APD/GBA (Belgium) - 39/2022

From GDPRhub
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 17(1) GDPR
Article 13 ePrivacy Directive
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.03.2022
Published:
Fine: None
Parties: n/a
National Case Number/Name: 39/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: kc

The Belgian DPA reprimanded a controller for failing to delete a former client's personal data in violation of Article 17(1) GDPR, and for not handling the erasure request within the one-month period under Article 12(3) GDPR.

English Summary

Facts

The data subject is a former client of the controller.

In June 2019, the data subject requested the deletion of their customer account and their personal data from the controller. They sent their request from their current email address [email address 2] and mentioned their old email address [email address 1] in the request. The controller acknowledged the receipt of the request and sent the data subject several messages assuring them that a follow-up was in progress.

However, in September 2019, the data subject received a new advertising email to email address 1, and subsequently sent a new request for deletion of their data to the controller. The controller's customer service department acknowledged the receipt of the request and announced a response within seven working days.

In October 2019, the data subject lodged a complaint with the DPA because they had not received any follow-up after their latest request. They claimed that their right to erasure (Article 17(1) GDPR) and their right to access (Article 15(1)(b) GDPR and Article 15(1)(d) GDPR) had been violated.

In February 2020, following several hearings of the parties, the controller sent a letter to the data subject, informing them of the deletion of the account linked to email address 1 and the date of deletion. Furthermore, the controller told the data subject that their request for deletion of the data related to email address 2 had been taken into account. The email addresses were stored in two separate databases of the controller as "prospect" and "client".

The controller claimed that the data subject's request did not concern a request for access under Article 15(1)(b) GDPR and Article 15(1)(d) GDPR, but a request for information on the erasure of data by the controller.


Holding

The DPA reprimanded the controller for several violations of the GDPR.

First, the DPA found that the controller had violated Article 17(1) GDPR. Due to the superficial examination of the data subject's claim, the controller had not deleted both email addresses even though that would have been its responsibility. The fact that the two email addresses were recorded in separate databases and were not subject to the same processing was not sufficient justification to rule out a violation of Article 17(1) GDPR, especially since the data subject provided the old email address 1 in their initial request. The DPA noted that the controller's procedure for managing requests has been reviewed and adapted in a way that such errors should not happen again.

Second, the DPA agreed with the controller that the data subject had not made a request for access under Article 15(1)(b) GDPR and Article 15(1)(d) GDPR, but a request for information on the erasure of data by the controller. It noted that, while the incomplete or inaccurate formulation of a request to exercise a right, in this case the right of access, cannot be a reason not to act on it, the data subject's request objectively related to the deletion of the data and not to access to it. Therefore, the DPA dealt with this issue in accordance with Article 12(3) GDPR and not Article 15(1) GDPR.

Since the controller had not provided the data subject with the information on the measures taken following their request, the DPA found a violation of Article 12(3) GDPR. This provision sets a maximum period of one month to respond to such a request.

Lastly, the DPA briefly discussed the issue of the legal basis of data processing relating to direct marketing purposes, but did not reopen the proceedings at this stage in this regard.



English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision on the merits 39/2022 of 17 March 2022

File number: DOS-2019-04973

Subject: Complaint against a commercial company concerning a request for erasure of data and a request for access to this data

The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, Chairman, and Messrs. Romain Robert and Christophe Boeraeve;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of this data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);

Having regard to the internal regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

made the following decision regarding:

The plaintiff: Mr. X, hereinafter “the plaintiff”;

The defendant: Y, represented by Me Olivier Proust, lawyer, hereinafter: "the defendant".



I. Facts and procedure

1. The Complainant is a former client of the Respondent. Following a move on June 10, 2019, he requests the deletion of his customer account and his personal data from the defendant. The complainant uses his current email address [email address 2] to send this request, and also mentions his old email address [email address 1].

2. The defendant acknowledges receipt of the request and sends the complainant several messages assuring him that a follow-up is in progress (11/07/2019; 22/07/2019 and 05/08/2019).

3. On September 13, 2019, however, the complainant received a new advertising email at the old address [email address 1], and sends a new request for deletion of his data to the defendant. The defendant's customer service department acknowledges receipt of the request on the same date and announces a response within 7 working days.

