APD/GBA (Belgium) - 84-2022: Difference between revisions

Revision as of 16:16, 21 June 2022

APD/GBA - 84-2022

Authority:	APD/GBA (Belgium)
Jurisdiction:	Belgium
Relevant Law:	Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1)(d) GDPR Article 6(1) GDPR Article 13 GDPR Article 14 GDPR
Type:	Complaint
Outcome:	Upheld
Started:	10.08.2020
Decided:	22.04.2022
Published:	24.05.2022
Fine:	5000 EUR
Parties:	n/a
National Case Number/Name:	84-2022
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	French
Original Source:	Autorité de protection des données, Decision quant au fond 84/2022 du 24 mai 2022 (in FR)
Initial Contributor:	Maria Anagnostou

The Belgian DPA fined a website provider €5000 for listing personal data of lawyers on its website without a legal basis and without informing the data subjects. In addition, its privacy and cookie policy were not compliant with the GDPR.

English Summary

Facts

On 4 June 2020, the Belgian DPA received a complaint from the Order of Francophone Bars of Belgium (OBGF) and Mr. Forges concerning two websites (sos-services.be & sos.avocats.com) that list lawyers with their full name, address, a telephone number (if available) and a description of their activities. The operator of the websites is the controller. The lawyers are the data subjects.

The OBGF and Mr. Forges stated that the abovementioned personal data was processed without consent (or any other legal basis) and without informing them. They also stated the privacy policy and the use of cookies was not compliant with the GDPR.

The Controller raised 3 legal bases for the processing of the lawyers' personal data. First, it argued that the processing of the personal data is based on a contractual relationship with the lawyers listed. Second, it stated to have obtained consent from some lawyers. The controller did admit not to have obtained consent from all lawyers. Third, the controller argues that "some processing activities are undoubtedly based on legitimate interest," either of the data subject or the controller.

The controller stated modified its privacy policy and added a cookie policy during the proceedings.

The controller stated that it no longer operates sos.avocats.com.

Holding

The DPA held that the controller did not have a legal basis for the processing of the personal data (Article 5(1) GDPR). The controller did not demonstrate a contractual relationship (Article 6(1)(b)) with the lawyers concerned. The DPA also found no evidence of consent given by the lawyers (Article 6(1)(a)). Regarding the controllers argument on the legitimate interest, the DPA noted that relying on the legitimate interest of a data subject for its own processing goes against all logic of the GDPR. As for its own legitimate interest, this would not override the fundamental rights and freedoms of the lawyers concerned. The DPA therefore held that the controller violated Article 5(1)(a) and Article 6.

The DPA also held that the revision of the controllers privacy policy was not sufficient. First of all, it didn’t indicate the purposes of the processing of the personal data of the persons concerned. Second, the DPA held that the retention period was not specific enough, as users could not foresee the actual retention period of their data. Hence, there was a breach of Article 13 and Article 14.

The DPA held that the controller violated Article 5(1)(a) (principle of fairness), as it did not inform the data subjects about the processing, the purposes pursued and it relates to data of which the persons concerned do not now how or where this was collected. The controller also violated the principle of purpose limitation (Article 5(1)(b)) by not indicating the purposes of processing. Moreover, the principle of accuracy (Article 5(1)(d)) was violated, as the personal data was outdated, or simply made-up.

The DPA fined the controller €5000 and ordered to suspend all processing of the lawyers' personal data listed on its website.

The DPA ordered the controller, first of all, to transmit the list of recipients (including subcontractors) to whom the personal data concerned was communicated or confirm in writing that no such transfer took place. secondly, to submit a revision of its privacy policy in accordance with the GDPR within 3 months. Lastly, to permanently remove all personal data and send a written confirmation to the DPA of the removal.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

