APD/GBA (Belgium) - 117/2021
|APD/GBA (Belgium) - 117/2021|
|Relevant Law:||Article 9 GDPR|
Article 24(1) GDPR
Article 32(1) GDPR
Article 38(3) GDPR
Article 57(1)(f) GDPR
Article 58 WOG
|National Case Number/Name:||117/2021|
|European Case Law Identifier:||n/a|
|Original Source:||Decision 117/2021 (in NL)|
|Initial Contributor:||Matthias Smet|
The Belgian DPA dismissed a complaint regarding unsecured contact forms on a hospital website because the complainant had not fill any of these forms, but was pursuing a general public concern without having a personal stake in the case.
English Summary[edit | edit source]
Facts[edit | edit source]
The Complainant in this case was a patient in a Belgian hospital. He noticed that the hospital was using unsecured contact forms on its website. In particular, these forms were sent to the hospital in an unencrypted manner and via an unsecured connection. As a result, the personal data contained in these forms, including sensitive health data, were potentially exposed to the risk of being intercepted by third parties and being read in the network traffic.
The Complainant therefore filed a complaint with the Belgian DPA, considering that such processing was unlawful. On the basis of this complaint, the Inspection Service of the Belgian DPA conducted an investigation. During this investigation, the following (additional) breaches of data protection legislation were identified:
- the hospital implemented insufficient technical and organisational measures to guarantee the protection of (health) data (Article 32 GDPR);
- the DPO of the hospital was not directly reporting to the highest management level of within the organization (Article 38(3) GDPR).
Holding[edit | edit source]
Admissibility of the complaint[edit | edit source]
The Belgian Law on the Establishment of the Data Protection Authority states that anybody can file a complaint with the Belgian DPA, provided that all the prescribed conditions in Article 60 of this law are met. In a previous decision, the Belgian DPA had already decided that an additional condition must be fulfilled, namely that the complainant demonstrates that he has sufficient interest.
In a recent case, the Belgium Supreme Court ruled that anyone who believes that their rights under the GDPR have been violated can lodge a complaint with the supervisory authority, even if their personal data have not been processed, given that the refusal to provide personal data resulted in a disadvantage for the data subject (e.g. not being able to use a certain service). According to the Litigation Chamber of the Belgian DPA, the difference in this case was that the Complainant could not prove to have suffered from any disadvantage by refusing to fill in the contact form on the hospital's website, since other alternatives existed to achieve the same objective, such has contacting the hospital via another mean or filling in paper forms.
Since the Complainant was pursuing a general public concern at the time the complaint was filed (i.e. the protection of the privacy rights of everyone who visits the defendant's website and possibly uses the contact forms on the website) without having a personal stake in the case, the DPA dismissed the complaint.
Other issues[edit | edit source]
Since the inspection report revealed a number of shortcomings, the Litigation Chamber still decided to stress in its decision that health data fall within special categories of personal data in the sense of Article 9 GDPR. Therefore, all possible technical and organizational measures should have been taken to protect health data, such as encrypted transmission. Furthermore, and opposite to the results of the investigation, the DPO should have been able to report directly to senior management and be given the opportunity to express a dissenting opinion concerning the processing (Article 38(3) GDPR)
Comment[edit | edit source]
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/12 Dispute room Decision on the merits 117/2021 of 22 October 2021 File number : DOS-2020-05264 Subject: Complaint due to unsecured connection to hospital website The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs Dirk Van Der Kelen and Frank De Smet, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and concerning the free movement of such data and until the withdrawal of the Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; has taken the following decision regarding: The complainant: X, hereinafter referred to as “the complainant”; . . . The Defendant: Y, (formerly called [..]), hereinafter “the Defendant”; Decision on the merits 117/2021 - 2/12 I. Facts procedure 1. On 14 November 2021, the complainant lodged a complaint with the Data Protection Authority against Defendant. 2. The complainant is a patient at the hospital of the defendant. The subject of the complaint concerns the fact that the website (…), which belongs to the defendant, was used made of a contact form and a form for the ombudsman service of the Hopital. The form that could be filled in by the website visitors, according to complainant are sent to the hospital in an unencrypted manner. By using making an unsecured connection, third parties could, according to the complainant, taking the (health) data. 3. On November 16, 2021, the complaint will be declared admissible by the Frontline Service on pursuant to Articles 58 and 60 WOG and the complaint pursuant to art. 62 § 1 WOG submitted to the Disputes Chamber. 4. On December 16, 2020, in accordance with art. 96, §1 WOG the request of the Dispute chamber to conduct an investigation transferred to the Inspection service, together with the complaint and the inventory of the documents. 