APD/GBA (Belgium) - 32/2024: Difference between revisions

From GDPRhub
Line 68: Line 68:
A data subject’s credit application was refused by the controller. Consequently, the data subject exercised his right of access with the controller and filed a complaint with its Financial Services Ombudsman. The controller informed him that 3 files had been consulted in examining his credit application: (i) his own file, (ii) the Central Individual Credit Register file and (iii) a finance company’s file. The controller shared the full content of the data subject’s file and only the identity and contact details of the respective controllers. It also told the data subject to contact the controllers of those files to exercise his right of access regarding said documents.  
A data subject’s credit application was refused by the controller. Consequently, the data subject exercised his right of access with the controller and filed a complaint with its Financial Services Ombudsman. The controller informed him that 3 files had been consulted in examining his credit application: (i) his own file, (ii) the Central Individual Credit Register file and (iii) a finance company’s file. The controller shared the full content of the data subject’s file and only the identity and contact details of the respective controllers. It also told the data subject to contact the controllers of those files to exercise his right of access regarding said documents.  


The data subject claimed that the information to which he had been given access to was incomplete, as the controller also had the “purpose of the credit” as well as an image of his identity card. The data subject asked the controller to confirm that he had been given access to all his personal data. The controller responded that it had other data in its possession, namely the one it received as part of the data subject’s complaint to the Financial Services Ombudsman.  
The data subject claimed that the information to which he had been given access to was incomplete, as the controller also had the “purpose of the credit” as well as a copy of his identity card. The data subject asked the controller to confirm that he had been given access to all his personal data. The controller responded that it had other data in its possession, namely the one it received as part of the data subject’s complaint to the Financial Services Ombudsman.  


Following this, the data subject lodged a complaint with the Belgian DPA (“APD”).
Following this, the data subject lodged a complaint with the Belgian DPA (“APD”).


=== Holding ===
=== Holding ===
Under [[Article 15 GDPR#1|Article 15(1) GDPR]], the data subject has the right to obtain from the controller, a confirmation as to whether or not personal data concerning him are being processed and if so, to obtain access to such personal data. The APD considered that in the present case, the controller did not respond directly to the data subject’s question asking it to confirm that he had been given access to all his personal data. Thus, the data subject did not obtain a conclusive answer or access as required by [[Article 15 GDPR#1|Article 15(1) GDPR]].  
Under [[Article 15 GDPR#1|Article 15(1) GDPR]], the data subject has the right to obtain from the controller a confirmation as to whether or not personal data concerning him are being processed and if so, to obtain access to such personal data. The APD considered that in the present case, the controller did not respond directly to the data subject’s question asking it to confirm that he had been given access to all his personal data. Thus, the data subject did not obtain a conclusive answer or access as required by [[Article 15 GDPR#1|Article 15(1) GDPR]].  


Moreover, [[Article 15 GDPR#3|Article 15(3) GDPR]] provides that the controller must provide a copy of the personal data being processed. The APD held that the controller processed an image of the data subject’s identity card and failed to provide a copy in response to the request. Therefore, the controller violated [[Article 15 GDPR#3|Article 15(3) GDPR]].
Moreover, [[Article 15 GDPR#3|Article 15(3) GDPR]] provides that the controller must provide a copy of the personal data being processed. The APD held that the controller processed an image of the data subject’s identity card and failed to provide a copy in response to the request. Therefore, the controller violated [[Article 15 GDPR#3|Article 15(3) GDPR]].


Finally, the APD pointed out that the purpose of the right of access is to “to be aware of, and verify, the lawfulness of the processing” (Recital 63 GDPR). The right of access therefore supports the right to rectification. Regarding the 2 other files the controller consulted, the APD considered that the controller determines the means and purposes of the processing of the personal data in question. However, without access to these 2 files, the data subject could not determine whether it was necessary to contact the controllers of those files in order to exercise his right to rectification.  
Finally, the APD pointed out that the purpose of the right of access is to “to be aware of, and verify, the lawfulness of the processing” (Recital 63 GDPR). The right of access therefore supports the right to rectification. Regarding the 2 other files the controller consulted, the APD considered that the controller determined the means and purposes of the processing of the personal data in question. Without access to these 2 files, the data subject could not determine whether it was necessary to contact the controllers of those files in order to exercise his right to rectification.  


The APD therefore ordered the controller to comply with the data subject’s access request by granting him access to all the personal data concerning him, as well as a copy of the data in question.
The APD therefore ordered the controller to comply with the data subject’s access request by granting him access to all the personal data concerning him, as well as a copy of the data in question.

