APD/GBA (Belgium) - 45/2023

From GDPRhub
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(b) GDPR
Article 9(2)(a) GDPR
Article 20(3) GDPR
Article 254 KB 3 juli 1996
Type: Complaint
Outcome: Partly Upheld
Started: 27.04.2023
Decided: 27.04.2023
Published: 03.05.2023
Fine: n/a
Parties: X
la mutualité Y
National Case Number/Name: 45/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: 45/2023 (in FR)
Initial Contributor: Matthias Smet

The complainant submits a complaint to the DPA after repeatedly and unsuccessfully asking the controller to honour his right to data portability in the context of switching to a new health insurance fund. The DPA rejects the complaint because the conditions for exercising the right to data portability were not met.

English Summary

Facts

The complainant wishes to change mutuality and asks the controller to transfer his data to the new mutuality. After several unsuccessful requests to the controller, he submits a complaint to the DPA in order to obtain a response from the controller to his request, made in the exercise of the right to data portability, to send the data to the new mutuality.

Holding

Three cumulative conditions:

The exercise of the right to data portability is subject to three conditions that must be fulfilled cumulatively.

1. The data processing must be based on the consent of the data subject (Article 6(1)(a) GDPR and Article 9(2)(a) GDPR) or must be part of the performance of a contract (Article 6(1)(b) GDPR).

2. According to the guidelines of the Article 29 Working Party on data portability, the processed personal data must be obtained directly from the data subject. Derived or indirectly obtained data fall outside the scope of the right to data portability.

3. The processing is carried out using automated processes.

Conclusion of the DPA:

The DPA notes that the data processing carried out by the mutual insurance company is part of a legal obligation that rests on the controller, namely Article 254 of the Royal Decree of 3 July 1996, which states that "every insurance institution must keep a file in the name of each beneficiary with at least the data specified in this provision". In other words, the processing stems from a legal obligation rather than the performance of a contract and is thus explicitly excluded from the right to data portability (Article 20(3) GDPR). The first of the cumulative conditions has therefore not been met.

In addition, it has been established that the data subject's file also contains, among other things, information relating to the insurability of the data subject that has been derived from the data provided by the data subject. The second condition is therefore not fulfilled either, since these are derived data (see the WP29 guidelines mentioned above).

For the above reasons, the DPA concludes that the complainant cannot rely on the right to data portability to have the controller transfer his file to the new mutual insurance company and therefore dismisses the complaint.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.




Litigation Chamber

Decision 45/2023 of April 27, 2023



File number: DOS-2023-00609


Subject: Complaint relating to the alleged lack of follow-up to the exercise of the right to data portability




The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke Hijmans, President, sitting alone;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);

Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to the processing of personal data (hereinafter LTD);

Having regard to the Rules of Procedure as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;



Made the following decision regarding:



The plaintiff: X, hereinafter “the plaintiff”;


The defendant: Y Assurances, hereinafter: “the defendant”.



I. Facts and procedure


1. The complaint concerns the lack of response to the exercise of the right to portability of the personal data relating to an affiliation file with the Y mutual fund.

The plaintiff was affiliated with mutual health insurance Y, the defendant. The complainant subsequently changed health insurance and requested, from the defendant, the transfer of his file on January 1, 2023. The transfer of his file allegedly did not take place, which allegedly prevents the complainant from receiving compensation. On February 3, 2023, the plaintiff exercised his right to portability with the defendant, ordering it to transfer his file to his new health insurance fund. This request allegedly went unanswered.

2. On March 6, 2023, the complainant filed a complaint with the Data Protection Authority.

3. On March 9, 2023, the Front Line Service of the Data Protection Authority declared the complaint admissible on the basis of articles 58 and 60 of the LCA, and transmitted it to the Litigation Chamber in accordance with Article 62, § 1 of the LCA.



II. Motivation


4. Based on the facts described in the complaint file as summarized above, and on the basis of the powers attributed to it by the legislator under Article 95, § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; as it happens, the Litigation Chamber decides to proceed with the dismissal of the complaint, in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below.