5. The inspection will be completed by the Inspectorate on January 26, 2020, it will be report attached to the file and the file is reviewed by the Inspector General forwarded to the Chairman of the Disputes Chamber (art.91, §1 and §2 WOG). The report contains findings with regard to the subject matter of the complaints, decision that there is of infringements of Article 32(1), (2) and (4) of the GDPR and of 24(1) of the GDPR due to taking insufficient measures to ensure the safety of the (special) personal data which are processed via the defendant's website guarantee. 6. The report also contains findings that go further than the object of the complaint. The Inspectorate determines, in broad terms, that there have been infringements of the articles 24 paragraph 1, 38 paragraphs 1 and 3 and to Article 39 of the GDPR due to the provision of advice by the data protection officer to the general manager and not to the board of directors while this body is the highest management within the organization of defendant. According to the Inspectorate, the information and advice provided by the Data Protection Officer has provided pursuant to Article 38(1) Decision on the substance 117/2021 - 3/12 and Article 39 of the GDPR on the security measures for the website (…) insufficiently convincing. 7. On April 7, 2021, the Disputes Chamber will decide on the basis of art. 95, §1, 1° and art. 98 WOG dat the file is ready for treatment on the merits. 8. The Disputes Chamber decides on the file on the basis of the report of the Inspectorate to be divided into two separate cases: 9. Pursuant to art. 92, 1° WOG, the Disputes Chamber will make a decision on the merits with relating to the subject matter of the complaint. 10. Pursuant to art. 92, 3° WOG, the Disputes Chamber will make a decision on the merits according to as a result of the findings made by the Inspectorate outside the scope of the complaint. 11. On 7 April 2021, the concerned parties will be notified of the provisions as mentioned in article 95, §2, as well as of those in art. 98 WOG. They are also, on the basis of art. 99 WOG of the time limits for submitting their defences. 12. With regard to the findings as to the subject-matter of the complaint, the deadline for receipt of the defendant's response laid down on 19 May 2021, this for the complainant's reply on 9 June 2021 and, finally, those for the defendant's statement of reply on June 30, 2021. 13. On 9 April 2021, the complainant requests a copy of the file (art. 95, §2, 3° WOG), which it was transferred on April 12, 2021. 14. On 11 May 2021, the complainant electronically accepts all communication regarding the case and he indicates that he wishes to make use of the opportunity to be heard, in accordance with article 98 WOG. 15. On April 20, 2021, the defendant electronically accepts all communications regarding the case and expresses his wish to make use of the opportunity to be heard, in accordance with article 98 WOG. 16. On 19 May 2021, the Disputes Chamber will receive the statement of defense from the defendant with regard to the findings with regard to the subject matter of the Decision on the merits 117/2021 - 4/12 complaint. Defendant argues that the protection of personal data is becoming sufficient guaranteed by the statutory duty of confidentiality as well as by the labor regulations, provisions regarding confidentiality, minimum data processing and purpose limitation. Therefore, the defendant argues that only data may be processed to the extent necessary to achieve the intended purpose. According to the work regulations, failure to comply with the aforementioned provisions sanctions. According to the defendant, the complainant does not demonstrate that personal data, which relating to him, have been processed via the (non-secure) website. To previous reason there is no requisite interest in filing a complaint. The Inspectorate refers in its report to another file vis-à-vis the defendant. Defendant points out that no to have knowledge of the contents of the aforementioned file; that is why that file is in irrelevant in the present case. 17. According to the defendant, Article 24 paragraph 1 GDPR has indeed been implemented. First of all Defendant indicates that he has started a project with the ultimate goal of ISO27001 certification. According to the defendant, this certification can be regarded as the global standard for information security. Second, according to the defendant, from the various agreements it has concluded with processors of personal data that a detailed analysis has been carried out with regard to the personal data to be processed in the context of the various processing agreements. The processor must also always complete a questionnaire after which information security and data protection are evaluated and appropriate measures are taken. 18. In addition, according to the defendant, the Inspectorate incorrectly establishes that the confidentiality obligation by the hospital as a controller not is complied with nor has it been demonstrated that violations of the confidentiality obligations can be effectively sanctioned. According to defendant has indeed been sanctioned and in case of violation of the professional secrecy by a doctor, even dismissal is possible. According to the defendant, the Inspectorate does not indicate that there is actually personal data, let alone health data, is processed via the non-secure form on the website. According to the defendant, it has also not been demonstrated that unauthorized persons have gained access to the aforementioned data. Defendant indicates already on December 22, 2020 decided of its own accord to delete the contact forms. Defendant is a not-for-profit association and at the time of filing it was called of the complaint [..]. Subsequently, the institution expanded its activities with a rehabilitation center. Since then it continues under the name Y. Decision on the merits 117/2021 - 5/12 19. The defendant is of the opinion that it also meets the requirements of Articles 24 and 32 GDPR complies with the internal systems used within the hospital. Since there is a link between the hospital's website on the one hand and the internal systems on the other hand, according to the defendant, a choice has been made for a “two-factor” authentication. According to the defendant, it is apparent from the foregoing, among other things, that adequate security measures have been taken. 