APD/GBA (Belgium) - 145/2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=145/2022 |ECLI= |Or...")
 
No edit summary
Line 63: Line 63:
}}
}}


The Belgian DPA warned a controller pursuant of [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]]. The controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requiring an ID when the data subject wanted to exersise his rights of access (Article 15 GDPR) and Erasure (Article 17 GDPR).
The Belgian DPA warned a controller pursuant of [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]]. The controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requiring an ID when the data subject wanted to exersise his rights of access ([[Article 15 GDPR]]) and Erasure ([[Article 17 GDPR]]).


== English Summary ==
== English Summary ==
Line 69: Line 69:
=== Facts ===
=== Facts ===
The controller requested the ID of the data subject who wanted to unsubscribe from a newsletter, stating he had never signed up in the first place. This was a form of direct marketing send by e-mail. The data subject also exercised its right of access, which the controller complied with. After this, the data subject wanted to exercise his right of erasure. However, the controller asked for the ID of the data subject.  
The controller requested the ID of the data subject who wanted to unsubscribe from a newsletter, stating he had never signed up in the first place. This was a form of direct marketing send by e-mail. The data subject also exercised its right of access, which the controller complied with. After this, the data subject wanted to exercise his right of erasure. However, the controller asked for the ID of the data subject.  
The data subject wanted information about the fact how the controller received his personal data. The controller stated that the data subject consented to the processing of his personal data by taking part in a campaign. However, the data subject rejected this.  
The data subject wanted information about the fact how the controller received his personal data. The controller stated that the data subject consented to the processing of his personal data by taking part in a campaign. However, the data subject rejected this.  
The controller stated in its privacy policy that a written letter with proof of identity was required for exercising rights.
The controller stated in its privacy policy that a written letter with proof of identity was required for exercising rights.


=== Holding ===
=== Holding ===
The DPA held that [[Article 12 GDPR#2|Article 12(2) GDPR]] stated that the controller was not allowed to refuse a data subject the possibility to exercise his/her rights unless the controller could prove that it was not able to identify the data subject. The DPA held that this was not the case, because the controller had complied with an access request of the data subject without requiring any further identification.  
The DPA held that [[Article 12 GDPR#2|Article 12(2) GDPR]] stated that the controller was not allowed to refuse a data subject the possibility to exercise his/her rights unless the controller could prove that it was not able to identify the data subject. The DPA held that this was not the case, because the controller had complied with an access request of the data subject without requiring any further identification.  
The DPA held that the controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requiring an ID for exercising GDPR rights, such as the right of access (Article 15 GDPR) and the right of erasure (Article 17 GDPR). The controller had to prevent that it would process to much personal data for the purpose of identifying a data subject, who wanted to exercise his rights. The DPA stated that the e-mail address of the data subject, used to send the direct marketing to him, was sufficient for the controller to identify the data subject.  
 
The DPA warned the controller pursuant of [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and stated that it expected that the privacy policy would be adjusted to make it complaint with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].
The DPA held that the controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requiring an ID for exercising GDPR rights, such as the right of access ([[Article 15 GDPR]]) and the right of erasure ([[Article 17 GDPR]]). The controller had to prevent that it would process to much personal data for the purpose of identifying a data subject, who wanted to exercise his rights. The DPA stated that the e-mail address of the data subject, used to send the direct marketing to him, was sufficient for the controller to identify the data subject.  
 
The DPA warned the controller pursuant of [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] and stated that it expected that the controller would adjust the privacy policy to make it complaint with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].


== Comment ==
== Comment ==

Revision as of 16:34, 24 October 2022

APD/GBA - 145/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 12(2) GDPR
Article 58(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 30.08.2022
Decided: 12.10.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 145/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: n/a

The Belgian DPA warned a controller pursuant of Article 58(2)(c) GDPR. The controller violated Article 5(1)(c) GDPR by requiring an ID when the data subject wanted to exersise his rights of access (Article 15 GDPR) and Erasure (Article 17 GDPR).

English Summary

Facts

The controller requested the ID of the data subject who wanted to unsubscribe from a newsletter, stating he had never signed up in the first place. This was a form of direct marketing send by e-mail. The data subject also exercised its right of access, which the controller complied with. After this, the data subject wanted to exercise his right of erasure. However, the controller asked for the ID of the data subject.

The data subject wanted information about the fact how the controller received his personal data. The controller stated that the data subject consented to the processing of his personal data by taking part in a campaign. However, the data subject rejected this.

The controller stated in its privacy policy that a written letter with proof of identity was required for exercising rights.

Holding

The DPA held that Article 12(2) GDPR stated that the controller was not allowed to refuse a data subject the possibility to exercise his/her rights unless the controller could prove that it was not able to identify the data subject. The DPA held that this was not the case, because the controller had complied with an access request of the data subject without requiring any further identification.