@@ Line 25: / Line 25: @@
 |Date_Published=24.05.2022
 |Year=2022
-|Fine=20,000,000
+|Fine=5000
 |Currency=EUR
@@ Line 69: / Line 69: @@
 }}
-The Belgian DPA fined a website provider for unlawful processing of personal data,  and for violating the obligation to information.
+The Belgian DPA fined a website provider €5000 for listing personal data of lawyers on its website without a legal basis and without informing the data subjects. In addition, its privacy and cookie policy were not compliant with the GDPR.
 == English Summary ==
 === Facts ===
-On 10 August 2020, the Belgian DPA examined a complaint about two websites which included personal data, obtained without the data subjects’ consent, or based on another legal based, and without even them being informed. Furthermore, the examination was also regarding the noncompliance of the privacy policy and the use of cookies with the GDPR.
+On 4 June 2020, the Belgian DPA received a complaint from the Order of Francophone Bars of Belgium (OBGF) and Mr. Forges concerning two websites (sos-services.be & sos.avocats.com) that list lawyers with their full name, address, a telephone number (if available) and a description of their activities. The operator of the websites is the controller. The lawyers are the data subjects.
-The provisions examined were: First, Article 5 (1) and 6 GDPR for lack of lawful basis of the processing of the personal data concerned, with the purpose of publishing the data on the sites in dispute. More specifically, Article 5 (1) (a) GDPR about the principles of loyalty and transparency, because the processing was carried out without informing the persons concerned and related to personal data whose data subjects did not know where and how it was collected; Article 5 (1) (b) GDPR about the principle of correctness, because many personal data were erroneous; and Article 5 (1) (d) GDPR about the principle of limitation of purposes, due to the absence of indication of the purposes of the processing. Second, [[Article 13 GDPR|Article 13 GDPR]], on the collection of personal data, for non-availability or incomplete nature of the privacy document and the charter related to cookies. Third, [[Article 14 GDPR|Article 14 GDPR]] about the collection points for personal data. Finally, the information to be provided when personal data collected elsewhere than from the person concerned, because the personal data concerning the referenced lawyers were processed without their solemnity informed and without their consent.
+The OBGF and Mr. Forges stated that the abovementioned personal data was processed without consent (or any other legal basis) and without informing them. They also stated the privacy policy and the use of cookies was not compliant with the GDPR.
-The defendant argued about his good aims and his unintentionality of infringing the rights of the persons concerned.
+The Controller raised 3 legal bases for the processing of the lawyers' personal data. First, it argued that the processing of the personal data is based on a contractual relationship with the lawyers listed. Second, it stated to have obtained consent from some lawyers. The controller did admit not to have obtained consent from all lawyers. Third, the controller argues that "some processing activities are undoubtedly based on legitimate interest," either of the data subject or the controller.
-=== Holding ===
+The controller stated modified its privacy policy and added a cookie policy during the proceedings.
-Regarding the legal basis of the processing, the DPA pointed out that it goes against all the essence of the GDPR for the data controller to rely on the legitimate interest of the data subject to base the processing he, himself carries out; the legitimate interest has to be related with the controller.
-As for Article 6 (1) (f) GDPR, the DPA highlighted that, in order to be able to invoke the lawful basis of legitimate interest in accordance with this article, the controller must demonstrate that the interests can be recognized as legitimate (purpose test), the envisaged processing is necessary to achieve these interests (necessity test) and the balancing of these interests against the rights of the data subjects weights in favor of the controller (balancing test). These tree are cumulative conditions and in the case at hand the processing carried out by the defendant did not meet the third one. Hence, the processing was unlawful.
+The controller stated that it no longer operates sos.avocats.com.
-Moreover, the DPA recalled that an essential aspect of the principle of transparency highlighted in Articles 12, 13, and 14 GDPR is that the data subject should be able to determine the scope and consequences of the processing in advance, in order to not be caught unawares at a later stage as to how their personal data has been used. The information should be concrete and reliable, and it should not be formulated in abstract or ambiguous terms or leave room for different interpretations. In particular the purposes and legal bases for the processing of personal data should be clearly set out.
+=== Holding ===
+The DPA held that the controller did not have a legal basis for the processing of the personal data (Article 5(1) GDPR). The controller did not demonstrate a contractual relationship (Article 6(1)(b)) with the lawyers concerned. The DPA also found no evidence of consent given by the lawyers (Article 6(1)(a)). Regarding the controllers argument on the legitimate interest, the DPA noted that relying on the legitimate interest of a data subject for its own processing goes against all logic of the GDPR. As for its own legitimate interest, this would not override the fundamental rights and freedoms of the lawyers concerned. The DPA therefore held that the controller violated Article 5(1)(a) and Article 6.
-Regarding the policy document provided in the websites by the defendant, the DPA held that it was in violation of Article 5 (1) (b) of the GDPR as it didn’t indicate the purposes of the processing of the personal data of the persons concerned. The purposes of the processing must be clearly indicated.
-The DPA held that the retention period set out by the defendant was not specific enough, as the users of the websites were not in the position to foresee the actual retention period of their data. The retention period should be indicated for each purpose.
-The DPA found that the controller violated Articles 13 and 14 of the GDPR by not informing the data subjects concerned that their personal data are obtained and by including inaccurate and false information about then on the websites.
+The DPA also held that the revision of the controllers privacy policy was not sufficient. First of all, it didn’t indicate the purposes of the processing of the personal data of the persons concerned. Second, the DPA held that the retention period was not specific enough, as users could not foresee the actual retention period of their data. Hence, there was a breach of Article 13 and Article 14.
-The DPA found that the privacy charter and the cookies policy contained false, incomplete and insufficient information. Therefore, it held that the controller violated Article 12 (1) by not communicating the information referred to in Article 13 and 14  of the GDPR in a “concise, transparent, intelligible and easily accessible form”. Mention of the possibility of filing a complaint with the DPA was also missing from the documents.
+The DPA held that the controller violated Article 5(1)(a) (principle of fairness), as it did not inform the data subjects about the processing, the purposes pursued and it relates to data of which the persons concerned do not now how or where this was collected. The controller also violated the principle of purpose limitation (Article 5(1)(b)) by not indicating the purposes of processing. Moreover, the principle of accuracy (Article 5(1)(d)) was violated, as the personal data was outdated, or simply made-up.
-The DPA considered that the lack of response from the defendant to the complainant’s letter informing him of his breaches of the GDPR and ordering him to comply, together with absence of modification of the one site up to those made during the present proceedings, reflect a deliberate intention to violate the GDPR on the part of the defendant.
+The DPA fined the controller €5000 and ordered to suspend all processing of the lawyers' personal data listed on its website.
-The DPA fined the controller 20,000,000EUR and imposed an order of compliance with the principles of lawfulness, information, loyalty and transparency, and accuracy, as they derive from Article 5 (1) (a), 5 (1) (b), 5 (1) (d), 6(1), 13 and 14 of the GDPR, respectively.
+The DPA ordered the controller, first of all, to transmit the list of recipients (including subcontractors) to whom the personal data concerned was communicated or confirm in writing that no such transfer took place. secondly, to submit a revision of its privacy policy in accordance with the GDPR within 3 months. Lastly, to permanently remove all personal data and send a written confirmation to the DPA of the removal.
 == Comment ==