APD/GBA (Belgium) - 115/2023: Difference between revisions
From GDPRhub
mNo edit summary |
m (→Comment) |
||
| Line 71: | Line 71: | ||
The Belgian DPA dismissed the case on ''"policy grounds"'', mainly on the basis that no personal or social impact was caused as a result of the GDPR violations. The DPA notes that ''"in order to evaluate the foregoing'' [complaint] ''... the'' [DPA] ''... takes into account the criteria that European Data Protection Authorities handle processing operations with a 'high risk' within the meaning of Article 35 GDPR."'' | The Belgian DPA dismissed the case on ''"policy grounds"'', mainly on the basis that no personal or social impact was caused as a result of the GDPR violations. The DPA notes that ''"in order to evaluate the foregoing'' [complaint] ''... the'' [DPA] ''... takes into account the criteria that European Data Protection Authorities handle processing operations with a 'high risk' within the meaning of Article 35 GDPR."'' | ||
Firstly, the Belgian DPA created a test of "major social and/or personal impact" as a criteria for evaluating complaints. Moreover, the DPA takes the concept of high risk processing from Article 35 GDPR, which is an article directed at controllers and uses it as a basis for evaluating the | Firstly, the Belgian DPA created a test of "major social and/or personal impact" as a criteria for evaluating complaints. Moreover, the DPA takes the concept of high risk processing from Article 35 GDPR, which is an article directed at controllers and uses it as a basis for evaluating the admissibility of complaints. [[Article 35 GDPR]] imposes an obligation upon controllers to conduct a risk assessment of their processing activities, where the processing is likely to result in a high risk to the rights and freedoms of natural persons (Data protection impact assessment or DPIA). The Belgian DPA has taken the concept of high risk processing and has extended it to its criteria used in evaluating complaints. | ||
Secondly, the Belgian DPA read Article 35 GDPR in line with Article 77 GDPR. The DPA | Secondly, the Belgian DPA read Article 35 GDPR in line with Article 77 GDPR. The DPA interpreted the right to lodge a complaint with a supervisory authority under [[Article 77 GDPR|Article 77 GDPR ]], concluding that the right to lodge a complaint is not absolute. On this point, the Belgian DPA stated that: | ||
''"However, this objective right of complaint does not imply that every complaint can and will be thoroughly investigated by the competent authority, given its intrinsic nature and lack of resources. The Belgian legislator has in this regard explicitly recognised 'the need for theData protection authority to be able to act selectively with a view to an effective and efficient enforcement policy.'"'' | ''"However, this objective right of complaint does not imply that every complaint can and will be thoroughly investigated by the competent authority, given its intrinsic nature and lack of resources. The Belgian legislator has in this regard explicitly recognised 'the need for theData protection authority to be able to act selectively with a view to an effective and efficient enforcement policy.'"'' | ||
| Line 84: | Line 84: | ||
''(General criteria "Your complaint is not detailed enough or is not supported by evidence that could enable the Dispute Chamber to decide whether or not there is a breach of the GDPR AND your complaint has no major social and/or personal impact.”)'' | ''(General criteria "Your complaint is not detailed enough or is not supported by evidence that could enable the Dispute Chamber to decide whether or not there is a breach of the GDPR AND your complaint has no major social and/or personal impact.”)'' | ||
Article 57 GDPR sets out the tasks afforded to supervisory | Article 57 GDPR sets out the tasks afforded to supervisory authorities under the Regulation. A primary task of supervisory authorities is to ''"monitor and enforce the application of this Regulation"'' (Article 57(1)(a) GDPR), therefore there is an obligation upon supervisory authorities to enforce against breaches of the GDPR. Commentators recognise that due to the limited resources afforded to DPAs, DPAs often need to prioritise the complaints brought to them. Hijmans contends that "the need for effectiveness and accountability justifies the conclusion that strategic approaches are not just optional for DPAs but required by the GDPR."<ref>Hijmans, Hielke, ' Article 57 Tasks', in Christopher Kuner and others (eds), ''The EU General Data Protection Regulation (GDPR): A Commentary'' (New York, 2020; online edn, Oxford Academic), <nowiki>https://doi.org/10.1093/oso/9780198826491.003.0099</nowiki>, accessed 6 Sept. 2023.</ref><ref>To note, Prof Dr ''Hielke Hijmans'' is President of the Belgian Data Protection Authority.</ref> Therefore, the evaluation and prioritisation of complaints by the Belgian DPA is not contrary to the GDPR. However, its reliance on Article 35 GDPR to do so, is questionable. | ||
== Further Resources == | == Further Resources == | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
Latest revision as of 06:45, 14 September 2023
| APD/GBA - 115/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 35 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | 04.07.2023 |
| Decided: | 16.08.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 115/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Gegevensbeschermingsautoriteit (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA dismissed a complaint, despite the existence of GDPR violations. The DPA was of the opinion that the breaches did not result in a "major social and/or personal impact," thus the resources required to investigate the complaint would be disproportionate.
