APD/GBA (Belgium) - 147/2022
|APD/GBA - 147/2022|
|Relevant Law:||Article 2(1) GDPR|
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 6(1)(b) GDPR
Article 6(1)(f) GDPR
Article 13(1)(c) GDPR
|National Case Number/Name:||147/2022|
|European Case Law Identifier:||n/a|
|Original Source:||GBA (in NL)|
The Belgian DPA ordered a controller, a vacation park owner, to comply with the principle of data minimisation pursuant to Article 5(1)(c) GDPR. The controller legally processed personal data according to Article 6(1)(b) GDPR to prevent the fraudulent abuse of a swimming pool discount card, but unnecessarily requested photos and degree of kinship of the data subject's family members when their names alone would have sufficed.
English Summary[edit | edit source]
Facts[edit | edit source]
The controller was the owner of a ‘vacation park’. The data subject owned one of the apartments in this park.
The controller provided a special membership card for the owners of an apartment which included a discount for access to the swimming pool. Family members, limited to a certain degree of kinship, were also allowed to use this card. Several details had to be provided to use the card, such as the name of the card owner, a photo of every user family member using it, and their degree of kinship to the owner. It became clear from the proceedings that fraudulent use of the card had occurred in the past by loaned it to unauthorized third parties to profit from the discount. The controller used two legal grounds for the processing: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. Article 6(1)(f) GDPR, however, was only recently added as a legal ground. The data subject filed a complaint at the DPA, stating that he wanted to access the pool with a discount without providing the photos of the users of the card and their degree of kinship.
Holding[edit | edit source]
The DPA held that the controller could rely on Article 6(1)(b) GDPR to regulate access to its swimming pool. The DPA stated that according to Article 13(1)(c) GDPR, the controller should mention the legal basis and the purpose of the processing to the data subject before it starts processing personal data. The controller had mentioned in the contract with the data subject that it would have the possibility to regulate access to the pool. Therefore, the controller could rely on Article 6(1)(b) GDPR.
The DPA did however determine that the controller violated Article 5(1)(c) GDPR, stating that personal data could only be processed when the goal of the processing could not be reached any other way. The DPA held that identifying data subjects for preventing fraud was a specified, explicit and legitimate purpose in the context of Article 5(1)(b) GDPR. However, the DPA continued by stating that only providing names of the people who could use the card was sufficient for reaching the goal of preventing fraud. The DPA disagreed with the controller here, who stated that it would be necessary to also load a photo and degree of kinship on the card, and read this card automatically with an ID-Card reader, every time the card was used at the pool. The DPA held that this was not necessary for the intended goal and determined that this could even entail automatic processing (Article 2(1) GDPR).
Regarding the obligatory photo, the DPA was of the opinion that a human check at the reception was sufficient to prevent fraud and that providing a photo was therefore unnecessary. The DPA also stated that such a visual check would not even fall under the GDPR. The DPA also held that it was not necessary to provide the degree of kinship of family members. The DPA held that this degree of kinship did not provide any additional value, because the controller would not even be able verify this degree of kinship provided by the data subject. Therefore, there was a less privacy intrusive way to reach the intended goal, which resulted in a violation of Article 5(1)(c) GDPR by the controller.
