APD/GBA (Belgium) - 86/2024
APD/GBA - 86/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 12(1) GDPR, Article 13 GDPR, Article 15(1) GDPR, Article 15(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 24.12.2019 |
Decided: | 27.05.2024 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 86/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) |
Initial Contributor: | nzm |
The APD issued a reprimand against a controller for responding orally to an access request and for not providing the information regarding the processing due to its apparent obviousness.
English Summary
Facts
On 1 June 2019, the mother of a pupil (‘data subject’) exercised her right of access with the school the data subject attended (‘controller’), and specifically requested the data held by the controller regarding the data subject, the purposes for which the data were processed, and how long the data were kept. She also requested that in the event that photos of the data subject were taken during a school trip and were then published, they be deleted.
On 2 June 2019, regarding the access request, the controller responded that it was subject to the control of an ad hoc person, and that it would only refer to them with regard to the processing. Regarding the deletion request, the controller replied that in the beginning of the school year, a document relating to image rights was submitted to the parents, committing them for the entire school year. This document was also published on the controller’s website.
On 26 August 2019, the mother wrote to the controller explaining that she was still awaiting a reply. On the same day, the controller responded that it had already replied on 2 June 2019. The data subject decided to lodge a complaint with the Belgian DPA (‘APD’).
The Litigation Department of the APD requested that the Inspection Department conduct an investigation. The latter followed these instructions and completed a report indicating that the controller (i) failed to comply with Articles 12(1), 15(1) and 15(3) GDPR by not providing the mother of the data subject with a copy of the personal data being processed and (ii) the controller failed to comply with Articles 12(1), 13 and 14 GDPR as the information relating to the data collected was absent from the documents transmitted in the beginning of the school year. This report, as well as the complaint, were forwarded to the Litigation Department.
The controller argued in particular that (i) a reply was given to the data subject’s mother by telephone and the written exchanges only reveal an incomplete part of the information communicated and (ii) the purpose of the controller’s collection always seems obvious and therefore did not seem to require any further explanation.
Holding
Regarding the access request, the APD explained that it has three components: first, under Article 15(1) GDPR, the data subject has the right to obtain confirmation from the controller as to whether or not personal data relating to them are being processed. Second, the data subject also has the right to obtain access to the personal data and the series of information listed in Article 15(1)(a) to 15(1)(h) GDPR. Third, the data subject has the right to obtain a copy of the personal data being processed.
Article 12(1) GDPR specifies that this information can be provided to the data subject either in writing or by other means, such as electronic means. The EDPB specified in its guidelines that the information – or copy of the personal data – provided to the data subject must be in a permanent form and sustainable over time.
In the present case, the controller claimed that it responded to the mother’s requests by telephone. The controller pointed out that it was appropriate to take the telephone exchanges into account in addition to the written exchanges it had with the mother.
However, the APD held that no evidence showed that the data subject requested an oral response to the exercise of her daughter’s rights. The APD considered that the alleged oral replies given by the controller could not supplement the absence of a written reply. Therefore, the APD considered that the controller did not provide a complete response to the mother’s access request and thus violated Articles 12(1), 15(1) and 15(3) GDPR.
Regarding the processing relating to the photos, although the controller published an information sheet on the ‘collection and processing of personal data’ on its website, the APD noted that the obligation to provide information must be fulfilled at the time of the collection of the data when it is a direct collection, or within one month of obtaining the data if it is indirect. Therefore, the APD considered that the apparent obviousness of a processing purpose did not relieve the controller of its obligation to inform the data subjects. Hence, the APD concluded that the controller breached Articles 12(1) and 13 GDPR.
In light of these violations, the APD issued a reprimand to the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision on merits 86/2024 of May 27, 2024
File number: DOS-2019-04539
Subject: Complaint relating to an unsatisfactory response to a request for access and lack of sufficient information
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke HIJMANS, president, and Messrs. Romain Robert and Christophe Boeraeve, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter “LCA”);
Considering the internal regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Has taken the following decision regarding:
The complainant:
The defendant: Y, represented by Maîtres Marc UYTTENDAELE, Patricia MINSIER and Hélène DEBATY, hereinafter “the defendant”
I. Facts and procedure
1. On September 8, 2019, the complainant filed a request for mediation, transformed into a complaint on December 24, 2019, with the Data Protection Authority against the defendant.
2. The subject of the request concerns an unsatisfactory response to a request for access as well as a lack of sufficient information.
3. The complainant is the mother of a student who attended the defendant's school.
4. On June 1, 2019, the complainant exercised her right of access with the defendant, and more specifically requested: the data held by the defendant concerning the complainant and her daughter; the purposes pursued in the processing of this data; and, finally, the retention period of the latter.
In addition, she requested – in the event that photos of her daughter taken as part of the school excursion had been or were to be published on Facebook – their deletion.
5. On June 2, 2019, the defendant responded, concerning the request for access, that it was subject to the control of an ad hoc person and that it must refer to that person alone as regards the control of the processing of personal data. Regarding the request about the photos, it answered that at the start of the school year, a document relating to “image rights” was submitted to the attention of parents, committing them for the entire school year.
