APD/GBA (Belgium) - 73/2023
| APD/GBA - 73/2023 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(1) GDPR; Article 4(2) GDPR; Article 4(7) GDPR; Article 95, §1, 3° Loi portant création de l'Autorité de protection des données |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | 23.02.2023 |
| Decided: | 12.06.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | Commissariat Général aux Réfugiés et Apatrides (CGRA) |
| National Case Number/Name: | 73/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | Autorité de protection des données (in FR) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA concluded that BYOD poses certain risks and that a risk assessment is necessary, especially when dealing with sensitive data. However, an employee using their personal device contrary to the employer's procedures does not automatically constitute a breach of the GDPR.
English Summary
Facts
During a hearing as part of an asylum application, an employee of the Office of the Commissioner General for Refugees and Stateless Persons (CGRA) used his private phone to photograph the social network pages of the applicant (the data subject). The photographs were added to the applicant's file. The data subject wanted to know whether this was standard practice and what happened to the pictures on the mobile phone.
The CGRA responded to the data subject that the employee only had the data subject's best interests at heart, i.e. an effective and swift procedure. However, the CGRA also stressed that it provides its employees with work equipment and that the use of a private mobile phone is not allowed. It emphasised that this practice is neither widespread nor official, and that this had been communicated to the employee in question as well as to all other employees to prevent similar situations from occurring. The CGRA confirmed that the pictures were deleted immediately after the interviews.
Holding
The Belgian DPA established that taking photographs with a private phone constitutes processing of personal data according to Article 4(1) and Article 4(2) GDPR. However, it is not the employee but his employer who is the controller according to Article 4(7) GDPR, regardless of whether the employee acted in breach of or in compliance with internal procedures. The DPA reaffirmed that it is the employer who determines the means and purposes (cumulative requirements) of the processing, not the employee. The employee acted in the interest of the employer, not for strictly personal reasons (see, as an example, case 129/2021, point 23 in fine). As such, the DPA concluded that the employee cannot be held responsible for a potential breach of the GDPR.
Since the CGRA is the controller, it is responsible for implementing the GDPR. The DPA noted that the awareness-raising measures taken to prevent further incidents constituted good practice. However, the DPA stated that the implementation of BYOD (Bring Your Own Device) at work can present certain risks, so a thorough risk assessment is required, especially when dealing with personal data in a sensitive context such as an asylum application.
The DPA concluded that nothing pointed towards a breach of the GDPR, regardless of the use of personal equipment being against the controller's policy. The DPA recalled that the pictures were taken in the interest of the data subject and were removed from the personal device as soon as retention was no longer required.
Based on the above, the DPA dismissed the case with no further action under its competence in Article 95, §1, 3° LCA, as the controller cannot be accused of any breach of the GDPR.
Comment
For an example where an employee was classified as controller when breaching the employer's internal procedures and processing data for their own purposes, refer to case 129/2021, point 23 in fine: https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-129-2021.pdf
The employee made use of the resources provided to her by the employer; to the extent that the employee made the disputed consultations outside the scope of her duties as an employee, she must be considered a data controller for these unlawful consultations in particular.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision 73/2023 of June 12, 2023
File number: DOS-2023-00901
Subject: Complaint relating to the taking of photographs with a personal mobile phone by an employee in the performance of his duties

The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke Hijmans, President, sitting alone;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);
Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to the processing of personal data (hereinafter LTD);
Having regard to the Rules of Procedure as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
Considering the documents in the file;
Made the following decision regarding:
The complainant: Mr. X, hereinafter "the complainant";
The defendant: The General Commissariat for Refugees and Stateless Persons (CGRA), whose headquarters is established at 1070 Brussels (Anderlecht), rue Ernest Blérot, 39 and registered with the Crossroads Bank for Enterprises (BCE) under number 0308.356.862, hereinafter "the defendant".

I. Facts and procedure

1. The complaint concerns the taking of photographs by an employee of the defendant using his personal mobile phone during a hearing organised as part of the complainant's asylum application process.

2. On February 23, 2023, the complainant filed a complaint with the Data Protection Authority (APD). He directs his complaint against the attaché in charge of contacts with lawyers (see also note 1).

3. In his complaint, the complainant states the following.

4. During the month of November 2022, the complainant, accompanied by his counsel, was interviewed by the defendant. The complainant reports that during this interview, the protection officer [1] (employee of the defendant) in charge of the complainant's file took photographs, on 4 occasions and with a mobile phone, of social media pages of members of the complainant's family and attached them to the file.