The DPA ordered the controller to bring its processing in compliance with Article 5(1)(c) GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/8 Dispute room Decision on the merits 147/2022 of 17 October 2022 File number : DOS-2019-04465 Subject: Digital membership card as access card for a reduced rate The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Christophe Boeraeve, members. Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Has made the following decision regarding: The complainant: Mr X, hereinafter referred to as “the complainant” The Defendant: Y. Y1. hereinafter referred to as “the defendant” Decision on the merits 147/2022 - 2/8 I. Facts procedure 1. On December 3, 2019, the complainant submits a complaint to the Data Protection Authority against the defendant. 2. The subject of the complaint concerns the creation of a digital membership card by the defendant for holiday home owners and their family members limited to one certain degree of kinship in order to give them access at a favorable rate to the pool for a large number of swims per holiday home. It is not for that purpose only the name of the applicant, also owner of the holiday home, to be provided, but also for each user of the card a photo must be uploaded in a e e data file, as well as the family ties (1 or 2 degree) must be stated. the complainant who owns a home in the holiday park wishes to gain access to the swimming pool at the preferential rate, but without providing photos and without indication of the degree of kinship. 3. On January 7, 2020, the complaint will be declared admissible by the Frontline Service on the grounds of Articles 58 and 60 of the WOG and the complaint on the basis of art. 62, 1 WOG submitted to the Disputes Chamber. 4. On August 11, 2020, the Disputes Chamber will decide on the basis of art. 95, § 1, 1° enart. 98WOG that the file is ready for processing on the merits. 5. On 11 August 2020, the concerned parties will be notified of the provisions as stated in article 95, § 2, as well as those in art. 98 WOG. They are also based on of art. 99 WOG of the time limits for submitting their defences. The deadline for receipt of the defendant's response was laid down on September 25, 2020, this for the conclusion of the complainant's reply on October 16, 2020 and, finally, for the defendant's reply to the statement on Nov 6, 2020. 6. In the absence of response from the defendant to the invitation to submit defenses and with a view to safeguarding the rights of the defence, the Dispute Chamber on June 24, 2022, in accordance with Article 52 of the Rules of Procedure of internal order to proceed to a hearing which will be scheduled for July 4, 2022. 7. On June 28, 2022, the defendant requests a copy of the file (art. 95, §2, 3° WOG), which was transferred to him the same day. 8. At the request of the defendant, the date of the hearing is moved to 5 Sep 2022. 9. On August 29, 2022, the Disputes Chamber will receive the statement of reply from the defendant. In it, the defendant explains that the membership card is an exceptional Decision on the merits 147/2022 - 3/8 commercial offer to private owners and its unauthorized use led to the collection of personal data, including photos of the beneficiaries of the map. In court, the defendant argues that the privacy principles as included in Article 5.1 a) - d) and f) GDPR are complied with, as well as the accountability principle laid down in article 5.2 GDPR. Finally, the defendant argues that the photos cannot be are considered biometric data within the meaning of Article 9 GDPR. 10. On September 5, 2022, the parties will be heard by the Disputes Chamber. 11. On September 7, 2022, the minutes of the hearing will be sent to the parties submitted. 12. On September 13, 2022, the Disputes Chamber will receive some comments with regard to the official report, which it decides to include in her deliberation. 13. On 15 September 2022, the Disputes Chamber will also receive a number of comments with regard to the official report, which are included in the deliberation. II. Justification a) Legal basis 14. The defendant argues that the processing of the personal data on the basis of the digital membership card, namely the first name and last name, as well as the photo of both e e the private owner if each of his family members is limited to the 1 and 2 degree, his basis can be found in Article 6.1 b) GDPR. In addition, the defendant invokes his legitimate interest (Article 6.1 f) GDPR) to have data processing based on the digital map as legitimate. 15. The Disputes Chamber elaborates on the legal grounds used by the defendant cited. In accordance with Article 13.1 c) GDPR, before starting the processing activities are determined by the controller which legal basis applies, and in relation to what specific purpose, with the 1 obligation on the defendant to inform the complainant. 16. Applied specifically to the present file, the Disputes Chamber establishes that the appendix to 2 3 the basic deed concerning the holiday domain in Article 19 provides that the defendant for 1See in this regard the Guidelines 05/2020 on consent in accordance with Regulation 2016/679 (edge nos. 121- 123); https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf 2 In the basic deed referred to as: “annex Regulations of Co-ownership and Internal Order” 3Article 19 of the basic deed reads as follows: “Any owner may stay on the domain when it suits him with the members of his family. He may also receive guests provided they are neither too numerous nor too noisy. The Decision on the merits 147/2022 - 4/8 will issue appropriate regulations to the visiting relatives or guests or charge fees for the use of, among other things, the swimming pool. The Disputes Chamber determines that the defendant contractually has the option under the aforementioned provision to regulate access to the swimming pool, as the defendant has in practice done by providing a preferential rate for the owner and his relatives in 1 and 2 degree. The complainant acknowledges in his conclusion as well as during the hearing that this system is a favorable rate to access the swimming area has been in existence for many years. The Disputes Chamber is of the opinion that the basis for this can be found in the basic deed and the data processing is thus based on Article 6.1 b) GDPR in order to e e a holiday home and its family members limited to the 1 and 2 degree via an access card be able to enjoy the advantage of access to the swimming pool at a discounted rate. 17. In the following, the question to what extent the processing of the personal data by means of the digital membership card as it is currently set up, namely with processing the photos of the users of the card as well as the indication of the degree of kinship to the owner of the property holiday home respects the principle of minimum data processing. 