APD/GBA (Belgium) - 39/2022

From GDPRhub
APD/GBA (Belgium) - 39/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 17(1) GDPR
Article 13 ePrivacy Directive
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.03.2022
Published:
Fine: None
Parties: n/a
National Case Number/Name: 39/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: kc

The Belgian DPA reprimanded a controller for failing to delete a former client's personal data in violation of Article 17(1) GDPR, and for not handling the erasure request within the one-month period under Article 12(3) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject is a former client of the controller.

In June 2019, the data subject requested the deletion of their customer account and their personal data from the controller. They sent their request from their current email address [email address 2] and mentioned their old email address [email address 1] in the request. The controller acknowledged the receipt of the request and sent the data subject several messages assuring them that a follow-up was in progress.

However, in September 2019, the data subject received a new advertising email to email address 1, and subsequently sent a new request for deletion of their data to the controller. The controller's customer service department acknowledged the receipt of the request and announced a response within seven working days.

In October 2019, the data subject lodged a complaint with the DPA because they had not received any follow-up after their latest request. They claimed that their right to erasure (Article 17(1) GDPR) and their right to access (Article 15(1)(b) GDPR and Article 15(1)(d) GDPR) had been violated.

In February 2020, following several hearings of the parties, the controller sent a letter to the data subject, informed them about the deletion of the account linked to email address 1 and the date of deletion. Furthermore, the controller told the data subject that their request for deletion of the data related to email address 2 had been taken into account. The email addresses were stored in two seperate databases of the controller as "prospect" and "client".

The controller claimed that the data subject's request did not concern a request for access under Article 15(1)(b) GDPR and Article 15(1)(d) GDPR, but a request for information on the erasure of data by the controller.


Holding[edit | edit source]

The DPA reprimanded the controller for several violations of the GDPR.

First, the DPA found that the controller had violated Article 17(1) GDPR. Due to the superficial examination of the data subject's claim, the controller had not deleted both email addresses even though that would have been its responsibility. The fact that the two email addresses were recorded in separate databases and were not subject to the same processing was not sufficient justification to rule out a violation of Article 17(1) GDPR, especially since the data subject provided in their initial request the old email address 1. The DPA noted that the controllers procedure for managing requests has been reviewed and adapted in a way that such errors should not happen again.

Second, the DPA agreed with the controller that the data subject had not made a request for access under Article 15(1)(b) GDPR and Article 15(1)(d) GDPR, but a request for information on the erasure of data by the controller. It noted that, while the incomplete or inaccurate formulation of a request to exercise a right, in this case, the right of access, cannot be a reason not to act on it, the data subjects request objectively related to the deletion of the data and not their access. Therefore, the DPA dealt with this issue in accordance with Article 12(3) GDPR and not Article 15(1) GDPR.

Since the controller had not provided the data subject with the information on the measures taken following their request, the DPA found a violation of Article 12(3) GDPR. This provision sets a maximum period of one month to respont to such a request.

Lastly, the DPA briefly discussed the issue of the legal basis of data processing relating to direct marketing purposes, but did not reopen the proceedings at this stage in this regard.


Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

                                                                                                         1/10








                                                                                 Litigation Chamber



                                                   Decision on the merits 39/2022 of 17 March 2022








File number: DOS-2019-04973



Subject: Complaint against a commercial company concerning a request for erasure of

data and a request for access to this data





The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans,

Chairman, and Messrs. Romain Robert and Christophe Boeraeve;



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection
of natural persons with regard to the processing of personal data and to the free movement

of this data, and repealing Directive 95/46/EC (General Data Protection Regulation),

hereinafter “GDPR”;



Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);



Having regard to the internal regulations as approved by the House of Representatives on December 20, 2018

and published in the Belgian Official Gazette on January 15, 2019;



Considering the documents in the file;




made the following decision regarding:

                                                                                                         .

