APD/GBA (Belgium) - 143/2022: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 10: | Line 10: | ||
|ECLI= | |ECLI= | ||
|Original_Source_Name_1= | |Original_Source_Name_1=Gegevensbeschermingsautoriteit | ||
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-143-2022.pdf | |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-143-2022.pdf | ||
|Original_Source_Language_1=French | |Original_Source_Language_1=French | ||
| Line 23: | Line 23: | ||
|Date_Started=10.08.2022 | |Date_Started=10.08.2022 | ||
|Date_Decided=11.10.2022 | |Date_Decided=11.10.2022 | ||
|Date_Published= | |Date_Published=11.10.2022 | ||
|Year=2022 | |Year=2022 | ||
|Fine= | |Fine= | ||
|Currency= | |Currency= | ||
|GDPR_Article_1=Article 12(3) GDPR | |GDPR_Article_1=Article 4(1) GDPR | ||
| | |GDPR_Article_Link_1=Article 4 GDPR#1 | ||
| | |GDPR_Article_2=Article 12 GDPR | ||
| | |GDPR_Article_Link_2=Article 12 GDPR | ||
| | |GDPR_Article_3=Article 12(3) GDPR | ||
| | |GDPR_Article_Link_3=Article 12 GDPR#3 | ||
| | |GDPR_Article_4=Article 12(4) GDPR | ||
| | |GDPR_Article_Link_4=Article 12 GDPR#4 | ||
| | |GDPR_Article_5=Article 15 GDPR | ||
| | |GDPR_Article_Link_5=Article 15 GDPR | ||
|GDPR_Article_6=Article 15(1) GDPR | |||
|GDPR_Article_Link_6=Article 15 GDPR#1 | |||
|GDPR_Article_7=Article 15(3) GDPR | |||
|GDPR_Article_Link_7=Article 15 GDPR#3 | |||
|GDPR_Article_8= | |||
|GDPR_Article_Link_8= | |||
|GDPR_Article_9= | |||
|GDPR_Article_Link_9= | |||
|EU_Law_Name_1= | |EU_Law_Name_1= | ||
| Line 56: | Line 64: | ||
|Appeal_To_Body= | |Appeal_To_Body= | ||
|Appeal_To_Case_Number_Name= | |Appeal_To_Case_Number_Name= | ||
|Appeal_To_Status= | |Appeal_To_Status=Unknown | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor= | |Initial_Contributor=Enzo Marquet | ||
| | | | ||
}} | }} | ||
Prior to the substantive decision, the Belgian DPA orders a controller to process a data subject access request even though the controller claimed to have never received the request. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject | The data subject had sent a letter to the controller (his employer) with an access request and requested a copy of his data under [[Article 15#3 GDPR|Article 15(3) GDPR]]. However, the letter was returned to the data subject. No action was taken on behalf of the controller. | ||
=== Holding === | === Holding === | ||
The DPA | The DPA holds that a received access request must be facilitated, even if received incomplete, wrongfully formulated or on the ground of a wrongful interpretation of the law. | ||
The DPA | The DPA holds that [[Article 15#3 GDPR|Article 15(3) GDPR]] gives a right to data subject to receive a copy of the personal data processed. However, not all data has to be provided. Sharing specific documents (e.g. e-mails) can infringe the rights and freedoms of other data subjects. | ||
DPA orders the controller to process the data subject request accordingly. The DPA informs the defendant that it may have breached the GDPR by not following up on the access request. Prior to the substantive decision, the DPA orders the controller to process the data subject request accordingly. | |||
== Comment == | == Comment == | ||
Revision as of 11:57, 31 October 2022
| APD/GBA - 143/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(1) GDPR Article 12 GDPR Article 12(3) GDPR Article 12(4) GDPR Article 15 GDPR Article 15(1) GDPR Article 15(3) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 10.08.2022 |
| Decided: | 11.10.2022 |
| Published: | 11.10.2022 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 143/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Gegevensbeschermingsautoriteit (in FR) |
| Initial Contributor: | Enzo Marquet |
Prior to the substantive decision, the Belgian DPA orders a controller to process a data subject access request even though the controller claimed to have never received the request.
