APD/GBA (Belgium) - 17/2023: Difference between revisions

From GDPRhub
m (Capitalised 'article')
Line 71: Line 71:
}}
}}


The Belgian DPA ordered a city municipality to comply with an access request pursuant to [[article 58 GDPR#2C|article 58(2)(c) GDPR]]. Additionally, the DPA recommended the controller to log the access to the national registry as a security measure.
The Belgian DPA ordered a city municipality to comply with an access request pursuant to [[article 58 GDPR#2C|Article 58(2)(c) GDPR]]. Additionally, the DPA recommended the controller to log the access to the national registry as a security measure.


== English Summary ==
== English Summary ==
Line 79: Line 79:


=== Holding ===
=== Holding ===
The DPA reinstated that [[article 15 GDPR#1a|article 15(1)(a) GDPR]] grants each data subject the right to obtain more information about the processing of their personal data. The DPA confirmed that the data subject exercised his right correctly. The DPA continued that a controller is obliged to answer such requests within 1 month pursuant to [[article 12 GDPR#3|article 12(3) GDPR]]. The DPA verified that the controller did not respond to the request.
The DPA reinstated that [[article 15 GDPR#1a|Article 15(1)(a) GDPR]] grants each data subject the right to obtain more information about the processing of their personal data. The DPA confirmed that the data subject exercised his right correctly. The DPA continued that a controller is obliged to answer such requests within 1 month pursuant to [[article 12 GDPR#3|Article 12(3) GDPR]]. The DPA verified that the controller did not respond to the request.


The DPA established that controllers are obliged to implement appropriate security measures to protect the personal data against unauthorised access as stipulated in [[article 5 GDPR#1f|article 5(1)(f) GDPR]]. The DPA also endorsed that controllers should be able to show compliance with the processing principles as set out in [[article 5 GDPR#2|article 5(2) GDPR]].
The DPA established that controllers are obliged to implement appropriate security measures to protect the personal data against unauthorised access as stipulated in [[article 5 GDPR#1f|Article 5(1)(f) GDPR]]. The DPA also endorsed that controllers should be able to show compliance with the processing principles as set out in [[article 5 GDPR#2|Article 5(2) GDPR]].


The DPA stated that security obligations are established in [[article 32 GDPR|article 32 GDPR]] and while the practice of logging is not included in the list of technical and organisational measures, the DPA recommended this as a best practice. The DPA referred to article 17 loi organisant un registre national des personnes physiques (law organising a national register for natural persons) which also enshrined this practice.  
The DPA stated that security obligations are established in [[article 32 GDPR|Article 32 GDPR]] and while the practice of logging is not included in the list of technical and organisational measures, the DPA recommended this as a best practice. The DPA referred to Article 17 loi organisant un registre national des personnes physiques (law organising a national register for natural persons) which also enshrined this practice.  


Given the above, the DPA concluded that the controller may have violated, among others, [[article 15 GDPR#1|article 15(1) GDPR]] by not providing an answer to the access request and ordered the controller to comply with said access request of the data subject.
Given the above, the DPA concluded that the controller may have violated, among others, [[article 15 GDPR#1|Article 15(1) GDPR]] by not providing an answer to the access request and ordered the controller to comply with said access request of the data subject.


== Comment ==
== Comment ==
Line 91: Line 91:


== Further Resources ==
== Further Resources ==
''Share blogs or news articles here!''
''Share blogs or news Articles here!''


== English Machine Translation of the Decision ==
== English Machine Translation of the Decision ==
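Review bot: In the "Further Resources" hunk (Line 91), the capitalisation pass also changed "news articles" to "news Articles". That phrase refers to press articles, not to a legal provision, so it should stay lowercase: ''Share blogs or news articles here!''. The other changes in this revision capitalise "Article" only in references to GDPR provisions and to Article 17 of the national register law, which matches the edit summary.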

Revision as of 05:58, 7 March 2023

APD/GBA - 17/2023
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 12(3) GDPR
Article 15(1) GDPR
Article 15(1)(a) GDPR
Article 32 GDPR
Article 17 Loi organisant un registre national des personnes physiques
Type: Complaint
Outcome: Upheld
Started: 03.02.2023
Decided: 01.03.2023
Published: 06.03.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 17/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Gegevensbeschermingsautoriteit (in FR)
Initial Contributor: Enzo Marquet

The Belgian DPA ordered a city municipality to comply with an access request pursuant to Article 58(2)(c) GDPR. Additionally, the DPA recommended that the controller log access to the national registry as a security measure.

English Summary

Facts

The controller is a city municipality and the data subject a citizen of the municipality. The data subject noticed that his national register file had been consulted by the controller. He contacted their DPO for more information on the consultation on 10 November 2022. On 16 November, the data subject noticed a new consultation on 10 November 2022. The data subject contacted the DPO again demanding an explanation. However, both requests for information remained unanswered.

Holding

The DPA reiterated that Article 15(1)(a) GDPR grants each data subject the right to obtain more information about the processing of their personal data. The DPA confirmed that the data subject exercised his right correctly. The DPA continued that a controller is obliged to answer such requests within 1 month pursuant to Article 12(3) GDPR. The DPA verified that the controller did not respond to the request.

The DPA established that controllers are obliged to implement appropriate security measures to protect the personal data against unauthorised access as stipulated in Article 5(1)(f) GDPR. The DPA also endorsed that controllers should be able to show compliance with the processing principles as set out in Article 5(2) GDPR.

The DPA stated that security obligations are established in Article 32 GDPR and while the practice of logging is not included in the list of technical and organisational measures, the DPA recommended this as a best practice. The DPA referred to Article 17 loi organisant un registre national des personnes physiques (law organising a national register for natural persons) which also enshrined this practice.

Given the above, the DPA concluded that the controller may have violated, among others, Article 15(1) GDPR by not providing an answer to the access request and ordered the controller to comply with said access request of the data subject.

Comment

This was a preliminary (prima facie) decision according to Article 95 WOG, prior to a decision on the merits.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision 17/2023 of March 1, 2023

File number: DOS-2023-00290

Subject: consultation of the national register and lack of response to the exercise of the right of access




The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “LCA”;

Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Made the following decision regarding:

The plaintiff: X, hereinafter “the plaintiff”;

The defendant: Commune Y, hereinafter: “the defendant”.



I. Facts and procedure


 1. The subject of the complaint concerns the consultation of the complainant's national register file by Commune Y and the lack of response to his request for access.

    The complainant noted that his national registry file had been consulted by the municipality Y on May 25, 2022. After calling the municipality in June, he contacted the data protection officer of the municipality by email on November 10, 2022 in the afternoon, asking for explanations about this consultation. This email would have remained without answer. On November 16, 2022, the complainant noticed that a new consultation of his data from the national register took place on November 10, 2022 in the morning. He writes again to the data protection officer of the municipality to justify these different consultations. This email would also have remained unanswered.

 2. On February 3, 2023, the complainant lodged a complaint with the Data Protection Authority against the defendant.

 3. On the same day, the complaint is declared admissible by the Front Line Service on the basis of articles 58 and 60 of the LCA and the complaint is transmitted to the Litigation Chamber pursuant to Article 62, § 1 of the LCA.

 4. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the internal rules of order of the DPA, a copy of the file may be requested by the parties. If one of the parties wishes to make use of the possibility of consulting the file, the latter is required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be.



II. Motivation


 5. Article 15.1.a) of the GDPR provides that the data subject can contact the controller in order to obtain the purpose of the processing.

 6. Under Article 12.3 of the GDPR, the controller has a maximum period of one month from the request for access to provide a response. This period may, under certain conditions, be extended for two additional months.

 7. Furthermore, in its capacity as data controller, the defendant is required to implement data protection principles and must be able to demonstrate that these are respected (principle of responsibility – article 5.2. of the GDPR). This includes the principle of security included in article 5.1.f), which is now raised in the GDPR to the same rank as the fundamental principles of legality, transparency and fairness.

 8. The obligations of data controllers with regard to the security of processing are established in articles 32 et seq. of the GDPR. Although logging is not expressly mentioned in the GDPR, keeping a journal of log files constitutes a technical and organizational measure envisaged in Article 32 GDPR. It constitutes a good practice, recommended to the data controller when this measure is adapted to the risks associated with the characteristics of the processing. This practice has also been enshrined by the legislator who integrated this obligation into article 17 of the law of 8 August 1983 organizing a national register of natural persons.[3][4]

[1] Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision of the fact that the complaint has been declared admissible.

[2] Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following this complaint, the file was forwarded to it.


 9. In this case, it appears from the emails sent by the complainant to the municipality that he exercised his right of access regarding the purpose of the consultation of his file in the national register (Article 15.1a) of the GDPR).

 10. It appears from the complainant's emails and the content of the complaint that the municipality would never have responded to the complainant's access requests.

 11. The Litigation Division considers that on the basis of the aforementioned facts, there is reason to conclude that the defendant may have breached the provisions of the GDPR, which justifies that in this case, it is making a decision in accordance with Article 95, § 1, 5° of the LCA, more specifically, to order compliance with the request of the complainant to exercise his right of access (article 15.1 of the GDPR), and this in particular in view of:

        - That under article 17 of the law of August 8, 1983 organizing a national register of natural persons, the data controller must be able to justify the consultations carried out and provide the purpose of the consultations;

        - The evidence provided by the complainant demonstrating that there was indeed consultation of his national registry file by the defendant;

        - Copies of emails sent by the plaintiff demonstrating that he has exercised his right of access provided for in Article 15.1 of the GDPR;

        - That the complainant indicates that he received no response to his requests for access.




[3] Law of 8 August 1983 organizing a national register of natural persons. Available on https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=1983080836&table_name=loi

[4] For more details, the Litigation Chamber refers in particular to its decision 129/2021 of November 26, 2021, § 33 et seq. Available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-129-2021.pdf


 12. This decision is a prima facie decision taken by the Litigation Chamber pursuant to Article 95 of the LCA on the basis of the complaint lodged by the complainant, within the framework of the “procedure prior to the substantive decision”[5] and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA.

 13. The purpose of this decision is to inform the defendant, allegedly responsible for the processing, that it may have violated the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions.

 14. If, however, the defendant does not agree with the content of this prima facie decision and believes that it can make factual and/or legal arguments that could lead to another decision, it may send the Litigation Chamber a request for treatment on the merits of the case via the e-mail address litigationchamber@apd-gba.be, within 30 days of notification of this decision. Where applicable, the execution of this decision is suspended for the aforementioned period.

 15. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and attach to the file all the documents they deem useful. If applicable, this decision is permanently suspended.

 16. With a view to transparency, the Litigation Chamber finally emphasizes that dealing with the case on the merits may lead to the imposition of the measures mentioned in section 100 of the LCA.[6]













[5] Section 3, Subsection 2 of the LCA (Articles 94 to 97 inclusive).

[6] Art. 100. § 1. The litigation chamber has the power to
 1° dismiss the complaint without follow-up;
 2° order the dismissal;
 3° pronouncing the suspension of the pronouncement;
 4° to propose a transaction;
 5° issue warnings and reprimands;
 6° order to comply with requests from the data subject to exercise his or her rights;
 7° order that the person concerned be informed of the security problem;
 8° order the freezing, limitation or temporary or permanent prohibition of processing;
 9° order compliance of the processing;
 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data;
 11° order the withdrawal of accreditation from certification bodies;
 12° to issue periodic penalty payments;
 13° to issue administrative fines;
 14° order the suspension of cross-border data flows to another State or an international body;
 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.



III. Publication of the decision


 17. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for this purpose that the identification data of the parties are communicated directly.










    FOR THESE REASONS,

    the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with articles 98 et seq. of the LCA:

       - pursuant to Article 58.2.c) of the GDPR and Article 95, §1, 5° of the LCA, to order the defendant to comply with the request of the person concerned to exercise his right of access (article 15.1 of the GDPR) regarding the consultation of his file of the national register, and to send the information to the complainant within 30 days from the date of notification of this decision;

       - to order the defendant to inform by e-mail the Data Protection Authority (Litigation Chamber) of the follow-up given to this decision, within the same deadline, via the e-mail address litigationchamber@apd-gba.be; and

       - if the defendant does not comply in good time with what is requested of it above, to deal ex officio with the case on the merits, in accordance with articles 98 et seq. of the LCA.






In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as defendant.

Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code.[7] The interlocutory motion must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud.,[8] or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).

    (S.) Hielke HIJMANS

    President of the Litigation Chamber

[7] The request contains on penalty of nullity:
 1° indication of the day, month and year;
 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or business number;
 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
 4° the object and summary statement of the means of the request;
 5° the indication of the judge who is seized of the application;
 6° the signature of the applicant or his lawyer.

[8] The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court office.