APD/GBA (Belgium) - 91/2024

From GDPRhub
Revision as of 11:44, 26 June 2024 by Nzm (talk | contribs)
APD/GBA - 91/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 77 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published: 03.06.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 91/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: APD/GBA (in NL)
Initial Contributor: nzm

The DPA dismissed a case considering that the objective right to lodge a complaint does not imply that every complaint can and will be thoroughly investigated by the competent authority, which can choose to handle complaints selectively with a view to an effective and efficient enforcement policy.

English Summary

Facts

The data subject’s parents leased a property to a relative. Upon termination of the residential lease, a release of the rental deposit was agreed. The data subject was asked by a bank (‘controller’) to provide a copy of the identity cards of her parents, or for her parents to go to the bank in person for the purpose of identification.

The data subject refused to do so, arguing that neither the anti-money laundering legislation, nor the legislation on residential tenancy imposed such a requirement for the release of the rental deposit. Moreover, due to their health condition, her parents could not visit the controller in person.

The data subject still provided a copy of her parents’ identity card; expressly stating that this action did not imply her agreement with the requirement to present these documents. She lodged a complaint with the Belgian DPA (‘GBA’) against the controller.

Holding

The GBA explained that the DPA can decide to dismiss a case and that there are two types of dismissals: (i) a ‘technical dismissal’ if the case file contains no or insufficient elements that could lead to a conviction or (ii) a ‘policy dismissal’ if, despite the presence of elements that could lead to a sanction, the continuation of the examination of the complaint does not seem appropriate in the light of the priorities of the DPA. In the present case, the GBA adopted such a ‘policy dismissal’.

First, the GBA did not consider it appropriate to conduct a hearing on the merits because of the low probability of success of the complaint. The DPA explained that it was clear from the submissions made by the data subject that the controller processed identity cards in the context of the obligations imposed on financial banking institutions under the Anti-Money Laundering Act. This regulation requires banks to identify and verify persons at the beginning of the business relationship, but also on an ongoing basis when occasional transactions occur.

The DPA referred to the duty of identification (know your customer principle) and to the duty of vigilance (Anti-Money Laundering Act) and considered that due to the existence of such a legal obligation on the controller, it was not appropriate to deal with the complaint in a hearing on the merits.

Second, the GBA decided not to follow up on the case for reasons of expediency. The DPA indicated that under Article 77 GDPR, any data subject whose personal data are processed within the territorial scope of the GDPR has the right to lodge a complaint. However, the GBA held that this objective right to lodge a complaint does not imply that every complaint can and will also be thoroughly investigated by the competent authority, given the intrinsic lack of resources and referred to CJEU, 16 July 2020, DPC v Facebook Ireland and Maximilan Schrems, C-311/18, §112 for this argument. The DPA pointed out that in this regard, the Belgian legislator has explicitly recognised the need for the DPA to be able to act selectively with a view to an effective and efficient enforcement policy in an explanatory memorandum to a legislative measure proposal.

Finally, the GBA considered that the context of the complaint made it more appropriate for it to be dealt with by another competent authority.

Comment

The GDPR in no way states that the objective right to lodge a complaint does not imply that every complaint can and will be thoroughly investigated. The GBA referenced §112 of the Schrems II case which indicates the following:

Although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the transfer of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence.”

This in no way confirms the argument that the DPA is trying to put forward. Therefore, referencing this CJEU case to argue that a DPA does not have to thoroughly investigate the complaint given the intrinsic lack of resources is quite peculiar.

In fact, the CJEU has even confirmed in the Schufa judgement that DPAs are required to deal with data subject complaints with all due diligence, and must react appropriately in order to remedy GDPR violations. The DPAs maintain a margin of discretion as to the choice of the appropriate means. Therefore, there is a choice of appropriate means, not a choice of (in)action.

