APD/GBA (Belgium) - 32/2022: Difference between revisions

From GDPRhub
m (Added hyperlinks)
m (Reverted edits by Riealeksandra (talk) to last revision by 194.126.177.80)
Tag: Rollback
Line 59: Line 59:
}}
}}


The Belgian DPA held that, under the GDPR, direct marketing via email may not require the data subject's consent. However, it is still necessary to inform the data subject pursuant to [[Article 14 GDPR|Article 14 GDPR]] at the latest at the time of initial contact.
The Belgian DPA held that, under the GDPR, direct marketing via email may not require the data subjects consent. However, it is still necessary to inform the data subject pursuant to [[Article 14 GDPR|Article 14 GDPR]] at the latest at the time of initial contact.


== English Summary ==
== English Summary ==
Line 79: Line 79:
In addition, regarding his mobile phone number, the DPA obliged the controller to provide information on the source that formed the basis of the processing since it was unclear how the number was obtained by the controller and thus, it was not possible to assess whether that information had been obtained lawfully.  
In addition, regarding his mobile phone number, the DPA obliged the controller to provide information on the source that formed the basis of the processing since it was unclear how the number was obtained by the controller and thus, it was not possible to assess whether that information had been obtained lawfully.  


Regarding the data subject's access request, the DPA held that the controller had not complied with its duty to provide access to the data subject because it had not given the data subject "all available information", [[Article 15 GDPR#1g|Article 15(1)(g) GDPR]]. Furthermore, the controller had violated [[Article 21 GDPR#4|Article 21(4) GDPR]] by not providing the information listed in [[Article 14 GDPR]] in its first communication with the data subject. According to the DPA, at the very least, the first message should have contained a link to the privacy policy in which this information is contained in an accessible, concise and clear manner. The fact that the first notice to the complainant did not contain the slightest reference to the information necessary to ensure transparent data processing constitutes an infringement of [[Index.php?title=Article 5 GDPR#1a|Articles 5(1)(a)]], [[Index.php?title=Article 12 GDPR#1|12(1)]] and [[Article 14 GDPR|14]].  
Regarding the data subject's access request, the DPA held that the controller had not complied with its duty to provide access to the data subject because it had not given the data subject "all available information", [[Article 15 GDPR#1g|Article 15(1)(g) GDPR]]. Furthermore, the controller had violated [[Article 21 GDPR#4|Article 21(4) GDPR]] by not providing the information listed in [[Article 14 GDPR]] in its first communication with the data subject. According to the DPA, at the very least, the first message should have contained a link to the privacy policy in which this information is contained in an accessible, concise and clear manner. The fact that the first notice to the complainant did not contain the slightest reference to the information necessary to ensure transparent data processing constitutes an infringement of Articles 5(1)(a), 12(1) and 14 GDPR.  


== Comment ==
== Comment ==

Revision as of 07:42, 25 April 2022

APD/GBA (Belgium) - 32/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 6(1)(f) GDPR
Article 14 GDPR
Article 15 GDPR
Article 21 GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 10.03.2022
Published: 10.03.2022
Fine: None
Parties: n/a
National Case Number/Name: 32/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Belgian DPA (in NL)
Initial Contributor: kc

The Belgian DPA held that, under the GDPR, direct marketing via email may not require the data subjects consent. However, it is still necessary to inform the data subject pursuant to Article 14 GDPR at the latest at the time of initial contact.

English Summary

Facts

In April 2020, the data subject requested not to receive any more direct marketing messages from the controller.

In May 2020, the data subject requested from the controller information on any processing of personal data concerning him pursuant to Article 15(1) GDPR after receiving further direct marketing messages via his email and on his mobile phone despite his previous request. Specifically, he asked about the origin of the acquisition of his personal data that allowed the controller to contact him and about the legal basis for the processing to which he claimed that he had not given consent.

The controller responded to the request by stating that it had obtained the data from a contact provider but limited itself to providing only the name of the company. Furthermore, it acknowledged that the data subject had received further messages due to human error.

