APD/GBA (Belgium) - 11/2019 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(e) GDPR Article 6(4) GDPR LCA |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 25.11.2019 |
Published: | |
Fine: | 5,000 EUR |
Parties: | Anonymous |
National Case Number/Name: | 11/2019 |
European Case Law Identifier: | n/a |
Appeal: | Unknown Court of Appeal of Brussels (Belgium) |
Original Language(s): | French Dutch |
Original Source: | APD (in FR) GBA (in NL) |
Initial Contributor: | n/a |
The Belgian DPA (APD/GBA) imposed a fine of EUR 5000 for violation of the principle of purpose limitation.
English Summary
Facts
The complainant received a letter from his veterinarian including his personal data (the address) to promote the veterinarian's political campaign for the local election in 2018. The complainant submitted a complaint before the DPA arguing that his personal data was processed by the veterinarian unlawfully. He argued that his personal data was processed for an illegitimate purpose, knowing that the controller used the complainant’s personal address for electoral propaganda purposes.
Dispute
Can a controller who processed personal data in a professional context, re-use the same personal data for political purposes?
Holding
The DPA/GBA confirmed the complainant's arguments and found that the processing carried out by the controller violated Articles 5(1)(b), 5(1)(e) and 6(4) GDPR and imposed a fine accordingly.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the French or Dutch original for more details.
File Number: DOS-2018-03587 Subject: Complaint for failure to delete personal data obtained in the context of an applicationThe Litigation Chamber of the Data Protection Authority, composed of Mr H. Hijmans, President, and Mr D. Van Der Kelen and F. De Smet, Members ;Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the "DGPS");Considering the law of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as the LCA; Considering the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Considering the documents in the file;..... 2/111.Facts and Procedure-On July 10, 2018, the complainant filed a complaint with the Data Protection Authority against the defendant concerning the defendant's failure to act on the request to delete the personal data provided by the complainant in the context of his application to the defendant. In the context of the complainant's exercise of the right to delete data, he received as an answer from the defendant: "The following message is not a mailing but a response to your own application" - On 23 July 2018, the complaint is declared admissible on the basis of Articles 58 and 60 of the ICA, the complainant is informed thereof pursuant to Article 61 of the ICA and the complaint is forwarded to the Disputes Chamber pursuant to Article 62, §1er of the ICA.-On 14 November 2018, the Disputes Chamber decided to request an investigation from the Inspection Service, pursuant to Articles 63, 2° and 94, 1° of the ICA.On 21 November 2018, in accordance with Article 96 § 1 of the ICA, the request of the Litigation Chamber to conduct an investigation was forwarded to the Inspection Service, together with the complaint and the minutes of that decision.On 27 May 2019, the Inspectorate's investigation was closed, the report was attached to the file and it was forwarded by the Inspector General to the President of the Litigation Chamber (Article 91, § 1 and § 2 of the LCA), the report contained findings relating to the subject matter of the complaint and concluded that the defendant had not complied with the obligations relating to the right to erase data (Articles 12.3 and 4 and Article 17 of the RGPD) and contained findings going further than the subject of the complaint. The Inspection Service notes, in general terms, that: 1. the defendant has not complied with the obligations arising from Articles 5.1(e) and 5.2 of the DGPS and Article 6 of the DGPS; 2.the defendant has not complied with the obligations imposed by sections 12.1. and 12.2. of the DGPS and sections 13.1.(b) and 13.2.(b) of the DGPS ;3. the defendant has not complied with the obligations imposed by sections 24.1., 28.1. and 30.1. of the DGPS ; -On 11 June 2019, the Disputes Chamber decides, pursuant to Article 95, § 1, 1° and 98 of the ICA, that the case may be dealt with on the merits. On the basis of the Inspection Service's report, the Litigation Chamber decides to divide the case into two separate cases: 1. pursuant to Article 92, 1° of the ICA, the Litigation Chamber will take a decision on the merits with regard to the subject matter of the complaint2. pursuant to Article 92, 3° of the ICA, the Litigation Chamber will take a decision on the merits following the findings made by the Inspection Service outside the scope of the complaint.-On 13 June 2019, the parties concerned shall be informed by registered mail of the provisions as set out in Article 95 § 2 and Article 98 of the ICA. They are also informed, pursuant to Article 99 of the ICA, of the time limits for submitting their conclusions. For findings relating to the subject matter of the complaint, the deadline for receipt of submissions in response from the complainant was 11 July 2019, and for submissions in response from the respondent was 12 August 2019. With regard to findings going beyond the subject-matter of the complaint, the deadline for receipt of submissions in response to the defendant's complaint has been set at 11 July 2019. 