APD/GBA (Belgium) - 117/2021

From GDPRhub
Revision as of 12:59, 9 November 2021 by FA (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA (Belgium) - 117/2021
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 9 GDPR
Article 24(1) GDPR
Article 32(1) GDPR
Article 38(3) GDPR
Article 57(1)(f) GDPR
Article 58 WOG
Type: Complaint
Outcome: Rejected
Decided: 22.10.2021
Published: 22.10.2021
Fine: None
Parties: X, complainant
Y, defendant
National Case Number/Name: 117/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Decision 117/2021 (in NL)
Initial Contributor: Matthias Smet

The Belgian DPA dismissed a complaint regarding unsecured contact forms on a hospital website because the complainant had not fill any of these forms, but was pursuing a general public concern without having a personal stake in the case.

English Summary[edit | edit source]

Facts[edit | edit source]

The Complainant in this case was a patient in a Belgian hospital. He noticed that the hospital was using unsecured contact forms on its website. In particular, these forms were sent to the hospital in an unencrypted manner and via an unsecured connection. As a result, the personal data contained in these forms, including sensitive health data, were potentially exposed to the risk of being intercepted by third parties and being read in the network traffic.

The Complainant therefore filed a complaint with the Belgian DPA, considering that such processing was unlawful. On the basis of this complaint, the Inspection Service of the Belgian DPA conducted an investigation. During this investigation, the following (additional) breaches of data protection legislation were identified:

  • the hospital implemented insufficient technical and organisational measures to guarantee the protection of (health) data (Article 32 GDPR);
  • the DPO of the hospital was not directly reporting to the highest management level of within the organization (Article 38(3) GDPR).

Holding[edit | edit source]

Admissibility of the complaint[edit | edit source]

The Belgian Law on the Establishment of the Data Protection Authority states that anybody can file a complaint with the Belgian DPA, provided that all the prescribed conditions in Article 60 of this law are met. In a previous decision, the Belgian DPA had already decided that an additional condition must be fulfilled, namely that the complainant demonstrates that he has sufficient interest.

In a recent case, the Belgium Supreme Court ruled that anyone who believes that their rights under the GDPR have been violated can lodge a complaint with the supervisory authority, even if their personal data have not been processed, given that the refusal to provide personal data resulted in a disadvantage for the data subject (e.g. not being able to use a certain service). According to the Litigation Chamber of the Belgian DPA, the difference in this case was that the Complainant could not prove to have suffered from any disadvantage by refusing to fill in the contact form on the hospital's website, since other alternatives existed to achieve the same objective, such has contacting the hospital via another mean or filling in paper forms.

Since the Complainant was pursuing a general public concern at the time the complaint was filed (i.e. the protection of the privacy rights of everyone who visits the defendant's website and possibly uses the contact forms on the website) without having a personal stake in the case, the DPA dismissed the complaint.

Other issues[edit | edit source]

Since the inspection report revealed a number of shortcomings, the Litigation Chamber still decided to stress in its decision that health data fall within special categories of personal data in the sense of Article 9 GDPR. Therefore, all possible technical and organizational measures should have been taken to protect health data, such as encrypted transmission. Furthermore, and opposite to the results of the investigation, the DPO should have been able to report directly to senior management and be given the opportunity to express a dissenting opinion concerning the processing (Article 38(3) GDPR)

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


                                                                                 Dispute room

                                         Decision on the merits 117/2021 of 22 October 2021

File number : DOS-2020-05264

Subject: Complaint due to unsecured connection to hospital website

The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman and Messrs Dirk Van Der Kelen and Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and concerning the free movement of such data and until the withdrawal of the Directive
95/46/EC (General Data Protection Regulation), hereinafter GDPR;

In view of the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter WOG;

Having regard to the internal rules of procedure, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on

January 15, 2019;

Having regard to the documents in the file;

has taken the following decision regarding:

The complainant: X, hereinafter referred to as “the complainant”; .

The Defendant: Y, (formerly called [..]), hereinafter “the Defendant”; Decision on the merits 117/2021 - 2/12

I. Facts procedure

            1. On 14 November 2021, the complainant lodged a complaint with the

                Data Protection Authority against Defendant.