The plaintiff: Mr. X, hereinafter “the plaintiff”; .

                                                                                                         .

The defendant: Y, represented by Me Olivier Proust lawyer, hereinafter: "the defendant", Decision on the merits 39/2022 - 2/10



I. Facts and procedure



    1. The Complainant is a former client of the Respondent. Following a move on June 10, 2019, it

        requests the deletion of his customer account and his personal data from the

        defendant. The complainant is using his current email address [email address 2] to send this

        request, and also mentions his old email address [email address 1].

    2. The defendant acknowledges receipt of the request and sends the complainant several messages

        assuring him that a follow-up is in progress (11/07/2019; 22/07/2019 and 05/08/2019).


    3. On September 13, 2019, however, the complainant received a new advertising email to the address

        old [email address 1] , and sends a new request for deletion of his data to the

        defendant. The defendant's customer service department acknowledges receipt of the request at this

        same date and announces a response within 7 working days.


    4. On October 1, 2019, the complainant lodged a complaint with the Data Protection Authority

        given against the defendant due to the fact that no follow-up was given to its last

        demand.


    5. On October 31, 2019, the complaint was declared admissible by the Front Line Service on the basis

        articles 58 and 60 of the LCA and this same complaint is transmitted to the Litigation Chamber in
                                 er
        pursuant to Article 62, § 1 of the LCA.

    6. On December 9, 2019, the Litigation Division decides, pursuant to Article 95, § 1, 1° and Article


        98 of the ACL, that the case can be dealt with on the merits.

    7. The subject of the complaint, according to the facts as understood and qualified by the Litigation Chamber in

        its invitation to conclude concerns:


             at. the exercise of the right to erasure (article 17.1 of the GDPR) of the personal data of the

                 plaintiff in the databases of the defendant and


             b. the complainant's right of access to the categories of personal data held about him or her

                 in the defendant's database (articles 15.1.b GDPR) and the right of access to

                 information regarding the retention period of personal data

                 held about it by the defendant (15.1.d GDPR).

    8. Indeed, the request is worded in the complaint as follows: “Statement of facts: dated

        06/10/2019, I asked company Y, under the legal provisions on GDPR, to


        delete my account, to delete all my personal data and to follow up

        positive to my request for the "right to be forgotten". The complainant attaches to his complaint the initial request

        addressed to the defendant on June 10, 2019, in which he also requests the communication,

        by the defendant, of the “legal deadlines that you will use and the nature of the information that you

        delete (with the precise indication of the different dates of deletion)", Decision on the merits 39/2022 - 3/10




    9. On December 10, 2019, the parties concerned are informed by registered letter of the

        provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are

        also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their

        conclusions.


    10. The deadline for receipt of the defendant's submissions in response is 17

        January 2020, that for the complainant's reply submissions dated February 14, 2020 and that for the

        Defendant's reply submissions dated February 28, 2020.


    11. On February 4, 2020, the Respondent requests a new procedural calendar, having not received the

        first invitation to conclude due to the closure of the company's head office during the

        Christmas period, and requests a full copy of the file electronically (art. 95, §2, 3°

        ACL). The defendant also manifests its intention to have recourse to the possibility of being

        heard, in accordance with Article 98 of the LCA.


    12. On February 19, 2020, the Litigation Division sends the parties a copy of the file and grants

        a new deadline to conclude. The new deadline for receipt of conclusions in

        respondent's response is set for March 11, 2020, that for the submissions in reply of the

        complainant on March 25, 2020 and that for the defendant's reply submissions on April 8

        2020.


    13. On February 26, 2020, the defendant sent a letter to the complainant to inform him of the taking into

        account of his request for deletion vis-à-vis the e-mail address [email address 2] and with regard to

        concerns the “prospect” account linked to his old email address [email address 1]. The 1

        defendant informs the complainant of the nature of the information deleted and the date

        deletion of this data. Regarding the request to delete the new e-mail address


        of the plaintiff, the defendant indicates in this letter that "the request made on June 10 was indeed

        taken into account with regard to your customer account”.