English Summary
Facts
The complaint concerned an alleged data breach. The data subject tried to submit a document to his personal profile on the controller's platform twice but it was submitted to his employer's company account instead. The data subject argued that the information incorrectly registered included payment details and the data subject's power of attorney.
On 4 July 2023, the data subject submitted a complaint to the Belgian DPA.
Holding
The Belgian DPA dismissed the case on "policy grounds", mainly on the basis that no personal or social impact was caused as a result of the GDPR violations. The DPA notes that "in order to evaluate the foregoing [complaint] ... the [DPA] ... takes into account the criteria that European Data Protection Authorities handle processing operations with a 'high risk' within the meaning of Article 35 GDPR."
Firstly, the Belgian DPA created a test of "major social and/or personal impact" as a criteria for evaluating complaints. Moreover, the DPA takes the concept of high risk processing from Article 35 GDPR, which is an article directed at controllers and uses it as a basis for evaluating the admissibility of complaints. Article 35 GDPR imposes an obligation upon controllers to conduct a risk assessment of their processing activities, where the processing is likely to result in a high risk to the rights and freedoms of natural persons (Data protection impact assessment or DPIA). The Belgian DPA has taken the concept of high risk processing and has extended it to its criteria used in evaluating complaints.
Secondly, the Belgian DPA read Article 35 GDPR in line with Article 77 GDPR. The DPA interpreted the right to lodge a complaint with a supervisory authority under Article 77 GDPR , concluding that the right to lodge a complaint is not absolute. On this point, the Belgian DPA stated that:
"However, this objective right of complaint does not imply that every complaint can and will be thoroughly investigated by the competent authority, given its intrinsic nature and lack of resources. The Belgian legislator has in this regard explicitly recognised 'the need for theData protection authority to be able to act selectively with a view to an effective and efficient enforcement policy.'"
The Belgian DPA dismissed the complaint as it found a lack of "major social and/or personal impact," a test which the DPA has drawn from Article 35 GDPR. It argued that as a result, there was no reason to further investigate the complaint, despite having acknowledged the existence of prima facie violations of the GDPR.
Comment
https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf
(General criteria "Your complaint is not detailed enough or is not supported by evidence that could enable the Dispute Chamber to decide whether or not there is a breach of the GDPR AND your complaint has no major social and/or personal impact.”)
Article 57 GDPR sets out the tasks afforded to supervisory authorities under the Regulation. A primary task of supervisory authorities is to "monitor and enforce the application of this Regulation" (Article 57(1)(a) GDPR), therefore there is an obligation upon supervisory authorities to enforce against breaches of the GDPR. Commentators recognise that due to the limited resources afforded to DPAs, DPAs often need to prioritise the complaints brought to them. Hijmans contends that "the need for effectiveness and accountability justifies the conclusion that strategic approaches are not just optional for DPAs but required by the GDPR."[1][2] Therefore, the evaluation and prioritisation of complaints by the Belgian DPA is not contrary to the GDPR. However, its reliance on Article 35 GDPR to do so, is questionable.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/6
Litigation room
Decision 115/2023 of 16 August 2023
File number : DOS-2023-02893
Subject : Complaint due to the repeated occurrence of a data breach
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereafter WOG;
Having regard to the rules of internal order, as approved by the Chamber of
Representatives on 20 December 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Having regard to the documents in the file;
Made the following decision regarding:
The complainant: Mr. X, hereinafter “the complainant”
The defendant: Y, hereinafter “the defendant” Decision 115/2023 - 2/6
I. Factual Procedure
1. The object of the complaint concerns the repeated occurrence of a data breach. complainant
wanted to have a document registered on his personal […] user profile, but
the payment request and the actual power of attorney were both initially (incorrectly)
registered on the account of the company […]instead of the personal[…]-
user profile of the complainant as an individual citizen.
The personal data that was available through the […] user profile is at least the
names of the relevant principals and holders of [the document].On the basis of the documents
attached to the complaint, it is unclear whether the contents of [the document] are also available
wash (see below). If this was the case, then the national register number and the
addresses of those involved can be consulted.
2. On July 4, 2023, the complainant submits a complaint to the Data Protection Authority against
defendant.
3. On August 14, 2023, the complaint will be declared admissible by the First Line Service on
pursuant to Articles 58 and 60 of the WOG and the complaint is settled pursuant to Art. 62, § 1 WOG
submitted to the Disputes Chamber.