            2. The complainant is a patient at the hospital of the defendant. The subject of the complaint

                concerns the fact that the website (…), which belongs to the defendant, was used

                made of a contact form and a form for the ombudsman service of the

                Hopital. The form that could be filled in by the website visitors, according to

                complainant are sent to the hospital in an unencrypted manner. By using

                making an unsecured connection, third parties could, according to the complainant,

                taking the (health) data.

            3. On November 16, 2021, the complaint will be declared admissible by the Frontline Service on

                pursuant to Articles 58 and 60 WOG and the complaint pursuant to art. 62 § 1 WOG

                submitted to the Disputes Chamber.

            4. On December 16, 2020, in accordance with art. 96, §1 WOG the request of the

                Dispute chamber to conduct an investigation transferred to the

                Inspection service, together with the complaint and the inventory of the documents.

            5. The inspection will be completed by the Inspectorate on January 26, 2020, it will be

                report attached to the file and the file is reviewed by the Inspector General

                forwarded to the Chairman of the Disputes Chamber (art.91, §1 and §2 WOG). The report

                contains findings with regard to the subject matter of the complaints, decision that there is

                of infringements of Article 32(1), (2) and (4) of the GDPR and of 24(1) of the GDPR

                due to taking insufficient measures to ensure the safety of the

                (special) personal data which are processed via the defendant's website


            6. The report also contains findings that go further than the object of the complaint.

                The Inspectorate determines, in broad terms, that there have been infringements of the articles

                24 paragraph 1, 38 paragraphs 1 and 3 and to Article 39 of the GDPR due to the provision of advice

                by the data protection officer to the general manager and not to the

                board of directors while this body is the highest management within the organization of

                defendant. According to the Inspectorate, the information and advice provided by the

                Data Protection Officer has provided pursuant to Article 38(1) Decision on the substance 117/2021 - 3/12

    and Article 39 of the GDPR on the security measures for the website (…)

    insufficiently convincing.

7. On April 7, 2021, the Disputes Chamber will decide on the basis of art. 95, §1, 1° and art. 98 WOG dat

    the file is ready for treatment on the merits.

8. The Disputes Chamber decides on the file on the basis of the report of the Inspectorate

    to be divided into two separate cases:

9. Pursuant to art. 92, 1° WOG, the Disputes Chamber will make a decision on the merits with

    relating to the subject matter of the complaint.

10. Pursuant to art. 92, 3° WOG, the Disputes Chamber will make a decision on the merits according to

    as a result of the findings made by the Inspectorate outside the

    scope of the complaint.

11. On 7 April 2021, the concerned parties will be notified of the provisions as

    mentioned in article 95, §2, as well as of those in art. 98 WOG. They are also, on the basis of

    art. 99 WOG of the time limits for submitting their defences.

12. With regard to the findings as to the subject-matter of the complaint, the

    deadline for receipt of the defendant's response

    laid down on 19 May 2021, this for the complainant's reply on 9 June 2021

    and, finally, those for the defendant's statement of reply on June 30, 2021.

13. On 9 April 2021, the complainant requests a copy of the file (art. 95, §2, 3° WOG), which

    it was transferred on April 12, 2021.

14. On 11 May 2021, the complainant electronically accepts all communication regarding the case and

    he indicates that he wishes to make use of the opportunity to be heard,

    in accordance with article 98 WOG.

15. On April 20, 2021, the defendant electronically accepts all communications regarding the case

    and expresses his wish to make use of the opportunity to be heard,

    in accordance with article 98 WOG.

16. On 19 May 2021, the Disputes Chamber will receive the statement of defense from the

    defendant with regard to the findings with regard to the subject matter of the Decision on the merits 117/2021 - 4/12

    complaint. Defendant argues that the protection of personal data is becoming sufficient

    guaranteed by the statutory duty of confidentiality as well as by the

    labor regulations, provisions regarding confidentiality, minimum

    data processing and purpose limitation. Therefore, the defendant argues that only data

    may be processed to the extent necessary to achieve the intended purpose.

