APD/GBA (Belgium) - 04/2023
| APD/GBA - 04/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(c) GDPR Article 5(2) GDPR Article 12(2) GDPR Article 17(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 06.01.2023 |
| Decided: | 25.01.2023 |
| Published: | 27.01.2023 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 04/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | Enzo Marquet |
The DPA determined that the controller breached Articles 5(2), 12(2) and 17(1) GDPR, because it was unable to remove the data subject's e-mail from its mailing list. The DPA ordered the controller to comply with the erasure request pursuant of Article 58(2)(c) GDPR.
English Summary
Facts
The data subject requested the controller to erase his e-mail address, because he kept receiving unwanted marketing e-mails from the controller. The nature of the controller was not specified in this decision.
The data subject requested the controller to remove his e-mail address from its address list. The controller stated it was not able to do so because this e-mail address was not included in the controller's list in the first place. The controller asked the data subject if he maybe had another e-mail address, that was coupled to the one the data subject was using currently. This coupling of e-mail addresses could potentially explain the situation. When an e-mail was received by this 'middle man' email-address, it would be forwarded to the data subject's current e-mail address. That could be the reason why the data subject was receiving e-mails on his current e-mail address, despite the fact it was not registered by the controller.
The data subject stated that he could not answer this question of the controller because the controller used the 'BCC' feature for sending its marketing e-mails, which made it impossible for the recipient of an e-mail to see other recipients of the same e-mail. It was therefore not possible for the data subject to verify if another of his e-mail addresses was included in the controller's list of recipients. The data subject kept receiving direct marketing messages after this exchange with the controller on his current e-mail address.
The data subject filed a complaint at the Belgian DPA at 6 January 2023, because the controller could not comply with his erasure request.
Holding
The DPA confirmed that the data subject correctly exercised his right to erasure. It also reiterated that the controller had explicitly stated that it had been unable to delete the e-mail address of the data subject from its address list. Thus, the DPA determined that the controller did not fulfil the principle of accountability under Article 5(2) GDPR, because it did not show that it could comply with the data subject's erasure request and was also unable to show that it facilitated the exercise of data subject's rights in Articles 15 - 22 GDPR, in this case, the right of erasure.
The DPA held that a by not granting the request to erasure, the controller had violated Articles 5(2) GDPR, 12(2) GDPR and 17(1) GDPR.
The DPA also determined that the controller's action of asking the data subject for additional e-mail addresses violated Article 5(1)(c) GDPR, the principle of data minimization. A controller had to be able to erase personal data from its database without asking additional e-mail addresses of data subjects. However, the DPA also confirmed that the controller's practice of sending mails using the 'BCC' feature was in line with the data minimisation principle, because this made it possible to e-mail different recipients without disclosing the identities of all recipients in the e-mail.
The DPA ordered the controller to comply with the erasure request pursuant of Article 58(2)(c) GDPR.
Comment
This was a preliminary (prima facie) decision according to Article 95 WOG, prior to a decision on the merits.
The decision incorrectly refers to Article 5(c) GDPR instead of Article 5(1)(c) GDPR in point 5.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/7
Litigation room
Decision 04/2023 of 25 January 2023
File number : DOS-2023-00161
Subject : Refusal to comply with data erasure request
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,
sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (general
Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the rules of internal order, as approved by the Chamber of Representatives
on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision regarding:
.
The complainant: Mr X, hereinafter referred to as “the complainant”; .
.
The controller: Y, hereinafter “the controller” Substantive decision 04/2023 - 2/7
I. Factual Procedure
1. On January 6, 2023, the complainant filed a complaint with the Data Protection Authority against the
controller.
2. The object of the complaint concerns the lack of appropriate action on the part of the
controller at the request of the complainant to erase his
personal data, in particular his e-mail address which is provided by the controller
is used to send the complainant unsolicited advertising. The complainant indicates that he
repeatedly requested that data be erased. The
controller has responded to this by indicating that the e-mail address
with which the complainant addresses the controller with the request for deletion,
being the address […], is not included in his listing/address list. This has led to the
controller requested the complainant to indicate whether he has any other concerns
has an email address associated with […]. The complainant then argued that the unwanted e-mails were passed on
be sent to the controller in "bcc", so that the complainant cannot
answers to this. Notwithstanding the complainant's repeated request to erase its
e-mail address in order to stop receiving unwanted advertising messages, remains the complainant
however, unwanted direct marketing e-mails from the controller
receive.