II. Motivation
4. On the basis of the elements in the file known to the Litigation Chamber, and on the basis
of the powers conferred on it by the legislator pursuant to Article 95, § 1 WOG
assigned, the Litigation Chamber decides on the further follow-up of the file; in this case
the Disputes Chamber will proceed to dismiss the complaint in accordance with Article 95,
§ 1, 3° WOG, on the basis of the following motivation.
5. When a complaint is dismissed, the Disputes Chamber makes its decision
step-by-step motivation and:
- declare a technical dismissal if the file is not sufficient or not sufficient
contains elements that could lead to a conviction, or if there are not enough
there is a prospect of a conviction for a technical impediment,
as a result of which it cannot reach a decision;
- or pronounce a policy dismissal, if despite the presence of elements
which may lead to a sanction, the continuation of the investigation of the
dossier does not seem appropriate in the light of the priorities of the
1Court of Appeal Brussels, Section Marktenhof, 19 Chamber A, Chamber for Market Affairs, Judgment 2020/AR/329, 2 September 2020,
p. 18. Decision 115/2023 - 3/6
Data Protection Authority, as specified and explained in the
dismissal policy of the Litigation Chamber . 2
6. In the present file, the Disputes Chamber proceeds to dismiss the complaint,
based on policy grounds for dismissal. What follows is the basis of the
decision of the Disputes Chamber why it considers it undesirable to take further action
to the file and therefore decides not to proceed, inter alia, with a treatment
ground.
7. First of all, the Disputes Chamber checks, in accordance with its dismissal policy, whether the submitted
complaint contains grievances with a major social and/or personal impact . 4
In order to evaluate the foregoing, the Litigation Chamber takes into account the criteria that
European data protection authorities handle processing operations with a “high
risk” within the meaning of Article 35 GDPR.
In this case, the Disputes Chamber establishes that the processing in question is subject to the complaint
The allegations filed by the complainant prima facie cannot be accommodated
one of the cases listed in Article 35.3 GDPR. 5
8. The Disputes Chamber also takes into account that the principal of [the document] (Z)
does not submit a complaint himself and that the email address used by the complainant refers to the
relevant company (…) which may explain the cause of the error/mistake. although
such an error (particularly if it occurs twice)
is regrettable, the Disputes Chamber is of the opinion that the complaint does not fall under one of the
criteria taken into account to identify major data processing operations
societal and/or personal impact, such as through the
Data Protection Authority described in its dismissal policy. The Dispute Room
weighs the personal consequences of the circumstances of the complaint for the
fundamental rights and freedoms of the complainant against the effectiveness of her
action when it decides whether it considers it appropriate to deal with the complaint further.
9. This does not mean that the Dispute Chamber lawfully determines that there has been no violation
occurred, but that the resources required to deal with the complaint are provided
2
In this regard, the Litigation Chamber refers to its dismissal policy as set out in detail on the website of the GBA:
https://www.dataprotectionauthority.be/publications/sepotbeleid-van-de-geschillenkamer.pdf
3It concerns 3.2.1 (General criteria for gr“Your complaint is not detailed enough or is not supported by evidence
that could enable the Dispute Chamber to decide whether or not there is a breach of the GDPR AND your
complaint has no major social and/or personal impact.”
4Ibid, Section 3.2.1. p. 9.
5A) A systematic and comprehensive assessment of personal aspects of natural persons, which is based on
automated processing, including profiling, and on which decisions are based on which the natural
person have legal consequences or which similarly significantly affect the natural person;
b) Large-scale processing of special categories of personal data as referred to in Article 9(1) or of data
in relation to criminal convictions and offenses referred to in Article 10; or
c) Systematic and large-scale monitoring of publicly accessible spaces. Decision 115/2023 - 4/6
be (possibly) excessive, as the complaint does not involve any major social and/or
6
has a personal impact.
10. In addition, the Disputes Chamber is of the opinion that ground for dismissal B.5 applies.
Since it has already been shown that there does not seem to be a large
social and/or personal impact, the Disputes Chamber only checks whether there is
case, there is sufficient detailed evidence to support a decision of the
Litigation room possible.
11. The complainant informs the Disputes Chamber that access is via the […] user profile
would have been possible until [the] completed [document], but this does not appear as such
from the documents – here only a blank [document] is linked to the […]
user profile. The Disputes Chamber also learns that the complainant is in contact
recorded with the defendant via the online complaint form of […], but none here
further heeded. However, the complainant has not attached a copy of this complaint
and it is therefore unclear to the Litigation Chamber whether the complainant has rights in this complaint
under theGDPR is merely mentioning the alleged dataseemsancillary
measures (the dismissal of the employee in question), independent of the GDPR.