    According to the work regulations, failure to comply with the aforementioned provisions

    sanctions. According to the defendant, the complainant does not demonstrate that personal data, which

    relating to him, have been processed via the (non-secure) website. To previous

    reason there is no requisite interest in filing a complaint. The Inspectorate refers

    in its report to another file vis-à-vis the defendant. Defendant points out that no

    to have knowledge of the contents of the aforementioned file; that is why that file is in

    irrelevant in the present case.

17. According to the defendant, Article 24 paragraph 1 GDPR has indeed been implemented. First of all

    Defendant indicates that he has started a project with the ultimate goal of ISO27001

    certification. According to the defendant, this certification can be regarded as the

    global standard for information security. Second, according to the defendant,

    from the various agreements it has concluded with processors of

    personal data that a detailed analysis has been carried out with regard to the

    personal data to be processed in the context of the various

    processing agreements. The processor must also always complete a questionnaire

    after which information security and data protection are evaluated and

    appropriate measures are taken.

18. In addition, according to the defendant, the Inspectorate incorrectly establishes that the

    confidentiality obligation by the hospital as a controller not

    is complied with nor has it been demonstrated that violations of the

    confidentiality obligations can be effectively sanctioned. According to

    defendant has indeed been sanctioned and in case of violation of the

    professional secrecy by a doctor, even dismissal is possible. According to the defendant, the

    Inspectorate does not indicate that there is actually personal data, let alone

    health data, is processed via the non-secure form on the website.

    According to the defendant, it has also not been demonstrated that unauthorized persons have gained access

    to the aforementioned data. Defendant indicates already on December 22, 2020

    decided of its own accord to delete the contact forms.

    Defendant is a not-for-profit association and at the time of filing it was called

    of the complaint [..]. Subsequently, the institution expanded its activities with a

    rehabilitation center. Since then it continues under the name Y. Decision on the merits 117/2021 - 5/12

19. The defendant is of the opinion that it also meets the requirements of Articles 24 and 32 GDPR

    complies with the internal systems used

    within the hospital. Since there is a link between the hospital's website

    on the one hand and the internal systems on the other hand, according to the defendant, a choice has been made for a

    “two-factor” authentication. According to the defendant, it is apparent from the foregoing, among other things, that

    adequate security measures have been taken.

20. One of the findings of the Inspectorate outside the scope of the complaint is that the

    data protection officer would not have issued advice and would not

    have reported to the highest body within the institution on the

    security measures within the hospital. Defendant believes at all times

    have been aware of the importance of the data protection officer and

    has therefore always called upon the data protection officer.

    According to the defendant, the foregoing is apparent, among other things, from the fact that the officer always

    is closely involved in cases where a processing agreement is concluded

    between the defendant and its processors. The officer is also consulted and

    involved in the construction of the new website in order to be sure that future

    processing via the website complies with the legal provisions, according to the defendant.

    In addition, the data protection officer is part of the

    so-called Information Security Committee which has a preparatory and advisory role

    acts towards the executive committee regarding privacy matters within the

    Hopital. According to the defendant, the general manager is indeed the highest

    managerial authority within the hospital

    of a violation of Article 38 (3) GDPR.

21. In addition, the defendant submits that it was never the intention that the

    contact forms on the website would serve to exchange health data

    to switch. After all, the electronic patient file is strictly secured, according to

    defendant. According to the defendant, there is also no processing of

    personal data on a large scale through the contact forms, as determined by

    the Inspection Service. Defendant points out that it should not be overlooked that

    a form could be filled in on the website which ends up at the

    ombudsman service and is therefore separate from the patient file. Defendant requests

    take into account a number of mitigating circumstances, namely that there is no

    personal data have been consulted by third parties in unauthorized ways and that, when

    personal data end up in the hospital or on the hospital's servers, the

    institution makes every effort to keep that data very secure. Decision on the merits 117/2021 - 6/12

22. Defendant indicates that it is aware that a security certificate for the

    web form should have been implemented faster when pointed out.

    However, as yet it has not been shown that damage has occurred in respect of

    person concerned. There has been no unauthorized access to

    personal data.