20. One of the findings of the Inspectorate outside the scope of the complaint is that the data protection officer would not have issued advice and would not have reported to the highest body within the institution on the security measures within the hospital. Defendant believes at all times have been aware of the importance of the data protection officer and has therefore always called upon the data protection officer. According to the defendant, the foregoing is apparent, among other things, from the fact that the officer always is closely involved in cases where a processing agreement is concluded between the defendant and its processors. The officer is also consulted and involved in the construction of the new website in order to be sure that future processing via the website complies with the legal provisions, according to the defendant. In addition, the data protection officer is part of the so-called Information Security Committee which has a preparatory and advisory role acts towards the executive committee regarding privacy matters within the Hopital. According to the defendant, the general manager is indeed the highest managerial authority within the hospital of a violation of Article 38 (3) GDPR. 21. In addition, the defendant submits that it was never the intention that the contact forms on the website would serve to exchange health data to switch. After all, the electronic patient file is strictly secured, according to defendant. According to the defendant, there is also no processing of personal data on a large scale through the contact forms, as determined by the Inspection Service. Defendant points out that it should not be overlooked that a form could be filled in on the website which ends up at the ombudsman service and is therefore separate from the patient file. Defendant requests take into account a number of mitigating circumstances, namely that there is no personal data have been consulted by third parties in unauthorized ways and that, when personal data end up in the hospital or on the hospital's servers, the institution makes every effort to keep that data very secure. Decision on the merits 117/2021 - 6/12 22. Defendant indicates that it is aware that a security certificate for the web form should have been implemented faster when pointed out. However, as yet it has not been shown that damage has occurred in respect of person concerned. There has been no unauthorized access to personal data. 23. In addition, some key employees have been cut off due to the pandemic, causing there has been a delay in integrating certain measures. The defendant is not previously convicted of GDPR violations and started a project with as ultimate goal of obtaining an ISO 27001 certification and asks to take into account the aforesaid elements as mitigating circumstances. 24. On 14 June 2021, the Disputes Chamber will receive the statement of reply from the complainant, which concerns the findings with regard to the subject matter of the complaint. The complainant is from believes that the change in the structure and composition of the hospital does not matter could have resulted in the website not complying with the principles of data processing. After all, the GDPR already came into effect in 2018, as a result of which the defendant has already been inactive for two years is a violation of the GDPR. In response to the defendant's argument that visitors do not are obliged to use the contact form, the complainant submits that there is website visitors cannot be expected to exercise caution when filling out an online contact form that is facilitated by the defendant. Now there use is made from a form, the connection of the website must be secured. Which according to the complainant, obligations of confidentiality apply to the employees, it is also irrelevant, now the personal data sent via the contact form is unsecured and are exposed to the risk of being intercepted by third parties and read in the network traffic. The complainant shares the view of the respondent that he does not would have no interest in submitting a complaint. After all, the form is online without this being secured and can be filled in and sent by anyone. It's possible according to the complainant, it is not the intention that he should track down those involved who have completed the form and then ask them to submit a complaint to the GBA. 25. On 26 July 2021, the parties will be notified that the hearing will be take place on October 4, 2021. 26. On October 4, 2021, the defendant will be heard by the Disputes Chamber. Although duly summoned and confirmation that they would be present, the complainant did not appear. Decision on the merits 117/2021 - 7/12 27. On October 11, 2021, the minutes of the hearing will be sent to the parties submitted. 28. On October 18, 2021, the Disputes Chamber will receive the following from the defendant: comments with regard to the official report: the defendant has at the hearing indicated that the new website is currently online and indicated that the data protection officer reports to the audit committee composed of a representation of the Board of Directors. II. Admissibility of complaint 29. The Disputes Chamber first examines the question of whether the complaint is admissible. Defendant argues that the complainant has no interest in complaining about the website and the contact form of the defendant because there is no processing of his personal data by the defendant. For this reason, according to the defendant, the complaint be declared inadmissible or unfounded. 