photos of his daughter taken as part of the school excursion would have been or were to be

       published on Facebook – their deletion.


 5. On June 2, 2019, the defendant responded, concerning the request for access, that it was submitted

       under the control of an ad hoc person and that he must only refer to him alone for what

       concerns the control of the processing of personal data. About the
       ask about photos, she answers that at the start of the school year, a document

       relating to “image rights” was submitted to the attention of parents, committing them for the year

       entire school.


 6. On August 26, 2019, the plaintiff wrote to the defendant that she was still waiting for a response.
       The same day, the defendant replied having already replied June 2, 2019. Always the same

       day, the complainant told him that she intended to contact the APD on this subject.


 7. On September 8, 2019, the complainant filed a request for mediation with the APD.

 8. On October 3, 2019, the Front Line Service declared the request for mediation admissible.


 9. On December 24, 2019, the complainant decided to transform her request for mediation into

       complaint.

 10. On January 6, 2020, the complaint was declared admissible by the Front Line Service on the

       based on articles 58 and 60 of the LCA and the complaint is transmitted to the Litigation Chamber
                                  er
       under article 62, § 1 of the LCA.

 11. On January 27, 2020, in accordance with article 96, § 1 of LCA, the request of the Chamber

       Contentious to carry out an investigation is transmitted to the Inspection Service, likewise

       as the complaint and the parts inventory.                                                                         Decision on merits 86/2024 — 3/9


12. On March 6, 2020, the investigation by the Inspection Service was closed, the report was attached to the file

      and this is transmitted by the inspector general to the President of the Litigation Chamber

      (art. 91, § 1 and § 2 of the LCA).

      The report includes findings relating to the subject matter of the complaint and concludes that:


         A. The defendant failed to comply with Articles 12.1, 15.1 and 15.3 of the GDPR in this

             that she did not communicate to the complainant all the information listed in article

             15.1 of the GDPR and that it has also not provided a copy of the personal data
             personnel undergoing treatment;


         B. The defendant failed to comply with articles 12.1, 13 and 14 of the GDPR because it

             acknowledges, through the prefect of the school in question, that

             information relating to the data collected is missing from the documents to be made
             complete and sign by parents, as well as its website.


13. On September 1, 2020 the Litigation Chamber decides, under article 95, § 1, 1°etr

      of article 98 of the LCA, that the file can be processed on its merits.

14. On the same date, the parties concerned are informed by registered mail of the

      provisions as set out in article 95, § 2 as well as article 98 of the LCA. They are

      also informed, under article 99 of the LCA, of the deadlines for transmitting their

      conclusions.The deadline for receipt of conclusions in response from the defendant

      was set for October 13, 2020, that for the complainant's reply conclusions on October 3, 2020.

      November 2020 and that for the defendant's rejoinder submissions on 24
      November 2020.


15. Still on the same date, the defendant agrees to receive all communications

      relating to the case electronically. By the same email, she requests a copy of the

      file (art. 95, §2, 3° LCA), which was sent to him on September 4, 2020.

16. On September 4, 2020, the complainant agreed to receive all communications

      relating to the case electronically.

17. On October 9, 2020, the defendant’s lawyer requested a copy of the file (art. 95, §2, 3°

      LCA), which was sent to him on October 12, 2020.


18. On October 13, 2020, the Litigation Chamber received the conclusions in response from

      of the defendant. The latter having submitted summary conclusions, its
      The argument is summarized in point 20 below.


19. On November 10, 2020, the complainant confirmed that she had not filed any conclusions in

      replica.

20. On November 23, 2020, the Litigation Chamber receives the summary conclusions of the

      part of the defendant. These summary conclusions can be summarized as follows: Decision on merits 86/2024 — 4/9


           • A response would have been given to the complainant, whether orally or

               telephone, the written exchanges revealing only an incomplete part of the

               information communicated;

           • The purpose pursued by the collection of data carried out by the defendant made it

               always seemed obvious, so that it did not seem to require further

               ample explanations;

           • The defendant emphasizes that, without denying the absence of prior information relating to

               the collection of medical data, she has always answered questions from

               parents of students regarding retention and archiving deadlines or even on

               the identity of the recipients of data transfers;

           • It has now – during the present procedure – put in place a policy of

               Data protection ;


           • Documents not legally required, such as forms for

               school excursions, were destroyed at the end of the 2018-2019 school year, following the
               departure of the plaintiff's daughter from the defendant's establishment;


           • The defendant provides in annex a table established by its organizing authority

               which illustrates the different data retention obligations that

               are his responsibility.

