APD/GBA (Belgium) - 12/2023

From GDPRhub
Revision as of 09:33, 22 February 2023 by Ls (talk | contribs)
APD/GBA - 12/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 6(3) GDPR
Article 12 GDPR
Article 13 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Rejected
Started: 19.11.2020
Decided: 16.02.2023
Published: 17.02.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 12/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: ls

The Belgian DPA found a violation of Articles 12 and 13 GDPR for some data processing operations carried out by a department of the King of Belgium office. However, considered the King's immunity under Belgian law, the DPA declared the complaint inadmissible.

English Summary

Facts

The controller in this case was a department of the King's office that deals with social affairs. A data subject had a dispute with a public authority, more precisely, the Government of the German-speaking Community (hereafter, the "Government") which had only partially responded to his request for information. The data subject wrote several complaint letters to the King. These letters contained personal data: his surname, first name and address. In an attempt to solve the matter, the King's office (controller) that had received these letters transferred them to the Government.

The data subject became aware of such disclosure and subsequently submitted an access request with the controller in accordance with Article 15 GDPR. Among the other things, he specifically inquired about the transfer of his data to the Government. The controller did not respond to his requests. The data subject also doubted the overall lawfulness of the processing. In particular, he argued that the transfer of his data was not necessary, since the controller could have simply interceded with the Government to remind it to respond to the requests for information.

He therefore filed a complaint with the Belgian DPA. During the investigation, the controller argued that the King's Office and its services benefit from the immunity from jurisdiction granted to the King under Article 88 of the Belgian Constitution.

Holding

Lawfulness

The DPA examined the existence of a legal basis on the basis of Article 6(1)(e) GDPR, which requires that the processing operation is carried out in the public interest and that it is necessary for the performance of that task.

On the subject of the public task, the DPA referred to a report which states that the King has a duty to form an opinion on the case brought to his attention. The controller was part of the King's services and was responsible for the task of dealing with requests for social assistance addressed to the King. Since the data subject sent his request to the King, he must have been aware of the King's possibility to intervene in citizens' requests, the DPA argued.

Regarding the necessity criteria, the DPA recalled that Article 6(3) requires that the purposes of the processing must be necessary for the performance of a task carried out in the public interest. Referring to the case law of the CJEU, the DPA also recalled that if there are realistic and less intrusive alternatives, the processing is not "necessary". In this case, the DPA considered that the personal data contained in the letter that the controller transferred were related to the explanation of the dispute and that it was not realistic or effective to pseudonymise them. In response to the data subject's view that the controller could have contacted the Government without transferring his data, the DPA considered that this was in contradiction with its aim of effective intervention. It therefore considered that the processing was necessary to resolve the conflict between the data subject and the Government.

On lawfulness, the DPA therefore concluded that there was no breach of Article 5(1)(a) and Article 6(1).

Rights of the data subject

The DPA recalled that compliance with transparency and information provisions is a precondition for the data subjects to exercise their rights. The DPA considered that the controller breached Articles 12 and 13 by not providing information about the processing of the data in the context of requests for help addressed to the King.

As regards the request for access under Article 15, the DPA did not, however, consider this article as violated. It explained that the data subject's request was for the controller to acknowledge his failures to comply with the GDPR and was therefore not valid.

Immunity from jurisdiction

The DPA explained that the King enjoys immunity on the basis of the Belgian Constitution. Whether this immunity extends to his collaborators, however, was controversial. "Despite the absence of an indisputable and irrefutable normative basis to support it, and despite the fact that the right to data protection is a fundamental right", the DPA considered that the majority doctrine was in favor of extending immunity. It therefore declared the complaint inadmissible, noting that this did not remove the illegality of the conduct, and invited the controller to comply with Articles 12 and 13.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.