APD/GBA (Belgium) - 84-2022

From GDPRhub
Revision as of 12:23, 21 June 2022 by Maria.anagnostou
APD/GBA - 84-2022
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(d) GDPR
Article 6(1) GDPR
Article 13 GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started: 10.08.2020
Decided: 22.04.2022
Published: 24.05.2022
Fine: 20,000,000 EUR
Parties: n/a
National Case Number/Name: 84-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Autorité de protection des données, Decision quant au fond 84/2022 du 24 mai 2022 (in FR)
Initial Contributor: Maria Anagnostou

The Belgian DPA fined a website provider for unlawful processing of personal data and for violating the obligation to provide information.

English Summary

Facts

On 10 August 2020, the Belgian DPA examined a complaint about two websites which included personal data obtained without the data subjects’ consent or another legal basis, and without them even being informed. The examination also concerned the non-compliance of the privacy policy and the use of cookies with the GDPR.

The provisions examined were: First, Articles 5 (1) and 6 GDPR, for lack of a lawful basis for the processing of the personal data concerned, with the purpose of publishing the data on the sites in dispute. More specifically, Article 5 (1) (a) GDPR about the principles of loyalty and transparency, because the processing was carried out without informing the persons concerned and related to personal data whose data subjects did not know where and how it was collected; Article 5 (1) (b) GDPR about the principle of correctness, because many personal data were erroneous; and Article 5 (1) (d) GDPR about the principle of limitation of purposes, due to the absence of indication of the purposes of the processing. Second, Article 13 GDPR, on the collection of personal data, for the unavailability or incompleteness of the privacy document and the charter related to cookies. Third, Article 14 GDPR about the collection points for personal data. Finally, the information to be provided when personal data are collected elsewhere than from the person concerned, because the personal data concerning the referenced lawyers were processed without their being informed and without their consent.

The defendant argued that his aims were good and that he had not intended to infringe the rights of the persons concerned.

Holding

Regarding the legal basis of the processing, the DPA pointed out that it goes against the very essence of the GDPR for the data controller to rely on the legitimate interest of the data subject as the basis for processing that the controller itself carries out; the legitimate interest has to relate to the controller.

As for Article 6 (1) (f) GDPR, the DPA highlighted that, in order to invoke the lawful basis of legitimate interest in accordance with this article, the controller must demonstrate that the interests can be recognized as legitimate (purpose test), that the envisaged processing is necessary to achieve these interests (necessity test), and that the balancing of these interests against the rights of the data subjects weighs in favor of the controller (balancing test). These three conditions are cumulative, and in the case at hand the processing carried out by the defendant did not meet the third one. Hence, the processing was unlawful.

Moreover, the DPA recalled that an essential aspect of the principle of transparency highlighted in Articles 12, 13, and 14 GDPR is that the data subject should be able to determine the scope and consequences of the processing in advance, so as not to be caught unawares at a later stage as to how their personal data has been used. The information should be concrete and reliable, and it should not be formulated in abstract or ambiguous terms or leave room for different interpretations. In particular, the purposes and legal bases for the processing of personal data should be clearly set out.

Regarding the policy document provided on the websites by the defendant, the DPA held that it was in violation of Article 5 (1) (b) of the GDPR as it did not indicate the purposes of the processing of the personal data of the persons concerned. The purposes of the processing must be clearly indicated.

The DPA held that the retention period set out by the defendant was not specific enough, as the users of the websites were not in a position to foresee the actual retention period of their data. The retention period should be indicated for each purpose.

The DPA found that the controller violated Articles 13 and 14 of the GDPR by not informing the data subjects concerned that their personal data had been obtained and by including inaccurate and false information about them on the websites.

The DPA found that the privacy charter and the cookies policy contained false, incomplete and insufficient information. Therefore, it held that the controller violated Article 12 (1) by not communicating the information referred to in Articles 13 and 14 of the GDPR in a “concise, transparent, intelligible and easily accessible form”. Mention of the possibility of filing a complaint with the DPA was also missing from the documents.

The DPA considered that the lack of response from the defendant to the complainant’s letter informing him of his breaches of the GDPR and ordering him to comply, together with the absence of any modification of the one site until those made during the present proceedings, reflected a deliberate intention to violate the GDPR on the part of the defendant.

The DPA fined the controller 20,000,000 EUR and imposed an order of compliance with the principles of lawfulness, information, loyalty and transparency, and accuracy, as they derive from Articles 5 (1) (a), 5 (1) (b), 5 (1) (d), 6 (1), 13 and 14 of the GDPR, respectively.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.