APD/GBA (Belgium) - 16/2023
|APD/GBA - 16/2023|
|Relevant Law:||Article 5(2) GDPR, Article 6(1) GDPR, Article 24(1) GDPR, Article 29 GDPR, Article 32 GDPR, Act of 8 August 1983 regulating a National Register of Natural Persons|
|Parties:||Centre public d'action sociale|
|National Case Number/Name:||16/2023|
|European Case Law Identifier:||n/a|
|Original Source:||Décision 16/2023 (in FR)|
|Initial Contributor:||Matthias Smet|
An employee of the public social service acts as controller when consulting a data subject's national register data for personal purposes. This processing does not rely on a legal basis and therefore breaches Articles 5(1)(a) and 6 GDPR.
English Summary
Facts
A data subject noticed that her personal data had been consulted on 4 September 2019 through the intermediary of the Crossroads Bank for Social Security (BCSS). She exercised her right of access with the BCSS and discovered that an employee (defendant 1) of the public social service center (CPAS) (defendant 2) had consulted her data. Based on this information, the data subject filed a complaint stating that both defendants had breached Article 5(1) and Articles 5 and 13 of the Act of 8 August 1983 regulating a National Register of Natural Persons, which exhaustively list the purposes for which the register may be consulted.
Holding
Since the complaint was directed against two defendants, the litigation chamber determined who was the data controller for this processing activity. The DPA stated that CPAS remained the data controller for the consultations carried out by its employees. However, this qualification as 'data controller' is limited to consultations carried out within the framework of CPAS's mission, i.e. pursuing the purposes set out in Article 5 of the Act of 8 August 1983 regulating a National Register of Natural Persons. For consultations and searches outside the framework of her duties as a social agent, and for searches for private purposes, the CPAS employee (in this case defendant 1) was acting as controller.
Towards the employee of CPAS (defendant 1):
The DPA stated that the employee consulted the national register without any legal basis. In doing so, she was guilty of a breach of Article 6 GDPR combined with a breach of Article 5(1)(a), under which the processing of personal data must in particular be lawful. The DPA issued a warning for the future that the consultation of personal data from the National Register via the BCSS for private purposes constitutes unlawful processing of personal data.
The DPA considered that CPAS had taken appropriate and sufficient measures in order to prevent and detect abusive use of the national registers. It therefore dismissed the complaint against CPAS.
Comment
- The wording of the complaint and the documents that were handed over imply that the complainant is the ex-wife of defendant 1's father.
- Besides the administrative procedure before the litigation chamber, Article 13 of the Act of 8 August 1983 regulating a National Register of Natural Persons provides for legal sanctions such as fines and imprisonment under Belgian criminal law.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.