APD/GBA (Belgium) - 52/2024
From GDPRhub
| APD/GBA - 52/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1)(f) GDPR Article 6 GDPR Article 32(1)(b) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | |
| Published: | 03.04.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 52/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | nzm |
The DPA found that wrongly addressing an email to a third person cannot be considered as a ‘further processing’ under Article 5(1)(b) GDPR, as forwarding data to the wrong person is not a ‘purpose’ but only a breach of security.
English Summary
Facts
In the context of the sale of a property, a notary (“controller”) sent the data subject’s personal details (name, address, civil status, date of birth, nation register numbers of their heirs) to an incorrect addressee. The latter informed all addressees by email that she had mistakenly received the email.
The data subject lodged a complaint with the Belgian DPA (“APD”).
Holding
Regarding the lawfulness of processing, under Article 5(1)(b) GDPR, the processing of personal data for purposes other than those for which the personal data were initially collected can be authorized if the processing is compatible with the purposes for which the personal data were initially collected. The APD went on to examine if the sending of the email to the third person was compatible with the initial processing.
The APD indicated that further processing is only lawful if there is a legal basis. The third person indicated that they were “wrongly addressed” and that the controller itself referred to the third person as “wrongly addressed”. Therefore, it could be understood that forwarding the personal data to the third person was not the controller’s purpose. Thus, the APD decided that the processing could be classified as an error and not as a processing for which the controller had established a legal basis in advance. The APD concluded that there may have been a breach of Articles 5(1)(a), 5(1)(b) and 6 GDPR.
Regarding the principle of integrity and confidentiality, Articles 5(1)(f) and 32(1)(b) GDPR establish that the controller must implement appropriate technical and organizational measures to ensure appropriate security of the personal data. The APD considered that there was a breach of confidentiality, namely an unauthorized disclosure of personal data. Therefore, the APD held that the technical and organizational measures taken by the controller may have been insufficient to avoid such a breach, violating Articles 5(1)(f) and 32(1)(b) GDPR.
Regarding the notification of the data breach to the supervisory authority, Article 33(1) GDPR provides that the controller is obliged to notify the competent national supervisory authority without undue delay and where feasible, no longer than 72 hours after becoming aware of it, unless the breach is not likely to pose a risk to the rights and freedoms of the data subjects. In the present case, the APD noted that the controller received confirmation that the third person did not open the attachments to the email and immediately deleted it. Therefore, the APD considered that the data breach was unlikely to pose a risk to the rights and freedoms of the data subject and that there was no obligation to notify the DPA.
The APD decided, prima facie, that there may have been violations of Articles 5(1)(a), 5(1)(b), 5(1)(f), 6 and 32 GDPR and issued a warning against the controller.
Comment
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure within 30 days after the decision.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/7
Dispute Chamber
Decision52/2024 of April 3, 2024
File number: DOS-2024-00220
Subject: Complaint due to sending an e-mail with personal data of the
complainant to wrong addressee
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainant: X, hereinafter “the complainant”
The defendant: Y, hereinafter “the defendant” Decision 52/2024 — 2/7
I. Facts and procedure
1. On January 5, 2024, the complainant submits a complaint to the Data Protection Authority
against the defendant.
2. The subject of the complaint concerns the sending by the defendant of an e-mail with
personal data of the complainant to an incorrect addressee. The defendant resigned
acts as a notary in the context of the sale of real estate of a testator. On 30
In November 2023, the defendant sent an email to the heirs with attachments
the draft of the deed of sale and the settlement. These attachments contain the names,
addresses, marital statuses, dates of birth, and national register numbers of the 17 heirs,
including the complainant. The defendant also sent this email to a wrong person
third person addressee. This person sent an email to all on December 1, 2023
recipients know that they received the email in error.
3. On January 30, 2024, the complaint will be declared admissible by the First Line Service on
on the basis of articles 58 and 60 of the WOG and the complaint is filed on the basis of article 62, § 1
2
of the WOG transferred to the Disputes Chamber.
4. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations
order of the GBA, the parties can request a copy of the file. If one
both parties wish to make use of the opportunity to consult and
copying the file, he or she must contact the secretariat of the
Disputes Chamber, preferably via litigationchamber@apd-gba.be.