30. Article 58 WOG provides: “Anyone may submit a complaint in writing, dated and signed” or submit a request to the Data Protection Authority”. In accordance with article 60, Paragraph 2 WOG, a complaint is admissible if it: -is drawn up in one of the national languages; -contains a statement of the facts, as well as the necessary indications for the identification of the processing to which it relates; -it falls under the jurisdiction of the Data Protection Authority”. 31. The Disputes Chamber has considered as follows in a previous decision regarding this matter : “While the GDPR approaches the 'complaint' from the point of view of the data subject, the impose obligations on supervisory authorities when a person makes a complaint submits (see Articles 57, 1., f) and 77 of the GDPR), the GDPR does not prevent the national right to give persons other than the data subjects the opportunity to lodge a complaint should be submitted to the national supervisory authority. The possibility of such pending furthermore corresponds to the assignments imposed by the GDPR the control authorities are assigned each control authority for: the monitoring and enforcement of the application of the GDPR (Article 57, 1., a) GDPR), and the performance of all other tasks related to Decision on the merits 117/2021 - 8/12 with the protection of personal data (Article 57, 1., v) GDPR).” The condition is that the complainant appears to have sufficient interest. 32. The complainant indicated in the complaint form that he searched the website for the data from his treating physician and then noted that an unsecured connection was used for both the website and the contact forms. However, there is not it appears that the complainant's data has been processed. 33. Superfluously, the Disputes Chamber refers in this regard to a recent decision by the Court of Supreme Court judgment. In that judgment, the Court of Appeal ruled that any person involved who believes there has been an infringement of its rights under the GDPR make a complaint can file with the supervisory authority. However, data subjects whose personal data have not been processed in certain cases file a complaint. The however, this is subject to the condition that this data subject receives a certain advantage or a certain has not been able to obtain service because due to the existence of the alleged infringing practice, has refused to consent to the processing. In this case 2 cannot be argued, according to the Dispute Chamber, that there was non-use of a service, now that there were also other options such as telephone contact or filling in the forms on the spot. 34. The complainant did not appear at the hearing, as a result of which the Disputes Chamber did not explanation from the complainant. Based on the description of the complaint by the complainant and the documents submitted, the Disputes Chamber must determine that when submitting the complaint, the complainant pursued a general public interest existing from the protection of the privacy rights of anyone who uses the website of the defendant visits and possibly uses the contact forms on the website. the complainant has not shown that it has any personal interest. The fact that he was a patient of the relevant hospital in the given circumstances, in which not it appears that his personal data has been processed via the contact form and neither that he intended to use that contact form, insufficient to do this importance to determine. 1 2Decision 80/2020 dated 17 December 2020 of the Disputes Chamber. See also decision 30/2020 of the Disputes Chamber. Judgment Court of Cassation c.20.0323.N/1 dated 7 October 2021 Decision on the merits 117/2021 - 9/12 35. After examination of the complaint in the substantive proceedings, it has thus become apparent that the complaint was not meets the conditions for admissibility. The Disputes Chamber therefore concludes that the complaint is inadmissible and was for lack of personal interest. Therefore the Disputes Chamber will process the complaint and the subsequent findings of the inspection service within and outside the scope of the complaint are not prevented from imposing administrative sanctions. The Disputes Chamber therefore decides to transfer 3 go to a technical shutdown. II. General considerations Technical and organizational measures 36. This does not alter the fact that the Inspection Report reveals a number of shortcomings in the way in which the defendant processes data. On the basis of the findings in the Inspectorate Report, the Disputes Chamber wishes a number of general to devote considerations to the matter of taking sufficient security measures to ensure the safe processing of personal data guarantee. With this, the Disputes Chamber implements the general assignment of the DPA to contribute to a high level of data protection. 37. Article 24(1) of the GDPR provides: “Taking into account the nature, scope, context and the purpose of the processing, as well as with the varying degrees of probability and severity risks to the rights and freedoms of natural persons, the processing responsible take appropriate technical and organizational measures to guarantee and be able to demonstrate that the processing is in accordance with this regulation is being implemented. Those measures are evaluated and if necessary updated.” Article 32(1) of the GDPR provides ”Taking into account the state of the art, the implementation costs, as well as the nature, scope, context and processing purposes and the likelihood and severity of varying risks to the rights and freedoms of individuals, affect the controller and the processor takes appropriate technical and organizational measures to ensure an appropriate level of security, which, where appropriate, includes the following include: a) the pseudonymization and encryption of personal data; b) it ability to maintain confidentiality, integrity, availability and 3 Dismissal Policy Disputes Chamber of 18 June 2021 under 3.1.A.5 Decision on the merits 117/2021 - 10/12 ensure resilience of processing systems and services; c) the ability to in the event of a physical or technical incident, the availability of and access to the restore personal data in a timely manner; d) a procedure for the regular testing, assessing and evaluating the effectiveness of the technical and organizational measures to secure the processing. 