5. Following this hearing, counsel for the complainant contacted the defendant to inform it of his astonishment at this taking of photographs and of the fact that this practice seemed to violate the applicable data protection regulations. The complainant's counsel notes in this respect that "it is about the taking of a photo by mobile phone (professional or personal? [see below]) of data of the applicant for international protection on the mobile phone of the applicant for international protection without having requested his prior consent and which concerns data of third parties". In this same letter, counsel for the complainant therefore also asks whether these photographs were taken with a private or professional mobile phone, whether it is a generalised practice within the defendant and what happens to the photographs recorded on the mobile phone of the author of the photos.

6. In December 2022, the defendant, through the attaché responsible for contacts with lawyers to whom counsel for the complainant had written, responded as follows:
"Master X, We would like to follow up on your intervention of [...] November by informing you of the following. It emerges from discussions with the protection officer who heard your client that he actually used his private phone to take photographs. He states that he has always been committed to strictly respecting the confidentiality and data of the applicants. He had no other intention than to achieve efficient and rapid handling of the file for which he is responsible. The photographs taken were attached to the administrative file and deleted from his phone immediately after the November [...] interview. However, this way of proceeding is incompatible with the modus operandi of the CGRS. The CGRS provides its employees with the work equipment necessary for the performance of their professional duties. Therefore, taking photos with an employee's private cell phone should not have happened. We insist on the fact that this is a practice at the CGRS which is neither generalised nor official. This was also communicated to the protection officer in question, and will also be communicated to other employees to prevent this situation from recurring."

7. On February 23, 2023, i.e. the same day the complaint was filed, the Front Line Service (SPL) of the DPA declared the said complaint admissible on the basis of Articles 58 and 60 of the LCA, and sent it to the Litigation Chamber in accordance with Article 62, § 1 of the LCA.

II. Motivation

8. The Litigation Chamber notes, as already mentioned in point 1, that in his complaint form, the complainant directs his complaint against the attaché in charge of contacts with lawyers. In his post-hearing letter (point 5), the complainant also seems to directly implicate the protection officer who took the photographs during the hearing.

9. The Litigation Chamber is of the opinion that this last employee of the defendant is not the controller in this case. Indeed, while it is undeniable that taking photographs of family members in the context described by the complaint constitutes processing (Article 4.2) of personal data (Article 4.1) within the meaning of the GDPR, the mere circumstance that these photographs were taken by the employee in question does not make him a controller of said data within the meaning of Article 4.7 of the GDPR. Furthermore, the fact that this employee took these photographs with his personal mobile phone, even in violation of the internal rules applicable at the defendant, does not make him a controller within the meaning of this same article.

10. The data controller is indeed defined therein as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing" [2]. Article 4.7 further specifies that "when the purposes and means of this processing are determined by the law of the Union or the law of a Member State, the controller may be designated or the specific criteria for its designation may be provided for by Union law or by the law of a Member State".

11. The Litigation Chamber is of the opinion that the employee concerned did not determine the purposes of the data processing. The processing complained of took place in the exercise of his function as protection officer of the defendant, in compliance with the missions legally assigned to the defendant. In this regard, the Litigation Chamber notes that the defendant has a privacy policy available on its website, under the terms of which it identifies itself as data controller (see the section "Contact data") and in which it describes that, in the context of the execution of its legal missions, it processes personal data for the purpose of making decisions about applications for international protection/asylum, as was the case here [3].

12. The Litigation Chamber also considers that even if he certainly used his personal mobile phone - and not a professional mobile phone - (i.e. a "means" within the meaning of Article 4.7 of the GDPR), apparently contrary to the instructions given by the defendant in this respect, this discrepancy does not, in this case, make him a data controller who would have determined the purposes (quod non - see point 11 above) and the means, these elements being cumulative. The present case should be distinguished from the situation in which an employee would divert the purpose determined by the data controller to substitute his own purpose, for example. The Litigation Chamber has thus already had the opportunity to requalify an employee as a data controller in cases where the latter had misappropriated the access to the national register granted to him in the exercise of his functions in order to consult it for strictly personal purposes [4]. The same applies to the processor (sous-traitant) who would go beyond the instructions received from the data controller and would pursue his own purpose. In this case, he is requalified as data controller.

13. In the present case, this last scenario is also not applicable since the employee concerned is no more a processor than he is a data controller. The Litigation Chamber recalls that a processor is defined, within the meaning of Article 4.8 of the GDPR, as "the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller". The processor is therefore, as underlined by the EDPB in its guidelines on the notions of controller and processor in the GDPR already mentioned [5], "a separate entity from that of the data controller". The EDPB thus states that "to be considered a processor, two basic conditions must be met: a) be a separate entity from the controller and b) process personal data on behalf of the controller" (point 76). The EDPB adds that "a separate entity means that the data controller decides to delegate all or part of the processing activities to an external organisation" (point 77) [6].