18. For the sake of completeness, the Disputes Chamber also notes that the legal basis ‘legitimate interest’ (Article 6.1 f) GDPR) to which the defendant relies in the subsidiary order bases, is invoked by the defendant post factum and the defendant indicates that this legal basis was recently added to the privacy statement. The The Disputes Chamber repeats that due to the obligation to collect at the time of the collection of personal data to provide the legal basis on which the controller (Article 13.1 c) GDPR), the defendant before When collecting is started, you have to decide what the legal basis is for this. The addition of the legal basis 'legitimate interest' after the data collection took place, as in the present case, is not in accordance with the requirement that the legal basispriortocollectionofthephotosandinformationaboutdegree of kinship must be determined and made known to the person concerned, being the complainant. However, it is sufficient that there is one valid legal basis is present, which in the present case is the agreement that formed the basis of the data collection. 19. It follows from the foregoing that the Disputes Chamber determines that the legal basis on which the the complainant primarily invokes the performance of an agreement (Article 6.1 b) the owner of the lot is responsible for damage caused by his guests issue appropriate regulations or charge the visiting relatives or guests for the use of, among other things, swimming pool, sports pond or even for access to the domain. The owner is personally responsible for the registration of the persons he accommodates under his roof. Other external visitors to the domain will be subject to the same provisions.” Decision on the merits 147/2022 - 5/8 GDPR), which constitutes a valid legal basis for the processing by the defendant of the personal data by means of the digital membership card. Thus it is established that the defendant does not infringe article 6.1 AVG in conjunction with article 13.1 c) GDPR has committed. b) Minimum data processing principle 20. The existence of a legal ground that allows the defendant to to proceed with data processing in the light of the purpose pursued by him, in this case consisting of the granting of an advantage to the owners and a limited number of relatives by giving them access to the swimming pool at a favorable rate, does not mean that the defendant is obliged to comply with the principle of minimum data processing. This means that the defendant must determine how the purpose can be achieved on the basis of sufficient data, relevant are limited to what is necessary for the purposes for which they are being processed (Article 5.1 c) GDPR). 21. When applied to the present complaint, it must be verified whether the defendant has and the degree of kinship of the intended users of the membership card may retrieving and then processing it in a data file with a view to a controlled access to the swimming pool at a discounted rate to prevent card abuse prevented by third parties. Indeed, in the past, it was repeatedly established that third parties unauthorized use of the card because some owners used the then-current made a paper card with swimming sessions available to the tenants of their holiday home in the context of private rental. Based on the purpose consisting of averting possible misuse of the card, it should be checked whether for this purpose the processing of the relevant photos and degree of relationship is required. 22. Personal data may only be processed if the purpose of the processing is not can reasonably be realized in another way. From the actual elements of 4Recital 39 GDPR. “Any processing of personal data must be done properly and lawfully. Fornatural persons serves it be transparent that personal data concerning them is collected, used, consulted or otherwise processed and to what extent the personal data is or will be processed. According to the transparency principle, information and communication in connection with the processing of those personal data be easily accessible and understandable, and must be clearly used in a simple language in particular informing data subjects about the identity of the controller and the purposes of the processing, as well as further information to ensure fair and transparent processing with regard to the natural persons concerned and their right to receive confirmation and communication of their personal data that are processed. Natural persons must be made aware of the risks, rules, safeguards and rights in connection with the processing of personal data, as well as how they exercise their rights in relation to this be able to carry out processing. More specifically, the specific purposes for which the personal data are collected processed, to be explicit and legitimate and to be established when the personal data is collected. The personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. In particular, this requires ensuring that the storage period of the personal data is kept to a strict minimum. Personal data may only be processed if the Decision on the merits 147/2022 - 6/8 the file shows that there is a need to identify the users of the card who are offer at the pool, so that it can be verified whether the users actually are those who are entitled to access the pool at the favorable discount rate and thus abuse can be excluded. This constitutes a specific, explicit and legitimate purpose within the meaning of Article 5.1 b) GDPR . It is common ground that the owners concerned, including the complainant, were written by the defendant explaining in the letter that pursuant to misuse of the paper card would be switched to a digital card with explanation that henceforth the photos of the beneficiaries indicating the degree of relationship would be necessary. 23. Exactly about the need to provide photos with the degree of kinship and its processing in a database for the purpose of use of the digital card in the context of combating abuse, the to have examined the defendant during the hearing to use the identity card as means of access control, but that its reading is in no way less would be privacy violating, since the identity card contains more data than necessary for access control. 