In September 2020, the data subject filed a complaint with the Belgian DPA (APD/GBA). He complained both about the direct marketing messages which he claimed required consent (Article 6(1)(a) GDPR) and about the reaction to his access request which according to him had violated Articles 15(1), 5(1)(c) and (e) and 14(2)(e) GDPR.

Holding

The DPA partly upheld the complaint. It ordered the controller to comply with the data subject's right to access pursuant to Article 15(1)(g) GDPR. Furthermore, it formulated a warning with regard to the data controller's mentioning of the right to object to the processing in the message with which it first comes into contact with the data subject, so that the data processing in this respect will respect the transparency requirement set out in Articles 5(1)(a), 12, 14 and 21(4) GDPR in the future.

Regarding the direct marketing messages by the controller, the DPA dismissed the complaint. It held that the controller did not require the data subject's consent because it had sufficient legitimate interest in accordance with Article 6(1)(f) GDPR. According to the DPA, this was supported by Recital 47 GDPR which specifically states that direct marketing may be carried out with legitimate interest. Since the data subject's email address was publically available online, the DPA held that he had to have the reasonable expectation that that email address would be used to send him messages and that the controller had thus made use of publicly available information.

In addition, regarding his mobile phone number, the DPA obliged the controller to provide information on the source that formed the basis of the processing since it was unclear how the number was obtained by the controller and thus, it was not possible to assess whether that information had been obtained lawfully.

Regarding the data subject's access request, the DPA held that the controller had not complied with its duty to provide access to the data subject because it had not given the data subject "all available information", Article 15(1)(g) GDPR. Furthermore, the controller had violated Article 21(4) GDPR by not providing the information listed in Article 14 GDPR in its first communication with the data subject. According to the DPA, at the very least, the first message should have contained a link to the privacy policy in which this information is contained in an accessible, concise and clear manner. The fact that the first notice to the complainant did not contain the slightest reference to the information necessary to ensure transparent data processing constitutes an infringement of Articles 5(1)(a), 12(1) and 14 GDPR.

Comment

The decision did not take into account Article 13 ePrivacy Directive which covers unsolicited communications.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                                      1/10








                                                                                     Dispute room



                                                            Decision 32/2022 of 10 March 2022






File number : DOS-2020-04479



Subject : Exercising the right of objection and right of access pursuant to unsolicited

advertising messages





The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

single chairperson;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (General

Data Protection Regulation), hereinafter GDPR;



Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;



Having regard to the internal rules of procedure, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                                     †

The complainant: Mr X, hereinafter referred to as “the complainant”; †

                                                                                                     †

The controller: Y, hereinafter referred to as “the controller”, Decision on the merits 32/2022 - 2/10




I. Facts procedure


    1. On 8 September 2020, the complainant lodged a complaint with the Data Protection Authority against

        the controller.


    2. The subject of the complaint concerns the exercise by the complainant of his right to object to

        following the receipt of unwanted advertising sent to him by the

        controller at the complainant's e-mail address, as well as by contacting his

        cell phone. The complainant also invokes his right of access, in particular he asks about the

        origin of the acquisition of his personal data, which means that the controller in

        was able to contact him by e-mail and by mobile phone, as well as to the legal basis for the processing of

        are personal data for which the complainant states that he has not given his consent.


        When the complainant requests more complete information on 4 May 2020 to which he is entitled to

        pursuant to Article 15.1 of the GDPR – so not only limited to his initial request to provide him with the source and the

        legal basis for its data processing – this will be accepted by the


        controller who will provide him with all the information requested on May 28, 2020. from this

        does the complainant infer that the principle of transparency (Article 5.1 of the GDPR), the principle of minimum

        data processing (Article 5.1 c) GDPR) and the storage limitation (Article 5.1 e) GDPR)

        respected. Also, the controller's reply would not have referred to

        under the competence of the Belgian Data Protection Authority (Article 14.2 e) GDPR) and

        the complainant has not received the information to which he is entitled under Article 14 GDPR.