23. In addition, some key employees have been cut off due to the pandemic, causing

    there has been a delay in integrating certain measures. The defendant is not

    previously convicted of GDPR violations and started a project with as

    ultimate goal of obtaining an ISO 27001 certification and asks to take into account

    the aforesaid elements as mitigating circumstances.

24. On 14 June 2021, the Disputes Chamber will receive the statement of reply from the complainant, which

    concerns the findings with regard to the subject matter of the complaint. The complainant is from

    believes that the change in the structure and composition of the hospital does not matter

    could have resulted in the website not complying with the principles of data processing.

    After all, the GDPR already came into effect in 2018, as a result of which the defendant has already been inactive for two years

    is a violation of the GDPR. In response to the defendant's argument that visitors do not

    are obliged to use the contact form, the complainant submits that there is

    website visitors cannot be expected to exercise caution when filling out

    an online contact form that is facilitated by the defendant. Now there use

    is made from a form, the connection of the website must be secured. Which

    according to the complainant, obligations of confidentiality apply to the employees, it is also irrelevant,

    now the personal data sent via the contact form is unsecured

    and are exposed to the risk of being intercepted by third parties and

    read in the network traffic. The complainant shares the view of the respondent that he does not

    would have no interest in submitting a complaint. After all, the form is online

    without this being secured and can be filled in and sent by anyone. It's possible

    according to the complainant, it is not the intention that he should track down those involved who

    have completed the form and then ask them to submit a complaint to the


25. On 26 July 2021, the parties will be notified that the hearing will be

    take place on October 4, 2021.

26. On October 4, 2021, the defendant will be heard by the Disputes Chamber. Although

    duly summoned and confirmation that they would be present, the complainant did not appear. Decision on the merits 117/2021 - 7/12

            27. On October 11, 2021, the minutes of the hearing will be sent to the parties


            28. On October 18, 2021, the Disputes Chamber will receive the following from the defendant:

                comments with regard to the official report: the defendant has at the hearing

                indicated that the new website is currently online and indicated that the

                data protection officer reports to the audit committee composed of

                a representation of the Board of Directors.

II. Admissibility of complaint

            29. The Disputes Chamber first examines the question of whether the complaint is admissible. Defendant

                argues that the complainant has no interest in complaining about the website and the

                contact form of the defendant because there is no processing of his

                personal data by the defendant. For this reason, according to the defendant, the complaint

                be declared inadmissible or unfounded.

            30. Article 58 WOG provides: “Anyone may submit a complaint in writing, dated and signed”

                or submit a request to the Data Protection Authority”. In accordance with article 60,

                Paragraph 2 WOG, a complaint is admissible if it: -is drawn up in one of the national languages;

                -contains a statement of the facts, as well as the necessary indications for the identification of

                the processing to which it relates; -it falls under the jurisdiction of the

                Data Protection Authority”.

            31. The Disputes Chamber has considered as follows in a previous decision regarding this

                matter :

                    “While the GDPR approaches the 'complaint' from the point of view of the data subject, the

                    impose obligations on supervisory authorities when a person makes a complaint

                    submits (see Articles 57, 1., f) and 77 of the GDPR), the GDPR does not prevent the national

                    right to give persons other than the data subjects the opportunity to lodge a complaint

                    should be submitted to the national supervisory authority. The possibility of such

                    pending furthermore corresponds to the assignments imposed by the GDPR

                    the control authorities are assigned

                    each control authority for: the monitoring and enforcement of the application of the

                    GDPR (Article 57, 1., a) GDPR), and the performance of all other tasks related to Decision on the merits 117/2021 - 8/12

                     with the protection of personal data (Article 57, 1., v) GDPR).” The condition is

                     that the complainant appears to have sufficient interest.

             32. The complainant indicated in the complaint form that he searched the website for the

                 data from his treating physician and then noted that an unsecured

                 connection was used for both the website and the contact forms. However, there is not

                 it appears that the complainant's data has been processed.

