APD/GBA (Belgium) - 145/2022: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 68: | Line 68: | ||
=== Facts === | === Facts === | ||
The controller | The controller sent out a newsletter as part of its marketing activity. The data subject in this case stated they had never signed up for it in the first place and wished to unsubscribe. The data subject exercised their right of access, which the controller complied with. After this, the data subject wanted to exercise their right of erasure. However, the controller asked for the identification card (ID) of the data subject in order to move on with the request. The controller's privacy policy stated that a written letter with proof of identity was required for exercising rights. The data subject requested information about how the controller received their personal data. The controller stated that the data subject consented to the processing of their personal data by taking part in a campaign. However, the data subject denied this and filed a complaint before the Belgian DPA. | ||
The data subject requested information about how the controller received their personal data. The controller stated that the data subject consented to the processing of their personal data by taking part in a campaign. However, the data subject denied this. | |||
=== Holding === | === Holding === | ||
The DPA recalled that [[Article 12 GDPR#2|Article 12(2) GDPR]] | The DPA recalled that under [[Article 12 GDPR#2|Article 12(2) GDPR]] the controller was not allowed to refuse a data subject the possibility to exercise their rights unless the controller could prove that it was not able to identify the data subject. The DPA held that this was not the case, because the controller had complied with an access request of the data subject without requiring any further identification. | ||
The DPA held that the controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requiring an ID for exercising data subject rights, such as the right of access ([[Article 15 GDPR]]) and the right of erasure ([[Article 17 GDPR]]). The controller had to prevent processing too much personal data for the purpose of identifying a data subject, who wanted to exercise their rights. The DPA stated that the e-mail address of the data subject, used to send the direct marketing, was sufficient for identification purposes. | The DPA held that the controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requiring an ID for exercising data subject rights, such as the right of access ([[Article 15 GDPR]]) and the right of erasure ([[Article 17 GDPR]]). The controller had to prevent processing too much personal data for the purpose of identifying a data subject, who wanted to exercise their rights. The DPA stated that the e-mail address of the data subject, used to send the direct marketing, was sufficient for identification purposes. | ||
Revision as of 14:02, 25 October 2022
| APD/GBA - 145/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(c) GDPR Article 12(2) GDPR Article 58(2)(c) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 30.08.2022 |
| Decided: | 12.10.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 145/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | n/a |
The Belgian DPA warned a controller for a violation of Article 5(1)(c) GDPR by requiring the data subject to provide an ID to exercise their right of erasure under Article 17 GDPR.
English Summary
Facts
The controller sent out a newsletter as part of its marketing activity. The data subject in this case stated they had never signed up for it in the first place and wished to unsubscribe. The data subject exercised their right of access, which the controller complied with. After this, the data subject wanted to exercise their right of erasure. However, the controller asked for the identification card (ID) of the data subject in order to move on with the request. The controller's privacy policy stated that a written letter with proof of identity was required for exercising rights. The data subject requested information about how the controller received their personal data. The controller stated that the data subject consented to the processing of their personal data by taking part in a campaign. However, the data subject denied this and filed a complaint before the Belgian DPA.
Holding
The DPA recalled that under Article 12(2) GDPR the controller was not allowed to refuse a data subject the possibility to exercise their rights unless the controller could prove that it was not able to identify the data subject. The DPA held that this was not the case, because the controller had complied with an access request of the data subject without requiring any further identification.
The DPA held that the controller violated Article 5(1)(c) GDPR by requiring an ID for exercising data subject rights, such as the right of access (Article 15 GDPR) and the right of erasure (Article 17 GDPR). The controller had to prevent processing too much personal data for the purpose of identifying a data subject, who wanted to exercise their rights. The DPA stated that the e-mail address of the data subject, used to send the direct marketing, was sufficient for identification purposes.
The DPA warned the controller pursuant to Article 58(2)(c) GDPR and Article 95, §1, 4° WOG, and stated that it expected that the controller would adjust the privacy policy to make it complaint with Article 5(1)(c) GDPR.