12. Despite the fact that the Disputes Chamber can establish prima facie that there are indeed
breaches of the GDPR have occurred, the Litigation Chamber must take into account
the lack of documentary evidence and the lack of a high existence
personal/social impact conclude that the complaint in this case has not been dealt with
fundamentally required. The Disputes Chamber decides not to act for reasons of expediency
give to the file. Under Article 77 GDPR, every data subject whose
personal data is processed within the territorial scope of the GDPR,
of a complaint law. However, this objective right of complaint does not imply that every complaint is also
can and will be thoroughly investigated by the competent authority, given its intrinsic nature
lack of resources. 7 The Belgian legislator has in this regard “the need for the
Data protection authority to be able to act selectively with a view to a
effective and efficient enforcement policy” explicitly recognized .
13. However, the Litigation Chamber points out that, in the event of the receipt of repeated
similar complaints concerning the same practices/or controller,
a targeted investigation into the data controller concerned is possible
be requested from the Inspection Service of the Data Protection Authority. It itself
6
https://www.dataprotectionauthority.be/publications/sepotpolicy-van-de-geschillenkamer.pdf, section 3.2.2, point
B.5., p. 15.
7cf. Court of Justice EU, Judgment of 16 July 2020, DPC v. Facebook Ireland & Maximillian Schrems, C-311/18, para. 112.
8 Own emphasis in quote, cf. Belgian Chamber of Representatives, Explanatory Memorandum to the
Draft law establishing the Data Protection Authority, Doc. 2648/001 (Parliamentary term 54), available from:
https://www.dekamer.be/kvvcr/showpage.cfm?section=/flwb&language=nl&cfm=/site/wwwcfm/flwb/flwbn.cfm?lang=N&leg
islat=54&dossierID=2648, 51. Decision 115/2023 - 5/6
after all, the repeated occurrence of such an incident may point to an earlier one
systemic violation of Articles 25 and/or 32 GDPR, due to the lack of
appropriate technical and organizational measures to ensure confidentiality and
to ensure the security of personal data.
14. In addition, the Disputes Chamber points to the general obligation cf. article 33 AVG vande
Y to report data leaks to the Data Protection Authority via the appropriate
channel provided in the event that the incident poses risks to the fundamental
rights and freedoms of those involved, although the Disputes Chamber cannot immediately determine
that such risks exist in the present case. Every incident serves
on the other hand, to be included in the incident register provided for this purpose,
in accordance with Article 33.5 GDPR.
III. Publication and communication of the decision
15. Given the importance of transparency with regard to decision-making by the
Litigation Chamber, this decision will be published on the website of the
Data Protection Authority. This will include the personal data of the complainant
anonymized.
16. In accordance with its filing policy, the Litigation Chamber will give the decision to the defendant
9
to transfer . After all, the Disputes Chamber has decided to dismiss its decisions
ex officio notification to the defendants. However, the Disputes Chamber waives it
such notification when the complainant has requested anonymity with respect to it
of the defendant (and the notification of the decision to the defendant, even if
it is pseudonymised, nevertheless makes it possible to inform the complainant
(re)identify . However, that is not the case in the present case.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation,
to dismiss the present complaint pursuant to Article 95, § 1, 3° of the WOG.
9Cf. Title 5 – Will the dismissal of my complaint be published? Will the counterparty be notified?
of the dismissal policy of the Litigation Chamber.
10Ibid. Decision 115/2023 - 6/6
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notification against this decision may be appealed to the Marktenhof (court of
Brussels appeal), with the Data Protection Authority as defendant.
Such an appeal may be made by means of an inter partes petition
must contain the information listed in Article 1034ter of the Judicial Code . It 11
a contradictory petition must be submitted to the Registry of the Market Court
12
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit
IT system of Justice (Article 32ter of the Ger.W.).
To enable the complainant to consider other possible remedies, the
Litigation Chamber the complainant to the explanation in its dismissal policy . 13
(get). Hielke HIJMANS
Chairman of the Litigation Chamber
11 The petition states under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
enterprise number;
3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
summoned;
4° the object and brief summary of the means of the claim;
5° the court before which the action is brought;
6° the signature of the applicant or his lawyer.
12The application with its annex is sent by registered letter, in as many copies as there are parties involved
deposited with the clerk of the court or at the clerk's office.
13Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Litigation Chamber.
- ↑ Hijmans, Hielke, ' Article 57 Tasks', in Christopher Kuner and others (eds), The EU General Data Protection Regulation (GDPR): A Commentary (New York, 2020; online edn, Oxford Academic), https://doi.org/10.1093/oso/9780198826491.003.0099, accessed 6 Sept. 2023.
- ↑ To note, Prof Dr Hielke Hijmans is President of the Belgian Data Protection Authority.
