APD/GBA (Belgium) - 189/2022

From GDPRhub
Revision as of 08:57, 11 January 2023 by Kv (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - 189/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15(1) GDPR
Article 58(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 14.12.2022
Decided: 22.12.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 189/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: n/a

The Belgian DPA ordered a human resources provider to comply with an access request. In light of the the accountability principle of Article 5(2) GDPR this includes certain information regarding the source of personal data.

English Summary

Facts

The data subject was contacted on 24 August 2022 by the controller, a human resources provider. The controller stated that it possessed the data subjects file and wanted to provide assistance for job hunting. Wanting to find out more, the data subject sent an access request where she requested among the others the source of personal data, the purpose of processing, the storage period and the legal basis.

On 25 August 2022, the controller replied providing guidance on the right of erasure. The data subject responded that she did not request erasure, but merely wanted access at this point in time. The controller provided its privacy policy as a response and stated that the data subject could look for an answer therein. The data subject replied that the answer was not in the privacy policy and that she was still unable to determine the source of personal data, the purpose of processing, the storage period and the legal bases. On 29 August 2022, the controller did provide some information regarding the source of the data: It received the data subject's data from another service (nature and name of the service undisclosed), which worked together with employers to find suitable jobs for potential employees.

The data subject filed a complaint at the Belgian DPA on 14 December 2022, because the controller did not provide a substantive enough answer within one month to the access request (Article 12(3) GDPR) nor any extension under Article 12(4) GDPR had ever been communicated.

Holding

The DPA deemed the controllers answer to the access request inadequate, because it had only provided the name of the source of personal data while the data subject requested more information described in Article 15(1) GDPR. Therefore, the controller violated Articles 12(3), 12(4) and 15(1) GDPR.

The DPA went into further detail regarding the source of the personal data. The DPA specified that the controller had the obligation to provide certain basic information to the data subject because of the accountability principle (Article 5(2) GDPR). The controller had to show that personal data was processed in a GDPR compliant manner. This would also obligate the controller to show it had assessed if a third party was lawfully processing personal data before the receiving personal data from this third party. For this reason, the data subject could expect the controller to provide information about the way the third party had collected the data subject's personal data in the first place, as well as provide information about the legal basis this third party was using for its processing. The controller should also provide the contact details of this third party to the data subject. This would enable the data subject to exercise the right of access by contacting such third party.

The DPA ordered the controller to comply with the access request pursuant of Article 58(2)(c) GDPR and Article 95(1)(5) WOG. This was a preliminary decision prior to the decision on the merits.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/7







                                                                                  Litigation room



                                                    Decision 189/2022 of 22 December 2022





File number : DOS-2022-05088



Subject: Exercise of the right of access without the controller

follows it




The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

sole chairman;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (general

Data Protection Regulation), hereinafter GDPR;



Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;


Having regard to the rules of internal order, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                                  .
The complainant: Mrs X, hereinafter referred to as “the complainant”; .

                                                                                                  .

The controller: Y, hereinafter “the controller” Decision on the substance 189/2022 - 2/7



I. Factual Procedure


    1. On 14 December 2022, the complainant lodged a complaint with the Data Protection Authority against

        the controller.


    2. The object of the complaint concerns the exercise of the right of inspection by the complainant without

        that it has received a substantively satisfactory answer from the controller

        active in the human resources sector, within the period of one month (article 12.3 GDPR), nor
        to notify the extension of that period (article 12.4 GDPR). The specific reason for the

        exercise of the right of access was the fact that the complainant became on August 24, 2022

        contacted by the controller who stated that the file of the complainant

        located in its database, offering the complainant to provide assistance in finding

        a new professional challenge. The complainant will also be asked to renew the
        contract. On August 25, 2022, the complainant will receive a response to the effect that the

        controller explains how the complainant can obtain data erasure.

        The complainant, in turn, responds that it wishes to erase data and, for the time being, no data

        the complainant will receive on August 25, 2022 from the controller the

        privacy statement with the question whether she can find the answer to her questions
        on August 29, 2022 that this is not the case and that she still did not receive an answer to her

        ask about the origin, purpose, retention period, and legal basis for the hair

        regarding data processing. The controller informs the complainant about 30

        August 2022 that her personal data was obtained as a result of

        a registration with the […] that forwards the data to employers who work with them

        the framework of job placement, with the aim of finding suitable employment. The
        the complainant subsequently stated on 2 December 2022 that he still had no answer

        received on her question about the legal basis for the data processing and the retention period

        of it, nor about the extent to which it was informed about the data processing and how

        processing fits within the principle of purpose limitation, the principle of minimum

        data processing and correctness, since she has been employed with her for more than two years
        current employer and has never lived or worked in (…), nor has any interest in doing so

        shown.


