APD/GBA (Belgium) - 128/2023: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=128/2023 |ECLI= |Original_Source_Name_1=Autorité de protection des données |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-128-2023.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Sour...")
 
mNo edit summary
 
(2 intermediate revisions by the same user not shown)
Line 71: Line 71:
}}
}}


The Belgian DPA ordered, based on [[Article 58 GDPR#2c|Article 58(2)(c)]], a controller to comply with a request for information in line with [[Article 15 GDPR#1|Article 15(1)]] and erasure in line with [[Article 17 GDPR#1|Article 17(1)]] after the controller failed to reply to an access request.
The Belgian DPA ordered a controller to comply with an access request under [[Article 15 GDPR#1|Article 15(1)]] GDPR and an erasure request under [[Article 17 GDPR#1|Article 17(1)]] GDPR, after the controller failed to facilitate the requests.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject had contacted the controller (a real estate agent), after receiving direct marketing from her, to request how she received his contact information and the erasure of his personal data. The controller did not respond to the data subject.  
On 10 June 2023, the data subject received an email from a real estate agent (the controller). On the same day, the data subject replied to this email requesting explicilty for the controller to notify him of (a) the person or company who transmitted his data, and (b) requested that all of the data related to him be erased. The controller did not respond to the data subject. The controller claimed to have received the data subject's information from a source they knew but refused to disclose, and instead stressed that every email included the option to opt-out.  


The controller claimed to have received the data subject's information from a source she knowns, but does not want to share. She stressed that every e-mail has the option to opt-out.
On 2 August 2023, the data subject filed a complaint with the Belgian DPA.


=== Holding ===
=== Holding ===
The DPA ordered, based on [[Article 58 GDPR#2c|Article 58(2)(c)]], the controller to comply with the request for information in line with [[Article 15 GDPR#1|Article 15(1)]] and erasure in line with [[Article 17 GDPR#1|Article 17(1)]].
The DPA made an order under [[Article 58 GDPR#2c|Article 58(2)(c)]] for the controller to comply with the data subject's requests under [[Article 15 GDPR|Article 15(1) GDPR]] and [[Article 17 GDPR|Article 17(1) GDPR]].


The DPA concluded a prima facie breach of [[Article 15 GDPR|Article 15]] and [[Article 17 GDPR|Article 17]] in combination with [[Article 12 GDPR#3|Article 12(3)]] and [[Article 12 GDPR#4|Article 12(4)]].
Firstly, [[Article 15 GDPR#1|Article 15(1)]] GDPR provides data subjects with the right to access personal data concerning them and infromation relating to it, from a controller In particular, Article 15(1)(g) provides that a data subject is entitled to information concerning the source of data "where personal data are not collected form the data subject..." 
 
Secondly, [[Article 17 GDPR|Article 17(1) GDPR]] establishes the right of erasure, which grants data subjects the right to request that all data concerning them are erased by the controller. 
 
Lastly, the DPA concluded a prima facie breach of [[Article 15 GDPR]] and [[Article 17 GDPR]] in combination with [[Article 12 GDPR|Article 12(3) GDPR]] and [[Article 12 GDPR|Article 12(4) GDPR]], because the controller did not facilitate the request for data access and erasure.
 
Article 12(3) GDPR provides a time limit of 1 month for controllers to facilitate requests made under Articles 15 - 22 GDPR, and Article 12(4) GDPR notes that if the controller does not take action within the prescribed time frame, they must inform the data subject of why they did not take action and the data subject's ability to lodge a complaint with a supervisory authority. The controller did neither, thus the DPA additionally found a breach of Articles 12(3) and 12(4) GDPR.  


== Comment ==
== Comment ==

Latest revision as of 09:19, 13 September 2023

APD/GBA - 128/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 15 GDPR
Article 15(1) GDPR
Article 17 GDPR
Article 17(1) GDPR
Article 58(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 02.08.2023
Decided: 05.09.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 128/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Autorité de protection des données (in FR)
Initial Contributor: Enzo Marquet

The Belgian DPA ordered a controller to comply with an access request under Article 15(1) GDPR and an erasure request under Article 17(1) GDPR, after the controller failed to facilitate the requests.

English Summary

Facts

On 10 June 2023, the data subject received an email from a real estate agent (the controller). On the same day, the data subject replied to this email requesting explicilty for the controller to notify him of (a) the person or company who transmitted his data, and (b) requested that all of the data related to him be erased. The controller did not respond to the data subject. The controller claimed to have received the data subject's information from a source they knew but refused to disclose, and instead stressed that every email included the option to opt-out.

On 2 August 2023, the data subject filed a complaint with the Belgian DPA.

