APD/GBA (Belgium) - 95/2023

From GDPRhub
APD/GBA - 95/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 6 GDPR
Article 9(1) GDPR
Article 9(2) GDPR
Article 13 GDPR
Article 14 GDPR
Article 100.1.1° LCA
Type: Complaint
Outcome: Other Outcome
Started: 07.10.2021
Decided: 06.07.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 95/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Autorité de protection des données (in FR)
Initial Contributor: Enzo Marquet

The Belgian DPA held that vaccination status constitutes sensitive health data under Article 9(1) GDPR and that a person who refused to provide such data has sufficient interest to submit a complaint even though no processing took place.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller was a dancing school which refused to re-enroll a person because she did not want to confirm whether or not she had been vaccinated against Covid-19. Considering that the controller did not have a legal basis to ask for her vaccination status, the person filed a complaint with the Belgian DPA.The controller denied ever having requested this information, it stated that it had only recommended members to vaccinate based on the French Interfederal Sports Association's recommendation.

Holding[edit | edit source]

The Belgian DPA started by clarifying that since the complainant had not shared her vaccination status, no processing of personal data had taken place. Even though the complainant could not be considered as a data subject within the meaning of Article 4(1) GDPR, this lack of processing however, did not deprive her of her right and interest to submit a complaint with the DPA. The DPA stated that, considering that a vaccination status could qualify as sensitive health data under Article 9(1) GDPR, it is in principle forbidden to process. Article 9(2) sets out the exceptions to this principle, these conditions must be read in conjunction with the required legal basis as defined in Article 6. Unlike other cases in which the DPA has found one or other breach even in the absence of processing, in this case the DPA considered that there was not enough evidence that this information was actually requested. Consequently, the DPA dismissed the case.

Comment[edit | edit source]

The Belgian DPA refers to case law of the Court of Cassation of 7 october 2021 which is the result from a DPA decision APD/GBA - 06/2019 that was appealed (Court of Appeal of Brussels - 2019/AR/1600).

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/9





                                                                        Litigation Chamber


                                           Decision on the merits95/2023 of 6 July 2023





File number: DOS-2021-06714


Subject: Complaint relating to a refusal to register for a leisure activity due to

the absence of communication of a vaccination status (covid-19)




The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Romain Robert, members;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and

to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter "GDPR";


Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter

ACL);

Having regard to the internal regulations as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;


Made the following decision regarding:



The complainant: Mrs. X, hereinafter "the complainant".


The defendant: ASBL Y, hereinafter "the defendant". Decision on the merits 95/2023 – 2/9


I. Facts and procedure


 1. On October 7, 2021, the complainant filed a complaint with the Protection Authority

       data (APD) against the defendant. The defendant is an association which

       organizes dance lessons.

 2. The subject of the complaint relates to the refusal by the defendant to reinsert the complainant as

       member for the year 2021-2022 as soon as the latter has objected to him communicate if yes

       or not she was then vaccinated against the covid-19 virus. More generally, the complaint
       questions the question on what basis the defendant would have been authorized to

       request this information.


 3. From the documents produced in support of the complaint, it appears that in August 2021, the defendant
       informed the members of the association of the upcoming resumption of classes after the interruption

       forced from them during the health crisis linked to the covid-19 virus pandemic. She

       also informed that the Interfederal Association of Francophone Sport (AISF)

       insisted that teachers, monitors and all members be vaccinated. There

       defendant thus wrote: “Here is the advice that the AISF has just sent to us. We

       hope you will welcome them so that we can resume our
       next season with complete peace of mind and reassure some of our members. All members

       of the committee being already vaccinated".


 4. The plaintiff reacted to this email by specifying that she would scrupulously respect the law but
       that no provision known at the time required proof of vaccination to be produced for

       take part in one or another dance class such as the one given by the defendant.


 5. The complainant indicates that on September 23, 2021, she went to the premises of the
       defendant to re-register for said courses. The complainant indicates that

       On this occasion, the defendant's manager orally asked him to specify whether

       whether or not she was vaccinated against covid-19. The complainant states that she refused to provide

       this information. Following this refusal, the plaintiff adds that the defendant did not

       wanted to re-register.