    3. On March 23, 2021, the complaint will be declared admissible by the Frontline Service on the basis of the

        Articles 58 and 60 WOG and the complaint on the basis of art. 62, §1 WOG transferred to the

        Dispute room.




II. Justification


        Legal basis for sending advertising messages – Exercise of the right to object


    4. As to the complainant's allegation that the use of personal

        identification data, in this case his name, e-mail address and mobile phone number, for direct marketing

        purposes the consent would be required, the Disputes Chamber points out that the


        consent, but the legitimate interest of the controller as
                     1
        legal basis to process the complainant's identification data for direct marketing





1
 1. Processing is only lawful if and insofar as at least one of the following conditions is met:
a) the data subject has consented to the processing of his/her personal data for one or more specific purposes;

[…], Decision on the substance 32/2022 - 3/10



        purposes. Recital 47 GDPR expressly states that the processing of


        personal data for the purpose of direct marketing can be considered as performed with

        with a view to a legitimate interest (Article 6.1 f) GDPR). So this means that the

        controller not prior to processing for direct marketing

        consent from the data subject (Article 6.1 a) GDPR). The

        controller rightly invokes the legal basis set out in Article 6.1 f) GDPR

        to process information that is accessible to the public for direct marketing purposes.


    5. The factual elements present in the file show that the unwanted message

        to which the complaint relates was sent by the controller to the
                                                                                                     2
        e-mail address (…), which was made available online and is therefore accessible to everyone. It

        making your own contact details available online, such as the e-mail address in this case

        of the complainant, necessarily implies that it is for the purpose of the person providing the contact details

        online, to be able to get in touch with the person to whom the contact details

        relate. Because the complainant makes his contact details publicly available through the

        publishing it online, it is within his reasonable expectations that his e-mail address may be

        used to send him messages. The controller has thus of this

        publicly available data.


    6. The complainant does not deny that the email address used by the controller, and thus

        ipso facto also his name, is accessible to the public. The complainant, on the other hand, believes that

        specific to his cell phone number, to state that it is not publicly available

        data, but a private data that cannot be disclosed on the basis of the legitimate interest

        are processed. The Disputes Chamber notes that the complainant cannot simply claim that


        his cell phone number is private due to lack of knowledge in his mind about the source that was at the base

        of the processing of this data and through which the company to which the

        has appealed to the controller, has come into possession of the mobile phone number

        of the complainant and subsequently provided it to the controller. On the basis of

        the factual elements of the file, the Disputes Chamber must determine that it is unclear

        is how the complainant's mobile number was obtained, which means that it is therefore not

        it is possible to assess whether this information was obtained lawfully. To that end

        should provide the controller with information on the source that caused it

        of the processing of the GSM number (see below, edge nos. 13 et seq.)


    7. Against the right of the controller to process personal data pursuant to

        has a legitimate interest to process for direct marketing purposes, it does state that the




f) the processing is necessary for the purposes of pursuing the legitimate interests of the controller or of a
third party, except where the interests or fundamental rights and freedoms of the data subject are necessary for the protection of
personal data override those interests, in particular where the data subject is a child.
2
 See eg (…); (…), Decision on the merits 32/2022 - 4/10




        controller must comply with the objection raised by the data subject

        can be made against the processing of personal data concerning him at any time,

        without the data subject being required to provide any justification (Article 21.2 GDPR and Article 21.3

        GDPR) . The controller has within one month (Article 12.3 GDPR)

        after receipt of the complainant's request on April 17, 2020 not to send direct marketing messages


        more, followed by confirmation of the removal of the

        personal data of the complainant from his file on April 21, 2020. It is true that in the response

        of April 21, 2020 incorrectly stated that the complainant was registered to be re-registered

        contacted by the controller. This shortcoming was rectified by the

        controller on May 28, 2020 in which it admitted that this was based on a

        human error and the correct representation had to be that the complainant was registered for not

        to be contacted again by the controller.



