APD/GBA (Belgium) - 27/2023
| APD/GBA - 27/2023 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 12(3) GDPR, Article 12(4) GDPR, Article 15(1) GDPR, Article 34(1) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 03.03.2020 |
| Decided: | 13.03.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 27/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | GBA (in FR) |
| Initial Contributor: | kv33 |
The Belgian DPA emphasizes that the controller remains responsible for replying to data subject access requests, regardless of internal circumstances such as an employee's long-term sick leave or the request simply being forgotten.
English Summary
Facts
This decision concerned a landlord (controller) who did not respond to an access request of a tenant (data subject).
On 2 December 2019, the data subject filed an access request with the controller. On 31 December 2019, almost one month later, the controller notified the data subject that it would use the possibility under Article 12(3) GDPR to extend the normal one-month deadline by two additional months. On 3 March 2020, the data subject filed a complaint with the Belgian DPA against the controller because no answer had been provided by that point.
On 2 September 2020, almost 10 months after the data subject had filed the original access request, the controller provided a reply. However, the data subject complained that the controller had not answered all the questions of the data subject. These questions concerned the existence of possible leaks of personal data, the security protocols of the controller and, lastly, the security and organisational measures relating to processing by the controller's employees or contractors. The controller refused to answer these questions, stating that these would not fall within the scope of Article 15(1) GDPR and the controller was therefore not obligated to answer these questions.
On 29 September 2020, the controller clarified its position to the DPA. The controller acknowledged that no timely answer had been provided to the data subject because the controller's employee in charge of the data subject's file had been on long-term sick leave. The access request was then simply forgotten, according to the controller.
Holding
The DPA first reiterated the legal requirements of Article 15 GDPR. In particular, the DPA stressed the importance of the right of access under Article 15 GDPR, since this right allowed data subjects to check the lawfulness of each processing activity and, if necessary, to have the processed personal data rectified or deleted.
Assessing the facts of the case, the DPA confirmed that the controller did not respond to the access request within the prescribed deadline, nor after the extension. The fact that the responsible employee had been on long-term sick leave and the fact that the access request was then simply forgotten did not exonerate the controller from its obligations towards the data subject. This practice constituted a breach of Articles 15(1), 12(3) and 12(4) GDPR. The DPA reprimanded the controller for these violations.
Concerning the controller's refusal to answer certain questions, the DPA considered that these questions were indeed outside the scope of Article 15 GDPR. The controller's response was therefore not incomplete.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/7 Litigation Chamber Decision on the merits 27/2023 of 13 March 2023
File number: DOS-2020-01123
Subject: Lack of satisfactory response to the exercise of the right of access
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and Messrs. Yves Poullet and Christophe Boeraeve, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);
Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
Considering the documents in the file;
Made the following decision regarding:
The plaintiff: X, hereinafter "the plaintiff";
The defendant: Y, hereinafter "the defendant".
I. Facts and procedure
1. On March 3, 2020, the complainant lodged a complaint with the Data Protection Authority against the defendant. The subject of the complaint concerns the lack of a satisfactory response to the exercise of the complainant's right of access, outside the extended two-month period. On December 2, 2019, the plaintiff exercised his right of access with the defendant, his former landlord. The defendant notified him on December 31, 2019 of the two-month extension of the response period. The defendant did not subsequently respond to the plaintiff's request until September 2, 2020.
2. On March 9, 2020, the complaint was declared admissible by the Front Line Service on the basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber pursuant to Article 62, § 1 of the LCA.
3. On September 18, 2020, the Litigation Chamber decides, pursuant to Article 95, § 1, 1° and Article 98 of the LCA, that the case can be dealt with on the merits.
4. On August 18, 2020, the parties concerned are informed by registered letter of the provisions set out in Article 95, § 2 as well as in Article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their submissions. For findings relating to the subject of the complaint, the deadline for receipt of the defendant's submissions in response was set for September 29, 2020, that for the complainant's submissions in reply for October 20, 2020 and finally that for the defendant's submissions in reply for November 10, 2020.