             33. Superfluously, the Disputes Chamber refers in this regard to a recent decision by the Court of

                 Supreme Court judgment. In that judgment, the Court of Appeal ruled that any person involved who

                 believes there has been an infringement of its rights under the GDPR make a complaint

                 can file with the supervisory authority. However, data subjects whose

                 personal data have not been processed in certain cases file a complaint. The

                 however, this is subject to the condition that this data subject receives a certain advantage or a certain

                 has not been able to obtain service because due to the existence of the alleged

                 infringing practice, has refused to consent to the processing. In this case 2

                 cannot be argued, according to the Dispute Chamber, that there was non-use

                 of a service, now that there were also other options such as telephone

                 contact or filling in the forms on the spot.

             34. The complainant did not appear at the hearing, as a result of which the Disputes Chamber did not

                 explanation from the complainant. Based on the description of the

                 complaint by the complainant and the documents submitted, the Disputes Chamber must determine that

                 when submitting the complaint, the complainant pursued a general public interest existing

                 from the protection of the privacy rights of anyone who uses the website of the defendant

                 visits and possibly uses the contact forms on the website. the complainant

                 has not shown that it has any personal interest. The fact that he

                 was a patient of the relevant hospital in the given circumstances, in which not

                 it appears that his personal data has been processed via the contact form and neither

                 that he intended to use that contact form, insufficient to do this

                 importance to determine.

2Decision 80/2020 dated 17 December 2020 of the Disputes Chamber. See also decision 30/2020 of the Disputes Chamber.
 Judgment Court of Cassation c.20.0323.N/1 dated 7 October 2021 Decision on the merits 117/2021 - 9/12

            35. After examination of the complaint in the substantive proceedings, it has thus become apparent that the complaint was not

                meets the conditions for admissibility. The Disputes Chamber therefore concludes

                that the complaint is inadmissible and was for lack of personal interest. Therefore

                the Disputes Chamber will process the complaint and the subsequent findings of the

                inspection service within and outside the scope of the complaint are not prevented from

                imposing administrative sanctions. The Disputes Chamber therefore decides to transfer
                go to a technical shutdown.

II. General considerations

    Technical and organizational measures

            36. This does not alter the fact that the Inspection Report reveals a number of shortcomings

                in the way in which the defendant processes data. On the basis of the

                findings in the Inspectorate Report, the Disputes Chamber wishes a number of general

                to devote considerations to the matter of taking sufficient

                security measures to ensure the safe processing of personal data

                guarantee. With this, the Disputes Chamber implements the general assignment of

                the DPA to contribute to a high level of data protection.

            37. Article 24(1) of the GDPR provides: “Taking into account the nature, scope, context and

                the purpose of the processing, as well as with the varying degrees of probability and severity

                risks to the rights and freedoms of natural persons, the processing

                responsible take appropriate technical and organizational measures to

                guarantee and be able to demonstrate that the processing is in accordance with this

                regulation is being implemented. Those measures are evaluated and if necessary


               Article 32(1) of the GDPR provides ”Taking into account the state of the art, the

               implementation costs, as well as the nature, scope, context and

               processing purposes and the likelihood and severity of varying risks to the

               rights and freedoms of individuals, affect the controller and the

               processor takes appropriate technical and organizational measures to

               ensure an appropriate level of security, which, where appropriate, includes the following

               include: a) the pseudonymization and encryption of personal data; b) it

               ability to maintain confidentiality, integrity, availability and

 Dismissal Policy Disputes Chamber of 18 June 2021 under 3.1.A.5 Decision on the merits 117/2021 - 10/12

ensure resilience of processing systems and services; c) the ability to

in the event of a physical or technical incident, the availability of and access to the

restore personal data in a timely manner; d) a procedure for the regular

testing, assessing and evaluating the effectiveness of the technical and

organizational measures to secure the processing.

2. In assessing the appropriate level of security, particular account shall be taken of

account of the processing risks, in particular as a result of the destruction, loss,

modification or unauthorized disclosure of or access to

data transmitted, stored or otherwise processed, either accidentally or


3. Joining an approved code of conduct as referred to in Article 40 or a

approved certification mechanism as referred to in Article 42 can be used as

element to demonstrate that the requirements referred to in paragraph 1 of this Article are met

complied with.

