APD/GBA (Belgium) - 95/2023
From GDPRhub
| APD/GBA - 95/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(1) GDPR Article 6 GDPR Article 9(1) GDPR Article 9(2) GDPR Article 13 GDPR Article 14 GDPR Article 100.1.1° LCA |
| Type: | Complaint |
| Outcome: | Other Outcome |
| Started: | 07.10.2021 |
| Decided: | 06.07.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 95/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | Autorité de protection des données (in FR) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA held that vaccination status constitutes sensitive health data under Article 9(1) GDPR and that a person who refused to provide such data has sufficient interest to submit a complaint even though no processing took place.
English Summary
Facts
The controller was a dancing school which refused to re-enroll a person because she did not want to confirm whether or not she had been vaccinated against Covid-19. Considering that the controller did not have a legal basis to ask for her vaccination status, the person filed a complaint with the Belgian DPA.The controller denied ever having requested this information, it stated that it had only recommended members to vaccinate based on the French Interfederal Sports Association's recommendation.
Holding
The Belgian DPA started by clarifying that since the complainant had not shared her vaccination status, no processing of personal data had taken place. Even though the complainant could not be considered as a data subject within the meaning of Article 4(1) GDPR, this lack of processing however, did not deprive her of her right and interest to submit a complaint with the DPA. The DPA stated that, considering that a vaccination status could qualify as sensitive health data under Article 9(1) GDPR, it is in principle forbidden to process. Article 9(2) sets out the exceptions to this principle, these conditions must be read in conjunction with the required legal basis as defined in Article 6. Unlike other cases in which the DPA has found one or other breach even in the absence of processing, in this case the DPA considered that there was not enough evidence that this information was actually requested. Consequently, the DPA dismissed the case.
Comment
The Belgian DPA refers to case law of the Court of Cassation of 7 october 2021 which is the result from a DPA decision APD/GBA - 06/2019 that was appealed (Court of Appeal of Brussels - 2019/AR/1600).
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/9
Litigation Chamber
Decision on the merits95/2023 of 6 July 2023
File number: DOS-2021-06714
Subject: Complaint relating to a refusal to register for a leisure activity due to
the absence of communication of a vaccination status (covid-19)
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Romain Robert, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter "GDPR";
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter
ACL);
Having regard to the internal regulations as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The complainant: Mrs. X, hereinafter "the complainant".
The defendant: ASBL Y, hereinafter "the defendant". Decision on the merits 95/2023 – 2/9
I. Facts and procedure
1. On October 7, 2021, the complainant filed a complaint with the Protection Authority
data (APD) against the defendant. The defendant is an association which
organizes dance lessons.
2. The subject of the complaint relates to the refusal by the defendant to reinsert the complainant as
member for the year 2021-2022 as soon as the latter has objected to him communicate if yes
or not she was then vaccinated against the covid-19 virus. More generally, the complaint
questions the question on what basis the defendant would have been authorized to
request this information.
3. From the documents produced in support of the complaint, it appears that in August 2021, the defendant
informed the members of the association of the upcoming resumption of classes after the interruption
forced from them during the health crisis linked to the covid-19 virus pandemic. She
also informed that the Interfederal Association of Francophone Sport (AISF)
insisted that teachers, monitors and all members be vaccinated. There
defendant thus wrote: “Here is the advice that the AISF has just sent to us. We
hope you will welcome them so that we can resume our
next season with complete peace of mind and reassure some of our members. All members
of the committee being already vaccinated".
4. The plaintiff reacted to this email by specifying that she would scrupulously respect the law but
that no provision known at the time required proof of vaccination to be produced for
take part in one or another dance class such as the one given by the defendant.
5. The complainant indicates that on September 23, 2021, she went to the premises of the
defendant to re-register for said courses. The complainant indicates that
On this occasion, the defendant's manager orally asked him to specify whether
whether or not she was vaccinated against covid-19. The complainant states that she refused to provide
this information. Following this refusal, the plaintiff adds that the defendant did not
wanted to re-register.
