APD/GBA (Belgium) - 49/2024

From GDPRhub
Revision as of 15:05, 7 August 2024 by Fb (talk | contribs)
APD/GBA - 49/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 17(3)(e) GDPR
Article 10(1)(3) Wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens
Type: Complaint
Outcome: Rejected
Started:
Decided: 29.03.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 49/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (in NL)
Initial Contributor: wp

The DPA found a controller rightfully declined an erasure request in accordance with Article 17(3)(e) GDPR since the controller demonstrated that the data is needed for future criminal proceedings against the data subject.

English Summary

Facts

A data subject requested access to and erasure of their personal data. A fear of a “major negative personal impact”, including possible defamation was indicated as a reason for the request to erase the data.

The data controller rejected the erasure request, because the data subject gave consent to the data processing and, afterwards, the controller needed to keep the data for an overriding public interest.

The data subject filed a complaint with Dutch DPA (APD/GBA).

During the examination proceedings, the controller argued that the decision to reject the erasure request was based on Article 10 (1)(1) and Article 10 (1)(3) of the Dutch Personal Data Protection Law (Wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens). This law authorized the controller to process the data contrary to data subject’s request, since the data subject would potentially be accused of criminal offences and the controller would be involved in the proceedings. Hence, as a party to the proceedings, the controller could provide the authority with necessary evidence.

In addition, the data controller explained that an overriding public interest referred to a type of potential proceedings.

Holding

The DPA considered that the compliant consisted of two separate issues, namely the refusal answer the access request and the refusal to fulfil the erasure request.

The DPA rejected the alleged refusal to act on the access request. According to the DPA, the controller did not respond to data subject access request, but during the proceedings the controller confirmed their readiness to do so.

On the allegation of the erasure request refusal, the DPA found it manifestly unfounded. The DPA referred to the wording of Article 17(3)(e) GDPR, which excluded the application of right to erasure in cases where data are necessary “for the establishment, exercise or defence of legal claims.”. The controller proved it was reasonably plausible the data at hand would be used for future (possible) criminal proceedings against data subject. Also, the scope of data requested by the data subject suggested a future proceedings with the data subject were likely.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/7



                                                                          Dispute Chamber


                                                  Decision 49/2024 of March 29, 2024


File number: DOS-2024-00015


Subject: complaint for failure to respond to a request for access and refusal

erasure of data for reasons of important public interest



The Disputes Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, sole chairman;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter “WOG”;


In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;


Considering the documents in the file;



Has made the following decision regarding:



Complainant: X, hereinafter “the complainant”;


The defendant: Y, represented by master K RISTIEN V ANDERHEIDEN, hereinafter “de

                   defendant".                                                                            Decision 49/2024 — 2/7


I. Facts and procedure


 1. The subject of the complaint concerns the failure to respond to a request for access and the

      refuse erasure of data for reasons of important public interest.

 2. On December 30, 2023, the complainant filed a complaint with the

      Data Protection Authority against the defendant.

      On October 13, 2023, the complainant submitted a request for access and subsequent deletion of his

      personal data submitted to the defendant. After all, the complainant feared a “major

      negative personal impact” in the form of possible defamation and defamation. On October 22

      2023, the defendant replied that he had received the requests and would submit them

      with his counsel. On December 30, 2023, the defendant replied that he had no action
      could grant his request for data erasure because the complainant agreed upon registration

      had given to process his data and because the defendant needed the data

      retained for the sake of an important public interest.


 3. On January 9, 2024, the complaint was declared admissible by the First Line Service on the grounds
      of Articles 58 and 60 WOG and the complaint was dismissed on the basis of Article 62, § 1 WOG

      transferred to the Disputes Chamber.


 4. On February 23, 2024, the Disputes Chamber asked 3 questions for clarification
      defendant:


           - On what exception does the defendant base his refusal to inspect?

               the complainant's personal data in his possession, as the defendant,
               based on the documents, does not appear to grant access?


           - On what “prior agreement”, as mentioned in the email of December 30

               2023, the defendant relies on the inspection and/or deletion of
               refuse personal data?


           - On what “important public interest”, as cited in the email of 30

               December 2023, the defendant believes he can support the erasure of
               refuse personal data and what legal basis he believes he has for this

               can invoke, given that the term 'substantial public interest' is used in the GDPR

               used in the context of processing special categories of

               facts?

       The Disputes Chamber also points out to the defendant Article 15.4 GDPR and recital 63 GDPR

       which states that the complainant should not be withheld all information.


       The complainant confirmed receipt of these requests for clarification to the same day
       defendant.                                                                              Decision 49/2024 — 3/7


 5. On March 6, 2024, the defendant responded to the questions of the Disputes Chamber. The

       the complainant also received a copy of this response.

           - The defendant had not allowed access because of a possible danger

               the privacy of others, partly because the police will open a file in June 2023

               would have been opened against the complainant. The defendant wanted to handle the

               personal data, but is now prepared to provide access to the data of the

               complainant.

           - The “prior agreement” concerns the privacy statement that the complainant has

               signed. The defendant does not rely on this document to justify the erasure

               to refuse.

