APD/GBA (Belgium) - 57/2024
| APD/GBA - 57/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 12 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 18.04.2024 |
| Published: | 18.04.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 57/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | nzm |
The DPA held that asking for and ID document as a deposit for a mobility aid did not comply with national Belgian law which requires that every Belgian of 15 years or more hold an ID document at all times.
English Summary
Facts
On 25 June 2022, the data subject was asked for his identity card as a deposit when renting an mobility aid to visit the controller's domain. He would get his identity card back upon returning the device. The data subject pointed out to the controller that this practice was not in accordance with the law. The controller replied that everyone surrendered their ID card as a deposit. Therefore, the data subject proceeded to do so and received a ticket in exchange.
On the same day, the data subject filed a complaint using the controller's email address for privacy related matters. Three days later, the controller responded that the use of an ID document was allowed as no copies or scans would be made.
The data subject responded by indicating that internal regulations mentioned an alternative deposit of 100€ for those who did not have or did not want to provide proof of identity, an option which he was not proposed. He also referred to the Belgian DPA website ("GBA") which read that an ID card cannot be kept as a deposit, as it prevents the data subject from fulfilling it's legal obligation to carry their card (Royal Decree of 25 March 2003 on Identity cards - KB van 25 maart 2003 betreffende de identiteitskaarten).
On 5 July 2022, the data subject filed a complaint with the GBA.
Holding
Firstly, regarding the material scope of the GDPR, the GBA indicated that under Article 2(1) GDPR, the latter shall apply to the processing of personal data by automatic means or which form part of a filing system. The CJEU clarified the concept of "file" by holding that "the concept of a ‘filing system’ [...] covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use." (CJEU, 10 July 2018, Jehovan todistajat).
In the present case, the DPA considered that the controller seems to structure the ID cards based on the number of the device in order to retrieve them easily when the device is returned. Since an ID card contains personal data, this practice falls within the scope of the GDPR.
Secondly, the DPA pointed out that national Belgian Law (Article 1 Royal Decree of 25 March 2003 on identity cards) establishes that every Belgian of 15 years or more must hold an identity card. The website of the Federal Government Department of Home affairs adds that withholding an ID card would make this request impossible and that there is no justification for withholding the ID card for the duration of a visit.
The GBA therefore held that even if the controller had sufficient legal basis, this practice does not comply with national Belgian law.
Finally, regarding transparency, the data subject noted that he was in no way informed of the alternative to the processing of his personal data, even when he was opposed to the processing. This alternative was not mentioned in the ticket received in exchange for his ID card either. The GBA found that the processing was not sufficiently transparent.
The DPA therefore issued a warning against the controller. This was a prima facie decision.
Comment
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller can still demand for a procedure if it does not agree.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/8
Dispute Chamber
Decision 57/2024 of April 18, 2024
File number: DOS-2022-02875
Subject: requesting an identity card as guarantee
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainant: X, hereinafter “the complainant”
The defendant: Y, hereinafter “the defendant” Decision 57/2024 — 2/8
I. Facts and procedure
1. The subject of the complaint concerns the use of the complainant's identity card as
guarantee for the loan of an aid when visiting the domain
defendant.
2. On 5 July 2022, the complainant submits a complaint to the Data Protection Authority against the
defendant.
On June 25, 2022, the complainant was asked to provide his identity card as security
renting a tool to visit the defendant's domain. He would
get his identity card back when returning the aid. The
The complainant pointed out to the defendant that handing over his identity card would not
was in accordance with the law, but the defendant replied that everyone is
provided an identity card as security. The complainant has his identity card on it
delivered and received back at the end of the day.
The complainant submitted a complaint to the defendant via privacy on the same day
defendant's email address. The complainant had a photo of the rental ticket and the
statement is attached. The rental ticket shows the name of the customer and the date
and the number of the aid used. The number of the
identity card and signature are not completed. This ticket also states:
stated: “An ID will be retained as a guarantee.”
On June 28, 2022, the defendant responded that the use of a
proof of identity was indeed allowed on the private domain of the
defendant when no copies or scans would be made. She would do this
checked with the competent government authorities. The confirmed
defendant that no additional registrations or actions have been made with the
identity card. The defendant further pointed to the internal regulations in which:
Article 6 did indeed mention an alternative guarantee for those who do not
had or wanted to hand over proof of identity, i.e. €100.