4. On October 1, 2019, the complainant lodged a complaint with the Data Protection Authority against the defendant because no follow-up was given to his last request.

5. On October 31, 2019, the complaint was declared admissible by the Front Line Service on the basis of Articles 58 and 60 of the LCA, and the complaint is transmitted to the Litigation Chamber pursuant to Article 62, § 1 of the LCA.

6. On December 9, 2019, the Litigation Division decides, pursuant to Article 95, § 1, 1° and Article 98 of the LCA, that the case can be dealt with on the merits.

7. The subject of the complaint, according to the facts as understood and qualified by the Litigation Chamber in its invitation to conclude, concerns:

a. the exercise of the right to erasure (article 17.1 of the GDPR) of the personal data of the plaintiff in the databases of the defendant and

b. the complainant's right of access to the categories of personal data held about him in the defendant's database (article 15.1.b GDPR) and the right of access to information regarding the retention period of personal data held about him by the defendant (15.1.d GDPR).

8. Indeed, the request is worded in the complaint as follows: “Statement of facts: dated 06/10/2019, I asked company Y, under the legal provisions on GDPR, to delete my account, to delete all my personal data and to give a positive follow-up to my request for the "right to be forgotten"”. The complainant attaches to his complaint the initial request addressed to the defendant on June 10, 2019, in which he also requests the communication, by the defendant, of the “legal deadlines that you will use and the nature of the information that you delete (with the precise indication of the different dates of deletion)".




9. On December 10, 2019, the parties concerned are informed by registered letter of the provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their conclusions.

10. The deadline for receipt of the defendant's submissions in response is January 17, 2020, that for the complainant's reply submissions is February 14, 2020, and that for the defendant's reply submissions is February 28, 2020.

11. On February 4, 2020, the Respondent requests a new procedural calendar, having not received the first invitation to conclude due to the closure of the company's head office during the Christmas period, and requests a full copy of the file electronically (art. 95, §2, 3° LCA). The defendant also expresses its intention to make use of the possibility of being heard, in accordance with Article 98 of the LCA.

12. On February 19, 2020, the Litigation Division sends the parties a copy of the file and grants a new deadline to conclude. The new deadline for receipt of the respondent's submissions in response is set for March 11, 2020, that for the complainant's submissions in reply for March 25, 2020, and that for the defendant's reply submissions for April 8, 2020.

13. On February 26, 2020, the defendant sent a letter to the complainant to inform him that his request for deletion had been taken into account with regard to the e-mail address [email address 2] and with regard to the “prospect” account linked to his old email address [email address 1].¹ The defendant informs the complainant of the nature of the information deleted and the date of deletion of this data. Regarding the request to delete the new e-mail address of the plaintiff, the defendant indicates in this letter that "the request made on June 10 was indeed taken into account with regard to your customer account”.

14. On March 10, 2020, the Litigation Chamber receives the submissions in response from the defendant. They can be summarized as follows:

- The defendant promptly granted the request to erase the data for the email address linked to the “customer” account [email address 2], but the deletion did not take place immediately with regard to the data linked to the former email address of the complainant [email address 1], this address being itself linked to a "prospect" account kept by the defendant in a separate database. Therefore, the violation of article 17.1 of the GDPR was only partial. Once it was confirmed that the 2nd email address also belonged to the complainant and that it was not a homonym, this address was also definitively removed from the defendant's "prospects" database.

¹ Respondent's Exhibit 5.



- The plaintiff's request relating to the "legal deadlines you will use and the nature of the information that you will delete with the precise indication of the different dates of erasure” must be attached to his erasure request, and must not be interpreted as a request for access within the meaning of Article 15.1 d) of the GDPR. His complaint states that he wished to obtain confirmation that his data had indeed been erased. The GDPR does not impose on the controller an obligation to communicate the date of erasure of the data as such, but rather an obligation to confirm to the data subject what measures have been taken to respond to his or her request (Art. 12.3 GDPR). The defendant also voluntarily provided the complainant with a detailed explanation of the retention period of the data and the date of erasure of the data.