5. On August 19, 2020, the complainant agrees to receive all communications relating to the matter electronically.
6. On August 26, 2020, the defendant agrees to receive all communications relating to the case electronically and expresses its intention to make use of the possibility of being heard, in accordance with Article 98 of the LCA.
7. On September 29, 2020, the Litigation Chamber receives the submissions in response from the defendant with regard to the findings relating to the subject matter of the complaint. The defendant does not contest the lack of response to the exercise of the right of access by the complainant. The defendant would have consulted lawyers in order to provide a satisfactory answer to the complainant. The response would never have been sent due to the absence of one of its employees. The complainant's request was then forgotten, but a response was finally provided on September 2, 2020.
8. On October 9, 2020, the Litigation Chamber received the submissions in reply from the complainant. The complainant emphasizes the lateness of the response. Moreover, the defendant refused to answer some of his questions.
9. On November 10, 2020, the Litigation Chamber receives the submissions in reply from the defendant concerning the findings relating to the subject matter of the complaint. The defendant repeats that forgetting to answer was not deliberate. The defendant did in fact refuse to answer part of the complainant's questions because it would not be legally obliged to respond under Article 15 of the GDPR.
10. On February 8, 2023, the parties are informed that the hearing will take place on 02/24/2023.
11. On February 24, 2023, the parties are heard by the Litigation Chamber.
12. On March 2, 2023, the minutes of the hearing are submitted to the parties. The Litigation Chamber did not receive any remarks from the defendant relating to the minutes, so it decides to resume its deliberation.
II. Motivation
II.1. On the violation of the right of access (Articles 15.1, 12.3 and 12.4 of the GDPR)
II.1.1. Content and scope of the right of access
13. In its capacity as data controller, the defendant is required to comply with the data protection principles and must be able to demonstrate that these are respected. It must also implement all the necessary measures for this purpose (principle of accountability – Articles 5.2 and 24 of the GDPR).
14. The right of access has three components. First, under Article 15.1 of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him are being processed. Secondly, when personal data are processed, the data subject has the right to obtain access to said personal data as well as to a series of information listed in Article 15.1 a) - h), such as the purposes of the processing of his data, the possible recipients of his data and information relating to the existence of his rights, including the right to request the rectification or erasure of his data or to lodge a complaint with the DPA. Third, under Article 15.3 of the GDPR, the data subject also has the right to obtain a copy of the personal data undergoing processing. Article 15.4 of the GDPR provides that this right to a copy may not infringe the rights and freedoms of others.
15. The Litigation Chamber emphasizes the importance of respecting the right of access of data subjects. This right allows data subjects to check the lawfulness of each processing activity and, where appropriate, to have the personal data processed rectified or erased.
II.1.2. Modalities of the right of access
16. Article 12 of the GDPR, relating to the modalities for the exercise of their rights by data subjects, provides that the controller must facilitate the exercise of the data subject's rights (Article 12.2 of the GDPR) and provide them with information on the action taken on their request as soon as possible and at the latest within one month of the request (Article 12.3 of the GDPR). For more complex requests, or when the controller receives a large number of requests, this initial period of one month can be extended by two months (Article 12.3 of the GDPR). When the controller does not intend to respond to the request, it must notify its refusal within one month, accompanied by the information that an appeal against this refusal may be lodged with the supervisory authority for data protection (Article 12.4 of the GDPR).
II.1.3. As for the defendant's belated response to the exercise of the right of access by the plaintiff
17. It appears from the documents in the file that the complainant did indeed exercise his right of access with the defendant on December 2, 2019. On December 31, 2019, the defendant notified the complainant of the two-month extension of its deadline for reply. The defendant did not, however, respond within this two-month period: the complainant only received a response in September 2020. The Litigation Chamber also notes that the defendant only followed up on the complainant's request shortly after receiving a letter from the Litigation Chamber informing the parties of a procedure on the merits. Nor does the defendant dispute the absence of a satisfactory response on its part.