Revision as of 16:03, 19 March 2024

APD/GBA - 32/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 15(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 26.12.2023
Decided: 13.02.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 32/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: nzm

The DPA held that when files constituted by other entities have been consulted in examining a data subject’s credit application, if the latter makes an access request, the controller must give him access to all the documents consulted during the examination.

English Summary

Facts

A data subject’s credit application was refused by the controller. Consequently, the data subject exercised his right of access with the controller and filed a complaint with its Financial Services Ombudsman. The controller informed him that 3 files had been consulted in examining his credit application: (i) his own file, (ii) the Central Individual Credit Register file and (iii) a finance company’s file. The controller shared the full content of the data subject’s file and only the identity and contact details of the respective controllers. It also told the data subject to contact the controllers of those files to exercise his right of access regarding said documents.

The data subject claimed that the information to which he had been given access to was incomplete, as the controller also had the “purpose of the credit” as well as a copy of his identity card. The data subject asked the controller to confirm that he had been given access to all his personal data. The controller responded that it had other data in its possession, namely the one it received as part of the data subject’s complaint to the Financial Services Ombudsman.

Following this, the data subject lodged a complaint with the Belgian DPA (“APD”).

Holding

Under Article 15(1) GDPR, the data subject has the right to obtain from the controller a confirmation as to whether or not personal data concerning him are being processed and if so, to obtain access to such personal data. The APD considered that in the present case, the controller did not respond directly to the data subject’s question asking it to confirm that he had been given access to all his personal data. Thus, the data subject did not obtain a conclusive answer or access as required by Article 15(1) GDPR.

Moreover, Article 15(3) GDPR provides that the controller must provide a copy of the personal data being processed. The APD held that the controller processed an image of the data subject’s identity card and failed to provide a copy in response to the request. Therefore, the controller violated Article 15(3) GDPR.

Finally, the APD pointed out that the purpose of the right of access is to “to be aware of, and verify, the lawfulness of the processing” (Recital 63 GDPR). The right of access therefore supports the right to rectification. Regarding the 2 other files the controller consulted, the APD considered that the controller determined the means and purposes of the processing of the personal data in question. Without access to these 2 files, the data subject could not determine whether it was necessary to contact the controllers of those files in order to exercise his right to rectification.

The APD therefore ordered the controller to comply with the data subject’s access request by granting him access to all the personal data concerning him, as well as a copy of the data in question.

Comment

As this was a prima facie decision, if the controller does not agree with the contents of the decision or believes that it has factual and/or legal arguments that could lead to a different decision, it may submit a request for a hearing to the APD within 30 days of the notification of the decision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/7



                                                                          Dispute Chamber


                                                Decision 32/2024 of February 13, 2024


File number: DOS-2024-00078


Subject: Complaint due to insufficient response to a request for access



The Disputes Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter “WOG”;

In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Considering the documents in the file;


Has made the following decision regarding:


Complainant: X, hereinafter “the complainant”



The defendant: Y, hereinafter “the defendant” Decision 32/2024 — 2/7


I. Facts and procedure


 1. On December 26, 2023, the complainant will submit a complaint to the Data Protection Authority

       against the defendant.

 2. The subject of the complaint concerns the exercise of the right of access by the complainant

       without receiving an adequate response from the controller.

       The complainant had exercised his right of access after his credit application was refused

       by the defendant. As a result, the defendant informed the complainant that there were three

       files were consulted in examining his credit application, namely that

       from the defendant itself, the Central Office for Credit to Private Individuals, and a
       financing company. The defendant sent “a complete content of the data

       that are in our files” to the complainant. Of the data in the remaining

       two files, the defendant shared only the identity and contact information of the

       respective controllers.

       The complainant disputed that the data he was given access to was complete. He asked

       namely that the defendant also had the “purpose of the credit” and an image

       of his identity card. He once again requested the defendant “to provide the files you as

       lender [sic] has in your possession, as you inform me, to transfer to me.” The complainer

       had also filed a complaint with the defendant's financial services ombudsman, and
       the documents available to the Disputes Chamber show that communication between the

       defendant and the complainant focused mainly on the rest for a certain period of time

       investigating the substantive reasons for the refusal of the credit, which is outside the

       scope of this decision. After some time, the complainant made contact again

       contacted the defendant to ask for confirmation that he had been given access to all

       his personal data. The defendant responded as follows:

                "Dear,

                We have other data in our possession, namely the one we received in the context

                of your complaint to the financial services ombudsman.