15. Following these conclusions in response, the Litigation Chamber did not receive any other document from the parties (no conclusion from the complainant and no new conclusion in reply from the defendant).

16. On January 28, 2022, the parties are informed that the hearing will take place on February 17, 2022. By this same letter, the Litigation Chamber informs the parties that the plaintiff expressed his wish not to participate in the hearing.

17. On February 17, 2022, the defendant was heard by the Litigation Chamber.

18. On March 1, 2022, the minutes of the hearing are submitted to the defendant, with the possibility of attaching any comments within one week, without this implying a reopening of the debates. The Litigation Chamber did not receive any remarks relating to the minutes.






II. Motivation

On the violation of Article 17.1 of the GDPR

19. Article 17.1 of the GDPR states that “the data subject has the right to obtain from the controller the erasure, as soon as possible, of personal data concerning him and the controller has an obligation to erase such personal data as soon as possible, when one of the following reasons applies:

a) The personal data are no longer necessary for the purposes for which it was collected or otherwise processed;

b) The person withdraws the consent on which the processing is based, in accordance with Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing”.



20. In the present case, based on the aforementioned elements and the conclusions of the defendant, the latter actually infringes Article 17.1 of the GDPR because the circumstance that the two email addresses were recorded in separate databases and were not subject to the same processing is not sufficient justification to rule out a violation of Article 17.1 of the GDPR, especially since the complainant provided in his initial request of June 10, 2019 the former email address to be deleted.

21. Therefore, given the partial deletion of the complainant's data, the Litigation Chamber must find a partial violation of Article 17.1 of the GDPR. The Litigation Chamber notes that this violation results from a superficial examination of the claim of the plaintiff by the defendant, on whom the responsibility fell to seek clarification in case of doubt about the scope of the deletion request. The defendant seems to believe that it could legitimately believe that the email address indicated as old was no longer used by the defendant and was not the subject of the deletion request. However, the Litigation Chamber considers that the defendant should have checked whether it was not also its responsibility to remove the old email address from its mailing system. The Litigation Division further notes that, according to the defendant, the customer care service also had access to the prospect database, and could have searched for this old email address to remove any doubt. Moreover, this misunderstanding could have been avoided if the defendant had informed the complainant of the concrete follow-up given to his request for erasure concerning the first email address (see below, on the violation of Article 12.3 of the GDPR).

22. The Litigation Division also notes that the procedure for managing requests has been reviewed in its new access request management policy (“GDPR department – data subject rights – procedure”) and that these requests will henceforth be directed to the service of the Data Protection Officer (DPO), which should prevent this type of error from happening again.

23. The Litigation Division also notes that the data for the second address were deleted by the defendant after clarification by the complainant of the addresses for which he was requesting deletion.

24. The Litigation Chamber understands, however, that by failing to qualify the plaintiff's request as a request for access to all the data concerning him, the defendant abstained from searching for all the data it had about him, and presumably lost a chance to make the link between the “customer” database and the “prospects” database containing different email details for the same customer. The latter, however, had from the outset provided his two addresses in his deletion request, one in the body of his message to the defendant (my old email is [email address 1]), the other via the address [email address 2] from which his request itself was sent to the defendant. It is this last address that was deleted and not the address entered as old. It was moreover incumbent on the defendant, as data controller, to ensure that it had a clear view of the data to be deleted in order to respond to the wish of the complainant, namely, in fine, beyond the request to erase the data, to no longer receive advertising emails from the defendant.




On the violation of Article 15.1 of the GDPR

25. Article 15.1 of the GDPR states that “the data subject has the right to obtain from the controller confirmation that personal data concerning him are or are not processed and, when they are, access to said personal data as well as the following information:

a) The purposes of the processing;

b) The categories of personal data concerned;

c) […]

d) Where possible, the envisaged retention period for personal data or, where this is not possible, the criteria used to determine this duration;

[…]”.

26. In its conclusions, the defendant argues that the plaintiff's request did not concern a request for access under Article 15.1.b and Article 15.1.d of the GDPR, but a request for information on the erasure of data by the controller.