2. In assessing the appropriate level of security, particular account shall be taken of account of the processing risks, in particular as a result of the destruction, loss, modification or unauthorized disclosure of or access to data transmitted, stored or otherwise processed, either accidentally or unlawful.” 3. Joining an approved code of conduct as referred to in Article 40 or a approved certification mechanism as referred to in Article 42 can be used as element to demonstrate that the requirements referred to in paragraph 1 of this Article are met complied with. 4. The controller and the processor take measures to ensure that ensure that any natural person acting under the authority of the controller or of the processor and has access to personal data, these only on behalf of the controller processed, unless he is required to do so under Union or Member State law.” 35. According to Article 9 of the GDPR, health data belongs to special personal data. Recital 51 of the GDPR defines that data as: ” Personal data that are, by their nature, particularly sensitive with regard to the fundamental rights and fundamental freedoms deserve specific protection since the context of their processing may pose significant risks to the fundamental rights and fundamental freedoms.” Therefore, the processing of health data should be accompanied by the greatest care and should make every possible technical and organizational measures must be taken to protect this data to protect. The main task of a hospital is to provide medical care. It It is therefore not implausible that patients used these contact forms for information about their health situation with the hospital to share. In addition, the form for the ombudsman service often serves to: express dissatisfaction and complaints, especially about treatment in the hospital and which are indirectly related to that medical treatment, resulting in often provide health information. Decision on the merits 117/2021 - 11/12 36. As can be seen from the above articles, the controller is obliged to to take the necessary technical and organizational measures in order to guarantee that data processing is carried out in accordance with the GDPR. Hospitals whose main task is to provide medical care, process on a regular basis basic and large amounts of health data. They should therefore be extra vigilant and to ensure that this data is processed in accordance with the AVG. The Disputes Chamber points out that data relating to health (and the transfer thereof) must be sufficiently secured and that the data is therefore and, among other things, must be sent from the computer with sufficiently strong encryption from the user to the server that serves a website with a form. This is possible done by using a security certificate. 37. In addition to the above, recital 83 of the GDPR provides: “In order to ensure security and prevent the processing from infringing these regulation, the controller or the processor must comply with the processing assess inherent risks and take measures, such as encryption, to mitigate risks. Those measures should provide an appropriate level of security, including including confidentiality, taking into account the state of the technique and the implementation costs compared to the risks and the nature of the protect personal data. When assessing data security risks attention should be paid to risks arising from personal data processing, such as the destruction, loss, alteration, unauthorized disclosure or access to the transmitted, stored or otherwise processed data, whether accidentally or unlawfully, which may lead in particular to physical, material or immaterial damage.” Reporting by Data Protection Officer 38. The Data Protection Officer Directive provides the following explanation reporting to the most senior manager as referred to in Article 38 paragraph 3: ”If the controller or processor makes decisions that are not in the line with the General Data Protection Regulation and the advice of the data protection officer, the latter should be given the opportunity to make dissenting views clear to senior management and those who make the decisions. In that regard, Article 38(3) provides that the official data protection "reports directly to the highest supervisor of the controller or processor". Through such Decision on the merits 117/2021 - 12/12 direct reporting ensures that senior management (e.g. the board of directors) is aware of the advice and recommendations that the official data protection provided as part of its mission to to inform and advise the controller or the processor. From the the text quoted above therefore shows that the official for data protection should be able to report directly to the highest manager. The Disputes Chamber does not rule out the possibility that this may be the general manager inside a hospital 39. The Disputes Chamber recalls that the accountability obligation laid down in Article 5.2 GDPR entails that the controller can demonstrate that he complies with the obligations as described in the GDPR. IV. Publication of the decision 40. Given the importance of transparency in the decision-making of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for the identifiers of the parties are disclosed directly. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - To dismiss the present complaint pursuant to Article 100 § 1, 1° WOG. Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a period of thirty days, from the notification, to the Marktenhof, with the Data Protection Authority as Defendant. (get). Hielke Hijmans Chairman of the Disputes Chamber 4 Guidelines for the Data Protection Officer of the Working Group 29, WP 243 rev.01, p. 18