24. In this regard, the Disputes Chamber points out that the purpose pursued by the Defendant can be reached solely by the names of the to process beneficiaries of the discounted rate in a data file that is linked to a digital map. After all, it is sufficient that the beneficiary of the card at the pool entrance counter where he can get the discounted rate granted provided he offers his digital membership card and on presentation of his identity card. It is by no means necessary that the complainant shows his identity card 'reading' as the defendant argues, which is an automated data processing in accordance with Article 2.1 of the GDPR. Reading the identity card would have the consequence that by means of an e-ID card reader, more data is processed than necessary for the purpose, since a lot of data is stored on the card more information than that which the defendant believes it needs. 25. The Disputes Chamber states that it is sufficient that the names of the beneficiaries are processed by means of the membership card and can be consulted by the purpose of the processing cannot reasonably be achieved in any other way. To make sure that personal data are not kept for longer than necessary, the controller must set time limits for the erasure of data or for a periodic review thereof. All reasonable measures must be taken taken to ensure that incorrect data is corrected or deleted be processed in a manner that ensures appropriate security and confidentiality of that data, including for preventing unauthorized access or use of personal data and equipment intended for processing is used.” [own underlining] 5See in this regard also recital 39 GDPR which states: “[…] More specifically, the specific purposes serve for which the personal data are processed must be explicit and justified and to be established when the personal data is collected. […]” Decision on the substance 147/2022 - 7/8 receptionist.To make sure whoever offers the membership card is right is a beneficiary of the preferential rate, provides a purely visual check of the identity card on which both the name and the photo of the person concerned are visible stated, the guarantee of correct identification. Processing photos of the beneficiaries can therefore in no way be regarded as relevant and necessary for the realization of the intended purpose. The combination of the processing the names of the beneficiaries of the benefit rate by means of the membership card linked to a database, which is a data processing within the meaning of Article 4. 2) GDPR, and, on the other hand, the visual verification of the identity card which also contains the name of the beneficiary, as well as the photo that can be used to check whether the person who presents himself at the entrance counter is actually the person to whom that name and photo belong and is thus entitled to use the membership card is sufficient to prevent misuse A mere visual check in which physical similarities are checked of those who want access and the photo on the identity card, do not fall under the scope of the GDPR, as such control is not accompanied by any form of processing within the meaning of article 2.1 AVG. In case of identity verification, the visu, after all, there is no question of fully or partially automated processing, nor of any processing contained in a file or intended to be incorporated therein Hospitalized. It follows that with this method the intended goal can be achieved in a less privacy-violating way than that currently used by the defendant. 26. This also applies to the processing of the degree of kinship whose processing is also irrelevant and necessary in light of the purpose. The notification of the degree of kinship for each beneficiary, as requested by the defendant, is based on the simple “declaration of honor” of the owner of the vacation home. The Disputes Chamber is of the opinion that it is sufficient that the owner of the holiday home only gives the names of his relatives in the 1st and 2nd degree without him for each of them should state the exact degree. The designation of the kinship degree offers no added value, since this information is not may be subject to some scrutiny given that the unverified information to be provided by the owner himself, which is not objective can be established by the defendant on the basis of any document. This leads to that the Disputes Chamber is of the opinion that also with regard to the degree of kinship the processing only the names of the beneficiaries is sufficient without further specification of the degree of kinship. 27. By virtue of the fact that the defendant's purpose can be achieved without processing of the photos of the beneficiaries of the membership card and their degree of Decision on the merits 147/2022 - 8/8 relationship, it is established that the defendant has a violation of article 5.1c) GDPR committed. III. Publication of the decision 28. Given the importance of transparency in the decision-making of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for the identifiers of the parties are disclosed directly. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to pursuant to art. 100, §1, 9° WOG, to order the defendant that the processing in is brought into line with Article 5.1, c) GDPR, within a period of two months, the Data Protection Authority about it within the same period to inform. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notice against this decision, an appeal may be lodged with the Marktenhof (court of profession Brussels), with the Data Protection Authority as defendant. Such an appeal may be lodged by means of an adversarial petition that the must contain the statements listed in Article 1034ter of the Judicial Code. It adversarial petition must be submitted to the registry of the Marktenhof in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit IT system of Justice (Article 32ter of the Ger.W.). (get). HielkeIJMANS Chairman of the Disputes Chamber 6The petition states, on pain of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and the brief summary of the grounds of the claim; 5° the court before whom the claim is brought; 6° the signature of the applicant or of his lawyer. 7The application with its annex shall be sent by registered letter, in as many copies as there are parties concerned sent to the clerk of the court or deposited at the clerk's office.