APD/GBA (Belgium) - 60/2024

From GDPRhub
APD/GBA - 60/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 24 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 22.04.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 60/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD (in FR)
Initial Contributor: nzm

The DPA held that a controller failed unlawfully disclosed the data subject's client number in order to consult a public body's database to determine if the data subject could benefit from a preferential price. However, the latter had never made such a request.

English Summary

Facts

On 24 October 2023, the data subject received a notification from a public body stating that, after examination of the documents she had submitted to apply for a price reduction with the controller (a private company) in light of her low income ("social tariff"), it had been concluded that she did not meet the criteria. The data subject was a client of the controller.

On 25 October 2023, the data subject responded, indicating that she had not submitted a request of verification with the public body.

On 26 October 2023, the public body responded that the requests were initiated by the controller and provided a summary of the data subject's file containing all the requests made by the controller. It also informed the data subject that another application was pending and that she should lodge a complaint with the controller if these applications had been made by mistakes.

On the same day, the data subject asked that these applications be closed as she never gave consent for them. A day later, she received a new notification from the public body stating, once again, that she did not meet the criteria.

The data subject lodged a complaint with the Belgian DPA ("APD") against the controller for an unlawful transfer of personal data. On 17 November 2023, the controller's DPO indicated that the controller consulted the public body's database to determine the eligibility of another customer, but mistakenly used the data subject's client number. The controller also explained that the public body misunderstood the data subject's request of 26 October 2023 and thought the latter requested a new check to confirm the first request, which led to two refusal notifications. The controller also argued that there was no disclosure of personal data to the public body, and it was simply a consultation of its database, carried out by the controller.

The data subject indicated that her personal data should have never been in the public body's database in the first place.

Holding

Firstly, under Article 5(1)(f) GDPR, the controller must process data in a manner that ensures appropriate security, including protection against unlawful processing, by using appropriate technical or organisational measures. Secondly, Article 24 GDPR establishes that the controller must implement appropriate technical and orgnaisational measures and review and update them when necessary. Finally, Article 32 GDPR gives a non-exhaustive list of these measures.

The APD noted that the controller acknowledged itself that personal data had been transferred to the public body by error. The DPA held that this illustrates that the controller might have breached Articles 5(1)(f), 24 and 32 GDPR by failing to establish technical and organisational measures such as to prevent personal data from being erroneously communicating a customer's personal data such a large number of times.

Therefore, the APD adopted a warning against the controller. This was a prima facie decision.

Comment

As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller can still demand for a procedure if it does not agree.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/6



                                                                        Litigation Chamber


                                                          Decision 60/2024 of April 22, 2024


File number: DOS-2023-04811


Subject: Complaint relating to the unlawful sharing of personal data without consent

prior



The Litigation Chamber of the Data Protection Authority, made up of Mr.

Hielke HIJMANS, president;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the

protection of natural persons with regard to the processing of personal data and

to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the

data protection), hereinafter “GDPR”;

Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter

“ACL”;


Considering the internal regulations as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;



Has taken the following decision regarding:


The complainant:



The defendant: Y, hereinafter: “the defendant” Decision 60/2024 — 2/6


I. Facts and procedure


 1. On October 26, 2023, the complainant filed a complaint with the Protection Authority

       data (hereinafter “the DPA”) against the defendant party, Y (hereinafter “the

       defendant"), of whom she is a customer.

 2. The subject of the complaint concerns unlawful sharing of personal data by the

       defendant without the consent of the plaintiff to a federal public interest organization

       (hereinafter “Z”), in order to verify its eligibility for “social tariff” status.

 3. On October 24, 2023, the complainant received a notification from Z, indicating that, after review

       of the documents she had submitted to request the social tariff from Y, it had been concluded

       that it did not meet the conditions set out in article (..) (hereinafter “refusal 1 of the TS”).

 4. On October 25, 2023, the defendant reacted to a request from the plaintiff with reference to

       the notification of the “refusal1 of the TS” from “Z”, specifying that she had not submitted a request

       verification at Z.

 5. On October 26, 2023, Z responded to a request from the complainant regarding the verification

       of its status for the social tariff. Z reiterated the information previously communicated,

       in particular by explaining that the verification requests were initiated by the

       defendant (Y) and not by Z himself. Z also provided a summary of the file of the
       plaintiff, mentioning all requests made by the defendant, including

       a first request dated 10/16, closed by Zfollowing the email of October 24, 2023, as well

       that a new request “introduced twice by (the defendant) dated 10/25”.

       Finally, Z explained the procedure followed by applicants when requesting

       verification of the conditions for granting the social tariff. Z informed the complainant that another
       request was in progress and that she should file a complaint with the defendant if

       these requests had been submitted in error.


 6. The same day, the complainant requested the closure of all requests for “tariff” status
       social” in her name, because she had never given her consent for such requests.

       She also asked Z to warn the defendant to stop all requests

       similar.


 7. On October 27, 2023, the complainant received further notification from Z stating that, following
       upon examination of the documents she had submitted to request the social rate from Y, it had been

       concluded that it did not meet the necessary conditions (hereinafter “refusal 2 of the TS”). THE

       same day, the plaintiff filed a complaint against the defendant for illicit transfer

       of its data.