But even if it was said in an explanatory memorandum that the Belgian DPA must be able to act selectively with a view to an effective and efficient enforcement policy, such a practice would evidently be contrary to the GDPR and CJEU case-law.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/6



                                                                          Dispute Chamber


                                                     Decision 91/2024 of June 13, 2024


File number: DOS-2024-00832


Subject: Complaint regarding the obligation to submit (a copy).

of) of the identity card at a financial banking institution for fraud prevention



The Disputes Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;


In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Considering the documents in the file;


Has made the following decision regarding:



Complainant: X, hereinafter “the complainant”


The defendant: Y, hereinafter “the defendant” Decision 91/2024 — 2/6


I. Facts and procedure


    1. On 29 November 2023, the complainant lodges a complaint with the Data Protection Authority

        against the defendant.


    2. The complainant's parents rented a property to a family member. Upon termination

        of the housing lease became a release of the rental deposit
        agreed. In this context, the defendant, a bank branch, informed the complainant

        asked to either provide a copy of the landlord's identity card, i.e.

        her parents, or that both parents would go to the bank office in person

        for the purpose of identification. The complainant initially refused this because she stated that

        neither the anti-money laundering legislation nor the legislation on residential rentals has any such effect

        requirement in the context of the release of the rental deposit. Besides, it was for

        her parents are unable to attend in person due to their health

        defendant. With a view to a quick release of the guarantee, the complainant has

        provided a copy of her parents' identity card, expressly stating:
        indicates that this action does not imply that she agrees with the requirement to do so

        to submit documents.


    3. On February 14, 2024, the complaint will be declared admissible by the First Line Service on

        on the basis of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG

        transferred to the Disputes Chamber.


II. Justification


    4. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis

        of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG

        assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case

        the Disputes Chamber will dismiss the complaint in accordance with Article 95,

        § 1, 3° WOG, based on the following justification.

    5. If a complaint is dismissed, the Disputes Chamber will make its decision

        to motivate gradually and:


           - to issue a technical dismissal if the file does not exist or is insufficient

               contains elements that could lead to a conviction, or if there is insufficient
               there is a prospect of a conviction due to a technical obstacle,

               which prevents her from reaching a decision;






1Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020,
p. 18. Decision 91/2024 — 3/6



            - or declare a policy rejection, if despite the presence of elements

                that could lead to a sanction, the continuation of the investigation

                dossier does not seem appropriate in the light of the priorities of the

                Data Protection Authority, as specified and explained in the

                dismissal policy of the Disputes Chamber. 2


    6. In the event of dismissal on more than one ground, the grounds for dismissal (resp.
                                                                                                3
        technical dismissal and policy dismissal) should be treated in order of importance.

    7. In the present file, the Disputes Chamber will dismiss the complaint,

        on the basis of policy grounds for dismissal. Below is an explanation of the


        reasoning of the Disputes Chamber that is the basis for the decision as to why

        considers it undesirable to take further action on the file and therefore decides not to proceed

        proceed to, inter alia, a substantive treatment.

    8. In this case, the Disputes Chamber does not consider it appropriate to proceed with a hearing

        due to the low risk of the complaint. In accordance with Article 6 of the GDPR

        There are six possible legal grounds on which a controller can carry out processing

        can base. This is clearly evident from the documents submitted by the complainant

        The defendant's processing of the complainant's identity card is part of the obligations

        be imposed on a financial banking institution in accordance with the Wet tot

        prevention of money laundering and the financing of terrorism

        of the use of cash of October 6, 2017 (hereinafter: the Anti-Money Laundering Act).


    9. Reference should therefore be made to the Anti-Money Laundering legislation that applies to

        financial banking institutions (in particular Article 8, §2, 1°, Article 19, §1, 1° and 3°, Article 21,

        §1 and 26, §1 and 27 and articles 30, 33 and 35). These provisions oblige banks to provide persons

        to identify and verify, not only at the beginning of the business relationship, but also

        continuously when occasional transactions occur (which is the case in this case).     4


    10. The Disputes Chamber refers in this case to the identification obligation (according to the Know-Your-

        Customer/Know-Your-Customer principle), as well as to the duty of vigilance provided for in
                                   5
        the Anti-Money Laundering legislation. The Disputes Chamber does not consider the current complaints procedure to be appropriate