3. On January 11, 2023, the complaint will be declared admissible by the First Line Service on the basis of
Articles 58 and 60 WOG and the complaint is based on art. 62, §1 WOG transferred to the
Litigation room.
II. Motivation
4. The Disputes Chamber determines on the basis of the documents that support the complaint that the complainant is entitled
has exercised on data erasure, but the controller has failed to do so
to follow it up appropriately. As a result, the controllers acted in
1 2 3
contravenes Articles 5.2 and 12.2 GDPR, as well as Article 17.1 GDPR.
1 Article 5.2 GDPR. The controller is responsible for and can demonstrate compliance with paragraph 1
(“accountability”).
2Article 12 GDPR
[…]
2. The controller shall facilitate the exercise of the data subject's rights under Articles 15 to
22. In the cases referred to in Article 11(2), the controller may not refuse to comply with the request of
the data subject to exercise his or her rights under Articles 15 to 22, unless the controller demonstrates
that he is unable to identify the person concerned.
[…]
3Article 17 GDPR Substantive decision 04/2023 - 3/7
expressly to not be able to delete the e-mail address via which
the complainant receives the unwanted direct marketing messages. This means that the
controller does not have the accountability obligation as stipulated in Article 5.2 GDPR
complies, as the controller fails to demonstrate appropriate
to comply with the request of the complainant and to be able to exercise his right to
data erasure (article 17.1 GDPR), notwithstanding the obligation of the
controller to facilitate the exercise of the rights of the
data subject pursuant to Articles 15 to 22 GDPR, in this case the right of the complainant
on data erasure.
5. Although the sending of advertising messages by the controller through
of e-mail where the recipients are listed in "bcc", making them unknown to each other
remain in line with the data minimization principle (Article 5.c)
GDPR), the controller does not act in accordance with this principle
moment that other e-mail addresses available to the complainant are requested in order to
may proceed to remove the e-mail address that, if necessary, leads to the complainant
receive unwanted messages. In order to facilitate the exercise of rights, the
controller in a system without compromising the principle of
minimal data processing is ignored. The controller thus submits
to be able to delete the e-mail address that gave rise to the unwanted
mailings without the complainant having to provide additional e-mail addresses.
1. The data subject shall have the right of the controller to erase his data without undue delay
obtain personal data and the controller is obliged to erase personal data without undue delay
when one of the following applies:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based in accordance with point (a) of Article 6(1) or point (a) of Article 9(2);
and there is no other legal basis for the processing;
c) the data subject objects to the processing in accordance with Article 21(1) and there are no overriding compelling
legitimate grounds for the processing, or the data subject objects to the processing in accordance with Article 21(2);
d) the personal data have been processed unlawfully;
e) the personal data must be erased to comply with a legal requirement laid down in Union or Member State law
obligation incumbent on the controller;
f) the personal data have been collected in connection with the offer of information society services as referred to in Article 8 paragraph
1.
4See Recital 59 GDPR. Arrangements should be in place to enable the data subject to exercise his rights under these
Regulation, such as mechanisms to request, in particular, access to, rectification or erasure of
personal data and, if applicable, to obtain it free of charge, as well as to exercise the right to object. The
controller should also provide means to submit requests electronically, especially when personal data
be processed electronically.
[…] Decision on the substance 04/2023 - 4/7
6. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be
concluded that the controller has committed a breach of the provisions of the
GDPR was committed, which justifies taking a
decision pursuant to Article 95, §1, 5° WOG, more specifically the controller in
order to comply with the exercise by the bearer of his right to data erasure
(Article 17.1 GDPR) and this in particular in view of the documents submitted by the complainant
it appears that the complainant has requested the controller to proceed with the
deletion of his data, without appropriate action being taken by the
controller.