18. To explain this delay, the defendant indicates that it intended to respond to the plaintiff's request, but, the employee responsible for processing the plaintiff's file being absent at the time due to long-term sick leave, no response was sent to the complainant. The plaintiff's request was then forgotten. This fortuitous circumstance cannot, however, exonerate a data controller from its obligations towards the data subjects. It is therefore a violation on the part of the defendant of Articles 15.1, 12.3 and 12.4 of the GDPR.
19. The Litigation Chamber notes however, on the basis of the evidence provided by the defendant, that the defendant had indeed begun to prepare a response to the plaintiff with the help of lawyers. The defendant also claims to have adopted organizational measures to guarantee access to the personal data of its clients. During the hearing, the defendant explained that it had created a mailbox to which access requests from other data subjects are forwarded. This mailbox is accessible to several employees of the defendant in order to prevent a request of this kind from remaining unanswered. The Litigation Chamber will take these elements into consideration when adopting a sanction.
II.1.4. As for the defendant's incomplete response to the right of access of the plaintiff
20. In his submissions, the complainant raises the fact that the defendant refused to answer some of the complainant's questions. These questions concerned the existence of possible leaks of the complainant's data following security flaws, the information security protocols adopted by the defendant, and the security and organizational arrangements relating to the processing of personal data by the employees or contractors of the defendant (respectively questions 7, 8 and 9 of the complainant). The defendant refused to answer these questions because the information requested would not fall within the scope of Article 15.1 of the GDPR.
21. Regarding the refusal to answer questions 8 and 9, a data controller is not required to share information regarding security protocols and organizational measures, because this information is not included in Article 15, paragraph 1, items (a) to (h) or in Article 13, paragraphs 1 to 2. The defendant was therefore not required to answer questions relating to this information.
22. With regard to question 7, a data leak is defined by the GDPR as a personal data breach [1]. Under Article 34.1 of the GDPR, a data controller is only obliged to notify the data subject when "a personal data breach is likely to result in a high risk to the rights and freedoms of a natural person". It does not appear anywhere in the file that such a breach of the complainant's data has occurred. The defendant therefore did not have to answer question 7.
23. The Litigation Chamber thus follows the reasoning of the defendant, which was not obliged to answer questions 7, 8 and 9 of the plaintiff. The defendant's response was therefore late but complete.
24. Furthermore, the Litigation Chamber notes that, despite the absence of an obligation to respond to questions 7, 8 and 9, the defendant nevertheless provided the complainant with an answer to these questions at the hearing of February 24, 2023.
III. Sanction
25. The Litigation Chamber notes that there has been a violation of Articles 15.1, 12.3 and 12.4 of the GDPR. Although the defendant responded to the exercise of the right of access by the complainant, it was found that breaches of the GDPR had taken place. Respect for the right of access of data subjects is fundamental in data protection.
26. The Litigation Chamber considers that there are sufficient elements to formulate a reprimand, which constitutes a light and sufficient sanction in light of the violations of the GDPR observed in this file. When determining the penalty, the Litigation Chamber takes into account the fact that the defendant has rectified the situation and the efforts of the defendant to guarantee in the future the right of access of the data subjects.
IV. Publication of the decision
27. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for this purpose that the identification data of the parties be communicated directly.
FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation:
- Pursuant to Article 100, § 1, 5° of the LCA, to issue a reprimand to the defendant as regards the violation of Article 15, paragraph 1, and Article 12, paragraphs 3 and 4, of the GDPR.
In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Court of Markets (cour d'appel de Bruxelles), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in Article 1034ter of the Judicial Code [2]. The interlocutory request must be filed with the registry of the Court of Markets in accordance with Article 1034quinquies of the C. jud., or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the C. jud.) [3].
(Sr.) Hielke Hijmans
President of the Litigation Chamber
[1] Art. 4.12 of the GDPR: "a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data".
[2] The request contains, on penalty of nullity: 1° the indication of the day, month and year; 2° the surname, first name and domicile of the applicant, as well as, where applicable, his capacity and his national register number or business number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the object and a summary statement of the grounds of the request; 5° the indication of the judge seized of the application; 6° the signature of the applicant or his lawyer.
[3] The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court registry.