4. The controller and the processor take measures to ensure that

ensure that any natural person acting under the authority of the

controller or of the processor and has access to

personal data, these only on behalf of the controller

processed, unless he is required to do so under Union or Member State law.”

35. According to Article 9 of the GDPR, health data belongs to special

    personal data. Recital 51 of the GDPR defines that data as: ”

    Personal data that are, by their nature, particularly sensitive with regard to the

    fundamental rights and fundamental freedoms deserve specific protection since

    the context of their processing may pose significant risks to the

    fundamental rights and fundamental freedoms.” Therefore, the processing of

    health data should be accompanied by the greatest care and should make every possible

    technical and organizational measures must be taken to protect this data

    to protect. The main task of a hospital is to provide medical care. It

    It is therefore not implausible that patients used these

    contact forms for information about their health situation with the hospital

    to share. In addition, the form for the ombudsman service often serves to:

    express dissatisfaction and complaints, especially about treatment in the

    hospital and which are indirectly related to that medical treatment, resulting in

    often provide health information. Decision on the merits 117/2021 - 11/12

    36. As can be seen from the above articles, the controller is obliged to

        to take the necessary technical and organizational measures in order to guarantee

        that data processing is carried out in accordance with the GDPR.

        Hospitals whose main task is to provide medical care, process on a regular basis

        basic and large amounts of health data. They should therefore be extra vigilant

        and to ensure that this data is processed in accordance with

        the AVG. The Disputes Chamber points out that data relating to health

        (and the transfer thereof) must be sufficiently secured and that the data is therefore

        and, among other things, must be sent from the computer with sufficiently strong encryption

        from the user to the server that serves a website with a form. This is possible

        done by using a security certificate.

    37. In addition to the above, recital 83 of the GDPR provides: “In order to

        ensure security and prevent the processing from infringing these

        regulation, the controller or the processor must comply with the processing

        assess inherent risks and take measures, such as encryption, to

        mitigate risks. Those measures should provide an appropriate level of security, including

        including confidentiality, taking into account the state of the

        technique and the implementation costs compared to the risks and the nature of the

        protect personal data. When assessing data security risks

        attention should be paid to risks arising from

        personal data processing, such as the destruction, loss, alteration,

        unauthorized disclosure or access to the transmitted,

        stored or otherwise processed data, whether accidentally or unlawfully,

        which may lead in particular to physical, material or immaterial damage.”

Reporting by Data Protection Officer

    38. The Data Protection Officer Directive provides the following explanation

        reporting to the most senior manager as referred to in Article 38 paragraph 3:

        ”If the controller or processor makes decisions that are not in the

        line with the General Data Protection Regulation and the advice of the

        data protection officer, the latter should be given the opportunity to

        make dissenting views clear to senior management and those who

        make the decisions. In that regard, Article 38(3) provides that the official

        data protection "reports directly to the highest

        supervisor of the controller or processor". Through such Decision on the merits 117/2021 - 12/12

               direct reporting ensures that senior management (e.g. the board of directors)

               is aware of the advice and recommendations that the official

               data protection provided as part of its mission to

               to inform and advise the controller or the processor. From the

               the text quoted above therefore shows that the official for

               data protection should be able to report directly to the highest

               manager. The Disputes Chamber does not rule out the possibility that this may be the general manager

               inside a hospital

            39. The Disputes Chamber recalls that the accountability obligation laid down in

               Article 5.2 GDPR entails that the controller can demonstrate

               that he complies with the obligations as described in the GDPR.

    IV. Publication of the decision

            40. Given the importance of transparency in the decision-making of the

               Litigation Chamber, this decision is published on the website of the

               Data Protection Authority. However, it is not necessary for the

               identifiers of the parties are disclosed directly.


   the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

   - To dismiss the present complaint pursuant to Article 100 § 1, 1° WOG.

   Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a

   period of thirty days, from the notification, to the Marktenhof, with the

   Data Protection Authority as Defendant.

(get). Hielke Hijmans

Chairman of the Disputes Chamber

 Guidelines for the Data Protection Officer of the Working Group 29, WP 243 rev.01, p. 18