 3. On January 8, 2024, the complaint will be declared admissible by the First Line Service on the grounds

       of Articles 58 and 60 of the WOG and the complaint is filed on the basis of Article 62, § 1 of

       the WOG has been transferred to the Disputes Chamber.

 4. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations

       order of the GBA, the parties can request a copy of the file. If one

       both parties wish to make use of the opportunity to consult and

       copying the file, he or she must contact the secretariat of the

       Disputes Chamber, preferably via litigationchamber@apd-gba.be. Decision 32/2024 — 3/7


II. Justification


 5. According to Article 15.1 GDPR, the data subject has the right to obtain from the

      controller to obtain clarity about whether or not to process

      personal data concerning him and, if applicable, to obtain access to it
      those personal data and the information referred to in Article 15.1.a) to h), GDPR.


      In accordance with Article 12.1 GDPR, read in conjunction with recital 58 hereof

      Regulation, the controller must take appropriate measures to ensure that
      the data subject the communications referred to in Article 15 GDPR in connection with the processing

      in a concise, transparent, understandable and easily accessible form and in

      receives clear and simple language”. Article 12.2 GDPR also stipulates that the

      controller must exercise the data subject's rights

      facilitate.

 6. The Disputes Chamber notes that the complainant submitted his request for access on 6

      October 2023.

 7. On October 17, 2023, the defendant informed the complainant that in the investigation of his

      file, three files were consulted. These files were those of (1) the

      defendant itself, (2) the Central Office for Credit to Private Individuals, and (3) a

      financing company. The same email contained, according to the defendant, “a complete

      content of the data contained in our files”. However, the complainant disputed
      that this information was complete. In particular, he stated that the defendant would also

      have the “purpose of the credit”.


      On December 26, 2023, the complainant asked the defendant to confirm that he had access
      had received in all his personal data. The defendant responded that also “other

      data” were processed, and referred to the data provided by the complainant

      provides financial services in the context of his complaint to the Ombudsman

      defendant. Since the defendant did not directly answer the question of the

      complainant whether he had been given access to all his personal data, the complainant did not obtain any

      clear information about whether or not certain personal data are processed.
      Consequently, the complainant has not been provided with sufficient clarity or insight as required in Article

      15.1 GDPR.


 8. Furthermore, the complainant states that the defendant has an image of his identity card
      processed, and failed to provide a copy of it in response to the

      request for inspection. In this context, the Disputes Chamber recalls that Article 15.3 GDPR

      provides that the controller “a copy of the personal data that

      are processed” must be provided to the data subject. If the defendant indeed Decision 32/2024 — 4/7


       processes an image of the complainant's identity card, the defendant must also have one

       provide a copy of this image to satisfy the complainant's right of inspection.


 9. Regarding the two other files that the defendant consulted, communicated

       the defendant only the identification details and addresses of the respective

       controllers. The results of the consultations by the defendant –

       namely the contents of the files – the defendant did not communicate this to the complainant. At

       the latter was told to contact the administrators of that

       files to exercise his right of access. To the extent that the defendant

       determines the purposes and means of the processing of the personal data concerned
       However, he is a data controller and is therefore obliged to follow up himself

       the complainant's right of access in accordance with Article 15.1 GDPR. In this respect it is

       appropriate to recall that the aim of the right of access is to ensure that

       the data subject “can inform himself of the processing and its lawfulness

       can check this” (recital 63 GDPR). The right of access thus supports it

       right to the protection of personal data, and facilitates the exercise of others

       rights included in the GDPR, and in particular the right to rectification. Without

       access to the data that the defendant did or did not consult with the two parties involved

       files, the complainant is unable to determine whether it is necessary to contact them

       with those responsible for those files to assert his right to rectification.

       Furthermore, it should be noted that Article VII.79 of the Code of Economic Law

       stipulates that the “lender shall immediately provide the consumer with the result of the loan free of charge

       consultation [communicates] as well as the identity and address of the person responsible for the

       processing the files he consulted” (emphasis added).


 10. The Disputes Chamber is of the opinion that based on the above analysis

       concluded that the defendant may have violated the provisions of the GDPR
       was committed, which justifies taking one in this case

       decision on the basis of Article 95, § 1, 5° of the WOG, more specifically the

       order the controller to comply with the exercise by the

       complainant of his right of access (Article 15.1 GDPR).