 8. On November 17, 2023, the data protection officer (hereinafter “DPO”) of the

       defendant explained to the complainant that Y consulted Z’s database by mistake Decision 60/2024 — 3/6



       to determine eligibility for the social tariff using their customer number, instead of that

       from another customer who had requested it. Following the complainant’s first complaint,
       The complaint was handled by the same customer service agent who misunderstood the

       request and had requested on October 25, 2023 a new verification of the basis of

       data from Z to confirm the first request for eligibility for the social tariff dated 16

       October 2023. These errors led to two refusal notifications from Z. The DPO held

       to clarify that this was not a disclosure of the complainant's personal data

       to Z, but of a consultation carried out by Y, and he apologized for the inconvenience caused.

       The same day, the complainant reiterated that his data should never have been found in

       Z's database.


 9. On November 27, 2023, the complaint was declared admissible by the Front Line Service
                                                       1
       on the basis of articles 58 and 60 of the ACL and the complaint was transmitted to the Chamber
                                                 st 2
       Litigation under article 62, § 1 of the LCA.

 10. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the order regulations

       internal to the DPA, a copy of the file may be requested by the parties. If one of the

       parties wish to make use of the possibility of consulting the file, they are required to

       contact the secretariat of the Litigation Chamber, preferably via the address

       litigationchamber@apd-gba.be.



II. Motivation


 11. The Litigation Chamber notes that article 5.2 of the GDPR provides that any responsible

       processing must be able to demonstrate compliance with the first paragraph of the same

       article (principle commonly called “accountability”).

 12. Point f) of Article 5.1 of the GDPR more specifically provides that the person responsible for

       processing must ensure that “technical or organizational measures are put in place

       "appropriate", that is to say measures capable of guaranteeing sufficient security of

       personal data relating to a data subject, thereby protecting these

       of unauthorized or unlawful processing, and accidental events such as their

       loss or destruction, in particular.


 13. Article 24 of the GDPR specifies that these measures must be subject to review and review.

       updating if necessary, and that they must be adopted with regard to “the nature, the





1
 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been
declared admissible.
2Pursuant to article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following
this complaint, the file was sent to him. Decision 60/2024 — 4/6


       scope, context and purposes of the processing as well as the risks, including the degree of

       probability and severity varies, for the rights and freedoms of natural persons.


 14. Article 32 of the GDPR illustrates – without being exhaustive – this obligation to take measures

       appropriate technical or organizational arrangements, giving the following examples: “a) the
       pseudonymization and encryption of personal data; b) means

       to ensure confidentiality, integrity, availability and resilience

       constants of processing systems and services; c) means enabling

       restore the availability of and access to personal data in

       appropriate deadlines in the event of a physical or technical incident; (d) a procedure aimed at testing,

       to regularly analyze and evaluate the effectiveness of technical measures and

       organizational measures to ensure the security of the processing. »

 15. In the present case, the Litigation Chamber notes that the defendant’s DPO recognized

       itself that the personal data of the complainant were transferred by

       error in Z with three occurrences (see point 8). In this way, it appears that the defendant

       could have disregarded articles 5.1.f), 24 and 32 of the GDPR by not having established

       technical or organizational measures such as to avoid

       communicate in error the personal data of a client such a number of
       times.


 16. The Litigation Chamber considers that on the basis of the above-mentioned facts, there is reason to

       conclude that the defendant may have committed a violation of the provisions of the GDPR, which

       which justifies that in this case, a decision is taken in accordance with article
              er
       95, § 1, ° of the LCA, more precisely the adoption of a warning decision, and this in

       particular seen:

 17. This decision is a prima facie decision taken by the Litigation Chamber

       in accordance with article 95 of the LCA on the basis of the complaint lodged by the complainant,
                                                                         3
       within the framework of the “procedure prior to the substantive decision” and not a decision on the

       merits of the Litigation Chamber within the meaning of article 100 of the LCA.

 18. The purpose of this decision is to inform the defendant, presumed responsible for the

       processing, due to the fact that it may have committed a violation of the provisions of the GDPR,

       in order to enable it to still comply with the aforementioned provisions.

 19. If, however, the defendant does not agree with the content of this decision

       prima facie and considers that it can put forward factual and/or legal arguments which

       could lead to another decision, it may address to the Litigation Chamber a

       request for processing on the merits of the case via the email address litigationchamber@apd-

       gba.be, within 30 days of notification of this decision. The case


3Section 3, Subsection 2 of the LCA (articles 94 to 97 inclusive). Decision 60/2024 — 6/6


Litigation a request for processing on the merits of the case via the email address

litigationchamber@apd-gba.be, within 30 days of notification of this

decision. If applicable, the execution of this decision is suspended for the period


mentioned above.

And, on the other hand, the defendant may lodge an appeal against this decision in accordance with

Article 108, § 1 of the LCA, within 30 days from its notification, to the Court


of Markets (Brussels Court of Appeal), with the Data Protection Authority as a party

defendant. Such an appeal may be introduced by means of an interlocutory request which must
                                                                          5
contain the information listed in article 1034ter of the Judicial Code. The request

interlocutory must be filed at the registry of the Court of Markets in accordance with article

1034quinquies of the C. jud. , or via the e-Deposit information system of the Ministry of Justice

(article 32ter of the Judicial Code).









(sé). Hielke H IJMANS

President of the Litigation Chamber
































5The request contains barely any nullity:
 1° indication of the day, month and year;
 2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or
     Business Number;

 3° the surname, first name, address and, where applicable, the status of the person to be summoned;
 4° the object and summary of the grounds of the request;
 5° indication of the judge who is seized of the request;
 6° the signature of the applicant or his lawyer.
6
  The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court registry.