6. On August 26, 2019, the complainant wrote to the defendant that she was still waiting for a response. The same day, the defendant replied that it had already replied on June 2, 2019. Still on the same day, the complainant told it that she intended to contact the APD on this subject.
7. On September 8, 2019, the complainant filed a request for mediation with the APD.
8. On October 3, 2019, the Front Line Service declared the request for mediation admissible.
9. On December 24, 2019, the complainant decided to transform her request for mediation into a complaint.
10. On January 6, 2020, the complaint was declared admissible by the Front Line Service on the basis of articles 58 and 60 of the LCA and the complaint was transmitted to the Litigation Chamber under article 62, § 1 of the LCA.
11. On January 27, 2020, in accordance with article 96, § 1 of the LCA, the request of the Litigation Chamber to carry out an investigation was transmitted to the Inspection Service, as were the complaint and the inventory of documents.
12. On March 6, 2020, the investigation by the Inspection Service was closed, the report was attached to the file and the file was transmitted by the inspector general to the President of the Litigation Chamber (art. 91, § 1 and § 2 of the LCA).
The report includes findings relating to the subject matter of the complaint and concludes that:
A. The defendant failed to comply with Articles 12.1, 15.1 and 15.3 of the GDPR in that it did not communicate to the complainant all the information listed in article 15.1 of the GDPR and also did not provide a copy of the personal data undergoing processing;
B. The defendant failed to comply with articles 12.1, 13 and 14 of the GDPR because it acknowledges, through the prefect of the school in question, that information relating to the data collected is missing from the documents to be completed and signed by parents, as well as from its website.
13. On September 1, 2020, the Litigation Chamber decided, under article 95, § 1, 1° and article 98 of the LCA, that the file could be processed on its merits.
14. On the same date, the parties concerned were informed by registered mail of the provisions set out in article 95, § 2 as well as article 98 of the LCA. They were also informed, under article 99 of the LCA, of the deadlines for transmitting their conclusions. The deadline for receipt of the defendant's conclusions in response was set for October 13, 2020, that for the complainant's reply conclusions on October 3, 2020. November 2020 and that for the defendant's rejoinder submissions on 24 November 2020.
15. Still on the same date, the defendant agreed to receive all communications relating to the case electronically. By the same email, it requested a copy of the file (art. 95, §2, 3° LCA), which was sent to it on September 4, 2020.
16. On September 4, 2020, the complainant agreed to receive all communications relating to the case electronically.
17. On October 9, 2020, the defendant’s lawyer requested a copy of the file (art. 95, §2, 3° LCA), which was sent to him on October 12, 2020.
18. On October 13, 2020, the Litigation Chamber received the conclusions in response from the defendant.
The latter having submitted summary conclusions, its argument is summarized in point 20 below.
19. On November 10, 2020, the complainant confirmed that she had not filed any reply conclusions.
20. On November 23, 2020, the Litigation Chamber received the summary conclusions from the defendant. These summary conclusions can be summarized as follows:
• A response was allegedly given to the complainant, whether orally or by telephone, the written exchanges revealing only an incomplete part of the information communicated;
• The purpose pursued by the collection of data carried out by the defendant had always seemed obvious to it, so that it did not seem to require further explanation;
• The defendant emphasizes that, without denying the absence of prior information relating to the collection of medical data, it has always answered questions from parents of students regarding retention and archiving periods or the identity of the recipients of data transfers;
• It has now – during the present procedure – put in place a data protection policy;
• Documents not legally required, such as forms for school excursions, were destroyed at the end of the 2018-2019 school year, following the departure of the complainant's daughter from the defendant's establishment;
• The defendant provides in annex a table established by its organizing authority which illustrates the different data retention obligations that are its responsibility;
• Finally, the defendant lists – for the first time since the first contact by the complainant – the data relating to the complainant's daughter that it still holds and their retention period.
21. Given the workload of the Litigation Chamber, this decision took more time than expected. In view of the facts relating to this case, the Chamber still considers it useful to rule on it.
II. Motivation
II.1.
As for the breach of articles 12.1, 15.1 and 15.3 of the GDPR
22. It appears from the documents in the file that the complainant exercised her right of access in writing on 1 June 2019.
23. The right of access has three components. First, under Article 15.1 of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Secondly, when personal data is processed, the data subject has the right to obtain access to said personal data as well as to a series of information listed in article 15.1. a) – h). Third, under Article 15.3 of the GDPR, the data subject also has the right to obtain a copy of the personal data which are the subject of the processing.
24. Article 12.1 of the GDPR specifies that the information provided to the data subject under article 15.1 of the same Regulation may be communicated either in writing or by other means such as electronic means.
25. The European Data Protection Board (hereinafter “EDPB”) has specified, in its guidelines, that the information – or copy of personal data – provided to the data subject within the scope of Article 15 of the GDPR must be in a permanent form and thus durable over time. [1]
26. Article 12.1 of the GDPR further provides that the data controller may respond orally to the exercise of the right of access of a data subject on the twofold condition that this is done at the initiative of the data subject and that the identity of the latter is demonstrated by other means.