English Summary
Facts
The data subject had sent a letter to the controller (his employer) with an access request and requested a copy of his data under Article 15(3) GDPR. However, the letter was returned to the data subject. No action was taken on behalf of the controller.
Holding
The DPA holds that a received access request must be facilitated, even if received incomplete, wrongfully formulated or on the ground of a wrongful interpretation of the law.
The DPA holds that Article 15(3) GDPR gives a right to data subject to receive a copy of the personal data processed. However, not all data has to be provided. Sharing specific documents (e.g. e-mails) can infringe the rights and freedoms of other data subjects.
DPA orders the controller to process the data subject request accordingly. The DPA informs the defendant that it may have breached the GDPR by not following up on the access request. Prior to the substantive decision, the DPA orders the controller to process the data subject request accordingly.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/8
Litigation Chamber
Decision 143/2022 of October 11, 2022
File number: DOS-2022-03313
Subject: Complaint relating to the exercise of a right of access
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter “GDPR”;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter
“ACL”;
Having regard to the internal regulations as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The plaintiff: Mr. X, hereinafter “the plaintiff”; .
.
The defendant: Y, Hereinafter: “the defendant”. . Decision 143/2022 - 2/8
I. Facts and procedure
1. On August 10, 2022, the complainant lodged a complaint with the Data Protection Authority
data (APD) involving the defendant.
2. Under the latter, the complainant alleges an unsatisfactory response from the
defendant to exercise its right of access (Articles 15 and 12 of the GDPR).
3. It appears from the complaint and the annexed documents that on July 7, 2022, the complainant requested
the defendant a copy of all the personal data it held about him
pursuant to Article 15.3. of the GDPR.
4. At the end of this same letter, the complainant also indicated that he would like to receive a
copy of the email documents, notes, minutes in which he was identified
directly and indirectly and in particular, according to the very terms of its complaint, which
follows:
- Internal documents and those sent outside, including the minutes of all
orders;
- His administrative file;
- His disciplinary file;
- The emails, including and in a non-exhaustive manner, those exchanged about him with
the management, its administration, the Organizing Power, the Segec, the DPO, etc.
- Manual internal notes or in paper format;
- Computer logs (Logs);
- …
5. Finally, still under the terms of this letter of July 7, 2022, the complainant requests that he be
specified, for each processing: the related processing, its purpose, its legal basis, the source of the
personal data and the persons to whom this data has been transferred. Bedroom
Litigation notes that these elements refer to those listed in Article 15.1 of the GDPR.
6. The plaintiff indicates that the registered mail he sent for these purposes to the defendant
returned to him and was therefore not received. No response was given to his request.
within one month.
7. Under the terms of his complaint, the complainant therefore alleges a breach of both Article 15
(paragraphs 1 and 3) than in Article 12.3. of the GDPR. As far as necessary, the Chamber
Litigation recalls that in any event, the formulation of a request for access (or
exercise of any other right elsewhere) – even incomplete or based on a provision
erroneous or in support of a misunderstanding or interpretation of the right invoked – ne Decision 143/2022 - 3/8
may serve as a pretext for the data controller not to take appropriate action.
In other words, the data controller requested cannot hide behind the
formulation of the request so as not to give it a useful effect and thus satisfy its
1
obligation to facilitate the exercise of the rights of data subjects (article 12.2 of the GDPR).
8. On August 12, 2022, the complaint was declared admissible by the Service de Première Ligne (SPL) of
DPA on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the Chamber
Litigation under Article 62, § 1 of the LCA .3
9. Upon receipt of the complaint, the Litigation Chamber noted that according to the terms of the form
of complaint filed, the complainant requested that his identity be masked.
10. This request by the plaintiff follows the possibility given to him to tick the box "I
request to hide my data" of the form. This possibility, however, is
accompanied by the following statement: "Your contact details may be hidden for the
controller if there is a serious risk that the communication of your
identity to the opposing party leads to detrimental consequences. If you want
use this possibility, you must check the box below and give your justification.
If your anonymity hinders the processing of your complaint, the AMF may request
your agreement to disclose your details anyway or if necessary classify your
complaint without follow-up”.