5. In matters of dismissal, the Litigation Chamber is required to justify its decision step by step and:

- to pronounce a dismissal on technical grounds if the file does not contain elements, or not sufficient elements, likely to lead to a sanction, or if it includes a technical obstacle preventing the Chamber from rendering a decision;

- or to pronounce a dismissal on grounds of opportunity if, despite the presence of elements likely to lead to a sanction, the continuation of the examination of the file does not seem appropriate to it given the priorities of the Data Protection Authority as specified and illustrated in the dismissal policy of the Litigation Chamber.[2]






[1] Market Court (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.
[2] In this respect, the Litigation Chamber refers to its policy of dismissal as developed and published on the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-classification-without-continuation-of-the-litigation-chamber.pdf.



6. In the event of dismissal based on several reasons for dismissal, the latter (respectively, dismissal on technical grounds and dismissal on grounds of opportunity) should be addressed in order of importance.[3]

7. In this case, the Litigation Chamber decides to dismiss the complaint on technical grounds. The decision of the Litigation Chamber is based more specifically on the fact that the GDPR and other personal data protection laws are not applicable to the complainant's grievances. The Litigation Chamber consequently decides not to carry out, inter alia, an examination of the case on the merits.

8. The right to portability allows a data subject to receive their personal data or to have it transferred from one controller to another.[4] In order to apply the right to portability of Article 20 of the GDPR to the present case, the Litigation Chamber must verify whether the following three cumulative conditions are met:[5]

- Firstly: the data processing must be based on the consent of the data subject (Article 6.1.a or 9.2.a of the GDPR) or be necessary for the execution of a contract (article 6.1.b of the GDPR);

- Second: the personal data processed must have been provided by the data subject. The right to portability does not include data derived or deduced by the controller from the information provided by the data subject;[6]

- Third: the processing is carried out using automated processes.

9. With regard to the first condition, the defendant, as an insurer, guarantees the execution of the compulsory health care and indemnity insurance, which is governed by the coordinated law of 14 July 1994 relating to compulsory health care insurance and allowances.[7][8] It therefore executes one of the branches of social security.

10. In order to benefit from compulsory health care and indemnity insurance, membership of one of the insurers is mandatory.[9] Social security beneficiaries can choose the insurer, but this affiliation remains one of the conditions for granting the social security services mentioned.



[3] See Title 3 – In which cases is my complaint likely to be dismissed by the Litigation Chamber? of the dismissal policy of the Litigation Chamber.
[4] Article 20.2 of the GDPR.
[5] O. TAMBOU, Manual of European law on the protection of personal data, Brussels, Larcier, 2020, p. 203-205.
[6] Article 29 Working Party, Guidelines on the right to data portability, page 12.
[7] Article 3 of the law of August 6, 1990 relating to mutual societies and national unions of mutual societies, M.B. of September 28, 1990. As a result, a mutuality which performs one of the branches of social security must be distinguished from a private insurance company whose legal regime is established by the law of 4 April 2014 relating to insurance.
[8] See in particular Articles 3 and 21.1° of the law of 29 June 1981 establishing the general principles of social security for salaried workers, M.B. of July 2, 1981.
[9] Article 118, paragraph 1 of the coordinated law of 14 July 1994 on compulsory health care and compensation insurance, M.B. of August 27, 1994.



11. The financing of benefits,[10] the beneficiaries,[11] and the conditions for granting the benefits[12] and interventions of compulsory health care insurance and allowances are all determined by legal provisions. The mutuality also has the obligation to keep a file for each beneficiary, a file whose content and the personal data to be processed are determined by article 254 of the royal decree of July 3, 1996 implementing the coordinated law of 14 July 1994 relating to compulsory health care insurance and allowances (hereinafter “the Royal Decree of 3 July 1996”).[13] The change of mutuality is also regulated by the royal decree of July 3, 1996: mutuals must respect a certain procedure established by the Royal Decree of 3 July 1996 so that the change of mutuality is effective, which implies the transfer of the affiliate's file.[14]

12. Since the mutuals are obliged to provide the benefits of the compulsory health care insurance and allowances, the Litigation Chamber judges that this processing of personal data is necessary for compliance with a legal obligation within the meaning of article 6.1.c of the GDPR. The Litigation Chamber notes that the nature and the object of the processing of the data of a beneficiary of compulsory insurance are explicitly mentioned in the legal provisions mentioned above.

13. Insurers may also offer supplementary insurance services,[15] the content of which is of their choice. These additional services are offered to affiliates in the form of insurance contracts.

14. Based on the elements mentioned above, the Litigation Chamber finds that the data processing carried out by the defendant for the management of the plaintiff's file is justified, within the framework of the compulsory health care and indemnity insurance, on the basis of a legal obligation within the meaning of Article 6.1.c of the GDPR and, in the context of supplementary insurance, on the basis of an insurance contract within the meaning of article 6.1.b of the GDPR.