           • Finally, the defendant lists – for the first time since the first contact by

               the complainant – the list of data relating to the complainant's daughter of which she

               still has and their retention period.

 21. Given the workload of the Litigation Chamber, this decision was taken

       more time than expected. In view of the facts relating to this case, the Chamber considers

       always useful to comment on it.



II. Motivation


    II.1. As for the breach of articles 12.1, 15.1 and 15.3 of the GDPR

                                                                                                     er
 22. It appears from the documents in the file that the complainant exercised her right of access in writing on 1
       June 2019.


 23. The right of access has three components. First, under Article 15.1 of the GDPR,

       the data subject has the right to obtain from the controller confirmation that
       personal data concerning him or her are or are not processed.

       Secondly, when personal data is processed, the person

       concerned has the right to obtain access to said personal data as well as to a Decision on the merits 86/2024 — 5/9


       series of information listed in article 15.1. a) – h). Third, under Article 15.3

       of the GDPR, the data subject also has the right to obtain a copy of the data to be

       personal character which are the subject of the processing.


 24. Article 12.1 of the GDPR specifies that the information provided to the data subject in
       under article 15.1 of the same Regulations may be communicated either in writing or

       by other means such as electronic means.


 25. The European Data Protection Board (hereinafter “EDPB”) has specified, in its

       guidelines, that the information – or copy of personal data –

       provided to the data subject within the scope of Article 15 of the GDPR must be
       a permanent form and thus durable over time. 1


 26. Article 12.1 of the GDPR further provides that the data controller may take action

       to the exercise of the right of access of a data subject orally under the double-

       provided that this is done at the initiative of the person concerned and that the identity of this

       the latter is demonstrated by other means.

 27. In addition, article 5.2 of the GDPR specifies that it is up to the data controller to

       demonstrate that it complies with the basic principles of the GDPR enshrined in Article 6.1, which

       include the obligation of transparency and explicit purpose.

 28. In the present case, the defendant claims to have responded in particular to the

       requests from the complainant by telephone. The defendant specifies that it is therefore appropriate to

       take into account these vocal and telephone exchanges that she had with the complainant

       to written exchanges held within the same framework.

 29. However, no element from the documents in the file makes it possible to demonstrate that the complainant

       requested a response to the exercise of his right of oral access.


 30. Furthermore, it should be noted that the defendant provides for the first time in its

       conclusions of synthesis of information on the data still in its possession, their

       purpose, or their shelf life. Finally, she herself confirms that she did not think it was right

       to state the purposes of the processing on the grounds that they seemed obvious to him.

 31. Therefore, the Litigation Chamber can only consider the alleged oral responses

       given by the defendant could have supplemented the absence of a written response which emerges from the

       case.

 32. As raised by the SI (see point 12), the Litigation Chamber notes that the

       defendant did not provide a complete response to the complainant's request and that she

       also did not provide a copy of the processed personal data.



1EuropeanDataProtectionBoard,Guidelines01/2022ondatasubjectrights –Rightofaccess,point150,availableinEnglish
at: https://www.edpb.europa.eu/system/files/2023-04/edpb guidelines 202201 data subject rights access v2 en.pdf.                                                                      Decision on merits 86/2024 — 6/9


33. Furthermore, if the defendant responds several times that it “responded” to the requests

      of the complainant, this response must still be relevant and include the

      information referred to in Article 15 of the GDPR, quod no.

34. Finally, the fact that, as the defendant communicated to the plaintiff, the teachers

      do not have access to this information and are subject to professional secrecy

      not this observation.

35. Consequently, the Litigation Chamber finds that the defendant violated

      in Articles 12.1, 15.1 and 15.3 of the GDPR.