27. In this regard, the Litigation Chamber wishes to recall that the incomplete or inaccurate formulation of a request to exercise a right, in this case the right of access, cannot be a pretext not to act on it (useful).²

28. In order to give useful effect to the complainant's request, the controller must proactively identify the will of the latter. In this case, and given the different exchanges between the parties, the Litigation Chamber considers that the main object of the plaintiff's request, as formulated (request to communicate the “nature of the information that you will delete (with precise indication of the different erasure dates)”), did not mainly relate to access to these data but to their deletion.

29. Therefore, the Litigation Chamber follows the defendant's reasoning and admits that the request of the complainant, including with regard to the nature of the data deleted, is related to the exercise of the right to be forgotten. The request for information must therefore be dealt with in accordance with Article 12.3 of the GDPR (right to information on the measures taken following a request to exercise a right), and not on the basis of article 15.1 of the GDPR (right of access).

² See decision of the Litigation Chamber no. 41/2020 of 29 July 2020 and decision of the Litigation Chamber no. 44/2020 of 5 August 2020.



On the violation of Article 12.3 of the GDPR

30. Article 12.3 provides that “the controller shall provide the data subject with information on the measures taken following a request made pursuant to Articles 15 to 22, as soon as possible and in any case within one month from the receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests related to the exercise of a GDPR right. The controller is then required to inform the data subject of this extension and the reasons for the postponement within one month of receipt of the request”.

31. Article 12.3 sets a maximum period of one month to respond to such a request, and it appears from the defendant's exhibit file that the information on the follow-up given to the request for deletion of the second email address was only provided on February 26, 2020, i.e. more than eight months after the initial request for erasure, which exceeds the legal period, even including a reasonable grace period due to possible technical or organizational contingencies.

32. Pursuant to Article 12.3 of the GDPR, the onus was on the defendant to inform the complainant of the measures taken to respond to the request to delete the two email addresses concerned, within the legal period of one month. This information was not provided for the first email address removed. As a result, the defendant deprived itself of the possibility of clarifying directly with the complainant the scope of the deletion request, relating to two email addresses and not to one.

33. Moreover, if the defendant believed that it had responded to the initial request after erasing a first e-mail address, this confusion does not justify the new lack of response on the action undertaken by the defendant following the complainant's last request dated September 13, 2019. The Litigation Chamber considers in this respect particularly regrettable that the defendant undertook to respond "within 7 days" to the complainant's last reminder and then abstained from follow-up within the self-imposed time limit, so that on October 1, the complainant had not yet received any news in this regard.

34. Therefore, the Litigation Chamber must find a violation of Article 12.3 of the GDPR on the part of the defendant due to the absence of information provided by the defendant within the legal period of one month on the measures taken to respond to the request to erase data from the complainant, with regard to the “customer” email address [email address 2] and the “prospect” address and with regard to the email address [email address 1]. This one-month response time had to be counted from the complainant's initial request made on June 10, 2019. No extension or grace period was in this case justified by possible technical or organizational contingencies, which the defendant does not demonstrate. The defendant, in fact, did not make any justified request to the complainant for an extension of the deadline under the conditions permitted by Article 12.3 of the GDPR.



35. However, the Litigation Chamber takes note of the defendant's explanations in the hearing concerning the management policy for access requests introduced after this incident: it is provided that access requests receive by default a response within the month by means of concise, transparent, intelligible and easily accessible information (article 5.1 of the document “GDPR Data subject rights – procedure”, provided to the Litigation Chamber). The repetition of the incident should also be avoided by the new complaint-handling procedure, which provides for a transfer mechanism to the DPO for more complex requests to exercise rights, such as the request at the origin of the complaint (concerning several email addresses and requiring investigation in the databases).

36. In addition, the Litigation Chamber emphasizes that the processing of personal data is only lawful if carried out in accordance with Article 6.1 of the GDPR. In the present case, the Litigation Chamber expresses all reservations as to the existence of a legal basis that allowed the defendant to send emails to prospects at the time, but does not reopen the proceedings on this point at this stage insofar as the inclusion of “prospects” personal data took place either on the legal basis of consent, or on the legal basis of legitimate interest with a view to sending prospecting emails for products or services similar to those purchased or previously subscribed to by the person concerned, according to the explanations provided by the defendant in court.