27. In addition, article 5.2 of the GDPR specifies that it is up to the data controller to demonstrate that it complies with the basic principles of the GDPR enshrined in Article 6.1, which include the obligation of transparency and explicit purpose.
28. In the present case, the defendant claims to have responded to the complainant's requests in particular by telephone.
The defendant specifies that it is therefore appropriate to take into account these oral and telephone exchanges that it had with the complainant in addition to the written exchanges held within the same framework.
29. However, nothing in the documents in the file makes it possible to demonstrate that the complainant requested an oral response to the exercise of her right of access.
30. Furthermore, it should be noted that the defendant provides for the first time in its summary conclusions information on the data still in its possession, their purpose, or their retention period. Finally, it itself confirms that it did not think it was right to state the purposes of the processing on the grounds that they seemed obvious to it.
31. Therefore, the Litigation Chamber cannot consider that the alleged oral responses given by the defendant could have made up for the absence of a written response which emerges from the file.
32. As raised by the Inspection Service (SI) (see point 12), the Litigation Chamber notes that the defendant did not provide a complete response to the complainant's request and that it also did not provide a copy of the processed personal data.
[1] European Data Protection Board, Guidelines 01/2022 on data subject rights – Right of access, point 150, available in English at: https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf.
33. Furthermore, although the defendant states several times that it “responded” to the complainant's requests, this response must still be relevant and include the information referred to in Article 15 of the GDPR, quod non.
34. Finally, the fact that, as the defendant communicated to the complainant, the teachers do not have access to this information and are subject to professional secrecy does not alter this observation.
35. Consequently, the Litigation Chamber finds that the defendant violated Articles 12.1, 15.1 and 15.3 of the GDPR.
II.2.
As for the breach of articles 12.1 and 13 of the GDPR
36. The Litigation Chamber takes note of the fact that the defendant published, on its website, an information sheet relating to “the collection and processing of personal data” before the start of the 2020-2021 school year.
37. The Litigation Chamber nevertheless finds a violation of articles 12.1 and 13 of the GDPR, a point on which it agrees with the opinion of the SI (see point 12).
38. There is in fact no debate in this case as to the absence of prior information relating to the collection of data from the complainant’s daughter – particularly concerning the retention period of –’s health data, this being recognized by the defendant.
39. In this regard, the defendant declares that it has always answered the questions of students' parents relating to retention and archiving periods as well as the identity of the recipients of this same data.
40. However, this cannot have any impact in the present case. The obligation to provide information is a positive obligation incumbent on the data controller, which must be fulfilled at the time of data collection when collection is direct, or within one month after obtaining the data when collection is indirect, unless a communication is made with the data subject on the basis of the data collected or the same data are communicated to another recipient, in which cases the one-month period established by article 14.3.a) may be reduced.
41. The Litigation Chamber adds that transparency is a fundamental principle of the right to the protection of personal data. It allows data subjects not only to become aware of the processing of their personal data, but also, thereby, to exercise control – which may lead the data subject to take certain actions, where applicable.
42.
It is also precisely for this reason that the European legislator, in the GDPR, sharpened the obligation to inform data subjects of the processing of their personal data by attaching additional qualities to it such as conciseness, transparency, understandability and easy accessibility (see article 12.1 of the GDPR).
43. This information is all the more crucial as it is a condition allowing data subjects to have genuine freedom of choice in situations in which they would be required to consent to the processing of their personal data. [2]
44. The defendant also does not invoke any of the exceptions referred to in Article 13.4 of the GDPR.
45. Furthermore, it cannot be accepted under any circumstances that the apparent obviousness of a purpose of processing – at least for the controller – would discharge the data controller of its obligation to inform data subjects. Consequently, the Litigation Chamber finds that the defendant violated articles 12.1 and 13 of the GDPR.
III. Corrective measures and sanctions
46.
Under the terms of article 100 of the LCA, the Litigation Chamber has the power to:
1° dismiss the complaint;
2° order the dismissal of the case;
3° pronounce a suspension of the sentence;
4° propose a transaction;
5° issue warnings and reprimands;
6° order compliance with the data subject's requests to exercise their rights;
7° order that the data subject be informed of the security problem;
8° order the freezing, limitation or temporary or definitive ban on processing;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of the data and the notification of these to the recipients of the data;
11° order the withdrawal of the approval of certification bodies;
12° give fines;
13° issue administrative fines;
14° order the suspension of cross-border data flows to another State or an international body;
[2] C.J.U.E., November 11, 2020, Orange Romania SA v. National Authority for Supraveghere a Prelucrării Datelor cu Character Personal (ANSPDCP), aff. C-61/19, point 41.
In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days from its notification, with the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. [3] The interlocutory request must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud., [4] or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).
(Signed)
Hielke HIJMANS
President of the Litigation Chamber
[3] The request contains, on pain of nullity: 1° indication of the day, month and year; 2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or business number; 3° the surname, first name, address and, where applicable, the status of the person to be summoned; 4° the object and summary of the grounds of the request; 5° indication of the judge who is seized of the request; the signature of the applicant or his lawyer.
[4] The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court registry.