6. In October and November 2021, letters were exchanged between the counsel consulted by
the plaintiff and the defendant regarding the said refusal of registration, the payment of the
contribution and communications relating to the defendant's activities, the
complainant was not informed. It emerges from this correspondence that ultimately the
complainant was able to participate in the courses, the defendant denying that she ever intended
to make access to its courses conditional on the vaccination of its members (including the complainant)
against the covid-19 virus, nor to demand to know their vaccination status. The defendant
claims not to have requested this information when the complainant visited on 23 Decision on the merits 95/2023 – 3/9
September 2021 (item 5). She adds that at most, she transmitted to her members
recommendations aimed at preserving everyone's health.
7. On March 1, 2022, the complaint was declared admissible by the Service de Première Ligne (SPL)
DPA on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the Chamber
Litigation under article 62, § 1 of the LCA.
er
8. On March 30, 2022, the Litigation Division decides, pursuant to Article 95, § 1, 1° and
article 98 of the LCA, that the case can be dealt with on the merits.
9. On the same date, the parties concerned are informed by registered letter of the
provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are
also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their
conclusions.
10. On the basis of the facts denounced in the complaint, the Litigation Chamber invites the
defendant to put forward its arguments with regard to the potential breaches that
reveal the facts reported, in particular with regard to the basis of lawfulness on which it
considers that it can justify the processing of the complainant's vaccination status (Article 9, combined with
GDPR Article 6). The Litigation Chamber also invites the parties to enlighten it on
the personal data requested during registration as well as the information provided
to persons concerned with regard to the processing of their registration data in application
of Articles 12 to 14 of the GDPR. The documents in the file are transmitted to the parties on the occasion
of this mail.
11. The deadline for receipt of the defendant's submissions in response has been set
to May 12, 2022, that for the complainant's reply submissions to June 3, 2022 and that
for the defendant's reply conclusions on June 27, 2022.
12. On April 14, 2022, the Litigation Chamber receives the submissions in response from the
defendant. The defendant's argument is based on the answers it provided
provided to counsel for the complainant (point 6). She denies having asked the complainant whether or not
no, the latter was vaccinated and initially refused, at the very least, her
registration on the basis of the latter's refusal to answer him about his vaccination.
13. On May 30, 2022, the Litigation Chamber received the conclusions in response from the complainant.
The latter maintains that this information was indeed requested of her and deplores the attitude
deceit of the defendant.
14. On June 23, 2022, the Litigation Chamber receives the conclusions in reply and summary
of the defendant which contain the same line of defense as that developed in the
points 6 and 12 above. Decision on the merits 95/2023 – 4/9
II. Motivation
15. The DPA is the Belgian authority responsible in particular for monitoring compliance with the GDPR by
application of Article 8 of the Charter of Fundamental Rights of the European Union (EU),
of article 16 of the Treaty on the Functioning of the European Union (TFEU) and of article
51 GDPR.
16. It follows in this respect from Article 4 of the LCA and its explanatory memorandum that DPA is
"competent to carry out the missions and mandates to monitor compliance with the principles
fundamentals of protection of personal data as established in the
Regulation 2016/679. (…)”. 1
17. Under Article 77 of the GDPR, it is provided that “without prejudice to any other remedy
administrative or judicial, any person concerned has the right to introduce a
complaint to a supervisory authority, in particular in the Member State in which
is his habitual residence, his place of work or the place where the violation is alleged to have been
committed, if it considers that the processing of personal data concerning
constitutes a violation of this regulation”.
18. Before examining the merits of the complaint, the Litigation Chamber would like to
specify the following with regard to its competence (points 19-22).
19. The Litigation Division notes that it appears from the complaint filed that the complainant did not
not communicated his vaccination status to the defendant and that the defendant therefore did not
processed this personal data concerning him.
20. This lack of treatment does not, however, deprive the complainant of the right to lodge a complaint,
right recognized by article 77 of the GDPR mentioned above (point 17), completeness
concerning his right to lodge a complaint with the DPA by articles 56 and following of
the ACL.
21. In this regard, the Litigation Chamber recalls that in a judgment of October 7, 2021, the Court
of the cassation thus stated:“3.It is undoubtedly apparent from all the provisions
aforementioned legal provisions that a data subject has the right to lodge a complaint
with the Data Protection Authority against a processing practice of which it
believes that it violates its rights under the GDPR (...). This is also the case when the
personal data of the data subject himself has not been processed
but that the latter did not obtain the advantage or the service because, precisely because of
of the existence of the allegedly infringing practice, she refused to
1Preparatory work: to be completed Decision on substance 95/2023 – 5/9
2
consent to the processing”. The consideration issued by the Court of Cassation is precisely
that denounced in the present case.