7. This decision is a prima facie decision taken by the Litigation Chamber
in accordance with Article 95 WOG on the basis of the complaint submitted by the complainant, in the context of
5
the 'procedure prior to the decision on the merits' and no decision on the merits of the
Disputes Chamber within the meaning of Article 100 WOG.
8. The purpose of this decision is to inform the controller of the
fact that it may have committed a breach of the provisions of the GDPR and put it in the
possibility to still comply with the aforementioned provisions.
9. However, if the controller does not agree with the content of this
prima facie decision and considers that it may leave factual and/or legal arguments
funds that could lead to a different decision, this can be done via the e-mail address
litigationchamber@apd-gba.be to submit a request for consideration of the merits of the case to the
Litigation Chamber and this within the period of 30 days after notification of this decision. The
enforcement of this decision will, if necessary, take place during the aforementioned period
suspended.
10. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber
the parties pursuant to Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their
submit defenses as well as attach any documents they deem useful to the file. The
the present decision will, if necessary, be definitively suspended.
5Section 3, Subsection 2 WOG (Articles 94 to 97 inclusive). Decision on the substance 04/2023 - 5/7
11. The Disputes Chamber points out for the sake of completeness that a treatment on the merits of the case is possible
6
lead to the imposition of the measures referred to in Article 100 WOG.
12. Finally, the Disputes Chamber points out the following:
If one of the parties wishes to make use of the possibility to consult and
copying the file (art. 95, §2, 3° WOG), he must turn to the secretariat
of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment
to capture.
13. If a copy of the file is requested, the documents will be sent electronically if possible
or otherwise delivered by regular mail. 7
III. Publication of the decision
14. Given the importance of transparency with regard to decision-making by the
Litigation Chamber, this decision will be published on the website of the
Data Protection Authority. However, it is not necessary for this to include the identification data
of the parties are disclosed directly.
6
1° to dismiss a complaint;
2° to order the exclusion of prosecution;
3° order the suspension of the judgment;
4° propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° order that the data subject be informed of the security problem;
8° order that the processing be temporarily or permanently frozen, restricted or prohibited;
9° order that the processing be brought into compliance;
10° the rectification, restriction or deletion of data and the notification thereof to the recipients of the data
command;
11° to order the withdrawal of the accreditation of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° order the suspension of cross-border data flows to another State or an international institution;
15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up to the
file is given;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
7 Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the
Dispute room NOT provided. In addition, all communication takes place electronically in principle. Decision on the substance 04/2023 - 6/7
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, subject to the
submission of a request by the controller for treatment on the merits
in accordance with Article 98 et seq. WOG, to:
- on the basis of Article 58.2, c) GDPR and Article 95, § 1, 5 ° WOG, the controller
order that the data subject's request to exercise his rights be complied with, more
stipulates the right to erasure (article 17.1 GDPR), and to delete the
concerning personal data, and this within a period of 30 days from the
notification of this decision;
- to order the controller to notify the Data Protection Authority
(Dispute Chamber) by e-mail within the same term of the result
of this decision via the e-mail address litigationchamber@apd-gba.be; and
- in the absence of timely implementation of the above by the
controller, to handle the case ex officio on the merits in accordance with
articles 98 et seq. WOG.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification
this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the
Data Protection Authority as defendant.
Such an appeal may be lodged by means of an inter partes petition that the in art
1034terofthe Judicial Codemustcontainenumeratedenumerations.
contradictions must be submitted to the Registry of the Market Court in accordance with Article
8
The petition states under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
enterprise number;
3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned;
4° the object and brief summary of the means of the claim;
5° the court before which the action is brought;
6° the signature of the applicant or his lawyer. Substantive decision 04/2023 - 7/7
1034quinquiesvanhetGer.W. , or via the Deposit Information System of Justice (article 32ter of
the Ger.W.).
(get). Hilke Hijmans
Chairman of the Litigation Chamber
9 The petition with its annex, in as many copies as there are parties involved, is sent by registered letter to the
clerk of the court or deposited with the clerk of the court.