   II.2. As for the breach of articles 12.1 and 13 of the GDPR


36. The Litigation Chamber takes note of the fact that the defendant has published, on its website

      Internet, an information sheet relating to the collection and processing of data
      personal” before the start of the 2020-2021 school year.


37. The Litigation Chamber nevertheless finds a violation of articles 12.1 and 13 of the GDPR,

      point for which it agrees with the opinion of the SI (see point 12).

38. There is in fact no debate in this case as to the absence of prior information relating to

      the collection of data from the complainant’s daughter – particularly concerning the duration of

      conservation of –’s health data, this being recognized by the defendant.

39. In this regard, the defendant declares that it has always answered the parents' questions

      of students relating to retention and archiving deadlines as well as the identity of the

      recipients of this same data.

40. However, this cannot have any impact in the present case. The obligation

      information is a positive obligation incumbent on the data controller, and which

      must be accomplished at the time of data collection when this is direct, or

      within one month after obtaining this data when this is indirect,

      unless there is communication carried out with the person concerned on the basis of the
      data collected or there is a communication of these same data to another

      recipient, in which cases the one-month period established by article 14.3.a) may be reduced.


41. The Litigation Chamber adds that transparency is a fundamental principle of law

      to the protection of personal data. It allows the persons concerned not to
      only to become aware of the processing of their personal data

      personal, but also, by itself, to be able to exercise control – this one being able to lead

      to the taking of certain actions by the person concerned, where applicable.


42. It is also precisely for this reason that the European legislator, in the GDPR,
      sharpened the obligation to inform the persons concerned of the processing of their Decision on the merits 86/2024 — 7/9


       personal data by attaching additional qualities to it such as the

       conciseness, transparency, understandability and easy accessibility (see article 12.1 of the

       GDPR).


 43. This information is all the more crucial as it is a condition allowing
       persons concerned to have genuine freedom of choice in situations when

       which they would be required to consent to the processing of their personal data

       staff .


 44. The defendant also does not invoke any of the exceptions referred to in Article 13.4 of the GDPR.

 45. Furthermore, it cannot be accepted under any circumstances that the apparent evidence of a

       purpose of processing – at least for the controller – would discharge the

       data controller of its obligation to inform the persons concerned. By

       Consequently, the Litigation Chamber finds that the defendant violated the

       articles 12.1 and 13 of the GDPR.



III. Corrective measures and sanctions

 46. Under the terms of article 100 of the LCA, the Litigation Chamber has the power to:


       1° dismiss the complaint;

       2° order the dismissal of the case;

       3° pronounce a suspension of the sentence;

       4° propose a transaction;

       5° issue warnings and reprimands;
       6° order to comply with the requests of the data subject to exercise their rights

       ;

       7° order that the person concerned be informed of the security problem;

       8° order the freezing, limitation or temporary or definitive ban on processing;

       9° order compliance of the processing;

       10° order the rectification, restriction or erasure of the data and the notification of

       these to the recipients of the data;

       11° order the withdrawal of the approval of certification bodies;
       12° give fines;

       13° issue administrative fines;

       14° order the suspension of cross-border data flows to another State or a

       international body;





2C.J.U.E., November 11, 2020, Orange Romania SA v. National Authority for Supraveghere a Prelucrării Datelor cu Character
Personal (ANSPDCP), aff. C-61/19, point 41. Decision on merits 86/2024 — 9/9



In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days from its notification, to the Court of Markets (court

of Appeal of Brussels), with the Data Protection Authority as defendant.


Such an appeal may be introduced by means of an interlocutory request which must contain the

                                                                               3
information listed in article 1034ter of the Judicial Code. The interlocutory request must be
                                                                                                                       4
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or

via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.).







(sé). Hielke H IJMANS

President of the Litigation Chamber
















































3The request contains barely any nullity:
  1° indication of the day, month and year;

  2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or
     Business Number;
  3° the surname, first name, address and, where applicable, the status of the person to be summoned;
  4° the object and summary of the grounds of the request;
  5° indication of the judge who is seized of the request;

the signature of the applicant or his lawyer.
4
  The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court registry.