13 June 2019, pursuant to Article 48(2) of the Rules of Procedure, the Inspection Service is informed of the letter sent to the defendant following findings made outside the scope of the complaint.On 21 June 2019, the defendant requests a copy of the file (Article 95, § 2, 3° of the ICA); on 28 June 2019, a copy of the file is sent to the defendant; on 10 July 2019, the Litigation Chamber receives the submissions in response to the defendant's response with regard to findings going beyond the subject of the complaint. On 23 July 2019, new deadlines were set for the submissions on the findings concerning the subject matter of the complaint, since following his change of address, the complainant did not receive the timetable initially set for the submissions. The final date for receiving the submissions in response from the plaintiff has thus been set for 6 August 2019 and the final date for the submissions in response from the defendant for 26 August 2019. -On 21 August 2019, the Litigation Chamber received the Respondent's reply submissions concerning the findings of the Inspection Service relating to the subject matter of the complaint. On 6 September 2019, the parties were informed that the hearing would take place on 17 September 2019. - On 17 September 2019, the parties were heard by the Litigation Chamber. 2. Legal basis - Articles 12.3. and 12.4. of the DSR "3. The controller shall provide the data subject with information on the measures taken in response to a request made pursuant to Articles 15 to 22 as soon as possible and in any event within one month of receipt of the request. If necessary, this time limit may be extended by 2 months, taking into account the complexity and number of requests. The controller shall inform the data subject of such extension within one month of receipt of the request. Where the data subject submits his or her request in electronic form, the information shall be provided by electronic means where possible, unless the data subject requests otherwise. 4. If the controller does not comply with the data subject's request, he or she shall inform the data subject without delay and at the latest within 1 month of receipt of the request of the reasons for his or her inaction and of the possibility of lodging a complaint with a supervisory authority and filing a judicial remedy 5/11-Article 13(2)(b) of the DSR "In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are obtained, with the following additional information necessary to ensure fair and transparent processing: (b) the existence of the right to request the controller to grant access to, rectify or delete personal data, or a limitation of the processing operation relating to the data subject, or the right to object to the processing operation and the right to data portability; - Article 30(1)(d) and (g)1. Each controller and, where applicable, the representative of the controller shall keep a record of the processing activities carried out under their responsibility. This register shall include all the following information: (d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations; (g) as far as possible, a general description of the technical and organisational security measures referred to in Article 32(1). In this Decision, the Litigation Chamber shall only include those provisions of the DGPS for which a breach is established, not the other provisions discussed below. MotivationA. The subject-matter of the complaint essentially concerns the exercise of the complainant's right to erase data. The complaint therefore relates first of all to the alleged violation of Article 17 of the DGPS by the defendant by failing to comply with the request to delete the personal data provided by the complainant in the context of his application. However, since the defendant firmly denies that he ever recorded the complainant's data in his data file and since, for the Litigation Chamber, it has not been demonstrated in any way that these data would still be included, the personal data cannot therefore be erased, as requested by the complainant, and the Litigation Chamber cannot establish a violation of Article 17 of the DGPS, although the Litigation Chamber subsequently examined to what extent the complainant had been informed in accordance with the DGPS requirements. The Respondent acknowledges that the wording of the response to the request for erasure of data could have been clearer. The defendant argues that by the form used, it was meant that the person concerned had received the e-mail in question only in response The Litigation Chamber considers that only unambiguous information on the outcome of the request for erasure of the data can be accepted. In addition, this information must be provided within the time limit set out in Article 12(3) of the DGPS. This deadline was not respected by the defendant. If the controller does not comply with a request to erase the data, he is required to inform the data subject of the reasons for his inaction (Article 12(4) of the DGPS). Rather than stating that it was not possible to delete the complainant's personal data because the data of the data subject would not have been recorded in its data file, the defendant should also have informed the complainant of this element, but this was not done.The Litigation Chamber decides that the violation of Articles 12.3. and 12.4. of the DSR is proven and that the sanction mentioned below is appropriate. B. For each of the Inspection Service's findings going beyond the subject matter of the complaint, the Litigation Chamber examined to what extent it was a violation of the relevant provisions of the DSR.1With regard to the lawfulness of the processing (Article 6 of the DGPS) and liability (Article 5(2) of the DGPS) The Inspection