APD/GBA (Belgium) - 62/2022: Difference between revisions

From GDPRhub

Revision as of 09:52, 18 May 2022

APD/GBA - 62/2022
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12 GDPR
Article 13 GDPR
Article 30 GDPR
Article 33(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 23.07.2018
Decided: 29.04.2022
Published: 29.04.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 62/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde 62/2022 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA held that it did not need to be notified of a data breach involving only a few e-mail addresses, shared only among the recipients through the use of CC instead of BCC.

The Belgian DPA held that parental consent is necessary for the use of pictures of minors from a disadvantaged background in external communication.

English Summary

Facts

The controller is a government agency which assists young people with a difficult family situation. It owns a youth care facility where young people can go.

The data subjects are a mother and her son, who sometimes stayed at the controller's facility. The controller sent an email to the mother and 15 other recipients, placing all of them in CC instead of BCC and thereby exposing the recipients' e-mail addresses to one another. The email did not reveal any personal information other than the names and email addresses of the recipients. This data breach was not reported to the DPA.

Furthermore, one day the

The complainant also received communication on two separate occasions. They stated that there was no legal basis for sending this direct marketing. The defendant does not qualify this as direct marketing, as these newsletters are essential to reaching its goals, e.g. keeping parents involved.

In addition, the legal basis for the use of a picture of a minor in an external publication is disputed on the ground that no parental consent was granted.

Holding

The DPA holds that, regarding the parental consent for the use of a picture of a minor, the complaint is unfounded as it cannot be proven. However, if it could be proven, the DPA holds that caution must be taken, as this concerns a minor from a disadvantaged background.

The DPA recalls that the right to one's image and the protection of personal data are two different things, and that agreeing to be filmed or photographed does not amount to consent to publish those pictures.

The defendant is a public body and cannot rely on legitimate interest as a legal basis, and the use of a picture of this specific minor for external communication is not necessary for the task carried out in the public interest, nor can it fall under contract.

As such, consent would be necessary.


For the data breach, the DPA holds that because of the limited number of recipients (16) and because only e-mail addresses were revealed, the risk for the data subjects is very low and thus there was no breach of Article 33(1). However, the DPA holds that the Record of Processing Activities does not include all required information, such as the retention period, and that it uses unclear terminology. The DPA holds that this constitutes a breach of Article 30.


Regarding the legal basis for sending the newsletters, the DPA holds that the newsletters serve both to fulfill the duties of the defendant and to raise funds (i.e. a direct marketing purpose). The DPA holds that the complainant was not adequately informed of the distinction between these functions. A breach of Article 12 and Article 13 was found because of this lack of clear information.


The DPA reprimands the defendant for its infractions and orders it to update its privacy policy and register of processing activities.

Comment

Note that in Belgium, the government and its institutions cannot be fined.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.