Holding

The DPA made an order under Article 58(2)(c) for the controller to comply with the data subject's requests under Article 15(1) GDPR and Article 17(1) GDPR.

Firstly, Article 15(1) GDPR provides data subjects with the right to access personal data concerning them and infromation relating to it, from a controller In particular, Article 15(1)(g) provides that a data subject is entitled to information concerning the source of data "where personal data are not collected form the data subject..."

Secondly, Article 17(1) GDPR establishes the right of erasure, which grants data subjects the right to request that all data concerning them are erased by the controller.

Lastly, the DPA concluded a prima facie breach of Article 15 GDPR and Article 17 GDPR in combination with Article 12(3) GDPR and Article 12(4) GDPR, because the controller did not facilitate the request for data access and erasure.

Article 12(3) GDPR provides a time limit of 1 month for controllers to facilitate requests made under Articles 15 - 22 GDPR, and Article 12(4) GDPR notes that if the controller does not take action within the prescribed time frame, they must inform the data subject of why they did not take action and the data subject's ability to lodge a complaint with a supervisory authority. The controller did neither, thus the DPA additionally found a breach of Articles 12(3) and 12(4) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/7



                                                                        Litigation Chamber


                                                   Decision 128/2023 of September 5, 2023


File number: DOS-2023-03274


Subject: Complaint relating to the lack of reaction to a request for access and erasure

carried out as part of a real estate canvassing



The Litigation Chamber of the Data Protection Authority, made up of Mr.

Hielke H IJMANS, president;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the

protection of natural persons with regard to the processing of personal data and

to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the

data protection), hereinafter “GDPR”;

Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter

“ACL”;


Considering the internal regulations as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;



Has taken the following decision regarding:


The complainant: .

                                                                                                         .

The defendant: LAGENCE Y, hereinafter: “the defendant”. . Decision 128/2023 — 2/7



I. Facts and procedure


 1. On August 2, 2023, the complainant filed a complaint with the Data Protection Authority.

       data (hereinafter “the DPA”) against the defendant, an agency specializing in the market

       real estate for expatriates in Brussels and its surroundings.

 2. The subject of the complaint concerns the lack of reaction to an access and erasure request

       carried out as part of a real estate canvassing.


 3. On June 10, 2023, the plaintiff receives an email from the defendant in his inbox

       private. This email concerns the rental of your property, identified under the reference

       “…”. This communication is part of a direct canvassing for the rental of

       the plaintiff's apartment. The defendant claims to have collected information about

       potentially interesting goods for its customers, as well as information on
       individuals with whom she would have already collaborated. According to the defendant, the name of the complainant would have

       been quoted by a source known to them, without disclosing the identity of this source. Moreover,

       the defendant emphasizes that the complainant can express his desire to no longer be contacted

       by responding to the same email.


 4. In the context of the complaint, the complainant specifies that he did not make public the rental listing

       of his property, with the exception of a publication on a Facebook group (without mention of his

       mail) and on a professional intranet of an unspecified institution. The approach of the

       defendant surprises him, because she should not have known this information.

 5. Still on June 10, 2023, the plaintiff responded to the defendant by raising two questions;

       He explicitly asks the defendant to reveal the person or company who

       transmitted his data, and he demands that all data concerning him be erased

       immediately. According to the plaintiff, the defendant did not respect the legal deadline of 30

       days to provide an adequate response to his request.


 6. On August 9, 2023, the complaint was declared admissible by the Front Line Service (hereinafter
                                                             1
       “SPL”) on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the Chamber
                                                              2
       Litigation under Article 62, § 1 of the LCA.



II. Motivation


 7. Pursuant to Article 4, § 1 of the LCA, the DPA is responsible for monitoring the principles
       of data protection contained in the GDPR and other laws containing

       provisions relating to the protection of the processing of personal data.



1
 Under article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared
2Pursuant to article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following this complaint,
the file was sent to him. Decision 128/2023 — 3/7



 8. Pursuant to Article 33, § 1 of the LCA, the Litigation Chamber is the body for

       administrative litigation of the APD. It receives complaints that the SPL forwards to it in

       application of Article 62, § 1 of the LCA, i.e. admissible complaints. In accordance with

       Article 60 paragraph 2 of the LCA, complaints are admissible if they are drawn up in one

       national languages, contain a statement of the facts and the information necessary to

       identify the processing of personal data to which they relate and which

       fall under the jurisdiction of the APD.

 9. Pursuant to articles 51 et seq. of the GDPR and article 4, § 1 of the LCA, it is up to the

       Litigation Chamber as an administrative litigation body of the APD, to exercise

       effective control of the application of the GDPR and to protect freedoms and rights

       fundamentals of natural persons with regard to the processing and to facilitate the free flow

       personal data within the Union.