    3. On December 14, 2022, the complaint will be declared admissible by the First Line Service on the grounds

        of Articles 58 and 60 WOG and the complaint is settled on the basis of art. 62, §1 WOG transferred to

        the Disputes Chamber. Decision on the substance 189/2022 - 3/7




II. Motivation


    4. Based on the documents supporting the complaint, the Litigation Chamber determines that the complainant has its right

         has exercised access, but the controller has failed to do so

         to take appropriate action by limiting itself to only mentioning the name of the body whose

         personal data were obtained, notwithstanding the fact that the complainant also

         requested other information (including legal basis, retention period) included in Article 15.1


         AVG. As a result, the controller has acted in violation of Articles 12.3 and 12.4
              1 2
         GDPR , as well as Article 15.1 GDPR .

                                                                                                      3
    5. Specifically with regard to the origin of the personal data about which the

         controller, the Litigation Chamber states that the accountability
                            4
         (article 5.2 GDPR) of the controller entails basic information

         is provided to the person concerned, being the complainant, showing that the

         controller itself processes the data in accordance with the GDPR and prior to the

         obtaining the personal data checks whether that data is lawfully processed by

         the authority from which the personal data originates. Thus, the complainant can expect that the




1Article 12 GDPR.

[…]
3. The controller shall provide the data subject without undue delay and in any event within one month of receipt of the request
information on the action taken on the request under Articles 15 to 22. Depending on the complexity of the
requests and the number of requests, that period may be extended by a further two months if necessary. The

The controller shall inform the data subject of such an extension within one month of receipt of the request.
When the data subject submits his request electronically, the information shall be provided electronically if possible, unless the data subject
otherwise requests.
4. Where the controller does not comply with the request of the data subject, it shall inform the data subject without undue delay and
no later than one month after receipt of the request why the request has not been acted upon, and informs him about this
the possibility to lodge a complaint with a supervisory authority and to appeal to the courts.

2Article 15 GDPR

1. The data subject has the right to obtain from the controller a confirmation as to whether or not his or her data are processed
concerning personal data and, where that is the case, to obtain access to that personal data and to the following
information:
a) the processing purposes;

b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in

third countries or international organisations;
d) if possible, the period for which the personal data is expected to be stored, or if not
possible, the criteria for determining that period;

e) that the data subject has the right to request from the controller that personal data be rectified or erased,
or that the processing of personal data concerning him is restricted, as well as the right to object to that processing;
f) that the data subject has the right to lodge a complaint with a supervisory authority;

g) where the personal data is not collected from the data subject, all available information about the source of that data;

(h) the existence of automated decision-making, including profiling referred to in Article 22(1) and (4), and, at least
in those cases, useful information about the underlying logic, as well as the importance and expected consequences of that processing for the
data subject.
[…]

3See in this regard: Decision 14/2021 February of 09 February 2021; Decision 20/2021 of February 12, 2021
4 Article 5.2 GDPR: The controller is responsible for compliance with paragraph 1 and can demonstrate this

(“accountability”). Decision on the substance 189/2022 - 4/7



        controller provides information on how that body, in this case […],

        came into possession of the complainant's personal data, as well as the legal basis on which it is based

        whose data are processed by that authority in order to demonstrate that the data

        from the complainant have been lawfully obtained by the controller. In order to the

        rights of the complainant, the controller must also provide it with the

        make contact details of that authority available in order to enable the complainant

        to exercise its right of access vis-à-vis that authority, being the […].

    6. With regard to the other information that the complainant has requested and is entitled to

        Pursuant to Article 15.1 GDPR, the controller has left nothing there

        to provide an answer.


    7. The Disputes Chamber is of the opinion that on the basis of the above analysis it should be

        concluded that the controller has committed a breach of the provisions of the
        GDPR was committed, which justifies taking a

        decision pursuant to Article 95, §1, 5° WOG, more specifically the controller in

        orders to follow up on the exercise by the complainant of his right of access (art

        15.1 GDPR) and this in particular in view of the document submitted by the complainant showing that

        the complainant has indeed exercised its right of access, but the

        controller has not taken appropriate action.

    8. The present decision is a prima facie decision taken by the Litigation Chamber

        in accordance with article 95 WOG on the basis of the complaint submitted by the complainant, in the context of

        the 'procedure prior to the decision on the merits' and no decision on the merits of the

        Disputes Chamber within the meaning of Article 100 WOG.


