APD/GBA (Belgium) - 57/2024

From GDPRhub
APD/GBA - 57/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.04.2024
Published: 18.04.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 57/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: nzm

The DPA held that the controller failed to comply with the transparency principle by requesting an ID document as a deposit when renting a mobility aid, whilst failing to present an existing alternative to the data subject.

English Summary

Facts

On 25 June 2022, the data subject was asked for his identity card as a deposit when renting an mobility aid to visit the controller's estate. He would get his identity card back upon returning the device. The data subject pointed out to the controller that this practice was not in accordance with the law. The controller replied that everyone surrendered their ID card as a deposit. Therefore, the data subject proceeded to do so and received a ticket in exchange.

On the same day, the data subject filed a complaint using the controller's email address for privacy related matters. Three days later, the controller responded that the use of an ID document was allowed as no copies or scans would be made.

The data subject responded by indicating that internal regulations mentioned an alternative deposit of 100€ for those who did not have or did not want to provide proof of identity, an option which he was not proposed. He also referred to the Belgian DPA website ("GBA") which read that an ID card cannot be kept as a deposit, as it prevents the data subject from fulfilling it's legal obligation to carry their card (Royal Decree of 25 March 2003 on Identity cards - KB van 25 maart 2003 betreffende de identiteitskaarten).

On 5 July 2022, the data subject filed a complaint with the GBA.

Holding

Firstly, regarding the material scope of the GDPR, the GBA indicated that under Article 2(1) GDPR, the latter shall apply to the processing of personal data by automatic means or which form part of a filing system. The CJEU clarified the concept of "file" by holding that "the concept of a ‘filing system’ [...] covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use." (CJEU, 10 July 2018, Jehovan todistajat).

In the present case, the DPA considered that the controller seems to structure the ID cards based on the number of the device in order to retrieve them easily when the device is returned. Since an ID card contains personal data, this practice falls within the scope of the GDPR.

Secondly, the DPA pointed out that national Belgian Law (Article 1 Royal Decree of 25 March 2003 on identity cards) establishes that every Belgian of 15 years or more must hold an identity card. The website of the Federal Government Department of Home affairs adds that withholding an ID card would make this request impossible and that there is no justification for withholding the ID card for the duration of a visit.

The GBA therefore held that even if the controller had sufficient legal basis, this practice does not comply with national Belgian law.

Finally, regarding transparency, the data subject noted that he was in no way informed of the alternative to the processing of his personal data, even when he was opposed to the processing. This alternative was not mentioned in the ticket received in exchange for his ID card either. The GBA found that the processing was not sufficiently transparent.

The DPA therefore issued a warning against the controller. This was a prima facie decision.

Comment

As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller can still demand for a procedure if it does not agree.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/8



                                                                          Dispute Chamber


                                                    Decision 57/2024 of April 18, 2024


File number: DOS-2022-02875


Subject: requesting an identity card as guarantee



The Disputes Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter “WOG”;

In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Considering the documents in the file;


Has made the following decision regarding:


Complainant: X, hereinafter “the complainant”


The defendant: Y, hereinafter “the defendant” Decision 57/2024 — 2/8


I. Facts and procedure


 1. The subject of the complaint concerns the use of the complainant's identity card as

       guarantee for the loan of an aid when visiting the domain

       defendant.

 2. On 5 July 2022, the complainant submits a complaint to the Data Protection Authority against the

       defendant.

               On June 25, 2022, the complainant was asked to provide his identity card as security

               renting a tool to visit the defendant's domain. He would

               get his identity card back when returning the aid. The

               The complainant pointed out to the defendant that handing over his identity card would not
               was in accordance with the law, but the defendant replied that everyone is

               provided an identity card as security. The complainant has his identity card on it

               delivered and received back at the end of the day.


               The complainant submitted a complaint to the defendant via privacy on the same day
               defendant's email address. The complainant had a photo of the rental ticket and the

               statement is attached. The rental ticket shows the name of the customer and the date

               and the number of the aid used. The number of the

               identity card and signature are not completed. This ticket also states:

               stated: “An ID will be retained as a guarantee.”

               On June 28, 2022, the defendant responded that the use of a

               proof of identity was indeed allowed on the private domain of the

               defendant when no copies or scans would be made. She would do this
               checked with the competent government authorities. The confirmed

               defendant that no additional registrations or actions have been made with the

               identity card. The defendant further pointed to the internal regulations in which:

               Article 6 did indeed mention an alternative guarantee for those who do not

               had or wanted to hand over proof of identity, i.e. €100.