Comment
The DPA mentions Article 58(2)(c) GDPR as a provision to warn the controller, also stating that it expected that the controller would adjust the privacy policy to make it complaint with Article 5(1)(c) GDPR. However, Article 58(2)(b) GDPR contains the authority of the DPA to reprimand a controller. Article 58(2)(c) GDPR contains the possibility to order the controller to comply with the data subject's requests to exercise his or her rights.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/6
Dispute room
Decision 145/2022 of October 12, 2022
File number : DOS-2022-03529
Subject : Provision of identity card as a condition for data erasure
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,
single chairperson;
Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (General
Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the internal rules of procedure, as approved by the Chamber of Representatives
on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
has taken the following decision regarding:
.
The complainant: Mr X, hereinafter referred to as “the complainant”; .
.
The controller: Y, hereinafter “the controller” Decision 145/2022 - 2/6
I. Facts procedure
1. On August 30, 2022, the complainant lodged a complaint with the Data Protection Authority against
the controller.
2. The subject of the complaint concerns the privacy statement in which the controller
requests the complainant's proof of identity if he/she wishes to deregister from the
receipt of newsletters. The complainant has exercised his right of access to which the
controller has followed up. Subsequently, the complainant wishes to
to exercise data erasure, but establishes that in accordance with the privacy statement of the
the controller must submit his proof of identity to the
controller.
In addition, the complainant claims to have never registered to receive
newsletters from the controller. The complainant has
therefore requested the controller to provide information on how the
controller has come into possession of his personal data. The
controller states that the complainant has given his consent via VIP
Response B.V. (Netherlands) by participating in a campaign. However, the complainant denies this.
3. On September 5, 2022, the complaint will be declared admissible by the Frontline Service on the grounds
of Articles 58 and 60 of the WOG and the complaint on the basis of art. 62, §1 WOG transferred to
the Disputes Chamber.
II. Justification
4. The Disputes Chamber determines on the basis of the documents that support the complaint that the privacy policy
of the controller determines that for the exercise of rights a written
request and proof of identity via registered letter is required. With regard to the provision of
identification data, Article 12.2 of the GDPR provides that the controller may not
refuse to comply with the data subject's request for their rights, including
to exercise the right of access (Article 15 GDPR) and the right to erasure (Article 17 GDPR),
unless the controller demonstrates that it is unable to protect the data subject
identify .However, it does not appear from the factual elements that are the subject of the complaint
that the controller cannot identify the complainant. After all, the complainant has
exercised the right of access and the controller has complied with this
1 See in that regard 3.1.3. of the guideline 01/2022 on rights of data subjects – right of access:
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf Decision 145/2022 - 3/6
request without the need to provide any proof of identity beforehand
was deemed. In practice it has therefore been shown that the complainant can be sufficiently
identified by the controller to follow up on the request
of the complainant to provide information about the way in which the
controller has come into possession of his personal data. From this follows
ipso facto that the complainant in the present case is also sufficiently identified as soon as he/she
intends to exercise its right to erasure and
controller cannot require proof of identity to be provided.
5. By subjecting the exercise of rights in the privacy statement to the preceding
provision of an identity document, the controller disregards the principle of
minimum data processing (Article 5.1 c) GDPR). The concrete application of this principle with
with regard to the processing of identity documents in the context of the exercise of rights
by the data subject implies that the controller cannot require that a
proof of identity is provided in cases where the data subject can be identified
on the basis of the personal data already processed by him in order to be able to follow up
indicate the exercise of its rights
to prevent processing more data than is necessary for the purpose of identifying the
data subject in light of the exercise of rights with regard to direct marketing.
In concrete terms, this means that if – as in this case – the controller makes use
of the complainant's e-mail address to send these direct marketing messages, it is sufficient
that the complainant addresses the controller using the same email address
to exercise its rights.
6. The Disputes Chamber is of the opinion that on the basis of the above analysis,
concluded that a breach of the provisions of the
GDPR was committed, which justifies the taking of a
decision on the basis of Article 95, §1, 4° WOG, more specifically to inform the controller
warn that the condition included in the privacy statement for the provision of a
proof of identity in the context of exercising rights with regard to direct marketing
infringes Article 5.1 c) GDPR.
7. The Disputes Chamber is of the opinion that the controllers should be given the opportunity
be offered to adjust its course of action as a result of this first complaint, so that in
similar facts and possibly new complaints about them in the future
avoided. The Disputes Chamber therefore expects the privacy statement to be specific on this point
is adapted and brought into line with the principle of minimum
data processing. Decision 145/2022 - 4/6
8. The present decision is a prima facie decision made by the Disputes Chamber
in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of
2
the ‘procedure prior to the decision on the merits’ and not a decision on the merits of the
Disputes Chamber within the meaning of Article 100 WOG.