    14. On March 10, 2020, the Litigation Chamber receives the submissions in response from the


        defendant. They can be summarized as follows:

        - The defendant promptly granted the request to erase the data for the address

            email linked to the “customer” account [email address 2], but the deletion did not take place


            immediately with regard to the data linked to the former email address of the complainant

            [email address 1], this address being itself linked to a "prospect" account kept by

            the defendant in a separate database. Therefore, the violation of article 17.1 of the GDPR
                                                                 and
            was only partial. Once confirmed that the 2 email address also belonged to the

            complainant and that it was not a homonym, this address has also been removed

            definitively from the defendant's "prospects" database.






1Respondent's Exhibit 5., Decision on the Merits 39/2022 - 4/10



        - The plaintiff's request relating to the "legal deadlines you will use and the nature of the

            information that you will delete with the precise indication of the different dates

            erasure” must be attached to his erasure request, and must not be interpreted

            as a request for access within the meaning of Article 15.1 d) of the GDPR. His complaint states that he

            wished to obtain confirmation that his data had indeed been erased. the


            GDPR does not impose on the controller an obligation to communicate the date

            erasure of the data as such, but rather an obligation to confirm to the

            data subject what measures have been taken to respond to his or her request (Art. 12.3

            GDPR). The defendant also voluntarily provided the complainant with an explanation

            detailed information on the retention period of the data and the date of erasure of the data.

    15. Following these conclusions in response, the Litigation Chamber did not receive any other document from the

        part of the parties (no conclusion from the complainant and no new conclusion - in

        reply - from the defendant).


    16. On January 28, 2022, the parties are informed that the hearing will take place on February 17, 2022. By

        this same letter, the Litigation Chamber informs the parties of the fact that the plaintiff marked

        his wish not to participate in the hearing.


    17. On February 17, 2022, the defendant was heard by the Litigation Chamber.

            er
    18. On March 1, 2022, the minutes of the hearing are submitted to the defendant, with the possibility of

        attach within one week any comments without this implying

        reopening of the debates. The Litigation Chamber did not receive any remarks relating to the trial-

        verbal.






II. Motivation


    On the violation of Article 17.1 of the GDPR

    19. Article 17.1 of the GDPR states that “the data subject has the right to obtain from the data controller

        processing the erasure, as soon as possible, of personal data concerning him

        and the controller has an obligation to erase such personal data within the

        as soon as possible, when one of the following reasons applies:


        a) The personal data are no longer necessary for the purposes for

            which it was collected or otherwise processed;


        b) The person withdraws the consent on which the processing is based, in accordance with article

            6(1)(a) or Article 9(2)(a) and there is no other

            legal basis for the processing”, Decision on the merits 39/2022 - 5/10



20. In the present case, based on the aforementioned elements and the conclusions of the defendant, the latter

    actually infringes Article 17.1 of the GDPR because the circumstance that the two email addresses

    were recorded in separate databases and were not subject to the same

    processing, is not sufficient justification to rule out a violation of Article 17.1 of the GDPR,

    especially since the complainant provided in his initial request of June 10, 2019 the former address


    email to be deleted.

21. Therefore, given the partial deletion of the complainant's data, the Litigation Chamber must

    find a partial violation of Article 17.1 of the GDPR. The Litigation Chamber notes that this

    violation results from a superficial examination of the claim of the plaintiff by the defendant to whom he

    responsibility to seek clarification in case of doubt about the scope of the deletion request.

    The defendant seems to believe that it could legitimately believe that the email address

    indicated as old was no longer used by the defendant and was not the subject of the

    deletion request. However, the Litigation Chamber considers that the defendant should have

    check whether it was not also his responsibility to remove the old email address from his system of

    mailing. The Litigation Division further notes that, according to the defendant, the service

    customer care also had access to the prospect database, and could have searched for this


    old email address to remove any doubt. Moreover, this misunderstanding could have been avoided if the

    defendant had informed the complainant of the concrete follow-up given to his request for erasure

    concerning the first email address (see below, on the violation of Article 12.3 of the GDPR).