[10] Article 191 of the coordinated law of July 14, 1994 on compulsory health care and compensation insurance.
[11] Article 32 of the coordinated law of 14 July 1994 on compulsory health care and compensation insurance.
[12] See Chapter I of Title VI “Conditions for granting benefits” of the coordinated law of 14 July 1994 relating to compulsory health care insurance and allowances.
[13] Article 254: "The insurer establishes, in the name of each holder, a file containing the application for registration, as well as a sheet that reproduces the following data:
1. the date and the registration number of the holder, his identity as well as that of the dependents and their address as well as their identification number in the National Register;
2. any change in the number and quality of dependents;
3. the nature of the contribution documents, the type of data transmission and the data contained therein relating to insurability;
4. the amount and nature of the personal contributions and additional contributions, the date of their payment and the period to which they relate;
5. a statement of the penalties imposed on the holder and his dependents.
This file also contains all the documents relating to the status of beneficiary of the holder and the dependents.
The file is kept at the level of the health insurance fund or the regional office.
All medical information relating to the holder and his dependents is kept by the advisory doctor in a special case."
[14] Articles 255 and 257 to 274 of the Royal Decree of 3 July 1996.
[15] Article 3, paragraph §1, b) and c) of the coordinated law of 14 July 1994 on compulsory health care insurance and allowances read in conjunction with Article 67 of the law of April 26, 2010 on the provisions regarding the organization of supplementary health insurance, M.B. of 28 May 2010.



15. However, Article 20 paragraph 3 explicitly excludes the right to data portability for data whose processing is necessary for compliance with a legal obligation. There is therefore no general right to portability when data processing operations are not based on consent or on a contract.

16. Consequently, the Litigation Chamber concludes that the right to portability cannot be invoked by the plaintiff to demand the transfer of his file to his new health insurance fund, because the processing of the data necessary for the management of the complainant's file finds its basis of lawfulness in a legal obligation. The first condition for applying the right to portability is therefore not met.

17. Furthermore, the Litigation Chamber notes that the second condition for invoking the right to portability is not met either. Indeed, the data included in the complainant's file include, among other things, data related to the insurability of the complainant. However, insurability, which concerns the determination of entitlement to the benefits of compulsory health care and disability insurance, is assessed by the health insurance fund using information provided by the beneficiary. These are therefore personal data deduced from data provided by the complainant.



III. Publication and communication of the decision


18. Given the importance of transparency with regard to the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for this purpose that the identification data of the parties be directly communicated.

19. In accordance with its policy of dismissal, the Litigation Chamber communicates the decision to the defendant. Indeed, the Litigation Chamber decided to communicate dismissal decisions to the defendants by default. However, the Litigation Chamber refrains from such communication when the complainant requested anonymity vis-à-vis the defendant and when the communication of the decision to the defendant, even pseudonymised, nevertheless risks allowing the complainant's re-identification. This is not the case in the present case.













[16] Cf. Title 5 – Will the dismissal be published? Will the opposing party be informed? of the dismissal policy of the Litigation Chamber.
[17] Ibid.







    FOR THESE REASONS,


    the Litigation Chamber of the Data Protection Authority decides, after deliberation, to close this complaint without further action pursuant to Article 95, § 1, 3° of the LCA.





In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Market Court (Brussels Court of Appeal), with the Data Protection Authority as defendant.

Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory request must be filed with the registry of the Market Court in accordance with article 1034quinquies of the C. jud.,[19] or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).

To allow him to consider any other possible course of action, the Litigation Chamber refers the complainant to the explanations provided in its dismissal policy.[20]

The Litigation Chamber underlines that dismissals are likely to be taken into account by the Data Protection Authority in order to set its future priorities and/or could inspire future own-initiative investigations by the Inspection Service of the Data Protection Authority.







(se). Hielke HIJMANS


President of the Litigation Chamber













[18] The request contains, on pain of nullity:
 1° indication of the day, month and year;
 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or business number;
 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
 4° the object and summary statement of the means of the request;
 5° the indication of the judge who is seized of the application;
 6° the signature of the applicant or his lawyer.
[19] The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court office.
[20] Cf. Title 4 – What can I do if my complaint is dismissed? of the dismissal policy of the Litigation Chamber.