APD/GBA (Belgium) - 48/2024

Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12(3) GDPR
Article 15(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 28.03.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 48/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD (in FR)
Initial Contributor: nzm

The DPA issued a warning against an embassy for, among other things, not giving access to the identity of an employee who made an unauthorized consultation of the data subject’s personal data.

English Summary

Facts

On 12 July 2023, one of the embassy’s (“controller”) employees made an unauthorized consultation of the National Register as they were allegedly a friend of the data subject, seeking to find out about her after 25 years. After noticing a suspicious consultation of her data, on 19 July 2023, the data subject exercised her right of access regarding this consultation and asked that the controller disclose the identity of the person who carried out the consultation.

On 17 August 2023, the data subject repeated her request as she had not received a reply. On 22 August 2023, the controller’s DPO confirmed the receipt of the request and forwarded it to the relevant departments.

On 13 September 2023, the DPO explained to the data subject that they needed more than a month to process the request, as external approaches to the embassy take time.

On 8 November 2023, the data subject sent an email to the controller explaining that if she did not receive a reply by the end of November, she would lodge a complaint with the Belgian DPA (“APD”). On the same day, the DPO replied, stating that the investigation had revealed that the consultation had been carried out privately by a childhood friend of the data subject, who was also an embassy employee and who wished to renew contact with the data subject. The DPO indicated that any consultation for other than consular purposes was prohibited and would give rise to administrative sanctions.

On 9 November 2023, the data subject lodged a complaint with the APD.

Holding

Firstly, regarding the late response to the data subject’s access request, Article 12(3) GDPR establishes that the controller must respond to a data access request without undue delay and, in any event, within one month of receipt of the request. The APD held that it can be materially difficult for a data controller to respond within the one-month period provided for in the GDPR. However, the DPA considered that in the present case, the response to the access request was late and significantly exceeded the time limit, as the controller took three and a half months to respond.

The controller confirmed receipt of the data subject’s request one month after she exercised her right. The APD pointed out that the time limit for replying begins to run when the controller has received the request for access through one of its official channels, and not when the controller actually becomes aware of the request. The DPA also noted that the controller invoked an extension of 2 months, in accordance with Article 12(3) GDPR. However, this extension was not invoked within one month of receipt of the request, since it was made almost 2 months after the data subject exercised her right of access.

Secondly, the APD pointed out that the CJEU held that Article 15(1) GDPR does not lay down a right to access the information relating to the identity of the employees of the controller who carried out the operations under its authority and in accordance with its instructions, unless that information is essential to enable the data subject to effectively exercise their rights under the GDPR. The CJEU added that the rights and freedoms of the employees must also be taken into account (CJEU, C-579/21).

The APD also considered, with reference to its previous case law, that when employees consult the data subject’s data for their own purposes, the data subject must be able to access the employee’s identity, unless the employees’ rights and freedoms prevail. Additional factors may justify a refusal to reveal the employee’s identity.

In the present case, the APD noted that the consultation was carried out privately by a childhood friend of the data subject. This was not under the authority of the controller. The controller did not reveal the identity of the employee and did not provide any justification for not doing so. Therefore, the APD considered that the response to the access request was incomplete.

The APD issued a warning against the controller.

Comment

As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA ruled solely on the basis of the complaint, without holding a procedure. The controller could request a procedure within 30 days after the decision.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.