22. The Litigation Division also notes that the procedure for managing requests has been reviewed

    in its new access request management policy (“GDPR department – data subject

    rights – procedure”) and that these requests will henceforth be directed to the service of the Delegate to

    data protection (DPO), which should prevent this type of error from happening again.


23. The Litigation Division also notes that the data for the second address were

    deleted by the defendant after clarification by the complainant of the addresses for which he was requesting

    suppression.


24. The Litigation Chamber understands, however, that failing to qualify the plaintiff's request

    as a request for access to all the data concerning him, the defendant abstained

    to search for all the data she had about him, and presumably lost a

    chance to make the link between the “customer” database and the “prospects” database

    containing different email details for the same customer. The latter, however, had

    departure provided his two addresses in his deletion request, one in the body of his

    message to the defendant (my old email is [email address 1]), the other via the address [address

    email 2] from which his request itself was sent to the defendant. It's this

    last address that was deleted and not the address entered as old. It was incumbent on

    elsewhere to the defendant, as data controller, to ensure that it had a view

    clear on the data to be deleted in order to respond to the wish of the complainant namely, in fine, au-, Decision on the merits 39/2022 - 6/10




        beyond the request to erase the data, no longer receive advertising emails from the

        defendant.




    On the violation of Article 15.1 of the GDPR


    25. Article 15.1 of the GDPR states that “the data subject has the right to obtain from the data controller

        processing the confirmation that personal data concerning him are or are not

        not processed and, when they are, access to said personal data as well as the

        following information:


        a) The purposes of the processing;


        b) The categories of personal data concerned;

        vs)  […]


        d) Where possible, the envisaged retention period for personal data

            or, where this is not possible, the criteria used to determine this duration;


            […]”.


    26. In its conclusions, the defendant argues that the plaintiff's request did not concern a

        request for access under Article 15.1.b and Article 15.1.d of the GDPR, but a request

        information on the erasure of data by the controller.


    27. In this regard, the Litigation Chamber wishes to recall that the incomplete or inaccurate formulation

        of a request to exercise a right, in this case, the right of access, cannot be a pretext
                                           2
        not to act on it (useful).


    28. In order to give useful effect to the complainant's request, the controller must

        proactively identify the will of the latter. In this case, and given the different exchanges between the

        parties, the Litigation Chamber considers that the main object of the plaintiff's request, as

        formulated (request to communicate the “nature of the information that you will delete (with

        precise indication of the different erasure dates”) did not mainly relate to access

        to these data but on their deletion.


    29. Therefore, the Litigation Chamber follows the defendant's reasoning and admits that the

        request of the complainant, including with regard to the nature of the data deleted, is related to

        exercise of the right to be forgotten. The request for information must therefore be dealt with in accordance with Article

        12.3 of the GDPR (right to information on the measures taken following a request to exercise

        right), and not on the basis of article 15.1 of the GDPR (right of access).







2See decision of the Litigation Chamber no. 41/2020 of 29 July 2020 and decision of the Litigation Chamber no. 44/2020 of 5
August 2020., Decision on the merits 39/2022 - 7/10



On the violation of Article 12.3 of the GDPR


30. Article 12.3 provides that “the controller shall provide the data subject with

    information on the measures taken following a request made pursuant to Articles

    15 to 22, as soon as possible and in any case within one month from the

    receipt of the request. If necessary, this period may be extended by two months, taking into account the

    complexity and number of requests related to the exercise of a GDPR right. The person in charge of

    processing is then required to inform the data subject of this extension and the reasons for the


    postponement within one month of receipt of the request”.