II. Justification
II.1. The lawfulness of the processing
5. In accordance with Article 5.1.a) and Article 6.1 of the GDPR, any processing of
personal data is based on a legal basis prior to processing
determined by the controller.
6. In the present case, the defendant acted as a notary in the context of the sale of
immovable property of a testator. To this end, the defendant processed, among other things, the
personal data of the complainant, as the latter was an heiress. The complaint
relates to the fact that the defendant in that context has accessed the personal data of the
1In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible
declared.
2In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to
has been transferred to her as a result of this complaint. Decision 52/2024 — 3/7
complainant forwarded it to a third person by email. The Disputes Chamber will follow suit
to determine whether this further processing can be considered lawful.
7. To begin with, the Disputes Chamber notes that the addressed third person, after the
received the email, it sent the following to all recipients: “Wrong email
address this is not for me”. In her email to the complainant on December 4, 2023, refers
furthermore, the defendant also refers to the third person as “the wrong addressee”.
Since the third person - as the defendant also indicates - was incorrectly addressed
was, it can be understood that sending the email to the third person does not lead to
the original purpose of the processing of the personal data.
8. In accordance with Article 5.1.b) GDPR, the processing of personal data for other
purposes other than those for which the personal data was initially collected
be permitted if the processing is compatible with the purposes for which the
personal data was initially collected. Taking the criteria into account
included in article 6.4 GDPR and recital 50 GDPR, it must be determined whether
the further processing, in this case the sending of the email to the third person, then
is not compatible with the initial processing in the context of the sale of the property
property of the testator. When assessing this, the reasonable expectations of the
person concerned plays an important role. In the present case, the complainant could not reasonably have done so
expect that the defendant would share the data with the third person, since
this person is not involved in the sale of the property.
9. This leads to the conclusion that there may be an incompatible further
processing. In that case, a separate legal basis would be required for it
sending the complainant's personal data to the third party as lawful
could be considered.
10. Processing of personal data, including incompatible processing
processing as – possible – in the present case, is only lawful if there is such a reason
legal basis exists. For incompatible further processing
reverted to Article 6.1 GDPR. Article 6.1 of the GDPR stipulates that the processing must
take place on the basis of one of the following legal bases: the data subject has
has given permission for the processing of his personal data for one or more
specific purposes (Article 6.1.a) GDPR); the processing is necessary for the execution
of an agreement to which the data subject is a party or for the execution of
pre-contractual measures taken at the request of the data subject (Article 6.1.b)
GDPR); the processing is necessary to comply with a legal obligation
controller is subject (Article 6.1.c) GDPR); the processing is
necessary for the vital interests of the data subject or of another natural person
to protect (Article 6.1.d) GDPR); the processing is necessary for the fulfillment of a Decision 52/2024 - 4/7
task of general interest or a task in the context of the performance of public duties
authority vested in the controller (Article 6.1.e) GDPR) or the
processing is necessary for the pursuit of the legitimate interests of the
controller or of a third party, except where the interests or
fundamental rights and freedoms of the data subject which are intended to protect
personal data outweigh those interests, especially when the
the data subject is a child (Article 6.1.f) GDPR).
11. As noted in paragraphs 7 and 8 of this decision, the third person was
“wrongly” addressed. Since the defendant himself also refers to the third person
refers to as the “wrong recipient”, it can be interpreted as forwarding
of the personal data to the third person was not the purpose of the defendant. The
the processing in question could thus be regarded as an error, and not as
a processing for which the defendant had established a legal basis at the outset. On
on this basis, the Disputes Chamber is of the opinion that the defendant is prima facie opting out
can rely on any legal basis from which the lawfulness of the processing would appear.
12. Based on the foregoing reasoning, the Disputes Chamber judges that it is possible
Article 5.1.a), Article 5.1.b) and Article 6.1 of the GDPR has been infringed.
II.2. The basic principle of integrity and confidentiality
13. According to Article 5.1.f) and Article 32.1.b) GDPR, personal data must be “by taking
appropriate technical or organizational measures in such a way
processes that appropriate security is guaranteed, and that they, among other things,
are protected against unauthorized or unlawful processing and against accidental processing
loss, destruction or damage”.
14. Based on the documents from the file, the Disputes Chamber determines that the
personal data of the complainant without legal basis was communicated to a
third person. There has been a breach of confidentiality, namely a
unauthorized or unintended disclosure of or access to personal data.