That same day, the complainant responded with a reference to the website
Data Protection Authority which read: “You can use the ID card
not to hold a person as surety. This practice is not acceptable because you
this prevents the data subject from complying with his legal obligation to
carry your identity card on sight. Taking a copy of your identity card
in these circumstances also poses problems with regard to the
compatibility with the GDPR.” Decision 57/2024 — 3/8
3. On July 26, 2022, the First Line Service contacted the complainant with the question
add contact details of the controller to the complaint
to be able to handle them correctly. On July 31, 2022, the complainant sent the
contact details of the defendant. In a second e-mail, the defendant sent the complainant again
continued communication with the defendant and separately confirmed that he had
alternative of €100 as a deposit was not offered when he initially resisted
handing over his identity card.
4. On August 1, 2022, the complaint will be declared admissible by the First Line Service
on the basis of articles 58 and 60 of the WOG and the complaint is filed on the basis of article 62, § 1
of the WOG transferred to the Disputes Chamber. 2
5. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations
order of the GBA, the parties can request a copy of the file. If one
both parties wish to make use of the opportunity to consult and
copying the file, he or she must contact the secretariat of the
Disputes Chamber, preferably via litigationchamber@apd-gba.be.
II. Justification
6. Article 2.1 of the GDPR determines the material scope of the GDPR:
“This regulation applies to the fully or partially automated
processing, as well as the processing of personal data contained in a file
included or intended to be included therein.”
The term 'file' is defined in Article 4.6) of the GDPR:
“file: any structured set of personal data that is collected according to certain criteria
accessible, regardless of whether it is completely centralized, decentralized or on
functional or geographical grounds;”
7. The European Court of Justice clarified the scope of the concept of 'file' in its
3
judgment “Jehova”:
“The answer to the second question must therefore be that Article 2(c) of Directive
95/46 must be interpreted as meaning that the term used in that provision
“truce” also falls entirely within the context of a door-to-door proclamation
collected personal data, consisting of the name and address of and others
1In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible
declared.
2In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to
has been transferred to her as a result of this complaint.
3See ECJ judgment C-25/17, Jehovan Todistajat, EU:C:2018:551; marginal number 62. Decision 57/2024 — 4/8
information about the people visiting the home, when this data is structured
according to specific criteria that make it easy to obtain this data in practice
retrieved for later use. To fall under this concept, one has to
There are no index cards, specific lists or other organizing systems of this kind
include." (own underlining)
8. The defendant rents out several resources within his domain. As a guarantee for these
aids, the defendant asked for the complainant's identity card. Next to the tool
the complainant also received a ticket with the identification number of the
tool and its name. It is therefore possible that the identity cards received by the
defendant are structured based on the number of the device, in order
this can be easily found when the device is returned. It
structuring identity cards based on the criteria 'type of aid' and/or
'number of the device' could become like a file on functional grounds
considered. Since an identity card contains personal data, this practice would
fall within the material scope of the GDPR.
9. Article 4.2) of the GDPR defines the concept of 'processing' as follows:
“an operation or set of operations relating to personal data or
a set of personal data, whether or not carried out via automated processes,
such as collecting, recording, organizing, structuring, storing, updating or modifying,
retrieve, consult, use, provide by transmission, disseminate or
otherwise make available, align or combine, shield, erase or
destruction of data;”
10. The defendant requests the identity card for safekeeping. Since the
the identity card details of the bearing company contain, can be requested and stored
be considered as processing personal data.
11. Article 5.1.a) of the GDPR states: “Personal data must be processed in a
manner that is lawful, fair and transparent with regard to the data subject
(“legality, propriety and transparency”).”
12. With regard to legality and propriety, the Disputes Chamber refers to Article 1 of the
4
royal decree on identity cards, which states: “Every Belgian has the full fifteen
years old, must be the holder of an identity card that serves as proof of registration in the
population register applies in the event of loss, theft or destruction of that card
certificate issued in accordance with Article 6. […] One of these two documents must
be submitted at any request by the police, [...] and, in general, whenever the
holder must provide proof of his identity.” On the Federal website
4KB of March 25, 2003 regarding identity cards. Decision 57/2024 — 5/8
Government Department of the Interior can be found under the FAQ on identity documents
read: “The provisions of Article 1 of the Royal Decree regarding the
identity cards dated March 25, 2003 state that each person is at all times
must be able to present an identity card to a person who does so for legal reasons
requests. However, withholding the identity card would make this request impossible.