31. Article 12.3 sets a maximum period of one month to respond to such a request, and it appears from the

    defendant's exhibit file that the information on the follow-up given to the request

    deletion of the second email address was only provided on February 26, 2020, i.e. more

    eight months after the initial request for erasure, which exceeds the legal period including a period

    reasonable grace due to possible technical or organizational contingencies.


32. Pursuant to Article 12.3 of the GDPR, the onus was on the defendant to inform the complainant of the

    measures taken to respond to the request to delete the two email addresses concerned,

    within the legal period of one month. This information was not provided for the first email address

    removed. As a result, the defendant deprived itself of the possibility of clarifying

    directly with the complainant the scope of the deletion request, relating to two addresses

    email and not on one.


33. Moreover, if the defendant believed that it had responded to its initial request after erasing a

    first e-mail address, this confusion does not justify the new lack of response on the action

    undertaken by the defendant following the complainant's last request dated September 13


    2019. The Litigation Chamber considers in this respect particularly regrettable that the

    defendant undertook to respond "within 7 days" to the complainant's last reminder and
                                                                                                        er
    either then abstained from follow-up within the self-imposed time limit so that on the 1

    October, the complainant had not yet received any news in this regard.

34. Therefore, the Litigation Chamber must find a violation of Article 12.3 of the GDPR in respect of

    of the defendant due to the absence of information provided by the defendant within the legal period


    one month on the measures taken to respond to the request to erase data from the

    complainant, with regard to the “customer” email address [email address 2] and the “prospect” address and

    with regard to the email address [email address 1]. This one-month response time had to be taken

    taken into account from the complainant's initial request made on June 10, 2019. None

    extension or grace period was in this case justified by possible contingencies

    technical or organizational, which the defendant does not demonstrate. The

    defendant, in fact, did not make any justified request for an extension with regard to the complainant

    deadline under the conditions permitted by Article 12.3 of the GDPR., Decision on the merits 39/2022 - 8/10



35. However, the Litigation Chamber takes note of the defendant's explanations in the hearing

    concerning the management policy for access requests introduced after this

    incident: it is provided that access requests receive by default a response in the

    month by means of concise, transparent, intelligible and easily accessible information (article

    5.1 of the document “GDPR Data subject rights – procedure”, provided to the Litigation Chamber”). The


    repetition of the incident should also be avoided by the new procedure for handling

    complaint which provides for a transfer mechanism to the DPO for requests to exercise rights more

    complex such as the request at the origin of the complaint (concerning several email addresses and

    requiring investigation in the databases).


36. In addition, the Litigation Chamber emphasizes that the processing of personal data

    is only lawful if carried out in accordance with Article 6.1 of the GDPR. In the present case, the

    Litigation Chamber expresses all reservations as to the existence of a legal basis that allowed

    the defendant to send emails to prospects at the time, but does not reopen the proceedings

    on this point at this stage insofar as the inclusion of personal data “prospects” had

    place, either on the legal basis of consent, or on the legal basis of legitimate interest in view of

    to send prospecting emails for products or services similar to those purchased or

    previously subscribed by the person concerned, according to the explanations provided by the

    defendant in court.

37. The Litigation Division recalls the applicable principles set out in the recommendation of


    the Data Protection Authority nr 01/2020 of January 17, 2020 relating to the processing of

    personal data for direct marketing purposes.

    “Before looking at how the legal basis of legitimate interests works, you should

    examine whether or not you fall under the application of one or other special law that applies to you

    would prevent its use. As a reminder, when you send unsolicited communications

    direct marketing by electronic means, including via automated calling systems and

    communication without human intervention (automatic calls), fax machines or mail

    electronically, for commercial purposes, you must have the prior consent of the

    subscribers or users to do so (article 13.1 of the e-Privacy Directive).