               That same day, the complainant responded with a reference to the website

               Data Protection Authority which read: “You can use the ID card

               not to hold a person as surety. This practice is not acceptable because you

               this prevents the data subject from complying with his legal obligation to
               carry your identity card on sight. Taking a copy of your identity card

               in these circumstances also poses problems with regard to the

               compatibility with the GDPR.” Decision 57/2024 — 3/8



 3. On July 26, 2022, the First Line Service contacted the complainant with the question

       add contact details of the controller to the complaint

       to be able to handle them correctly. On July 31, 2022, the complainant sent the

       contact details of the defendant. In a second e-mail, the defendant sent the complainant again

       continued communication with the defendant and separately confirmed that he had

       alternative of €100 as a deposit was not offered when he initially resisted

       handing over his identity card.

 4. On August 1, 2022, the complaint will be declared admissible by the First Line Service

       on the basis of articles 58 and 60 of the WOG and the complaint is filed on the basis of article 62, § 1

       of the WOG transferred to the Disputes Chamber. 2


 5. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations

       order of the GBA, the parties can request a copy of the file. If one

       both parties wish to make use of the opportunity to consult and

       copying the file, he or she must contact the secretariat of the

       Disputes Chamber, preferably via litigationchamber@apd-gba.be.



II. Justification


 6. Article 2.1 of the GDPR determines the material scope of the GDPR:


       “This regulation applies to the fully or partially automated

       processing, as well as the processing of personal data contained in a file

       included or intended to be included therein.”

       The term 'file' is defined in Article 4.6) of the GDPR:


       “file: any structured set of personal data that is collected according to certain criteria

       accessible, regardless of whether it is completely centralized, decentralized or on

       functional or geographical grounds;”


 7. The European Court of Justice clarified the scope of the concept of 'file' in its
                       3
       judgment “Jehova”:

       “The answer to the second question must therefore be that Article 2(c) of Directive

       95/46 must be interpreted as meaning that the term used in that provision

       “truce” also falls entirely within the context of a door-to-door proclamation

       collected personal data, consisting of the name and address of and others




1In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible
declared.
2In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to

has been transferred to her as a result of this complaint.
3See ECJ judgment C-25/17, Jehovan Todistajat, EU:C:2018:551; marginal number 62. Decision 57/2024 — 4/8


       information about the people visiting the home, when this data is structured

       according to specific criteria that make it easy to obtain this data in practice

       retrieved for later use. To fall under this concept, one has to

       There are no index cards, specific lists or other organizing systems of this kind

       include." (own underlining)

 8. The defendant rents out several resources within his domain. As a guarantee for these

       aids, the defendant asked for the complainant's identity card. Next to the tool

       the complainant also received a ticket with the identification number of the

       tool and its name. It is therefore possible that the identity cards received by the

       defendant are structured based on the number of the device, in order

       this can be easily found when the device is returned. It

       structuring identity cards based on the criteria 'type of aid' and/or
       'number of the device' could become like a file on functional grounds

       considered. Since an identity card contains personal data, this practice would

       fall within the material scope of the GDPR.


 9. Article 4.2) of the GDPR defines the concept of 'processing' as follows:

       “an operation or set of operations relating to personal data or

       a set of personal data, whether or not carried out via automated processes,

       such as collecting, recording, organizing, structuring, storing, updating or modifying,

       retrieve, consult, use, provide by transmission, disseminate or

       otherwise make available, align or combine, shield, erase or

       destruction of data;”

 10. The defendant requests the identity card for safekeeping. Since the

       the identity card details of the bearing company contain, can be requested and stored

       be considered as processing personal data.

 11. Article 5.1.a) of the GDPR states: “Personal data must be processed in a

       manner that is lawful, fair and transparent with regard to the data subject

       (“legality, propriety and transparency”).”


 12. With regard to legality and propriety, the Disputes Chamber refers to Article 1 of the
                                                         4
       royal decree on identity cards, which states: “Every Belgian has the full fifteen
       years old, must be the holder of an identity card that serves as proof of registration in the

       population register applies in the event of loss, theft or destruction of that card

       certificate issued in accordance with Article 6. […] One of these two documents must

       be submitted at any request by the police, [...] and, in general, whenever the

       holder must provide proof of his identity.” On the Federal website


4KB of March 25, 2003 regarding identity cards. Decision 57/2024 — 5/8



       Government Department of the Interior can be found under the FAQ on identity documents
       read: “The provisions of Article 1 of the Royal Decree regarding the

       identity cards dated March 25, 2003 state that each person is at all times

       must be able to present an identity card to a person who does so for legal reasons

       requests. However, withholding the identity card would make this request impossible.