    8. On the basis of the elements in the file known to the Disputes Chamber, and on the basis of the

        powers assigned to it by the legislator on the basis of Article 95, §1 WOG, decides

        the Disputes Chamber about the further follow-up of the file; in this case, the Disputes Chamber

        to dismiss the complaint as to the legal basis, in accordance with Article 95,

        §1, 3° WOG, based on the motivation below.


    9. In the event of a dismissal, the Disputes Chamber must gradually investigate and motivate:


    - whether there is insufficient prospect of a conviction, after which a technical dismissal follows;


    - whether a successful conviction would be technically feasible but on grounds, in general
                                                                                                        4
        interest, a (further) prosecution is undesirable, followed by a policy dismissal.



    10. In the event that more than one ground is being discarded, the discarded grounds (or technically

        dismissal and policy dismissal) should be treated in order of importance.


    11. In the present case, the Disputes Chamber will proceed to a technical dismissal on a single

        ground, namely because the Disputes Chamber decides that the controller does not


        has committed an infringement of Article 6.1 of the GDPR. In addition, the controller within

        the legal period of one month has appropriately followed the request of the complainant

        causing his e-mail address, including his name, as well as his mobile phone number to no longer be

        used for direct marketing purposes, so that no infringement of article 12.3 . was also committed

        GDPR and Articles 21.2 and 21.3 GDPR.






3See in that regard also recital 70 of the GDPR: When personal data is processed for the purpose of direct marketing, the
data subject, whether it concerns initial or further processing, have the right at any time and free of charge

object to this processing, including in the case of profiling insofar as it relates to direct marketing. Which
right must be brought to the attention of the data subject expressly, in a clear manner and separately from other information.
4 Cfr. Judgment Court of Appeal Brussels (Marktenhof), 2 September 2020, no. 2020/5460, 18., Judgment on the merits 32/2022 - 5/10







        Exercise of the right of access


    12. The Disputes Chamber determines on the basis of the documents that substantiate the complaint that the complainant is entitled to

        exercised the right of inspection, which was initially aimed at becoming acquainted with

        this information was obtained. Later, the complainant's request was extended to the full

        information.


    13. The controller has complied with the complainant's first request by

        to state that he obtained it from a contact provider, but has limited himself to it

        only provide the name of the company. Article 15.1 g) GDPR nevertheless prescribes that the

        controller to the data subject “all available information” about the source of


        must provide the data, if the personal data have not been obtained from the data subject

        collected.


    14. The accountability obligation (Article 5.2 GDPR) of the controller entails

        note that basic information is provided to the person concerned, ie the complainant, showing that the

        controller himself processes the data in accordance with the GDPR and prior to the

        purchase of an address file checks whether that data is lawfully processed by the

        company that trades in personal data. Thus, the complainant can expect that the

        data controller provides information about how the company is held

        obtained from the complainant's contact details, as well as the legal basis on which that

        personal data is processed by that company in order to demonstrate that the contact details

        from the complainant were lawfully purchased and processed by the controller.


        In order to guarantee the rights of the complainant, the controller should also

        provide the company's contact details. This enables the complainant to

        to exercise its right of inspection with regard to that company.


    15. It is therefore not sufficient for the controller to provide only the name of the company

        to the complainant without any further specification. As a result, the

        controller acted in violation of Article 15.1 g) GDPR.


    16. The Disputes Chamber is of the opinion that on the basis of the above analysis,

        concluded that a breach of the provisions of the

        GDPR was committed, which justifies the taking of a

        decision on the basis of Article 95, §1, 5° WOG, more specifically to inform the controller

        Orders to comply with the complainant's exercise of his right of access (Article



5
 See the answer provided by the controller on April 21, 2020, to the question d.d. 17 by the complainant.
April 2020.
6See the answer provided by the controller on May 28, 2020, to the question asked by the complainant dated 4
May 2020, Decision on the merits 32/2022 - 6/10



        15.1 g) GDPR) and this in particular in view of the documents submitted by the complainant showing


        that the complainant has indeed exercised his right of access, but the

        controller has not adequately followed this up.