The DPA held that the controller violated Article 5(1)(c) GDPR by requiring an ID for exercising GDPR rights, such as the right of access (Article 15 GDPR) and the right of erasure (Article 17 GDPR). The controller had to prevent that it would process to much personal data for the purpose of identifying a data subject, who wanted to exercise his rights. The DPA stated that the e-mail address of the data subject, used to send the direct marketing to him, was sufficient for the controller to identify the data subject.

The DPA warned the controller pursuant of Article 58(2)(c) GDPR and stated that it expected that the controller would adjust the privacy policy to make it complaint with Article 5(1)(c) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/6







                                                                                   Dispute room



                                                       Decision 145/2022 of October 12, 2022





File number : DOS-2022-03529



Subject : Provision of identity card as a condition for data erasure




The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

single chairperson;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (General

Data Protection Regulation), hereinafter GDPR;



Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;


Having regard to the internal rules of procedure, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                                   .
The complainant: Mr X, hereinafter referred to as “the complainant”; .

                                                                                                   .

The controller: Y, hereinafter “the controller” Decision 145/2022 - 2/6




I. Facts procedure




    1. On August 30, 2022, the complainant lodged a complaint with the Data Protection Authority against

        the controller.


    2. The subject of the complaint concerns the privacy statement in which the controller
        requests the complainant's proof of identity if he/she wishes to deregister from the

        receipt of newsletters. The complainant has exercised his right of access to which the

        controller has followed up. Subsequently, the complainant wishes to

        to exercise data erasure, but establishes that in accordance with the privacy statement of the

        the controller must submit his proof of identity to the

        controller.


        In addition, the complainant claims to have never registered to receive

        newsletters from the controller. The complainant has

        therefore requested the controller to provide information on how the

        controller has come into possession of his personal data. The

        controller states that the complainant has given his consent via VIP

        Response B.V. (Netherlands) by participating in a campaign. However, the complainant denies this.


    3. On September 5, 2022, the complaint will be declared admissible by the Frontline Service on the grounds
        of Articles 58 and 60 of the WOG and the complaint on the basis of art. 62, §1 WOG transferred to

        the Disputes Chamber.





II. Justification


    4. The Disputes Chamber determines on the basis of the documents that support the complaint that the privacy policy

        of the controller determines that for the exercise of rights a written

        request and proof of identity via registered letter is required. With regard to the provision of

        identification data, Article 12.2 of the GDPR provides that the controller may not

        refuse to comply with the data subject's request for their rights, including

        to exercise the right of access (Article 15 GDPR) and the right to erasure (Article 17 GDPR),

        unless the controller demonstrates that it is unable to protect the data subject

        identify .However, it does not appear from the factual elements that are the subject of the complaint

        that the controller cannot identify the complainant. After all, the complainant has

        exercised the right of access and the controller has complied with this




1 See in that regard 3.1.3. of the guideline 01/2022 on rights of data subjects – right of access:
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf Decision 145/2022 - 3/6



    request without the need to provide any proof of identity beforehand

    was deemed. In practice it has therefore been shown that the complainant can be sufficiently

    identified by the controller to follow up on the request

    of the complainant to provide information about the way in which the

    controller has come into possession of his personal data. From this follows

    ipso facto that the complainant in the present case is also sufficiently identified as soon as he/she
    intends to exercise its right to erasure and

    controller cannot require proof of identity to be provided.


5. By subjecting the exercise of rights in the privacy statement to the preceding

    provision of an identity document, the controller disregards the principle of

    minimum data processing (Article 5.1 c) GDPR). The concrete application of this principle with
    with regard to the processing of identity documents in the context of the exercise of rights

    by the data subject implies that the controller cannot require that a

    proof of identity is provided in cases where the data subject can be identified

    on the basis of the personal data already processed by him in order to be able to follow up

    indicate the exercise of its rights

    to prevent processing more data than is necessary for the purpose of identifying the
    data subject in light of the exercise of rights with regard to direct marketing.

    In concrete terms, this means that if – as in this case – the controller makes use

    of the complainant's e-mail address to send these direct marketing messages, it is sufficient

    that the complainant addresses the controller using the same email address

    to exercise its rights.

6. The Disputes Chamber is of the opinion that on the basis of the above analysis,

    concluded that a breach of the provisions of the

    GDPR was committed, which justifies the taking of a

    decision on the basis of Article 95, §1, 4° WOG, more specifically to inform the controller

    warn that the condition included in the privacy statement for the provision of a

    proof of identity in the context of exercising rights with regard to direct marketing
    infringes Article 5.1 c) GDPR.