37. The Litigation Division recalls the applicable principles set out in the recommendation of the Data Protection Authority nr 01/2020 of January 17, 2020 relating to the processing of personal data for direct marketing purposes.

“Before looking at how the legal basis of legitimate interests works, you should examine whether or not you fall under the application of one or other special law that would prevent its use. As a reminder, when you send unsolicited direct marketing communications by electronic means, including via automated calling systems and communication without human intervention (automatic calls), fax machines or electronic mail, for commercial purposes, you must have the prior consent of the subscribers or users to do so (article 13.1 of the e-Privacy Directive).

However, Article 13.2 of this Directive provides for a so-called “soft opt-in” exception for direct marketing emails (defined as: any message in the form of text, voice, sound or image sent over a public communications network which may be stored on the network or in the terminal equipment of the recipient until the latter retrieves it), addressed to existing customers or subscribers from whom an organization has obtained the electronic contact details in the context of the sale of a product or service of its own making.

In this context, this organization is authorized to send an e-mail to these categories of persons for the purpose of direct prospecting for similar products or services it itself provides, provided that said customers are clearly and expressly given the ability to object, free of charge and in a simple manner, to such use of electronic contact details at the time they are collected and with each message, in case they have not immediately refused such use.

These rules apply only in this specific context and only in this one. If you wish to make use of this exception, you must comply with all of its terms of application. The principles adopted therein are also useful for examining the legal basis of legitimate interests for data controllers who wish to use it without falling into data processing situations covered by the scope of the e-Privacy Directive.”




On the address of the data controller and the implementation of article 13.1 of the GDPR

38. Given that the defendant wished to be contacted at an address different from that given by the plaintiff in his complaint, the Litigation Chamber asked the parties to enlighten it on the contact address of the controller and the way in which the defendant fulfills its information obligations under Article 13.1.a of the GDPR regarding the identity and contact details of the controller (letter of invitation to conclude of February 19, 2020).

39. In its submissions, the Defendant informed the Litigation Chamber of its address as mentioned in its Privacy Policy, which corresponds to its registered office. The request made to the APD to correspond with another address, namely the address of the defendant's principal operating site in Belgium and of its Managing Director, is not contrary to Article 13.1.a of the GDPR, the Director General wishing to be heard during the hearing by the Litigation Chamber.

40. Consequently, the Litigation Chamber, which had initially not considered it necessary to seek the intervention of the Inspection Service on this point, concludes that there is ultimately no dispute on the identity of the data controller and his contact address.




On the sanction to be adopted by the Litigation Chamber

41. Based on the above elements, the Litigation Division finds the violation of Articles 12.3 and 17.1 of the GDPR, due to (i) the absence of information as to the deletion of the first email address [email address 2] and (ii) failure to follow up on the complainant's request for erasure concerning his 2nd email address [email address 1] within the prescribed legal period of one month.

42. The Litigation Chamber nevertheless takes into account the partial fulfillment of the request of the complainant as a mitigating circumstance. The absence of a link between the "prospect" database and the defendant's "client" database does not constitute a mitigating circumstance because it was incumbent on the defendant to carry out with sufficient care a search for personal data held about the customer in its databases in order to delete them according to his request, taking into account the basic data provided by the customer, who did mention his old email address in his initial request. The Litigation Chamber therefore considers that a reprimand is the most appropriate sanction for the breaches observed and that the facts are not of such gravity that it is necessary to impose a fine, in particular insofar as the Litigation Chamber did not observe that the shortcomings observed would impact a large group of citizens.







III. Publication of the decision

43. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for this purpose that the identification data of the parties are communicated directly.

FOR THESE REASONS,

the Litigation Chamber of the Data Protection Authority decides, after deliberation:

- Pursuant to Article 100, §1, 5° of the LCA, to impose a reprimand for violation of Articles 12.3 and 17.1 of the GDPR by the defendant;

Under Article 108, § 1 of the LCA, this decision may be appealed to the Court of Markets within thirty days of its notification, with the Data Protection Authority as defendant.

(Sr.) Hielke Hijmans

President of the Litigation Chamber