    17. When the complainant in a second application requests more complete information under Article

        15.1 GDPR - so not only limited to the legal basis stated in point g) -, this is discussed

        by the controller who provides him with the requested information. This brings the

        then submit to the complainant that there would be no transparent data processing because

        the response to the request for access is given in English, while the

        marketing messages were drawn up in Dutch. The Disputes Chamber notes that

        the principle of transparency does not contain a language requirement. Transparent information and communication is

        necessary. Since the complainant was approached by the defendant from his position within his

        business and English is a common language used in business,

        are expected that the information given in English was completely transparent.


    18. According to the complainant, the retention period was also not clearly defined and it would be

        an infinite storage period. First of all, the Disputes Chamber notes that the

        controller indicates to keep the personal data for as long as necessary to

        to provide the services it provides. To the extent that the relevant personal data is

        processed for direct marketing purposes, it is sufficient that the controller

        offers the right of objection to the data subject, which immediately ends if it is exercised

        applies to the processing of the personal data of the data subject. In that sense, the

        data processing is not infinite. This is also apparent from the facts, i.e. as soon as the complainant has exercised his right to

        objected, the processing of his personal data was terminated (Article 21.3 GDPR)


        and no infringement of Article 5.1 e) GDPR can be established, provided that the

        controller informs the data subject in a timely and adequate manner about his or her right to

        objection (see margin no. 21 below).


    19. The complainant also cites that the controller is not the competent

        data protection authority and refers to the German

        Data protection authority instead of the Belgian authority. The Disputes Chamber points

        points out that the controller states that the complainant cannot only lodge a complaint with

        the German Data Protection Authority, but also at the Data Protection Authority
                                                                         7
        where he resides. This is in accordance with Article 77.1 GDPR. Because the complainant in Belgium

        resides, the controller has complied with the obligation to state that the

        complainant has the right to lodge a complaint with a supervisory authority, in this case the




7Article 77.1. GDPR. Without prejudice to other possibilities of administrative appeal or a judicial remedy, every person concerned has
the right to lodge a complaint with a supervisory authority, in particular in the Member State where he usually resides, his place of work

has or where the alleged infringement was committed, if he believes that the processing of his personal data infringement
makes on this regulation., Decision on the substance 32/2022 - 7/10




        Belgian Data Protection Authority (Article 15.1 f) GDPR). For the sake of completeness, the

        The dispute chamber still allows the Belgian Data Protection Authority to

        exercises jurisdiction under Article 55 of the GDPR because the defendant has

        has its registered office in Belgium and there is no reason to assume that there is a cross-border

        situation as referred to in Article 56 GDPR.


        Information obligation


    20. The complainant alleges that the obligation to provide information as set out in Article 14 GDPR was breached by

        the controller.


    21. With regard to information on the right to object (Article 14.2 b) GDPR) in particular

        Article 21.4 of the AVG 8 expressly states that this option, separately from the other


        information, already in the first message to the person concerned, being in this case the complainant, must be

        included. However, the message that is the subject of the complaint does not in any way make it

        the right of objection is clearly communicated to the complainant. What's more, it doesn't contain any reference to

        this right of objection. Recital 70 GDPR provides, however, that this right expressly, on

        clear manner and separate from other information, must be brought to the attention of the data subject

        are being brought . In the absence of notification of this right of objection to the complainant on the

        the moment he was first contacted, the controller has

        acted in violation of Article 21.4 of the GDPR.


    22. With regard to the other information (Article 14.1 and 14.2 GDPR) that the

        controller, this provision (Article 14.3 GDPR) requires that this

        this also takes place at the latest at the time of the first contact with the data subject. The first


        Prosecutor's notice does not contain any information as such. At least had the first message

        contain a link to the privacy policy in which, in an accessible manner and in a

        concise and clear way this information is included. Because the first message to the

        complainant does not contain the slightest reference to the necessary information to ensure a transparent

        data processing, there is an infringement of Articles 5.1 a), 12.1 and 14

        GDPR.