11. On September 9, 2022, the Litigation Chamber explained to the Complainant that in view of the subject
his complaint (right of access) and the documents filed as well as to allow an examination
adequate of it, the Litigation Chamber sought its agreement to disclose its
identity and other personal data concerning him that he had communicated to
the DPA when lodging its complaint. She also told him that these data
could therefore be transmitted to the school (i.e. to the defendant) that it
implicated.
12. Still according to its email of September 9, 2022, the Litigation Chamber
clarified to the complainant that this request was in response to the information provided to him at the
terms of the complaint form that, if his anonymity hinders the processing
of the complaint, the DPA may request the complainant's agreement to disclose his contact details or,
where applicable, in the event of maintaining the request for "anonymity" (to be understood as
requestforconfidentialitywith regardtotheparty complained of), file the complaint without further action.
In this case, since the complainant requested that a response be given to his request
1See. decision 41/2020 of the Litigation Chamber (point 42).
2Under article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has
been declared admissible.
3Pursuant to article 95, § 2 LCA, by this decision, the Litigation Chamber informs the parties of the fact that following
of this complaint, the file was forwarded to him. Decision 143/2022 - 4/8
access to personal data concerning him, the Litigation Division informed the
complainant that she was unable to deal with her complaint without notifying her employer (either
the defendant) of his identity.
13. On the same day, i.e. September 9, 2022, the complainant agreed to the lifting of the
his "anonymity".
II. Motivation
14. The GDPR grants any data subject (Art. 4.1 GDPR) a right of access such as
formulated in Article 15 of the GDPR.
15. Under this Article 15, the data subject has the right, inter alia, to obtain
controller confirmation that personal data the
concerning are or are not processed and, when they are, access to said data to
personal character as well as the following information (article 15.1. of the GDPR): the purposes
of the processing (a), the categories of personal data (b), the recipients or
categories of data recipients (c), retention period (d), information
relating to the other rights conferred by the GDPR (e), the right to lodge a complaint with
the data protection authority (f), any information relating to the source of the data
when these have not been collected from the person concerned (g) and the existence
automated decision-making (h).
16. Section 15.3. of the GDPR provides for its part that the data controller provides a
copy of the personal data being processed.
17. As the Litigation Chamber has already had occasion to underline the right to obtain
copy relates to the personal data of the data subject. In others
In other words, Article 15.3 requires the controller to provide a copy of the
personal data processed to the person concerned. This right to obtain a
copy of the data does not entail the right for the person concerned to obtain a copy
of the original document containing this data since in certain cases, the communication
of this document could infringe the rights and freedoms of others (see point 19 below).
below and the reference to Article 15.4. GDPR).
18. In this case, the Litigation Division is of the opinion that the plaintiff is entitled to exercise his
right of access to the defendant - who is presumed to be responsible for processing
in its capacity as the complainant's employer - and to obtain a response from him with due respect
the terms of Article 12 of the GDPR, in particular Article 12.3. which requires a person responsible
of processing that it responds to the request for access sent to it within a period of one month.
4See. decision 41/2020 of the Litigation Chamber (point 39). Decision 143/2022 - 5/8
months from receipt, unless extended. In the latter case, the person responsible for
processing – here presumably the defendant – must inform the data subject, here
the complainant.
19. The Litigation Chamber adds that if the defendant intended to rely on a
5
exception from which she felt she could benefit, she was nonetheless required to respond
to the complainant within the same deadlines as those mentioned in point 18 above, in
application of article 12.4 of the GDPR. Indeed, under this provision, "if the
controller does not respond to the request made by the person
concerned, he informs the latter without delay and at the latest within one month from
the receipt of the request for the reasons for its inaction and the possibility of introducing a
complaint to a supervisory authority and to lodge a judicial appeal”.
20. The Litigation Division considers that on the basis of the aforementioned facts reported by the
complainant and the exhibits produced, it must be concluded that the defendant may have
committed a violation of the provisions of the GDPR, in particular Articles 15.1 and 15.3.
combined with Article 12.3. of the GDPR.
21. This observation justifies the adoption by the Litigation Chamber of a decision against it in
application of Article 95, § 1, 5° of the LCA, consisting more specifically in ordering him to
respond to the complainant's request for access within one month from the date of the
notification of this decision, in support of the foregoing reasoning.
