APD/GBA (Belgium) - 12/2023

From GDPRhub
Revision as of 15:04, 22 February 2023 by Fz (talk | contribs) (Made adjustments to the short summary)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - 12/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 6(3) GDPR
Article 12 GDPR
Article 13 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Rejected
Started: 19.11.2020
Decided: 16.02.2023
Published: 17.02.2023
Fine: n/a
Parties: Requests and Social Affairs Department of the King's Office
DPA/GBA
National Case Number/Name: 12/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: ls

The Belgian DPA found violations of Articles 12 and 13 GDPR for data processing operations carried out by an office department of the King of Belgium. However, due to the King's immunity under Belgian law, the DPA declared the complaint inadmissible.

English Summary

Facts

The controller in this case was a department of the King's office that deals with social affairs. A data subject had a dispute with a public authority, more precisely, the Government of the German-speaking Community (hereafter, the "Government") which had only partially responded to his request for information. The data subject wrote several complaint letters to the King. These letters contained personal data: his surname, first name and address. In an attempt to solve the matter, the King's office (controller) that had received these letters transferred them to the Government.

The data subject became aware of such disclosure and subsequently submitted an access request with the controller in accordance with Article 15 GDPR. Among the other things, he specifically inquired about the transfer of his data to the Government. The controller did not respond to his requests. The data subject also doubted the overall lawfulness of the processing. In particular, he argued that the transfer of his data was not necessary, since the controller could have simply interceded with the Government to remind it to respond to the requests for information.

He therefore filed a complaint with the Belgian DPA. During the investigation, the controller argued that the King's Office and its services benefit from the immunity from jurisdiction granted to the King under Article 88 of the Belgian Constitution.

Holding

Lawfulness

The DPA examined the existence of a legal basis on the basis of Article 6(1)(e) GDPR, which requires that the processing operation is carried out in the public interest and that it is necessary for the performance of that task.

On the subject of the public task, the DPA referred to a report which states that the King has a duty to form an opinion on the case brought to his attention. The controller was part of the King's services and was responsible for the task of dealing with requests for social assistance addressed to the King. Since the data subject sent his request to the King, he must have been aware of the King's possibility to intervene in citizens' requests, the DPA argued.

Regarding the necessity criteria, the DPA recalled that Article 6(3) requires that the purposes of the processing must be necessary for the performance of a task carried out in the public interest. Referring to the case law of the CJEU, the DPA also recalled that if there are realistic and less intrusive alternatives, the processing is not "necessary". In this case, the DPA considered that the personal data contained in the letter that the controller transferred were related to the explanation of the dispute and that it was not realistic or effective to pseudonymise them. In response to the data subject's view that the controller could have contacted the Government without transferring his data, the DPA considered that this was in contradiction with its aim of effective intervention. It therefore considered that the processing was necessary to resolve the conflict between the data subject and the Government.

On lawfulness, the DPA therefore concluded that there was no breach of Article 5(1)(a) and Article 6(1).

Rights of the data subject

The DPA recalled that compliance with transparency and information provisions is a precondition for the data subjects to exercise their rights. Noting that a privacy policy was available, the DPA explained that this policy only applied to the personal data of visitors of the website, not to the personal data of data subjects who have sent requests for assistance to the King. By not providing information about the processing of the data in the context of requests for help, the controller breached Articles 12 and 13.

As regards the request for access under Article 15, the DPA did not, however, consider this article as violated. It explained that the data subject's request was for the controller to acknowledge his failures to comply with the GDPR and was therefore not valid.

Immunity from jurisdiction

After noting that the controller failed to comply with Articles 12 and 13, the DPA explained that the King enjoys immunity on the basis of the Belgian Constitution. Whether this immunity extends to his collaborators, however, was controversial. "Despite the absence of an indisputable and irrefutable normative basis to support it, and despite the fact that the right to data protection is a fundamental right", the DPA considered that the majority doctrine was in favor of extending immunity. It therefore declared the complaint inadmissible, noting that this did not remove the illegality of the conduct, and invited the controller to comply with Articles 12 and 13.

Comment

This decision calls for two main comments.

Firstly, regarding the necessity test, the DPA recalled that according to the case law of the CJEU, if there are less intrusive alternatives, the processing is not necessary. It considered that in this case, it was necessary for the resolution of the dispute between the data subject and the Government to transfer the data. As a reminder, this dispute is linked to an access request under Article 15. With a little imagination, one can envisage other less intrusive ways of resolving this problem. For example, the controller could have written a note to the Government pointing out a problem with Article 15 requests and suggest to react.

In §53 of the decision, the DPA added that "it cannot reasonably be expected that the King's Office, in the specific context of the follow-up given to an application for social assistance, will meticulously examine the various possibilities for 'realistic' and least intrusive actions". If it is not up to the controller to determine the least intrusive way of carrying out his or her duties, one wonders who would then be responsible for that.

The second comment concerns the extension of the king's immunity to his collaborators. According to Article 88 of the Constitution, inspired by the English public law principle that 'The king can do no wrong', the king cannot be arrested, prosecuted or tried. As the DPA points out, the extension of this privilege to his advisors or collaborators (who are chosen by the King himself) is not, however, unanimously approved in the doctrine. A part of the doctrine considers indeed that immunities must be interpreted in a strict manner (see Uyttendaele, Trente leçons de droit constitutionnel, p. 661 (Bruylant 2020), Kuty, Principes généraux du droit penal belge – Tome 1 – La loi pénale, p. 471 (Larcier 2018)).

It is therefore surprising that the DPA, a personal data protection body, took position in favor of this extension). Such an extension may lead to a breach of the citizen's fundamental right to data protection. This decision therefore appears conservative and cautious. It will be interesting to follow the reactions that it will provoke.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.