14. It follows a fortiori from the foregoing that the defendant's attaché responsible for contacts with lawyers, identified by the complainant as data controller under the terms of the complaint form (see note 1), is also neither controller nor processor.

15. If they are neither controller nor processor, the above-mentioned employees cannot be accused of breach(es) of the GDPR.

16. These employees of the defendant are, on the other hand, "persons acting under the authority of the controller" within the meaning of Article 29 of the GDPR who, when they have access to personal data, can only, except in exceptional cases, process them on the instructions of the controller, in this case on the instructions of the defendant. In this regard, the Litigation Chamber notes that the defendant indicates that, following the facts complained of, it took awareness-raising measures for the employee concerned as well as for all personnel to prevent incidents such as the one denounced. This initiative is relevant.

17. The Litigation Chamber will now examine whether a breach of the GDPR or of the data protection rules with which the Litigation Chamber is required to ensure compliance must be found on the part of the defendant, which assumes the quality of data controller.

18. The Litigation Chamber recalls that the use of personal equipment by employees in the performance of their duties is a choice of the employer, which may authorise it or not, if necessary under certain conditions. In this case, we speak of BYOD, an acronym for "Bring Your Own Device" (in French: "Apportez Votre Equipement personnel de Communication" or AVEC), which designates the use of personal computing equipment in a professional context. This may be, for example, an employee who, in order to connect to the company network, uses personal equipment such as his computer, tablet or smartphone or, as in this case, the use of his personal mobile phone to take photographs to be attached to a file as evidence or documentation, or the use of his personal phone for computer testing.

19. BYOD is not "personal data processing" per se. It is a particular technical means by which data processing takes place.

20. The use of such personal equipment can certainly present increased risks [7], particularly in terms of data security, and should be subject to a particularly vigilant risk assessment. Without this constituting any remedy or sanction within the meaning of Article 95 of the LCA, the Litigation Chamber recalls in this regard the importance of data security, a fortiori when sensitive data is regularly processed - as in the case of the defendant - by the very nature of the missions entrusted to it or, more generally, when data processing (sensitive or not) takes place in a context as delicate as that of obtaining a right or requesting recognition of a status (as in the present case), which may expose the person concerned or his entourage to risk.

21. In this case, the defendant specifies that the use of personal equipment, such as a personal mobile phone, by one of its employees in the exercise of his function is contrary to the rules that it has in place. The use of his mobile phone by the employee concerned is an isolated fact contrary to the defendant's practices.

22. However, as recalled in point 19, the use of his personal mobile phone by the employee concerned, even in contravention of internal rules, does not constitute processing within the meaning of the GDPR. Nothing in the file attests to the fact that the processing of said data would also have taken place in violation of the data protection rules. If, as the Litigation Chamber explained above, recourse to BYOD (whether in contradiction with or in accordance with internal practices) potentially increases the risk of breaching the security of the data processed by means of such equipment, nothing in the file provides proof of a breach of the security obligation or of any other breach of the GDPR. The defendant further clarified that the photographs were immediately deleted from the personal phone of the employee concerned.

23. Based on the facts described in the complaint file as summarised above and the documents produced, and on the basis of the powers attributed to it by the legislator under Article 95, § 1 of the LCA, the Litigation Chamber decides on the action to be taken on the case. In this case, the Litigation Chamber decides to dismiss the complaint without further action, in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below.

24. In matters of dismissal, the Litigation Chamber is required to justify its decision step by step [8] and:
- to pronounce a technical dismissal if the file does not contain sufficient elements likely to lead to a sanction or if it includes a technical obstacle preventing it from rendering a decision;
- or to pronounce a dismissal on grounds of opportunity if, despite the presence of elements likely to lead to a sanction, the continuation of the examination of the file does not seem appropriate to it given the priorities of the Data Protection Authority as specified and illustrated in the dismissal policy of the Litigation Chamber [9].

25. In the event of dismissal based on several grounds, the latter (respectively, technical dismissal and dismissal on grounds of opportunity) must be dealt with in order of importance [10].

26. In this case, the Litigation Chamber decides to dismiss the complaint on technical grounds, as it considers that no breach of the GDPR or of the data protection rules whose compliance it monitors can, on the basis of the grievances and documents produced in support of the complaint, be blamed on the defendant (criterion A.2 of the dismissal policy of the Litigation Chamber).