Service states that the defendant does not justify what is or was the legal basis for the collection of personal data from candidates whose data were already in the defendant's database prior to the entry into force of the DGPS, and the defendant replies that all those who have an interesting profile for future missions are included in its database. They have been explicitly informed and have given their unequivocal consent. Since the DGMP came into force, this consent has been requested from candidates at the time they apply. Candidates who were already in the database before the entry into force of the DGPS received a mailing inviting them to give their explicit consent to continue to be included in the database and to be informed of the defendant's privacy statement. A sufficient legal basis therefore clearly underlies the processing operation, namely the consent of the candidates, and no violation of Articles 6 and 5(2) of the DGPS can be established. With regard to the data of candidates that were already included in the database before -With regard to the principle of retention limitation (Article 5.1(e) of the DGPS) The Inspectorate states that the defendant does not justify the need to retain the personal data of the data subject for 10 years after the last use if no contract is concluded; the defendant explains that the retention period of 10 years after the last use corresponds to the limitation period for contractual actions. The database includes not only data of persons who have applied for a specific project and have not been assigned to it, but also of persons who have already been hired for a project and to whom the contractual limitation period applies. For the sake of clarity, the relevant part of the privacy statement has been adapted, as it appears from the documents that the retention period is legitimate and has been sufficiently differentiated between unsuccessful applicants and persons engaged for a particular project, explicitly stating that the 10-year retention period only applies to the latter, no violation of Article 5(1)(e) of the DGPS can be established.2With regard to the transparency of information, communication and modalities for the exercise of the rights of the person concerned (Articles 12.1. and 12.2. of the DGPS) The Inspection Service notes that the defendant's privacy statement includes a disclaimer to limit damage caused by information on the website. The privacy statement also states that the content of the site may be adapted, modified or extended at any time without prior notice or announcement. The defendant claims that its privacy statement concerns the use of the website and has no relation to the rights that can be exercised by the data subjects under the rules on the protection of personal data. The documents submitted by the Respondent indicate that the provisions relating to the use of the website have been included in a separate document and deleted from the privacy statement. The internal procedure in the context of a request by a data subject to unsubscribe has also been included in a written notice, which leads the Litigation Chamber to note that, given the clarifications provided by the defendant, there is no question of any violation of Articles 12.1. and 12.2. of the DGPS. -As regards the information to be provided when personal data are obtained from the data subject (Article 13(1)(b) and Article 13(2)(b) of the DGPS), the Inspection Service notes that the respondent's privacy statement does not mention the contact details of the Data Protection Officer, and the respondent replies that the obligation to appoint a Data Protection Officer does not apply to him. Only one person responsible for privacy issues has been designated. According to the defendant, it would therefore not be necessary to mention the contact details of this person in the privacy statement. However, the defendant has taken steps to ensure that the contact information of the person in question is included in his privacy statement. Since it does not appear from the inspection report that the defendant has an obligation to appoint a data protection officer, the Litigation Chamber therefore considers that there is no violation of Article 13(1)(b) of the DGPS. Although Recommendation No. 04/2017 of 24 May 20171 and the Guidelines for Data Protection Officers 2 indicate that even for organisations that do not fall under the obligation to appoint a Data Protection Officer, it is good practice to appoint such a representative, this is not a legal obligation.With regard to the Inspection Service's finding that the defendant does not mention the right to limit the processing of data, the defendant points out that the necessary steps have meanwhile been taken to also include this right in its declaration of confidentiality, thus acknowledging that the declaration of confidentiality was incomplete on this point, which forces the Litigation Chamber to find a violation of Article 13(1)(b) of the DGPS.3As regards the responsibility of the controller, the relationship with the processor (Articles 24(1) and 28(1) of the DGPS) The Inspection Service notes that when asked for information on the contractual guarantees between it and X, the defendant merely refers to the contract X without giving any justification. It is clear from the contract between the defendant and X that when personal data are received following an application for a job offer published by X at the defendant's request, X acts as a subcontractor for the defendant. Article 1.2. of the Additional Conditions for Advertising contains a description of the parX service, where it appears that X declares that the data are 1Recommendation on the appointment of a Data Protection Officer in accordance with the General Data Protection Regulations (DGPS), in particular the admissibility of combining this function with other functions including that of security advisor.2 Article 29 Group Guidelines, adopted on 13 December 2016 and last revised on 5 April 2017. 