7. The Disputes Chamber is of the opinion that the controllers should be given the opportunity

    be offered to adjust its course of action as a result of this first complaint, so that in

    similar facts and possibly new complaints about them in the future

    avoided. The Disputes Chamber therefore expects the privacy statement to be specific on this point
    is adapted and brought into line with the principle of minimum

    data processing. Decision 145/2022 - 4/6




     8. The present decision is a prima facie decision made by the Disputes Chamber

         in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of
                                                                               2
         the ‘procedure prior to the decision on the merits’ and not a decision on the merits of the

         Disputes Chamber within the meaning of Article 100 WOG.


     9. The purpose of this decision is to notify the controller of the

         fact that it may have infringed the provisions of the GDPR and that it is in the

         possibility to still conform to the aforementioned provisions.


     10. However, if the controller does not agree with the content of this

         prima facie decision and considers that it may allow factual and/or legal arguments

         funds that could lead to a different decision, can be sent to the email address

         litigationchamber@apd-gba.be address a request for treatment on the merits of the case to the

         Dispute Chamber and this within the period of 30 days after notification of this decision. The

         enforcement of this decision will, if necessary, be during the aforementioned period


         suspended.


     11. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will

         the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their

         to submit defenses and to attach to the file any documents they deem useful. The

         If necessary, this decision will be definitively suspended.


     12. For the sake of completeness, the Disputes Chamber is informed that a treatment on the merits of the case may be
                                                                                               3
         lead to the imposition of the measures referred to in Article 100 WOG.


     13. Finally, the Disputes Chamber points out the following:


         If one of the parties wishes to make use of the possibility to consult and

         copying the file (art. 95, §2, 3° WOG), this should contact the secretariat





2 Section 3, Subsection 2 WOG (Articles 94 to 97).
3
 1° to dismiss a complaint;
 2° order the suspension of prosecution;
 3° order the suspension of the judgment;
 4° propose a settlement;
 5° to formulate warnings and reprimands;
 6° order compliance with the data subject's requests to exercise his or her rights;
 7° to order that the data subject is informed of the security problem;

 8° order that the processing be temporarily or permanently frozen, restricted or prohibited;
 9° to order that the processing is brought into conformity;
 10° the rectification, restriction or deletion of data and its notification to the recipients of the data
command;
 11° order the withdrawal of the recognition of certification bodies;
 12° to impose periodic penalty payments;
 13° impose administrative fines;
 14° order the suspension of cross-border data flows to another State or an international institution;
 15° to hand over the file to the public prosecutor's office in Brussels, who will inform it of the consequence that the
file is given;

 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 145/2022 - 5/6




        of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment
        to capture.



    14. If a copy of the file is requested, the documents will be sent electronically if possible

        or else delivered by regular mail. 4





III. Publication of the decision



    15. Given the importance of transparency in the decision-making of the

        Litigation Chamber, this decision is published on the website of the

        Data Protection Authority. However, it is not necessary that the identification data

        of the parties be published directly.






    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, subject to the
    submission of a request by the controller for processing on the merits

    in accordance with Article 98 et seq. WOG, to:



   - on the basis of Article 58.2, c) GDPR and Article 95, §1, 4° WOG to the controller

       warn that with the intended processing similar to that which is the subject of

       the present complaint infringes Article 5.1 c) GDPR;



   - to request the controller from the Data Protection Authority (Dispute Chamber)
       by e-mail within 30 days of notification of this decision

       presenting the result of this decision in order to inform the Disputes Chamber about the

       adjustment of the privacy statement regarding the condition for providing proof of identity in

       in the context of the exercise of rights, this via the e-mail address litigationchamber@apd-gba.be; and



   - in the absence of the timely implementation of the above by the controller,

       to handle the case on the merits ex officio in accordance with Articles 98 et seq. WOG.







4Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the
Dispute room NOT provided. In addition, all communication is in principle electronic. Decision 145/2022 - 6/6




Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification

appeal against this decision to the Marktenhof (Brussels Court of Appeal), with the

Data Protection Authority as Defendant.


Such an appeal may be lodged by means of an adversarial petition that the

1034terof the Judicial Code, the statements listed should contain .The application on 5


contradiction must be submitted to the registry of the Market Court in accordance with Article
                                     6
1034quinquies of the Ger.W. , or via the Justice Deposit Information System (Article 32ter of

the Ger.W.).









(get). Hielke Hijmans


Chairman of the Disputes Chamber








































5The petition states on pain of nullity:

 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     company number;
 3° the name, first name, place of residence and, where applicable, the capacity of the person to be summoned;
 4° the subject matter and the brief summary of the grounds of the claim;
 5° the court before whom the claim is brought;
 6° the signature of the applicant or of his lawyer.

6 The application with its annex is sent, in as many copies as there are parties involved, by registered letter to the
clerk of the court or at the registry.