 11. This decision is a prima facie decision taken by the Disputes Chamber

       in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant,
                                                                                      2
       in the context of the “procedure prior to the decision on the merits” and none

       decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.






1CJEU December 20, 2017, Peter Nowak v. Data Protection Commissioner, C-434/16, ECLI:EU:C:2017:994
2Section 3, Subsection 2 of the WOG (Articles 94 to 97). Decision 32/2024 – 5/7


       The Disputes Chamber has thus decided, on the basis of Article 58.2.c) GDPR and

       Article 95, § 1, 5° of the WOG, to order the defendant to comply with the request

       of the data subject to exercise his rights, in particular the right of access such as

       determined in Article 15 GDPR.


 12. The purpose of this decision is to inform the defendant of the fact that this

       may have committed an infringement of the provisions of the GDPR and this in the

       the opportunity to still comply with the aforementioned provisions.


 13. If the defendant does not agree with the content of the present primafacie

       decision and is of the opinion that it can apply factual and/or legal arguments

       that could lead to a different decision, this can be done via the e-mail address

       litigationchamber@apd-gba.be send a request to hear the merits of the case

       to the Disputes Chamber within 30 days after notification of this

       decision. The implementation of this decision will, if necessary, continue for a period of time

       suspended for the aforementioned period.

 14. In the event of a continuation of the merits of the case, the

       Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG

       invite them to submit their defenses as well as any documents they consider useful in the case


       file to add. If necessary, the present decision will be permanently suspended.

 15. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits

       of the case may lead to the imposition of the measures stated in Article 100 of the WOG. 3


 16. In accordance with Article 57WOG, and with regard to the language in which the complaint is submitted,

       Dutch is used as the procedural language.








3Article 100. § 1. The Disputes Chamber has the authority to:
 1° to dismiss a complaint;
 2° to order the dismissal of prosecution;
 3° order the suspension of the ruling;

 4° to propose a settlement;
 5° formulate warnings and reprimands;
 6° order that the data subject's requests to exercise his rights be complied with;
 7° to order that the person concerned is informed of the security problem;
 8° order that processing be temporarily or permanently frozen, restricted or prohibited;
 9° to order that the processing be brought into compliance;
 10°the rectification, limitation or deletion of data and its notification to the recipients of the data
     recommend data;
 11° order the withdrawal of the recognition of certification bodies;
 12° to impose penalty payments;
 13° to impose administrative fines;
 14° the suspension of cross-border data flows to another State or an international institution

     command;
 15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the
     follow-up given to the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the
     Data Protection Authority. Decision 32/2024 — 6/7



III. Publication of the decision

 17. Considering the importance of transparency with regard to decision-making

      Dispute Chamber, this decision will be published on the website of the

      Data Protection Authority. However, it is not necessary that the

      identification details of the parties are disclosed directly.



    FOR THESE REASONS   ,


    the Disputes Chamber of the Data Protection Authority decides, with reservations

    from the submission of a request by the defendant for a hearing on the merits

    in accordance with Article 98 et seq. of the WOG, to:

       - on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG the

           order the defendant to comply with the data subject's request

           to exercise its rights, in particular the right of access (Article 15 GDPR), by

           to grant the complainant access to all personal data relating to him

           processed by the defendant, as well as a copy of the data concerned

           provided, and this within a period of 30 days from the

           notification of this decision;

       - order the defendant to contact the Data Protection Authority (Dispute Chamber)

           by e-mail within the same period of the consequences

           this decision will be given via the email address litigationchamber@apd-gba.be;

           and


       - in the absence of timely implementation of the above by the defendant,
           to consider the merits of the case ex officio in accordance with Articles 98 et seq.

           of the WOG.



Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notice, an appeal against this decision will be filed with the Market Court (court of

appeal Brussels), with the Data Protection Authority as defendant.


Such an appeal can be lodged by means of an inter partes petition
                                                                                         4
must contain statements listed in Article 1034ter of the Judicial Code. It



4The petition states, under penalty of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
    company number;
 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
    summoned;
 4° the subject matter and brief summary of the grounds of the claim;
 5° the judge before whom the claim is brought; Decision 32/2024 — 7/7


an objection petition must be submitted to the registry of the Market Court

in accordance with Article 1034quinquies of the Dutch Civil Code. , 5 or via e-Deposit

IT system of Justice (Article 32ter of the Judicial Code).






(get). Hielke IJMANS

Chairman of the Disputes Chamber




























































 6° the signature of the applicant or his lawyer.
5
 The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved.
deposited with the clerk of the court or at the registry.