2In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf
3
  Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the
dismissal policy of the Disputes Chamber.
4G. GOYVAERTS and V. SEYNAEVE, “[Preventive part of the anti-money laundering legislation] The law of 18 September 2017” in A.
TIBERGHIEN, Handbook of Tax Law, Wolters Kluwers Belgium, Mechelen, 2023, 3056.
5
 Act of 18 September 2018 on the prevention of money laundering and the financing of terrorism and on limiting
of the use of cash, hereinafter “Anti-Money Laundering Act”:

https://www.ejustice.just.fgov.be/eli/wet/2017/09/18/2017013368/justel;enReglementvandeNationaleBankvanBelgiëvan
November 21, 2017 on the prevention of money laundering and terrorist financing; D. Goens, Data
protection at financial institutions, Intersentia, Antwerp, 2018, 442 et seq. Decision 91/2024 — 4/6


        prevents the defendant from refusing to issue the requested release of the rental deposit

        if the complainant continues to refuse the requested identification documents from her parents

        and/or provide the update of these identification documents to the defendant and

        that in the light of the aforementioned Anti-Money Laundering legislation. The Dispute Chamber points out

        Please note that the institutions subject to these anti-money laundering obligations have a

        have developed procedural processing activity that is plausible and that it

        presentation of (a copy of) the electronic identity card

        anti-money laundering purposes are not questioned by the Disputes Chamber. Also the

        necessary/legal updating of the personal data via another copy or


        reading of the identity card is not questioned by the Disputes Chamber.

    11. It is because of the existence of such a legal obligation under

        defendant that the Disputes Chamber does not consider it appropriate to file the relevant complaint

        ground to be treated. Primafacie, they cannot establish a violation of the GDPR.


    12. The Disputes Chamber decides not to follow up on the matter for expediency reasons

        file. Under Article 77 of the GDPR, every data subject whose personal data

        are processed within the territorial scope of the GDPR, of a

        right of complaint. However, this objective right to complain does not imply that every complaint also applies

        can and will be thoroughly investigated by the competent authority, given the intrinsic nature

        lack of resources.    7 The Belgian legislator has recognized in this regard “the need for the

        Data protection authority to be able to act selectively with a view to a

        effective and efficient enforcement policy” is explicitly recognised. 8


    13. Secondly, and in a subordinate order, the Disputes Chamber determines that the complaint is appropriate

        in a broader context which it is more appropriate to be dealt with by a

        other competent authority. The Disputes Chamber determines that the complaint must be framed

        are in the broader context of the release of the rental deposit and the applicable

        procedures set up for this purpose by the defendant in accordance with applicable legislation

        about this. The Disputes Chamber does not consider it appropriate for it to suspend the procedures of


        to test the defendant regarding the release of the rental deposit against the applicable

        legislation in this regard. Bearing this in mind, the Disputes Chamber rules that its intervention in

        in this case is not strictly necessary and that it is more expedient for the complainant to




6See in particular Article 35 of the Anti-Money Laundering Act

7Cf. Court of Justice EU, judgment of 16 July 2020, DPC v. Facebook Ireland & Maximillian Schrems, C-311/18, para. 112
8
 Own emphasis in quotation, cf. Belgian Chamber of Representatives, Explanatory Memorandum to the
Draft law establishing the Data Protection Authority, Doc. 2648/001 (Parliamentary term 54), available via:

https://www.dekamer.be/kvvcr/showpage.cfm?section=/flwb&language=nl&cfm=/site/wwwcfm/flwb/flwbn.cfm?lang=N&leg
islat=54&fileID=2648, 51
9
   Ground for dismissal B.3 of the dismissal policy of the Disputes Chamber, dated. June 18, 2021, available via
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf.                                                                                               Decision 91/2024 — 6/6



in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit

IT system of Justice (Article 32ter of the Judicial Code).


To enable the complainant to consider other possible remedies, the

Disputes Chamber will refer the complainant to the explanation in its dismissal policy.            15







(get). Hielke H IJMANS


Chairman of the Disputes Chamber































































14The application and its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.

15Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.