           - The grounds used by the defendant to refuse the erasure are based on Article

               10, §1, 1° and 3° of the Act on the Protection of Natural Persons

               regarding the processing of personal data from July 30, 2018. The
               the complainant would have been accused of criminal offences, in which the

               defendant would be involved as a party or in which the defendant

               could contribute evidence or crucial precedents in favor of

               the common interest. The heavy weight of the common interest is explained by the

               fact that it contains details of criminal convictions or criminal offences
               Re.


           The defendant adds that Article 15.4 GDPR was complied with by signing

           of the privacy policy document by the complainant.


II. Justification


 6. From the documents available to the Disputes Chamber, it concludes that the complaint consists of:

       2 parts. On the one hand, the defendant did not respond to a request for access

       the complainant's personal data. On the other hand, the defendant refused the

       to erase personal data of the complainant upon his request. The Dispute Chamber
       will treat the 2 parts separately in its motivation.


 7. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis

       of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG

       assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case
       the Disputes Chamber will dismiss the complaint in accordance with Article 95,

       § 1, 3° WOG, based on the following justification.                                                                                   Decision 49/2024 — 4/7



 8. If a complaint is dismissed, the Disputes Chamber will make its decision
                                 1
       to motivate gradually and:

            - to issue a technical dismissal if the file does not exist or is insufficient

                contains elements that could lead to a conviction, or if there is insufficient

                there is a prospect of a conviction due to a technical obstacle,

                which prevents her from reaching a decision;


            - or declare a policy rejection, if despite the presence of elements

                that could lead to a sanction, the continuation of the investigation

                dossier does not seem appropriate in the light of the priorities of the

                Data Protection Authority, as specified and explained in the

                dismissal policy of the Disputes Chamber. 2


 9. In the event of dismissal on more than one ground, the grounds for dismissal (resp.

       technical dismissal and policy dismissal) should be treated in order of importance.   3


 Part 1: failure to respond to a request for access to personal data

 10. In the present file, the Disputes Chamber will dismiss this part

       1 of the complaint for reasons of expediency, which makes it undesirable to continue

       to follow up on the file and therefore decide not to proceed with, inter alia, one

       treatment on the merits. The Disputes Chamber weighs the personal consequences of the

       circumstances of the complaint affect the fundamental rights and freedoms of the complainant

       against the effectiveness of its action, when it decides whether it considers it appropriate

       to handle the complaint further. In this case, the subject of the complaint has disappeared as a result

       of the measures taken by the defendant.      4


 11. Although the defendant did not respond to the request for access submitted by the complainant

       on October 13, 2023, the defendant responded to the

       The Disputes Chamber has still declared its willingness to grant access to the complainant:

                “The client is now prepared to grant [the complainant] access to the file in question

                his personal data. The Client will make the necessary practical arrangements for this

                with [the complainant].”


 Part 2: refusing to erase data for compelling general reasons

       interest



1Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020,
p. 18.

2In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf
3 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the

dismissal policy of the Disputes Chamber.
4Cf. criterion B.6 in the dismissal policy of the Disputes Chamber.                                                                                 Decision 49/2024 — 5/7


 12. In the present file, the Disputes Chamber will dismiss this part

       2 of the complaint on the basis of a technical dismissal. After all, she judges that part 2 of

       the complaint is manifestly unfounded, as a result of which it considers it undesirable to take further action

       to the file and therefore decides not to proceed with, inter alia, a hearing at

       ground.

 13. The complaint is manifestly unfounded as the right to erasure of data according to Article

       17, § 3, e) GDPR does not apply if the processing is necessary “for the establishment,

       exercise or substantiation of a legal claim”. The defendant makes it

       sufficiently plausible in the documents that such a legal action will result in the future

       the possibilities, resulting in the deletion of the complainant's data

       could prevent substantiation of this possible legal claim.

 14. In addition, the complainant also indirectly points out facts that may be of such a nature that a

       legal action is possible


            - to state in his complaint that it concerns “unproven facts”;

            - to state in his request that he wants access to the following documents:


                    o “The report of the day of the complaint itself […]”

                    o “A copy of the procedure for dealing with cross-border

                        behaviour […]"

                    o “A copy of the so-called “logbook”, in which all the events step

                        are described step by step […]”


 15. Given the nature of the alleged facts, in particular transgressive behavior, it is not

       unthinkable that criminal proceedings could be initiated against the complainant.

       Because of the secrecy of the research, it would not be unusual for the
       defendant would not be aware of this investigation. For these reasons the

       Dispute Chamber it is sufficient that there is a 'possible' legal action

       take place in the future to justify that the complainant's data is not

       be deleted on the basis of Article 17.3.e) GDPR. The Disputes Chamber points out the same point

       also on the defendant's responsibility to exercise due care and appropriateness

       the complainant's personal data, especially given the circumstances of this situation. In

       in particular, the Disputes Chamber points out the defendant's duty to:

       ensure confidentiality and integrity of the personal data, as provided

       in Article 5.1.f) GDPR.






5Cf. criterion A.2 in the dismissal policy of the Disputes Chamber.                                                                                          Decision 49/2024 — 7/7



To enable the complainant to consider other possible remedies, the

Disputes Chamber will refer the complainant to the explanation in its dismissal policy.       10







 (get). Hielke H IJMANS


 Chairman of the Disputes Chamber





































































10Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.