    9. The purpose of this decision is to inform the controller of the

        fact that it may have committed a breach of the provisions of the GDPR and put it in the

        possibility to still comply with the aforementioned provisions.

    10. However, if the controller does not agree with the content of this

        prima facie decision and considers that it may leave factual and/or legal arguments

        funds that could lead to a different decision, this can be done via the e-mail address

        litigationchamber@apd-gba.be to submit a request for consideration of the merits of the case to the

        Litigation Chamber and this within the period of 30 days after notification of this decision. The

        enforcement of this decision will, if necessary, take place during the aforementioned period
        suspended.







5Section 3, Subsection 2 WOG (Articles 94 to 97 inclusive). Decision on the substance 189/2022 - 5/7




    11. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber

        the parties pursuant to Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their

        submit defenses as well as attach any documents they deem useful to the file. The

        the present decision will, if necessary, be definitively suspended.


    12. The Disputes Chamber points out for the sake of completeness so that a hearing on the merits of the case can take place
                                                                                     6
        lead to the imposition of the measures referred to in Article 100 WOG.


    13. Finally, the Disputes Chamber points out the following:


        If one of the parties wishes to make use of the possibility to consult and

        copying the file (art. 95, §2, 3° WOG), he must turn to the secretariat

        of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment

        to capture.

        If a copy of the file is requested, the documents will be sent electronically if possible

        or otherwise delivered by regular mail. 7




III. Publication of the decision



    14. Given the importance of transparency with regard to decision-making by the

        Litigation Chamber, this decision will be published on the website of the

        Data Protection Authority. However, it is not necessary for this to include the identification data

        of the parties are disclosed directly.











61° to dismiss a complaint;
 2° to order the exclusion of prosecution;
 3° order the suspension of the judgment;
 4° propose a settlement;
 5° formulate warnings and reprimands;
 6° order that the data subject's requests to exercise his rights be complied with;
 7° order that the data subject be informed of the security problem;

 8° order that the processing be temporarily or permanently frozen, restricted or prohibited;
 9° order that the processing be brought into compliance;
 10° the rectification, restriction or deletion of data and the notification thereof to the recipients of the data
command;
 11° to order the withdrawal of the accreditation of certification bodies;
 12° to impose penalty payments;
 13° to impose administrative fines;
 14° order the suspension of cross-border data flows to another State or an international institution;
 15° transfer the file to the Public Prosecutor's Office of the Crown Prosecutor in Brussels, who informs it of the follow-up to the
file is given;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

7Due to the extraordinary circumstances due to COVID-19, the possibility of collection at the secretariat of the
Dispute room NOT provided. In addition, all communication takes place electronically in principle. Decision on the substance 189/2022 - 6/7










   FOR THESE REASONS,
   the Disputes Chamber of the Data Protection Authority decides, subject to the

   submission of a request by the controller for treatment on the merits

   in accordance with Article 98 et seq. WOG , to:



   - on the basis of Article 58.2, c) GDPR and Article 95, § 1, 5 ° WOG, the controller

      order that the data subject's request to exercise his rights be complied with,

      in particular the right of inspection (article 15.1 AVG), and to proceed to the provision to the
      complainant of the information it has requested, within the period of 30 days

      from the notification of this decision;



   - to order the controller to notify the Data Protection Authority

      (Dispute Chamber) by e-mail within the same term of the result

      of this decision via the e-mail address litigationchamber@apd-gba.be; and


   - in the absence of timely implementation of the above by the

      controller, to handle the case ex officio on the merits in accordance with

      articles 98 et seq. WOG.







Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification

this decision may be appealed to the Marktenhof (Brussels Court of Appeal), with the

Data Protection Authority as defendant. Decision on the substance 189/2022 - 7/7




Such an appeal may be lodged by means of an inter partes petition that the in art

                                                                                                      8
1034terofthe Judicial Codemustcontainenumeratedenumerations.

contradictions must be submitted to the Registry of the Market Court in accordance with Article

1034quinquiesvanhetGer.W. , or via the Deposit Information System of Justice (article 32ter of

the Ger.W.).







(get). Hilke Hijmans


Chairman of the Litigation Chamber



















































8
 The petition states under penalty of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     enterprise number;

 3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned;
 4° the object and brief summary of the means of the claim;
 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer.
9
  The petition with its appendix, in as many copies as there are parties involved, is sent by registered letter to the
clerk of the court or deposited with the clerk of the court.