It is therefore not justified to keep the identity card during the period
visit.”5
13. To the extent that the defendant would have a sufficient legal basis for the identity card
of the complainant, this does not seem appropriate since the complainant is on the domain of the
defendant cannot comply with Article 1 of the Royal Decree regarding the
identity cards, whatever the complainant would have declared before his
identity card has been issued.
14. With regard to transparency, the complainant declares that at the time of requesting his
ID card was not informed in any way about an alternative to processing
of his personal data, even if he initially opposed this
processing. This alternative was also not mentioned on the ticket the complainant received in return
for his identity card. Despite the inclusion of this alternative in the park regulations, it seems
the processing is not sufficiently transparent.
15. The Disputes Chamber is of the opinion that on the basis of the above analysis
concluded that the defendant may have violated the provisions of the GDPR
were committed, which justifies taking action in this case
a decision on the basis of Article 95, § 1, 4° of the WOG, more specifically a warning
to formulate with regard to the defendant that requesting and maintaining the
a visitor's identity card as a guarantee for a tool may constitute an infringement
determine the lawfulness, fairness and transparency of the processing.
16. This decision is a prima facie decision taken by the Disputes Chamber
in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant,
in the context of the “procedure prior to the decision on the merits” 6 and none
decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.
The Disputes Chamber has thus decided, on the basis of Article 58.2.a) GDPR and
Article 95, § 1, 4° of the WOG, to formulate a warning with regard to the
defendant with regard to the legality, propriety and transparency of the
requesting and keeping the identity card as guarantee for the use of a
tool in the domain of the defendant.
5https://ibz.rrn.fgov.be/nl/identitydocuments/eid/faq/ ; more specifically under the question: “Is one allowed at the reception of a
public building, ask for an identity card and keep it up to date?”
6Section 3, Subsection 2 of the WOG (Articles 94 to 97). Decision 57/2024 — 6/8
17. The purpose of this decision is to inform the defendant of the fact that this
may have committed an infringement of the provisions of the GDPR and this in the
the opportunity to still comply with the aforementioned provisions.
18. If the defendant does not agree with the content of this prima facie case
decision and is of the opinion that it can put forward factual and/or legal arguments that
could lead to a new decision, it can request a reconsideration
submit to the Disputes Chamber in accordance with the procedure established in Articles 98 in conjunction
99 of the WOG, known as a “treatment on the merits”. This request must be
sent to the email address litigationchamber@apd-gba.be within a period of 30
days after notification of this primafacie decision. If applicable, implementation will take place
of this decision is suspended for the above-mentioned period.
19. In the event of a continuation of the merits of the case, the
Disputes Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 of the
invite WOG to submit their defenses and any documents they consider useful
to be added to the file. If necessary, the present decision will become final
suspended.
20. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits
of the case may lead to the imposition of the measures referred to in Article 100 of the
7
WOG .
III. Publication of the decision
21. Considering the importance of transparency with regard to decision-making
Dispute Chamber, this decision will be published on the website of the
7Article 100. § 1. The Disputes Chamber has the authority to:
1° to dismiss a complaint;
2° to order the dismissal of prosecution;
3° order the suspension of the ruling;
4° to propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° to order that the person concerned is informed of the security problem;
8° order that processing be temporarily or permanently frozen, restricted or prohibited;
9° to order that the processing be brought into compliance;
10°the rectification, limitation or deletion of data and its notification to the recipients of the data
recommend data;
11° order the withdrawal of the recognition of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° the suspension of cross-border data flows to another State or an international institution
command;
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the
follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the
Data Protection Authority. Decision 57/2024 — 8/8
9
in accordance with Article 1034quinquies of the Dutch Civil Code. ,or via the Deposit Information System
the Ministry of Justice (Article 32ter of the Judicial Code).
(get). Hielke H IJMANS
Chairman of the Disputes Chamber
9The petition with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.