 10. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the order regulations

       internal to the DPA, a copy of the file may be requested by the parties. If one of

       parties wish to make use of the possibility of consulting the file, they are required to

       contact the secretariat of the Litigation Chamber, preferably via the address

       litigationchamber@apd-gba.be.


 11. Based on the facts described in the complaint file as summarized above, and on

       the basis of the powers assigned to it by the legislator under article

       95, § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the complaint, in
       the occurrence to order the defendant, in accordance with article 58.2.c) of the GDPR and

       Article 95, § 1, 5° of the LCA, to comply with the request of the person concerned

       to exercise their rights, more precisely the right of access and the right to erasure, introduced

       by the complainant on June 10, 2023, in accordance with Articles 15.1 and 17.1 of the GDPR; And this,

       for the reasons set out below.


 12. The Litigation Chamber takes into consideration the grievance raised by the complainant regarding

       the lack of response from the defendant to its request for access (aimed at obtaining

       the identity of the individuals and/or entities having shared their personal data) as well as its

       request for erasure; both exercised on June 10, 2023, in accordance with articles

       15.1 and 17.1 of the GDPR, following the receipt of an email sent by the defendant to

       purposes of “direct marketing” (hereinafter “the disputed email”).




3
 APD, Recommendation No. 01/2020 of January 17, 2020 relating to the processing of personal data for marketing purposes
direct, p. 8, available on the APD website. The GDPR does not define what is meant by “direct marketing” (prospecting).
its interpretation of this legal concept in recommendation no. 01/2020: “Any communication, solicited or unsolicited, aimed at
promotion of an organization or person, services, products, whether paid or free, as well as brands or
of ideas, addressed by an organization or person acting in a commercial or non-commercial context, directly to one or more
several natural persons in a private or professional context, by any means, involving the processing of data
personal character. » By “direct marketing”, we therefore mean several forms of promotion, such as email newsletters,
commercial telephone calls, text messages or emails or online advertising, whether in a commercial or non-commercial context. Decision 128/2023 — 4/7



 13. Article 4(7) of the GDPR defines the “data controller” as “the person

       physical or legal entity, public authority, service or other body which, alone or
                                                                                                 4
       jointly with others, determines the purposes and means of the processing.


 14. The Litigation Chamber recalls that the data controller must follow up on the request

       request made pursuant to articles 15 to 22 of the GDPR by the data subject,

       in this case a request for access provided for by Article 15 of the GDPR and for erasure provided for

       by article 17 of the GDPR, and in compliance with the conditions set out in article 12 of the GDPR. 5


 15. Under Article 12.1 of the GDPR, it is up to the data controller to “take

       appropriate measures to provide any information referred to in Articles 13 and 14 as well as

       to make any communication under Articles 15 to 22 and Article 34 with regard to


       concerns the processing of the data subject in a concise, transparent manner,

       understandable and easily accessible, in clear and simple terms [...]. ".


 16. The Litigation Chamber also emphasizes that it is the responsibility of the data controller

       to provide the data subject with information on the measures taken following a

       request made in application of articles 15 to 22 of the GDPR, as soon as possible and

       in any event within one month of receipt of the request. 6

       Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months,

       given the complexity and number of requests. In such a case, the person responsible


       processing informs the data subject of this extension and the reasons for the postponement
                                                                             8
       within one month of receipt of the request.


 17. In the event that the data controller does not respond to the request made

       by the person concerned, he informs him without delay and at the latest within one

       months from receipt of the request of the reasons for its inaction and the possibility

       to lodge a complaint with a supervisory authority and lodge an appeal

       jurisdictional.


 18. On the basis of the documents supporting the complaint, the Litigation Chamber finds that the complainant

       effectively exercised its rights of access and erasure on June 10, 2023, in accordance with

       to Articles 15.1 and 17.1 of the GDPR, in response to the disputed email received on the same date. Of


       Furthermore, the Litigation Chamber notes that the complainant submitted his complaint to the DPA on 2

       August 2023, thus exceeding the response times allocated to the controller in

       under Articles 12.3 and 12.4 of the GDPR. Furthermore, it is relevant to note that the grievances



4According to Article 4, 2) of the GDPR, a "processing" of personal data means "any operation or set of operations
whether or not carried out using automated processes and applied to personal data or sets of personal data, such as
as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation,
use, communication by transmission, dissemination or any other form of provision, reconciliation or interconnection,
limitation, erasure or destruction”.
5GDPR, art. 12.
6GDPR, art. 12.2 and 12.3.
7GDPR, art. 12.3.
8GDPR, art. 12.3.
9GDPR, art. 12.4. Decision 128/2023 — 5/7


       expressed in his response to the disputed email are in all respects consistent with those

       presented in its complaint filed with the DPA. Finally, the Litigation Chamber

       emphasizes that if the defendant had fully complied with the requirements set out in


       Article 12 of the GDPR, it would have taken into account the request for access and erasure. This

       approach would have potentially prevented the complainant from initiating proceedings before the DPA.