    However, Article 13.2 of this Directive provides for a so-called “soft opt-in” exception for

    emails (defined as: any message in the form of text, voice, sound or

    image sent over a public communications network which may be stored on the network or

    in the terminal equipment of the recipient until the latter retrieves it) of marketing

    direct, addressed to existing customers or subscribers from whom an organization has obtained the

    electronic contact details in the context of the sale of a product or service of its own making.


    In this context, this organization is authorized to send an e-mail to these

    categories of persons for the purpose of direct prospecting for similar products or services

    itself provides provided that said customers are clearly and expressly given, Decision on the merits 39/2022 - 9/10



    the ability to object, free of charge and in a simple manner, to such use of contact details


    electronics at the time they are collected and during each message, in case they

    would not have immediately refused such exploitation.

    These rules apply only in this specific context and only in this one. If you

    wish to make use of this exception, you must comply with all of its terms


    application.The principles adopted therein are also useful for examining the legal basis

    legitimate interests for data controllers who wish to use it without entering

    in data processing situations covered by the scope of e-Privacy

    Directive. »




On the address of the data controller and the implementation of article 13.1 of the GDPR


38. Given that the defendant wished to be contacted at an address different from that

    informed by the plaintiff in his complaint, the Litigation Chamber asked the parties to

    enlighten him on the contact address of the controller and the way in which the defendant

    fulfills its information obligations under Article 13.1.a of the GDPR regarding the identity and

    contact details of the controller (letter of invitation to conclude of February 19, 2020).


39. In its submissions, the Defendant informed the Litigation Chamber of its address as

    mentioned in its Privacy Policy, and which corresponds to its registered office. Requirement

    made to the APD to correspond with another address, namely the address of the operating site

    principal of the defendant in Belgium and of its Managing Director, is not contrary to Article

    13.1.a of the GDPR, the Director General wishing to be heard during the hearing by the Chamber

    Litigation.


40. Consequently, the Litigation Chamber, which had initially not considered it necessary to seek

    the intervention of the Inspection Service on this point, concludes that there is ultimately no dispute on

    the identity of the data controller and his contact address.




On the sanction to be adopted by the Litigation Chamber


41. Based on the above elements, the Litigation Division finds the violation of Articles 12.3

    and 17.1 of the GDPR, due to (i) the absence of information as to the deletion of the first address

    email [email address 2] and (ii) failure to follow up on the complainant's request for erasure

    concerning his 2nd email address [email address 1] within the prescribed legal period of one month.


42. The Litigation Chamber nevertheless takes into account the partial fulfillment of the request of the

    complainant as a mitigating circumstance. The absence of a link between the database

    "prospect" and the defendant's "client" database does not constitute a circumstance

    mitigating because it was incumbent on the defendant to carry out with sufficient care a, Decision on the merits 39/2022 - 10/10




        searches for personal data held about the customer in databases in order to

        delete them according to his request, taking into account the basic data provided by the customer who

        did mention his old email address in his initial request. Bedroom

        Litigation therefore considers that a reprimand is the most appropriate sanction for breaches

        observed and that the facts are not of such gravity that it is necessary to impose a

        fine, in particular insofar as the Litigation Chamber did not observe that the

        shortcomings observed would impact a large group of citizens.







III. Publication of the decision


    43. Given the importance of transparency regarding the decision-making process of the Chamber

        Litigation, this decision is published on the website of the Authority for the protection of


        data. However, it is not necessary for this purpose that the identification data of the parties

        are communicated directly.






    FOR THESE REASONS,


    the Litigation Chamber of the Data Protection Authority decides, after deliberation:
                                    er
    - Pursuant to Article 100, §1, 5° of the LCA, to impose a reprimand for violation of Articles

        12.3 and 17.1 of the GDPR by the defendant;


                                 er
    Under Article 108, § 1 of the LCA, this decision may be appealed to the

    Court of Markets within thirty days of its notification, with the Authority of

    data protection as defendant.











(Sr.) Hielke Hijmans

President of the Litigation Chamber