It can therefore be concluded that the technical and organizational measures that
the defendant had or had not taken were insufficient to justify such an infringement
It is therefore possible that the defendant has failed to take appropriate technical measures
to establish organizational measures.
15. Based on the foregoing reasoning, the Disputes Chamber judges that it is possible
Article 5.1.f) and Article 32.1.b) GDPR have been infringed. Decision 52/2024 — 5/7
II.3. Notification of a personal data breach to the supervisory authority
authority
16. A data breach as defined in Article 4.12 GDPR is “a
security breach more accidentally or unlawfully leads to destruction,
the loss, alteration, unauthorized disclosure or unauthorized access
to data transmitted, stored or otherwise processed”.
17. The Disputes Chamber recalls that when such an infringement occurs in connection with
personal data occurs, Article 33.1 GDPR stipulates that the
controller is obliged to do this “without unreasonable delay and, if
possible, no later than 72 hours after [the controller] becomes aware of it
taken” to the competent national supervisory authority, unless it is not
it is likely that the data breach poses a risk to the
rights and freedoms of natural persons. If the infringement is likely to be a high
poses a risk to the rights and freedoms of natural persons
controller on the basis of Article 34.1 GDPR, Gook obliges this infringement
to the persons whose personal data the infringement relates to.
18. In the present case, the Disputes Chamber notes that the defendant has legal action
undertaken to avert risks to the rights and freedoms of natural persons.
In her email of December 4, 2023 to the complainant, the defendant indicates that
it has received confirmation from the misdirected third party that this
last but not least, the attachments to the email (the draft of the deed of sale and the settlement).
opened it and immediately deleted the email. On that basis it can be
understood that it is prima facie not likely that the infringement in connection with
personal data poses a risk to the rights and freedoms of natural persons.
In that case, there would be no obligation to report the infringement to the
Data Protection Authority, or to communicate the infringement to the persons affected by it
personal data the infringement relates to.
III. Decision
19. The Disputes Chamber is of the opinion that on the basis of the above analysis
concluded that the defendant may have violated the provisions of the GDPR
committed, which justifies taking a decision in this case
decision on the basis of Article 95, § 1, 4° of the WOG, more specifically the defendant
warn that providing personal data to a third person without
any applicable legal basis, constitutes unlawful processing and a
constitutes an infringement of the integrity and confidentiality of the processing. Decision 52/2024 — 6/7
20. This decision is a prima facie decision taken by the Disputes Chamber
in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant,
in the context of the “procedure prior to the decision on the merits” 3 and none
decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.
21. The purpose of this decision is to inform the defendant of the fact that
it may have committed an infringement of the provisions of the GDPR and this is in the
the opportunity to still comply with the aforementioned provisions.
22. If the defendant does not agree with the content of this prima facie case
decision and is of the opinion that it can put forward factual and/or legal arguments that
could lead to a new decision, it can request a reconsideration
submit to the Disputes Chamber in accordance with the procedure established in Articles 98 in conjunction
99 of the WOG, known as a “treatment on the merits”. This request must be
sent to the email address litigationchamber@apd-gba.be within a period of 30
days after notification of this primafacie decision. If applicable, implementation will take place
of this decision is suspended for the above-mentioned period.
23. In the event of a continuation of the merits of the case, the
Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG
invite them to submit their defenses as well as any documents they consider useful in the case
file to add. If necessary, the present decision will be permanently suspended.
24. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits
4
of the case may lead to the imposition of the measures stated in Article 100 of the WOG.
3Section 3, Subsection 2 of the WOG (Articles 94 to 97).
4Article 100. § 1. The Disputes Chamber has the authority to:
1° to dismiss a complaint;
2° to order the dismissal of prosecution;
3° order the suspension of the ruling;
4° to propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° to order that the person concerned is informed of the security problem;
8° order that processing be temporarily or permanently frozen, restricted or prohibited;
9° to order that the processing be brought into compliance;
10°the rectification, limitation or deletion of data and its notification to the recipients of the data
recommend data;
11° order the withdrawal of the recognition of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° the suspension of cross-border data flows to another State or an international institution
command;
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the
follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the
Data Protection Authority.