        Decision


    23. The present decision is with regard to the exercise of the right of access and

        information obligation a prima facie decision taken by the Disputes Chamber in accordance with

        Article 95 WOG on the basis of the complaint submitted by the complainant, in the context of the 'procedure'






8
 Article 21.4 GDPR. The right referred to in paragraphs 1 and 2 shall be expressly granted at the latest at the time of the first contact with the data subject
brought to the attention of the data subject and presented clearly and separately from any other information.
9See footnote 2., Decision on the substance 32/2022 - 8/10




        prior to the decision on the merits' and no decision on the merits of the Disputes Chamber

        within the meaning of Article 100 WOG.


    24. The purpose of this decision is to inform the controller of the

        fact that it may have infringed the provisions of the GDPR and that it is in the

        opportunity to still conform with the aforementioned provisions.


    25. However, if the controller does not agree with the content of this

        prima facie decision and considers that it may allow factual and/or legal arguments

        money that could lead to a different decision, can be sent to the email address

        litigationchamber@apd-gba.be submit a request for treatment on the merits of the case to the

        Disputes Chamber and this within the period of 14 days after notification of this decision. The

        enforcement of this decision will, if necessary, be during the aforementioned period

        suspended.


    26. In the event of a continuation of the handling of the case on the merits, the Disputes Chamber will

        the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite their

        to submit defenses and to attach to the file any documents they deem useful. The

        If necessary, this decision will be definitively suspended.


    27. For the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may

        lead to the imposition of the measures stated in Article 100 WOG.


    28. Finally, the Disputes Chamber points out the following:


    29. If one of the parties wishes to make use of the possibility to consult and

        copying the file (art. 95, §2, 3° WOG), this should contact the secretariat

        of the Disputes Chamber, preferably via litigationchamber@apd-gba.be, in order to make an appointment

        to capture.


    30. If a copy of the file is requested, the documents will be sent electronically if possible

        or else delivered by regular mail.


III. Publication of the decision


    31. Given the importance of transparency in the decision-making of the

        Litigation Chamber, this decision will be published on the website of the

        Data Protection Authority. It is not necessary, however, that the identification data

        of the parties be published directly., Decision on the merits 32/2022 - 9/10






FOR THESE REASONS,



the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

    - the complaint to the extent that it relates to the legal basis for the shipment

       of advertising messages, pursuant to Article 95, §1, 3° WOG, to be dismissed in view of the fact

       that no breach of the GDPR can be established in this regard.



    - the complaint to the extent to which it relates to the exercise of the right of

       inspection pursuant to Article 58.2. c) GDPR and Article 95, §1, 5° WOG de

       order the controller to comply with the complainant's request

       to exercise its rights, in particular the right of access under Article 15.1

       g) GDPR);


       to order the controller to the Data Protection Authority

       (Dispute Chamber) by e-mail within the period of 14 days after the notification of this

       decision of the outcome of this decision via the email address

       litigationchamber@apd-gba.be; and



       in the absence of the timely implementation of the above by the

       controller, to handle the case on the merits ex officio

       in accordance with Articles 98 et seq. WOG.



    - to formulate a warning with regard to the controller for

       with regard to the mention of the right of objection in the message with which he

       first contacts the data subject, so that the data processing at this point in the

       future the transparency requirement as stated in Articles 5.1 a), 12, 14 and 21.4 GDPR

       respects;



       to request the controller from the Data Protection Authority

       (Dispute Chamber) by e-mail within the period of 14 days after the notification of this

       decision of the outcome of this decision in order to

       To inform the dispute chamber about the adjustment of the procedure (see margin no. 21) via the e-mail

       email address litigationchamber@apd-gba.be; and



       In the absence of the timely implementation of the above by the

       controller, to handle the case on the merits ex officio

       in accordance with Articles 98 et seq. WOG.



Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a

period of thirty days, from the notification, to the Marktenhof, with the

Data Protection Authority as Defendant., Decision on the merits 32/2022 - 10/10





(Get). Hielke Hijmans

Chairman of the Disputes Chamber