22. The Litigation Chamber has also, on several occasions already, considered that, even in
the absence of an effective processing of his data, a person could, under certain
conditions, to be recognized as having an interest in acting and, subsequently, to have their complaint declared
admissible. The Litigation Chamber considers that in this case, the complainant had a
sufficient interest in acting since it was directly concerned by the request that
made by the defendant and that the communication of the information requested – moreover
sensitive to common sense and to the meaning of the regulations on the protection of
data (see below) - was likely to condition his access to an available activity
in principle to everyone, certainly subject to some membership management data but, excluding
covid-19 pandemic, free access for the surplus without interference from the vaccination status.
Therefore, the mere fact that the complainant did not provide information on her vaccination status
(point 5) and is not a data subject within the meaning of Article 4.1 of the GDPR is not
determining in the present decision of the Litigation Chamber to classify the complaint without
suite (see below) and does not constitute, in this case, a technical reason for classification without
suite (lack of admissibility).
23. As to the merits, the Litigation Chamber recalls - without these reminders constituting a
any corrective measure or sanction within the meaning of Article 100.1. of the ACL - that all
processing of personal data must, in application of the principle of legality
dedicated to article 5.1. a) of the GDPR, being able to rely on one of the bases of lawfulness of the article
6.1. of the GDPR. When the data controller plans to process data that
comes under the "special categories of data", it must also comply with the conditions of
Article 9 read in conjunction with Article 6 of the GDPR (and in light of recital 51). This
basis of lawfulness must both exist and be identified by the data controller before
the operationalization of the treatment.
24. Article 9 of the GDPR (special categories of data) provides for its part in its § 1,
a ban on the processing of so-called “sensitive” data in terms: “the processing
personal data that reveals racial or ethnic origin, opinions
political, religious or philosophical beliefs or trade union membership, as well as
that the processing of genetic data, biometric data for the purpose of identifying
anaturalpersoninauniqueway,dataconcerninghealthordata
concerning the sexual life or sexual orientation of a natural person are prohibited”. 4
2 It is the Litigation Chamber which underlines. See. in this regard, decision 126/2021 of the Litigation Chamber:
https://www.autoriteprotectiondonnees.be/publications/classement-sans-suite-n-126-2021.pdf
3See. in this respect more particularly the following decisions of the Litigation Chamber: 30/2020, 80/2020 and
117/2021.
4It is the Litigation Chamber which underlines. Decision on the merits 95/2023 – 6/9
Article 9.2.provides for a number of cases in which this prohibition may,
in combination with Article 6 of the GDPR, be waived.
25. Before being able to consider whether or not a basis of lawfulness is lacking as denounced by the
complainant, it is therefore essential to qualify the data processed - or whose processing is
envisaged - to determine whether compliance with Article 6 of the GDPR alone should be checked or whether, in
presence of data covered by Article 9.1. of the GDPR (i.e. data qualified as “
sensitive”), it is compliance with article 9.2 read in combination with article 6 of the GDPR that
should be checked.
26. As for the qualification of the vaccination status, the Litigation Chamber recalls that it appears from the
recital 35 of the GDPR which clarifies article 4.15 that personal data
relating to health include all data relating to the state of health
of a data subject who reveal information about his or her physical or
mind past, present or future. The notion of “health data” must be
subject to wide interpretation. It encompasses not only the current state of health of the
person concerned, but also the possible evolution of his health in the future.
27. In a decision 143/20216 taken at the time of the facts denounced in the complaint which leads
to this decision, the Litigation Chamber concluded that the vaccination status was
constituting data concerning health within the meaning of Article 9.1. of the GDPR. Bedroom
Litigation emphasizes that it has been proven that the risk of contamination with covid-19 is
particularly high and that people who are not vaccinated are at risk
important to be contaminated in the future, with the consequence of a possible evolution
serious illness. This also explains, according to the Litigation Chamber, that the statute
vaccination of the person concerned is included in his medical file. In other words,
the notion of health data cannot be reduced to the fact of being sick or not. It is clear for the
Litigation Chamber that a person's vaccination status undeniably constitutes a
health data within the meaning of Article 9.1. of the GDPR.