 19. Following the aforementioned analysis, the Litigation Chamber considers that the defendant


       may have violated the following provisions: Articles 15 and 17 of the GDPR,

       combined with articles 12.3 and 12.4 of the GDPR; what justifies making a prima facie decision

       facie by the Litigation Chamber in accordance with Article 95 of the LCA, more specifically

       Article 95, §1, 5° of the LCA, in response to the complaint filed by the complainant, within the framework

       of the “procedure prior to the substantive decision” 10 and not a decision on the merits of the

       Litigation Chamber within the meaning of article 100 of the LCA.


 20. The purpose of this decision is to inform the defendant, presumed responsible for the

       processing, of the possibility of a possible violation of the provisions of the GDPR, in order to

       offer the opportunity to comply with the aforementioned provisions.


 21. If, however, the defendant does not agree with the content of this decision

       prima facie and considers that it can put forward factual and/or legal arguments which

       could lead to another decision, it may address to the Litigation Chamber a

       request for processing on the merits of the case via the email address litigationchamber@apd-

       gba.be, within 30 days of notification of this decision. The case

       where applicable, the execution of this decision is suspended for the period

       mentioned above.


 22. In the event of continued processing of the case on the merits, under Articles 98, 2° and 3°

       juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their

       conclusions and attach to the file all the documents they consider useful. If applicable, the

       this decision is permanently suspended.


 23. With a view to transparency, the Litigation Chamber finally emphasizes that a

       dealing with the case on the merits may lead to the imposition of the measures mentioned in

       section 100 of the ACL .1




1Section 3, Subsection 2 of the ACL (sections 94 to 97 inclusive).
1Art. 100. § 1. The litigation chamber has the power to
 1° dismiss the complaint without follow-up;
 2° order the dismissal;
 3° pronouncing the suspension of the pronouncement;
 4° to propose a transaction;
 5° issue warnings and reprimands;
 6° order to comply with requests from the data subject to exercise his or her rights;
 7° order that the person concerned be informed of the security problem;
 8° order the freezing, limitation or temporary or permanent prohibition of processing;
 9° order compliance of the processing;
 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data;
 11° order the withdrawal of accreditation from certification bodies;
 12° to issue periodic penalty payments; Decision 128/2023 — 6/7


III. Publication of the decision


 24. Given the importance of transparency regarding the decision-making process of the Chamber

       Litigation, this decision is published on the website of the Protection Authority

       Datas. However, it is not necessary for this purpose that the identification data

       of the parties are communicated directly.




     FOR THESE REASONS    ,


     the Litigation Chamber of the Data Protection Authority decides, subject to

     the introduction of a request by the defendant for treatment on the merits

     in accordance with articles 98 e.s. of the LCA:

        - under article 58.2.c) of the GDPR and article 95, § 1, 5° of the LCA, to order

            the defendant to comply with the request of the person concerned

            to exercise their rights, more precisely the right of access which implies the revelation of

            the identity of the individuals and/or entities who shared the person’s data

            concerned, as well as the right to erasure, requiring the deletion of said


            data, and this within 30 days from the date of notification of this

            decision ;

        - to order the defendant to inform the Data Protection Authority by e-mail

            data (Litigation Chamber) of the follow-up given to this decision, in

            the same deadline, via the email address litigationchamber@apd-gba.be; And


        - if the defendant does not comply in a timely manner with what is requested of it above

            above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of

            the LCA.




In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days from its notification, to the Court of Markets (court

of Appeal of Brussels), with the Data Protection Authority as defendant.


Such an appeal may be introduced by means of an interlocutory request which must contain the
                                                                 12
information listed in article 1034ter of the Judicial Code. The interlocutory motion must be


 13° to issue administrative fines;
 14° order the suspension of cross-border data flows to another State or an international body;
 15° transmit the file to the public prosecutor of the King of Brussels, who will inform it of the action taken in the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
1The request contains under penalty of nullity:
 (1) indication of the day, month and year;
 2° the name, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or number
     business;
 3° the surname, first name, address and, where applicable, the status of the person to be summoned;
 4° the object and summary of the grounds of the request;
 5° indication of the judge who is seized of the request;
 6° the signature of the applicant or his lawyer. Decision 128/2023 — 7/7



filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 13

via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. judic.).








(sé). Hielke H IJMANS

President of the Litigation Chamber







































































13
  The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to
clerk of the court or filed with the registry.