APD/GBA (Belgium) - 03/2021

| APD/GBA - 03/2021 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(b) GDPR, Article 6(1)(f) GDPR, Article 6(4) GDPR, Article 24(1) GDPR, Article 24(2) GDPR, Article 25(1) GDPR, Article 25(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 13/01/2021 |
| Published: | 13/01/2021 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 03/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Beslissing ten gronde 03/2020 van 13 januari 2021 (in NL) |
| Initial Contributor: | Enzo |
The Belgian DPA (APD/GBA) held that a school sending a newsletter to the parents of its pupils with all recipient email addresses visible in CC breached Article 5(1)(b) GDPR: disclosing a parent's address to the other parents was not within the reasonable expectations of parents who had provided their contact details for communication with the school, so the disclosure was incompatible further processing.
The school could not rely on legitimate interest (Article 6(1)(f) GDPR) either: a simple technical measure (sending in BCC) reaches all parents without exposing their addresses, so the processing was not necessary, and the parents did not expect their personal data to be further processed in this way.
Because the school kept sending emails with addresses in CC despite internal guidelines requiring BCC, it also failed to meet its responsibilities as controller and the principles of data protection by design and by default (Articles 24 and 25 GDPR).
English Summary
Facts
A school sent a newsletter to all parents with the parents' email addresses visible in the Carbon Copy (CC) field instead of Blind Carbon Copy (BCC).
The school replied that the addresses had been placed in CC by mistake, that its internal guidelines require bulk emails to external recipients to be sent in BCC, and that the period during which a sent email can be recalled had been raised from 5 to 30 seconds. The school also apologised.
The complainant replied that he had received emails with visible addresses before, and that an email of 22 April 2020, sent after the school said it had taken these measures, again showed all addresses in CC.
Dispute
Is disclosing the email addresses of pupils' parents to the other parents permissible under Article 5(1)(b) GDPR, given that this was not the purpose for which the addresses were collected?
If not, can the school rely on legitimate interest under Article 6(1)(f) GDPR?
Holding
The school holds the parents' contact details on the basis of contractual necessity (Article 6(1)(b) GDPR): without them it cannot communicate with the parents, and a pupil cannot attend the school without the school having contact details for a parent. Consent is therefore not a conceivable legal basis for collecting the details, because parents have no free choice about providing them.
Article 5 GDPR
The DPA states that contact details may be processed for a purpose other than the one for which they were collected, provided the new purpose is compatible with the original one, and assesses the compatibility of this further processing under Article 5(1)(b) GDPR using the criteria of Article 6(4) GDPR and Recital 50.
The parents, however, provided their contact details only within their relationship with the school. The other parents stand outside that relationship, so the parents could not reasonably expect their addresses to be shared with them. The purposes are therefore incompatible.
Since incompatible further processing needs a legal basis of its own under Article 6(1) GDPR, the DPA goes on to examine whether one exists.
Article 6 GDPR
The school itself put forward no legal basis, admitting the CC was an error. The DPA nevertheless examined of its own motion whether the school could rely on legitimate interest under Article 6(1)(f) GDPR, the only ground of Article 6(1) that could apply. Following CJEU case law (Rīgas satiksme, C-13/16, and TK, C-708/18), three cumulative conditions must be met: the controller pursues a legitimate interest, the processing is necessary for that interest, and the fundamental rights and freedoms of the data subject do not override it.
Assessment of legitimate interest
Reaching all parents simultaneously with a single email is a legitimate interest. The means chosen, however, is not necessary: a simple technical measure (sending in BCC) reaches every recipient in one action without making the addresses visible, so the CC mailing also breaches the data minimisation principle (Article 5(1)(c) GDPR). As to the balancing test, the parents' reasonable expectations (Recital 47 GDPR) were confined to their relationship with the school; they did not expect their address to be shared with other parents.
The second and third conditions are therefore not met, and no legal basis covers the disclosure.
The school breached Article 5(1)(b) GDPR in conjunction with Article 6(4) GDPR, as well as Article 6(1) GDPR.
Articles 24 and 25 GDPR
Furthermore, the school continued the practice after the complaint (the email of 22 April 2020 again showed all addresses in CC), even though it had internal guidelines requiring BCC and had stated that the matter would be followed up. Guidelines that are not applied in practice do not satisfy Article 24(1) and (2) GDPR (appropriate technical and organisational measures, including an implemented data protection policy) or Article 25(1) and (2) GDPR (data protection by design and by default).
No fine was imposed. The DPA issued a reprimand and ordered the school to bring its processing into line with Articles 24 and 25 GDPR within three months, reporting back by 31 March 2021.
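The decision turns on the gap between a written guideline ("bulk mail goes in BCC") and what actually left the mail server. The following Python example, added here and not taken from the decision or from the school, shows the control as enforceable code rather than as policy: a pre-send check that flags a message exposing several external addresses in To or Cc, and a builder that composes group mail with the sender in To and everyone else in Bcc. The school domain, the parent addresses and the newsletter text are constructed for illustration; the recording transport stands in for an SMTP connection so the example runs offline.

```python
"""Enforce the BCC-only rule for group e-mail.

Added example, not code from the DPA decision or the school. The domain,
addresses and message text below are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SCHOOL_DOMAIN = "example-school.be"  # assumption: the controller's own mail domain


def _addresses(headers) -> list[str]:
    """Flatten a list of address headers into lower-cased bare addresses."""
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everything in To and Cc.

    Bcc is deliberately excluded: a compliant transport never delivers it."""
    return _addresses(msg.get_all("To", []) + msg.get_all("Cc", []))


def bcc_recipients(msg: EmailMessage) -> list[str]:
    """Addresses that will receive the mail without being shown to the others."""
    return _addresses(msg.get_all("Bcc", []))


def disclosure_violations(msg: EmailMessage, own_domain: str = SCHOOL_DOMAIN,
                          max_external_visible: int = 1) -> list[str]:
    """Return the external addresses a message would disclose to other recipients.

    One external address in To is an ordinary one-to-one mail. Two or more
    external addresses visible together is the CC pattern sanctioned in the
    decision; the threshold is an assumption a deployment may tighten."""
    external = sorted({a for a in visible_recipients(msg)
                       if not a.endswith("@" + own_domain)})
    return external if len(external) > max_external_visible else []


def build_group_message(sender: str, recipients: list[str],
                        subject: str, body: str) -> EmailMessage:
    """Compose a group mail the data-minimising way: sender in To, parents in Bcc.

    smtplib.SMTP.send_message() uses To/Cc/Bcc for the envelope but strips the
    Bcc header from the transmitted copy, so recipients never see each other."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_if_compliant(msg: EmailMessage, transport) -> bool:
    """Technical gate instead of a guideline staff must remember: refuse to send
    when the disclosure check fails. `transport` is anything exposing
    send_message(msg), e.g. an smtplib.SMTP connection."""
    if disclosure_violations(msg):
        return False
    transport.send_message(msg)
    return True


# Constructed sample data: the error described in the decision beside the fix.
PARENTS = ["parent.a@mail.example", "parent.b@mail.example", "parent.c@mail.example"]
SENDER = f"secretariat@{SCHOOL_DOMAIN}"


def erroneous_message() -> EmailMessage:
    """The 30 January 2020 pattern: every parent visible to every other parent."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(PARENTS)  # the mistake: addresses exposed in CC
    msg["Subject"] = "Monthly newsletter"
    msg.set_content("Nursery department opens; the school is closed tomorrow.")
    return msg


class RecordingTransport:
    """Stand-in for smtplib.SMTP so the example runs offline; records what would be sent."""

    def __init__(self):
        self.sent = []

    def send_message(self, msg):
        self.sent.append(msg)


if __name__ == "__main__":
    transport = RecordingTransport()
    bad = erroneous_message()
    print("exposed by CC version:", disclosure_violations(bad))
    print("sent:", send_if_compliant(bad, transport))
    good = build_group_message(SENDER, PARENTS, "Monthly newsletter", "See attached.")
    print("visible in BCC version:", visible_recipients(good))
    print("sent:", send_if_compliant(good, transport))
```

The check inspects headers rather than trusting the composing client, so it works as a hook in a mail gateway or in the script that generates the newsletter. The Bcc stripping relied on above happens in `smtplib.SMTP.send_message()`; code that serialises the message with `as_string()` and hands it to `sendmail()` would transmit the Bcc header to every recipient, which is exactly the disclosure the gate is meant to prevent.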
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Disputes Chamber
Decision on the merits 03/2020 of 13 January 2021
File number: DOS-2020-00608
Subject: Sending by a school of a group e-mail with all recipients visible

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Christophe Boeraeve and Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the rules of internal procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
Having regard to the documents in the file;

has taken the following decision regarding:
- X, hereinafter "the complainant"
- Y, hereinafter "the defendant"

1. Facts and procedure

1. On 30 January 2020, the complainant lodged a complaint with the Data Protection Authority against the defendant.
2. The complaint concerns the sending by the defendant of a newsletter e-mail addressed to the parents of the pupils of the whole school, with all e-mail addresses visible to all recipients of that e-mail.
3. On 17 February 2020, the complaint was declared admissible under Articles 58 and 60 WOG and submitted to the Disputes Chamber on the basis of Article 62, §1 WOG.
4. On 3 April 2020, the Disputes Chamber decided, on the basis of Article 95, §1, 1° and Article 98 WOG, that the file was ready for treatment on the merits.
5. On 3 April 2020, the parties concerned were notified by registered mail of the provisions of Article 95, §2 and of Article 98 WOG. They were also informed, on the basis of Article 99 WOG, of the time limits for submitting their submissions. The deadline for receipt of the defendant's statement of response was set at 18 May 2020, that for the complainant's statement of reply at 8 June 2020 and that for the defendant's statement of rejoinder at 29 June 2020.
6. On 18 May 2020, the Disputes Chamber received the defendant's statement of response. In it the defendant confirms that on 30 January 2020 Y sent an e-mail with the monthly news items, concerning communication about the start-up of the nursery department by the municipality and a notice that the school would be closed the next day. When the message was sent, the parents' addresses were mistakenly placed in the "Carbon Copy" (CC) field instead of "Blind Carbon Copy" (BCC). The error was noticed too late, and an attempt to undo or recall the e-mail failed. According to the defendant, it was by no means the intention to put all addresses in CC.
7. The defendant further submits three documents containing guidelines on sending e-mails to external persons, each stating that e-mail addresses must be placed in BCC when an e-mail is sent in bulk. In addition, the default period for unsending an e-mail, initially 5 seconds, has now been set to 30 seconds, so that in case of doubt the e-mail can still be recalled.
8. The defendant also apologises to the complainant for the dissemination of his e-mail address.
9. On 20 May 2020, the Disputes Chamber received the complainant's statement of reply, in which he states that, before the e-mail of 30 January 2020 that is the subject of the complaint, he had several times received e-mails from the defendant in which the e-mail addresses were visible to all recipients. Notwithstanding the efforts the defendant claims to have made, the complainant adds an e-mail sent by the defendant on 22 April 2020 which shows that even after 30 January 2020 all e-mail addresses were visible to all recipients.
10. On 22 May 2020, the Disputes Chamber received the defendant's statement of rejoinder, in which he indicates that he will take the necessary steps to ensure follow-up.

2. Legal basis

- Article 5.1.b) GDPR: "Personal data shall be: [...] (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');"
- Article 6.1 GDPR: "Processing shall be lawful only if and to the extent that at least one of the following applies: [...] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. [...]"
- Article 6.4 GDPR: "Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing; (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller; (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10; (d) the possible consequences of the intended further processing for data subjects; (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation."
- Article 24.1 and 2 GDPR: "1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. 2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller."
- Article 25.1 and 2 GDPR: "1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons."

3. Justification

11. The defendant holds the contact details of the pupils' parents, including the complainant, in order to be able to communicate with them about information that is relevant in the context of the defendant's relationship with the pupils' parents. The Disputes Chamber assumes that a legal basis within the meaning of Article 6.1 GDPR exists for obtaining this information, namely the necessity for the performance of the contract between the complainant and the defendant (Article 6.1.b). After all, it does not in principle seem possible for pupils to receive education from a school without the school having the e-mail details of (one of) the pupil's parents. For that reason, consent as a legal basis in accordance with the conditions of Articles 4(7) and 7 GDPR is not conceivable for obtaining the data: parents of children do not have the freedom to choose whether or not to provide their contact details to the school.
12. The Disputes Chamber will examine to what extent the defendant may share the complainant's contact details with third parties, in the present case the parents of other pupils.
13. In accordance with Article 5.1.b) GDPR, the processing of personal data for purposes other than those for which the personal data were initially collected is permitted if that processing is compatible with the purposes for which the personal data were initially collected. Taking into account the criteria in Article 6.4 GDPR and recital 50 GDPR [1], it must therefore be ascertained whether the further processing, in this case the communication of the complainant's contact details by e-mail to the parents of other pupils, is compatible with the initial processing, consisting of the collection of the complainant's contact details in the context of direct contact between the pupils' parents and the school. The Disputes Chamber concludes that the complainant provided his contact details within the framework of his relationship with the school (the defendant) and could not reasonably expect that the school would share those details with third parties who have their own link with the school, namely the parents of other pupils, but who stand outside the relationship between the complainant and the school.
14. This leads to the conclusion that there is no compatible further processing, so that a separate legal basis is required before the communication of the complainant's contact details to the parents of other pupils could be considered lawful.
15. Processing of personal data, including incompatible further processing as in the present case, is only lawful if there is a legal basis for it. For incompatible further processing operations, recourse must be had to Article 6.1 GDPR and recital 50 GDPR [2]. Recital 50 GDPR states that a separate legal basis is required for the processing of personal data for purposes that are incompatible with the purposes for which the personal data were initially collected. The separate legal grounds on the basis of which a processing operation, including incompatible further processing, can be considered lawful are provided in Article 6.1 GDPR.
16. To this end, the Disputes Chamber will investigate to what extent the legal grounds set out in Article 6.1 GDPR can be invoked by the defendant in order to justify the further processing of the personal data relating to the complainant.
17. The defendant himself does not put forward any legal basis which would allow him to carry out the data processing that is the subject of the complaint, namely the communication of the complainant's e-mail address to the parents of other pupils. Moreover, the defendant expressly admits that this communication was an error and that it was by no means intended to put all e-mail addresses in CC. The defendant therefore does not argue that the communication should take place and accordingly does not attempt to justify it by relying on any legal basis.
18. On the basis of the factual elements in the file, the Disputes Chamber examines of its own motion whether a legal ground can, if need be, be invoked that would allow the defendant to send the e-mail with the complainant's e-mail address visible to all recipients. To this end, the Disputes Chamber will investigate whether the communication of the complainant's e-mail address can be based on a legitimate interest of the defendant (Article 6.1.f) GDPR). The other legal grounds in Article 6.1, points a), b), c), d) and e) GDPR are not applicable in the present case.
19. In accordance with Article 6.1.f) GDPR and the case law of the Court of Justice of the European Union (hereinafter "the Court"), three cumulative conditions must be fulfilled for a controller to validly invoke this ground of lawfulness, "namely, first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence" (Rīgas satiksme judgment) [3].
20. In order to be able to rely on the lawfulness ground of "legitimate interest", the controller must therefore demonstrate that:
1) the interests pursued by the processing can be recognised as legitimate (the "purpose test");
2) the intended processing is necessary for the realisation of those interests (the "necessity test"); and
3) the balancing of those interests against the interests, fundamental freedoms and fundamental rights of the data subjects weighs in favour of the controller (the "balancing test").
21. With regard to the first condition (the "purpose test"), the Disputes Chamber considers that the aim of reaching all the pupils' parents simultaneously by sending a single e-mail can be regarded as pursued with a legitimate interest in mind. The interest the defendant pursues as controller may in itself, in accordance with recital 47 GDPR, be considered legitimate. The first condition of Article 6.1.f) GDPR is therefore satisfied.
22. In order to meet the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means asking whether the same result can be achieved by other means, without processing personal data or without processing that is unnecessarily intrusive for the data subjects.
23. Given the purpose of reaching the pupils' parents in a single e-mail, the Disputes Chamber must find that a simple technical means exists that allows the intended recipients to be reached in a single action without everyone's e-mail addresses being visible, namely sending in BCC instead of CC. The second condition is thus not satisfied, because the principle of data minimisation (Article 5.1.c) GDPR) has not been complied with.
24. In order to verify whether the third condition of Article 6.1.f) GDPR, the "balancing test" between the interests of the controller on the one hand and the fundamental freedoms and fundamental rights of the data subject on the other, can be fulfilled, account must be taken, in accordance with recital 47 GDPR, of the reasonable expectations of the data subject. More specifically, it must be assessed whether "a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place" [4].
25. This is also emphasised by the Court in its judgment TK v Asociaţia de Proprietari bloc M5A-ScaraA of 11 December 2019, in which it states: "Also relevant for the purposes of that assessment are the reasonable expectations of the data subject that his or her personal data will not be processed when, in the circumstances of the case, that person cannot reasonably expect further processing of those data." [5]
26. With regard to this third condition, the Disputes Chamber can only find that the complainant could at no time expect his e-mail address to be shared with the parents of other pupils.
27. The Disputes Chamber is of the opinion that the totality of the elements set out demonstrates that the defendant cannot rely on any legal basis establishing the lawfulness of the data processing it carried out. Moreover, the defendant does not dispute the facts and states that in the e-mail that is the subject of the complaint the complainant's e-mail address was placed in the "CC" field instead of "BCC", albeit unintentionally. In doing so, he indicates that he has committed an infringement in the processing of the complainant's personal data. The Disputes Chamber thus concludes that the infringement of Article 5.1.b) in conjunction with Article 6.4 GDPR, and of Article 6.1 GDPR, has been proven.
28. Although it appears from the documents submitted by the defendant that general guidelines have been drawn up within the school requiring the recipients of group e-mails to be entered in BCC, the complainant shows that these guidelines are not being applied in practice. Not only does the e-mail of 30 January 2020 to which the complaint relates disregard that guideline, but in the e-mail of 22 April 2020 enclosed by the complainant in his statement of reply that rule is not applied either. The defendant does not rebut this, but merely states that the matter will be followed up. The Disputes Chamber is of the opinion that the infringement of Article 24.1 and 2 and Article 25.1 and 2 GDPR is proven.
29. Moreover, the Disputes Chamber is of the opinion that a school should be transparent about the way in which it processes parents' (communication) data and should develop a policy for this purpose. The Disputes Chamber therefore recommends that the defendant develop such a policy, which serves to ensure that communication with parents takes place in accordance with Article 24.1 and 2 and Article 25.1 and 2 GDPR.
30. Since this problem concerns all schools in Belgium, the Disputes Chamber sees its decision as an incentive for schools to handle parents' data with care and to develop a policy to this end. An important part of that would be the further processing of data, whereby, in cases in which Article 6.1.f) GDPR cannot be applied, consent can be used as a legal basis, for example when the data are processed for the purpose of communication between parents.
31. It is important here that schools bear in mind that, as a general rule, where consent has been given, further processing is only possible within the scope of that consent. After all, consent must be granular [6]. If parents consent to the use of their communication data by the school in the context of communication with other parents, the same data may not be passed on to third parties, for example for direct marketing (e.g. for school books). If the school nevertheless wanted to pass that information on for direct marketing purposes, it would have to ask the parents for consent again. This is also in accordance with the guidelines of the European Data Protection Board (EDPB) on consent [7], which in essence provide that the controller must determine, prior to the collection of personal data, the legal basis on which the processing is based, and cannot switch to the legal basis of "legitimate interest" when the further processing does not fit within the initial legal basis of "consent" on which the data were collected.
32. The Disputes Chamber is of the opinion that the following sanctions are sufficient, also in view of the fact that the defendant himself admits that an error occurred and is willing to avoid such facts in the future.
33. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision is published on the website of the Data Protection Authority in accordance with Article 100, §1, 16° WOG, with the omission of the identification data of the parties, given that identification data are not necessary and relevant in the publication of the decision.

FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation:
- to issue a reprimand with regard to the defendant on the basis of Article 100, §1, 5° WOG;
- on the basis of Article 100, §1, 9° WOG, to order the defendant to bring the processing into line with Article 24.1 and 2 GDPR and Article 25.1 and 2 GDPR. The Disputes Chamber grants the defendant a period of three months for this and expects the defendant to report to it by 31 March 2021 on bringing the processing into line with the aforementioned provisions.

An appeal against this decision may be lodged, on the basis of Article 108, §1 WOG, within thirty days from its notification, with the Marktenhof (Market Court), with the Data Protection Authority as defendant.

(signed) Hielke Hijmans
Chairman of the Disputes Chamber

Footnotes
[1] Recital 50 GDPR: "[...] In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations."
[2] Recital 50 GDPR: "The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. [...]"
[3] CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme', paragraph 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 40.
[4] Recital 47 GDPR.
[5] CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, paragraph 58.
[6] Recital 43 GDPR: "[...] Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
[7] Guidelines 05/2020 on consent under Regulation 2016/679 (no official Dutch translation was available at the time), https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf: "121. Article 6 sets the conditions for a lawful personal data processing and describes six lawful bases on which a controller can rely. The application of one of these six bases must be established prior to the processing activity and in relation to a specific purpose. 122. It is important to note here that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent. Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals. 123. In other words, the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively utilize the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Because of the requirement to disclose the lawful basis, which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful base is."