28. Finally, the Litigation Chamber also recalls that in the event of direct collection of data from
personal nature with the person concerned as in this case, the person in charge
is required to provide the latter with the information listed in article
13.1 and 13.2. of the GDPR unless and insofar as the data subject has already
knowledge (Article 13.4. of the GDPR). This information could, for example, be
mentioned on the registration form.
5 See. in this respect the developments of the Litigation Chamber in its decision 49/2023:
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-49-2023.pdf
6
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-143-2021.pdf Decision on the merits 95/2023 – 7/9
III. Regarding corrective measures and sanctions
29. Under Article 100 of the LCA, the Litigation Chamber has the power to:
1° dismiss the complaint without follow-up;
2° order the dismissal;
3° order a suspension of the pronouncement;
4° propose a transaction;
(5) issue warnings or reprimands;
6° to order to comply with the data subject's requests to exercise his rights;
(7) order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of processing;
9° order the processing to be brought into conformity;
10° order the rectification, restriction or erasure of the data and the notification of
these to the recipients of the data;
11° order the withdrawal of accreditation from certification bodies;
12° to issue periodic penalty payments;
13° to impose administrative fines;
14° order the suspension of cross-border data flows to another State or a
international body;
15° forward the file to the public prosecutor's office in Brussels, which informs it of the
follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Authority of
Data protection.
30. In matters of dismissal, the Litigation Chamber must justify its decision by
step and:
- to pronounce a classification without technical continuation if the file does not contain or not
sufficient elements likely to lead to a sanction or if it includes a
technical obstacle preventing him from rendering a decision;
- or pronounce a classification without continuation of opportunity, if in spite of the presence of elements
likely to lead to a sanction, the continuation of the examination of the file does not seem to him
7Cour des marchés (Brussels Court of Appeal), 2 September 2020, 2020/AR/329, p. 18. Decision on the merits 95/2023 – 8/9
not timely given the ODA priorities as specified and illustrated in
the Dispute Resolution Policy of the Litigation Chamber. 8
31. In the event of classification without continuation on the basis of several grounds (respectively, classification
without technical and/or opportunity follow-up), the reasons for the classification without follow-up must be
9
treated in order of importance.
32. In the present case, the Litigation Chamber decides to proceed with a classification without
suite for technical reasons based on the absence of any breach of the GDPR or the laws of which
it is responsible for ensuring the observance of compliance by the defendant.
33. Indeed, the parties disagree on the question of whether this information relating
the vaccination status (which constitutes personal data within the meaning of article 4.1. of the
GDPR, sensitive within the meaning of Article 9.1 elsewhere) has or has not been requested. Bedroom
Litigation is unable to decide whether or not this was the case when these
remarks would have been made orally. Unlike other cases in which the
Litigation Chamber has found one or other breach even in the absence of
treatment, the Litigation Chamber is not in this case in possession of proof that
this information would have been effectively requested (but not collected) via a form
who would request data contrary to the principle of minimization, for example or via a
document to be completed which does not provide any information required by Articles 13 or 14
of the GDPR.
34. Accordingly, the Litigation Chamber classifies the complaint without further action for technical reasons on the
basis of article 100.1.1° of the LCA.
IV. Publication of the decision
35. Given the importance of transparency regarding the decision-making process of the Chamber
Litigation, this decision is published on the website of the Protection Authority
data (APD). However, it is not necessary for this purpose that the data
identification of the parties are directly mentioned.
8
https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-
contentious.pdf .
9 Dismissal policy of the Litigation Chamber, 18/06/2021, point 3 (“In which cases is my complaint
likely to be dismissed by the Litigation Chamber?”), available on
https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-
litigation.pdf Decision on the merits 95/2023 – 9/9
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority decides, after deliberation:
- Pursuant to article 100.1.1° of the LCA, to close the present complaint without further action.
In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days of its notification, to the Court of Markets (Court
d'appel de Bruxelles), with the Data Protection Authority (DPA) as a party
defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code. The interlocutory motion must be
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 11
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).
(Sr.) Hielke H IJMANS
President of the Litigation Chamber
10The request barely contains any invalidity:
(1) indication of the day, month and year;
2° the surname, first name, domicile of the applicant, as well as, where appropriate, his qualifications and his national register number or
Business Number;
3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
(4) the object and summary of the grounds of the application;
(5) the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.
11
The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.