       It is therefore not justified to keep the identity card during the period

       visit.”5


 13. To the extent that the defendant would have a sufficient legal basis for the identity card

       of the complainant, this does not seem appropriate since the complainant is on the domain of the
       defendant cannot comply with Article 1 of the Royal Decree regarding the

       identity cards, whatever the complainant would have declared before his

       identity card has been issued.


 14. With regard to transparency, the complainant declares that at the time of requesting his

       ID card was not informed in any way about an alternative to processing

       of his personal data, even if he initially opposed this

       processing. This alternative was also not mentioned on the ticket the complainant received in return

       for his identity card. Despite the inclusion of this alternative in the park regulations, it seems
       the processing is not sufficiently transparent.


 15. The Disputes Chamber is of the opinion that on the basis of the above analysis

       concluded that the defendant may have violated the provisions of the GDPR

       were committed, which justifies taking action in this case

       a decision on the basis of Article 95, § 1, 4° of the WOG, more specifically a warning

       to formulate with regard to the defendant that requesting and maintaining the

       a visitor's identity card as a guarantee for a tool may constitute an infringement

       determine the lawfulness, fairness and transparency of the processing.

 16. This decision is a prima facie decision taken by the Disputes Chamber

       in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant,

       in the context of the “procedure prior to the decision on the merits” 6 and none

       decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.

       The Disputes Chamber has thus decided, on the basis of Article 58.2.a) GDPR and

       Article 95, § 1, 4° of the WOG, to formulate a warning with regard to the

       defendant with regard to the legality, propriety and transparency of the

       requesting and keeping the identity card as guarantee for the use of a

       tool in the domain of the defendant.



5https://ibz.rrn.fgov.be/nl/identitydocuments/eid/faq/ ; more specifically under the question: “Is one allowed at the reception of a
public building, ask for an identity card and keep it up to date?”
6Section 3, Subsection 2 of the WOG (Articles 94 to 97). Decision 57/2024 — 6/8



 17. The purpose of this decision is to inform the defendant of the fact that this

       may have committed an infringement of the provisions of the GDPR and this in the

       the opportunity to still comply with the aforementioned provisions.

 18. If the defendant does not agree with the content of this prima facie case

       decision and is of the opinion that it can put forward factual and/or legal arguments that

       could lead to a new decision, it can request a reconsideration

       submit to the Disputes Chamber in accordance with the procedure established in Articles 98 in conjunction

       99 of the WOG, known as a “treatment on the merits”. This request must be

       sent to the email address litigationchamber@apd-gba.be within a period of 30

       days after notification of this primafacie decision. If applicable, implementation will take place

       of this decision is suspended for the above-mentioned period.


 19. In the event of a continuation of the merits of the case, the

       Disputes Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 of the

       invite WOG to submit their defenses and any documents they consider useful

       to be added to the file. If necessary, the present decision will become final

       suspended.


 20. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits

       of the case may lead to the imposition of the measures referred to in Article 100 of the
             7
       WOG .



III. Publication of the decision


 21. Considering the importance of transparency with regard to decision-making

       Dispute Chamber, this decision will be published on the website of the






7Article 100. § 1. The Disputes Chamber has the authority to:
 1° to dismiss a complaint;
 2° to order the dismissal of prosecution;
 3° order the suspension of the ruling;
 4° to propose a settlement;
 5° formulate warnings and reprimands;
 6° order that the data subject's requests to exercise his rights be complied with;
 7° to order that the person concerned is informed of the security problem;
 8° order that processing be temporarily or permanently frozen, restricted or prohibited;
 9° to order that the processing be brought into compliance;
 10°the rectification, limitation or deletion of data and its notification to the recipients of the data

    recommend data;
 11° order the withdrawal of the recognition of certification bodies;
 12° to impose penalty payments;
 13° to impose administrative fines;
 14° the suspension of cross-border data flows to another State or an international institution
    command;
 15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the
    follow-up given to the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the
    Data Protection Authority. Decision 57/2024 — 8/8


                                                            9
in accordance with Article 1034quinquies of the Dutch Civil Code. ,or via the Deposit Information System

the Ministry of Justice (Article 32ter of the Judicial Code).







(get). Hielke H IJMANS

Chairman of the Disputes Chamber





































































9The petition with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.