9/11 immediately sent to the employer and subject to the employer's confidentiality policy, in this case the defendant, and the fact is that X's General Terms and Conditions contain a separate heading "Additional conditions for data processing by X" specifically guaranteeing that processing by X is carried out in accordance with the obligations of the DGMP, in particular Article 28 of the DGMP. It is clear from Article 1.5 of the "Additional conditions for data processing by X" that this heading is applicable to the contract between the defendant and X. Among other things, it stipulates that X takes all organisational and technical measures to protect the personal data of the data subjects (Article 3(3) of the Additional Conditions for Data Processing by X) and that X guarantees the protection of the rights of the data subjects (Article 3(7) of the Additional Conditions for Data Processing by X).In addition, all this is described in X's privacy statement, which is brought to the attention of the data subject if he or she registers with X. On the basis of the documents submitted by the defendant, the Litigation Chamber decides that it is sufficiently demonstrated that there is no violation of Articles 24.With regard to the register of processing activities (Article 30(1)(d) and (g) of the DGPS), the Inspection Service notes that in the file "GDPR-register" as attached by the defendant, the categories of recipients to whom personal data are or will be provided are missing, as well as a general description of the technical and organisational security measures as defined in Article 32.With regard to the register of processing activities, the defendant points out that a general description of the technical and organisational measures within the meaning of Article 32(1) of the DGPS is only optional (Article 30(1)(g) of the DGPS). As regards the categories of addressees, the defendant acknowledges that they have not been listed, but points out that this is now the case (Article 30(1)(d) of the DGPS).The Litigation Division notes that the defendant did take the necessary steps to put the register of processing activities in order, but that previously it did not meet all the requirements, so that there is a violation of Article 30(1)(d) of the DSR and Article 30(1)(g) of the DSR. As regards technical and organisational measures, these were certainly mentioned in general terms in the adapted version of the register of processing activities, and could be further specified.4 As regards the appointment of the Data Protection Officer (Articles 37.5. and 37.7. of the DGPS) 10/11The Inspection Service notes that the defendant has not complied with the obligations imposed by Articles 37.5. and 37.7. of the DGPS. The Litigation Chamber repeats (see points B.2 above)(pp. 7-8) that since there is no evidence in the file that the respondent has an obligation to appoint a Data Protection Officer and that it therefore has no indication that the respondent would fall within the scope of Article 37(1)(b) or (c) of the DGPS, it considers that there is no breach of Articles 37(5) and 37(7) of the DGPS.All the measures taken by the defendant to respond to the findings made by the Inspection Service which went beyond the subject matter of the complaint lead the Litigation Chamber to consider that the defendant has taken appropriate action on each of these findings in order to remedy the problems identified, with the effect that on these particular points the defendant has brought the data processing for which he is the controller into conformity with the requirements of the DSR. Nevertheless, prior to the adaptations, the violation of Articles 13.2(b), 30.1(d) and 30.1(g) of the DGPS is established and the sanctions set out below must be regarded as appropriate.in determining the nature of the sanctions to be imposed following the violations established in this decision, the Litigation Chamber nevertheless takes into account the fact that the defendant is an undertaking whose activity must be regarded as rather modest. In addition, the Litigation Chamber attaches particular importance to the spirit of collaboration shown by the defendant in order to adapt on points that could be improved, in order to comply more transparently with these points and to act in accordance with the requirements of the DGPS. In this respect, the Complaint Chamber also observes that even before the procedure initiated in the complaint, the defendant had clearly made efforts to process personal data in accordance with the DGPS. -11/11 BY THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation, to impose sanctions concerning the violation of Articles 12.3., 12.4., 13.2.b), 30.1.d) and 30.1.g) of the DGPS: - pursuant to section 100, § 1, 5° of the ICA, issue a reprimand for the violation of sections 12.3., 12.4., 13.2.b), 30.1.d) and 30.1.g) of the DGPS ;-publish this decision on the website of the Data Protection Authority, pursuant to Article 100, § 1, 16° of the VVG, albeit after anonymisation; pursuant to Article 108, § 1 of the Law of 3 December 2017, this decision may be appealed within thirty days of notification to the Court of Contracts, with the Data Protection Authority as respondent