22. This decision is a prima facie decision taken by the Litigation Chamber
pursuant to Article 95 of the LCA on the basis of the sole complaint lodged by the
6
complainant in the context of the “procedure prior to the substantive decision”. It is therefore not
not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the ACL.
23. The purpose of this decision is to inform the defendant of the fact that she may have committed
a breach of the provisions of the GDPR and to enable it to still comply with the
aforementioned provisions. The Litigation Chamber draws the attention of the
defendant on the existence of Guidelines of the European Committee for the Protection of
data relating to the right of access .7
24. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the rules of order
inside the DPA, a copy of the file may be requested by the parties. If one of
5
Section 15.4. provides in this regard that the right to obtain a copy does not infringe the rights and freedoms of others.
Other exceptions provided for by national legislation may exist provided that they meet the conditions
set out in Article 23 of the GDPR.
6Section 3, Subsection 2 of the ACL (sections 94 to 97 inclusive).
7
European Data Protection Board, Guidelines 01/2022 on data subject rights – right of access – version 1.0
of 18 January 2022 https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-012022-
data-subject-rights-right_en . This document is only available in English. It was submitted to a public consultation, the
results are under review. At the end of this examination, it is not excluded that the guidelines will be supplemented,
even amended on certain points. Decision 143/2022 - 6/8
parties wishes to make use of the possibility of consulting the file, the latter is required to
contact the secretariat of the Litigation Chamber, preferably via the address
litigationchamber@apd-gba.be.
25. If the Respondent does not agree with the contents of this prima facie decision and
believes that it can make factual and/or legal arguments that could
lead to another decision, it can address to the Litigation Chamber a request
processing on the merits of the case via the e-mail address litigationchamber@apd-gba.be, and
this within 30 days of notification of this decision. If applicable,
the execution of this decision will be suspended for the aforementioned period.
26. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3°
juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their
arguments in the form of conclusions and to attach to the file all the documents they
will find useful. If necessary, this decision will be definitively suspended.
27. With a view to transparency, the Litigation Division finally emphasizes that a
dealing with the case on the merits may lead to the imposition of the measures mentioned in
section 100 of the ACL.
III. Publication of the decision
28. Given the importance of transparency regarding the decision-making process of the Chamber
Litigation, this decision is published on the website of the APD. However, it is not
it is not necessary for this purpose that the identification data of the parties be directly
mentioned.
8Art. 100. § 1. The litigation chamber has the power to
1° dismiss the complaint without follow-up;
2° order the dismissal;
3° pronouncing the suspension of the pronouncement;
4° to propose a transaction;
5° issue warnings and reprimands;
6° order to comply with requests from the data subject to exercise his or her rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of processing;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients
Datas ;
11° order the withdrawal of the approval of the certification bodies;
12° to issue periodic penalty payments;
13° to issue administrative fines;
14° order the suspension of cross-border data flows to another State or an international body;
15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 143/2022 - 7/8
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority decides, subject to
the introduction of a request by the defendant for treatment on the merits in accordance with
to articles 98 e.s. of the ACL:
- pursuant to Article 58.2.c) of the GDPR and Article 95, §1, 5° of the LCA, to order
the defendant to comply with the plaintiff's request to exercise his rights,
more precisely his right of access (article 15.1 and 15.3. of the GDPR), and this in the
as soon as possible and at the latest within 30 days of notification of this
decision ;
- to order the defendant to inform, by e-mail, the Data Protection Authority
data (Litigation Chamber) of the follow-up given to this decision, in the
same 30-day period, via the e-mail address litigationchamber@apd-gba.be; and
- if the defendant does not comply in good time with what is requested of it
above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of
the ACL.
In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days of its notification, to the Court of Markets (court
d'appel de Bruxelles), with the Data Protection Authority (DPA) as a party
defendant. Decision 143/2022 - 8/8
Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code (C. jud.) . The interlocutory motion
must be filed with the registry of the Market Court in accordance with article 1034quinquies of the C.
10
jud. , or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).
(Sr.) Hielke H IJMANS
President of the Litigation Chamber
9The request contains on penalty of nullity:
(1) indication of the day, month and year;
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
Business Number;
3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
(4) the object and summary of the grounds of the application;
(5) the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.
10
The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.