9. The purpose of this decision is to notify the controller of the
fact that it may have infringed the provisions of the GDPR and that it is in the
possibility to still conform to the aforementioned provisions.
10. However, if the controller does not agree with the content of this
prima facie decision and considers that it may allow factual and/or legal arguments
funds that could lead to a different decision, can be sent to the email address
litigationchamber@apd-gba.be address a request for treatment on the merits of the case to the
Dispute Chamber and this within the period of 30 days after notification of this decision. The
enforcement of this decision will, if necessary, be during the aforementioned period
suspended.
11. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will
the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their
to submit defenses and to attach to the file any documents they deem useful. The
If necessary, this decision will be definitively suspended.
12. For the sake of completeness, the Disputes Chamber is informed that a treatment on the merits of the case may be
3
lead to the imposition of the measures referred to in Article 100 WOG.
13. Finally, the Disputes Chamber points out the following:
If one of the parties wishes to make use of the possibility to consult and
copying the file (art. 95, §2, 3° WOG), this should contact the secretariat
2 Section 3, Subsection 2 WOG (Articles 94 to 97).
3
1° to dismiss a complaint;
2° order the suspension of prosecution;
3° order the suspension of the judgment;
4° propose a settlement;
5° to formulate warnings and reprimands;
6° order compliance with the data subject's requests to exercise his or her rights;
7° to order that the data subject is informed of the security problem;
8° order that the processing be temporarily or permanently frozen, restricted or prohibited;
9° to order that the processing is brought into conformity;
10° the rectification, restriction or deletion of data and its notification to the recipients of the data
command;
11° order the withdrawal of the recognition of certification bodies;
12° to impose periodic penalty payments;
13° impose administrative fines;
14° order the suspension of cross-border data flows to another State or an international institution;
15° to hand over the file to the public prosecutor's office in Brussels, who will inform it of the consequence that the
file is given;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 145/2022 - 5/6
of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment
to capture.
14. If a copy of the file is requested, the documents will be sent electronically if possible
or else delivered by regular mail. 4
III. Publication of the decision
15. Given the importance of transparency in the decision-making of the
Litigation Chamber, this decision is published on the website of the
Data Protection Authority. However, it is not necessary that the identification data
of the parties be published directly.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, subject to the
submission of a request by the controller for processing on the merits
in accordance with Article 98 et seq. WOG, to:
- on the basis of Article 58.2, c) GDPR and Article 95, §1, 4° WOG to the controller
warn that with the intended processing similar to that which is the subject of
the present complaint infringes Article 5.1 c) GDPR;
- to request the controller from the Data Protection Authority (Dispute Chamber)
by e-mail within 30 days of notification of this decision
presenting the result of this decision in order to inform the Disputes Chamber about the
adjustment of the privacy statement regarding the condition for providing proof of identity in
in the context of the exercise of rights, this via the e-mail address litigationchamber@apd-gba.be; and
- in the absence of the timely implementation of the above by the controller,
to handle the case on the merits ex officio in accordance with Articles 98 et seq. WOG.
4Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the
Dispute room NOT provided. In addition, all communication is in principle electronic. Decision 145/2022 - 6/6
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification
appeal against this decision to the Marktenhof (Brussels Court of Appeal), with the
Data Protection Authority as Defendant.
Such an appeal may be lodged by means of an adversarial petition that the
1034terof the Judicial Code, the statements listed should contain .The application on 5
contradiction must be submitted to the registry of the Market Court in accordance with Article
6
1034quinquies of the Ger.W. , or via the Justice Deposit Information System (Article 32ter of
the Ger.W.).
(get). Hielke Hijmans
Chairman of the Disputes Chamber
5The petition states on pain of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the name, first name, place of residence and, where applicable, the capacity of the person to be summoned;
4° the subject matter and the brief summary of the grounds of the claim;
5° the court before whom the claim is brought;
6° the signature of the applicant or of his lawyer.
6 The application with its annex is sent, in as many copies as there are parties involved, by registered letter to the
clerk of the court or at the registry.