III. Publication and communication of the decision

27. Given the importance of transparency with regard to the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the APD website. However, for this purpose it is not necessary that the identification data of the complainant be mentioned.

28. With regard to the identification of the defendant, the Litigation Chamber considers that a complete understanding of the decision - which (without this being a decisive criterion) does not otherwise accuse the defendant of any breach - requires that the identity of the defendant be published. This follows from the specific nature of the defendant's mission, from the references cited that are relevant to the motivation of this decision and therefore from the useful effect of the transparency desired by the Litigation Chamber.

29. In accordance with its dismissal policy [11], the Litigation Chamber communicates the decision to the defendant. Indeed, the Litigation Chamber decided to communicate dismissal decisions to the defendants concerned by default. The Litigation Chamber however refrains from such communication when the complainant has requested anonymity vis-à-vis the defendant and when the communication of the decision to the defendant, even if pseudonymised, nevertheless carries a risk of re-identification [12]. This is not the case in the present case.

FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, after deliberation, to dismiss this complaint without further action pursuant to Article 95, § 1, 3° of the LCA.

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Court of Markets (cour d'appel de Bruxelles), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in Article 1034ter of the Judicial Code [13]. The interlocutory request must be filed with the registry of the Court of Markets in accordance with Article 1034quinquies of the Judicial Code [14], or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).

(signed) Hielke HIJMANS, President of the Litigation Chamber

Notes
[1] The protection officer and his function are described as follows on the CGRA website (https://www.cgra.be/fr/travailler-pour-le-cgra): "The protection officer is the key figure in the fulfilment of the fundamental mission of the CGRS. He has a university education, is passionate about human rights and international politics and has excellent writing skills. The protection officer develops in-depth knowledge of the countries of origin of applicants for international protection and regularly follows training in order to maintain the expertise and skills necessary for the exercise of his function. The protection officer hears the applicant for international protection about all the elements contained in the file. He checks the credibility and examines whether the reasons for the request meet the criteria that may result in the granting of protection status. The protection officer then drafts a duly substantiated proposal for a decision."
[2] Emphasis added by the Litigation Chamber.
[3] The lawfulness of the data processing carried out by the defendant does not therefore have to be based on the consent of the applicant for protection. Data such as photographs of members of his family also become data concerning him as soon as he mentions them in the context of a hearing in support of his own request.
[4] See, for example, decision 129/2021 of the Litigation Chamber, point 23 in fine: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-129-2021.pdf. See also decision 56/2021 of the Litigation Chamber, points 51 to 60 and the references cited: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-56-2021.pdf
[5] European Data Protection Board (EDPB), Guidelines 07/2020 on the notions of controller and processor in the GDPR: https://edpb.europa.eu/system/files/202202/eppb_guidelines_202007_controllerprocessor_final_fr.pdf, point 86.
[6] European Data Protection Board (EDPB), Guidelines 07/2020 on the notions of controller and processor in the GDPR: https://edpb.europa.eu/system/files/202202/eppb_guidelines_202007_controllerprocessor_final_fr.pdf, page 4 of the French version and points 76-77. See also Decision 175/2022 of the Litigation Chamber.
[7] The CNIL recommends a certain number of good practices relating to the use of BYOD here: https://www.cnil.fr/fr/byod-quelles-sont-les-bonnes-pratiques. See also the work of the EDPS, "Guidelines on the protection of personal data in mobile devices used by European institutions" (December 2015), in particular points 90 et seq. devoted to the specific risks of BYOD: https://edps.europa.eu/sites/edp/files/publication/15-12-17_mobile_devices_en.pdf
[8] Court of Markets (Brussels Court of Appeal), 2 September 2020, judgment 2020/AR/329, p. 18.
[9] In this respect, the Litigation Chamber refers to its dismissal policy as developed and published on the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf
[10] Cf. Title 3, "In which cases is my complaint likely to be dismissed by the Litigation Chamber?", of the dismissal policy of the Litigation Chamber.
[11] Cf. Title 5, "Will the dismissal be published? Will the opposing party be informed?", of the dismissal policy of the Litigation Chamber.
[12] Ibidem.
[13] The request contains, on pain of nullity: 1° the indication of the day, month and year; 2° the surname, first name and domicile of the applicant, as well as, where applicable, his capacity and his national register number or company number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the object and a summary statement of the grounds of the request; 5° the indication of the judge seised of the application; 6° the signature of the applicant or his lawyer.
[14] The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.