 6. In October and November 2021, letters were exchanged between the counsel consulted by

       the plaintiff and the defendant regarding the said refusal of registration, the payment of the

       contribution and communications relating to the defendant's activities, the

       complainant was not informed. It emerges from this correspondence that ultimately the
       complainant was able to participate in the courses, the defendant denying that she ever intended

       to make access to its courses conditional on the vaccination of its members (including the complainant)

       against the covid-19 virus, nor to demand to know their vaccination status. The defendant

       claims not to have requested this information when the complainant visited on 23 Decision on the merits 95/2023 – 3/9


      September 2021 (item 5). She adds that at most, she transmitted to her members

      recommendations aimed at preserving everyone's health.

7. On March 1, 2022, the complaint was declared admissible by the Service de Première Ligne (SPL)

      DPA on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the Chamber

      Litigation under article 62, § 1 of the LCA.

                                                                                            er
8. On March 30, 2022, the Litigation Division decides, pursuant to Article 95, § 1, 1° and
      article 98 of the LCA, that the case can be dealt with on the merits.


9. On the same date, the parties concerned are informed by registered letter of the

      provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are
      also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their

      conclusions.


10. On the basis of the facts denounced in the complaint, the Litigation Chamber invites the

      defendant to put forward its arguments with regard to the potential breaches that
      reveal the facts reported, in particular with regard to the basis of lawfulness on which it

      considers that it can justify the processing of the complainant's vaccination status (Article 9, combined with

      GDPR Article 6). The Litigation Chamber also invites the parties to enlighten it on

      the personal data requested during registration as well as the information provided

      to persons concerned with regard to the processing of their registration data in application

      of Articles 12 to 14 of the GDPR. The documents in the file are transmitted to the parties on the occasion
      of this mail.


11. The deadline for receipt of the defendant's submissions in response has been set

      to May 12, 2022, that for the complainant's reply submissions to June 3, 2022 and that

      for the defendant's reply conclusions on June 27, 2022.

12. On April 14, 2022, the Litigation Chamber receives the submissions in response from the

      defendant. The defendant's argument is based on the answers it provided

      provided to counsel for the complainant (point 6). She denies having asked the complainant whether or not
      no, the latter was vaccinated and initially refused, at the very least, her

      registration on the basis of the latter's refusal to answer him about his vaccination.


13. On May 30, 2022, the Litigation Chamber received the conclusions in response from the complainant.

      The latter maintains that this information was indeed requested of her and deplores the attitude
      deceit of the defendant.


14. On June 23, 2022, the Litigation Chamber receives the conclusions in reply and summary

      of the defendant which contain the same line of defense as that developed in the

      points 6 and 12 above. Decision on the merits 95/2023 – 4/9


II. Motivation


 15. The DPA is the Belgian authority responsible in particular for monitoring compliance with the GDPR by

       application of Article 8 of the Charter of Fundamental Rights of the European Union (EU),

       of article 16 of the Treaty on the Functioning of the European Union (TFEU) and of article

       51 GDPR.

 16. It follows in this respect from Article 4 of the LCA and its explanatory memorandum that DPA is

       "competent to carry out the missions and mandates to monitor compliance with the principles

       fundamentals of protection of personal data as established in the

       Regulation 2016/679. (…)”. 1


 17. Under Article 77 of the GDPR, it is provided that “without prejudice to any other remedy
       administrative or judicial, any person concerned has the right to introduce a

       complaint to a supervisory authority, in particular in the Member State in which

       is his habitual residence, his place of work or the place where the violation is alleged to have been

       committed, if it considers that the processing of personal data concerning

       constitutes a violation of this regulation”.


 18. Before examining the merits of the complaint, the Litigation Chamber would like to
       specify the following with regard to its competence (points 19-22).


 19. The Litigation Division notes that it appears from the complaint filed that the complainant did not

       not communicated his vaccination status to the defendant and that the defendant therefore did not

       processed this personal data concerning him.

 20. This lack of treatment does not, however, deprive the complainant of the right to lodge a complaint,

       right recognized by article 77 of the GDPR mentioned above (point 17), completeness

       concerning his right to lodge a complaint with the DPA by articles 56 and following of

       the ACL.

 21. In this regard, the Litigation Chamber recalls that in a judgment of October 7, 2021, the Court

       of the cassation thus stated:“3.It is undoubtedly apparent from all the provisions

       aforementioned legal provisions that a data subject has the right to lodge a complaint

       with the Data Protection Authority against a processing practice of which it

       believes that it violates its rights under the GDPR (...). This is also the case when the

       personal data of the data subject himself has not been processed

       but that the latter did not obtain the advantage or the service because, precisely because of
       of the existence of the allegedly infringing practice, she refused to







1Preparatory work: to be completed Decision on substance 95/2023 – 5/9


                                 2
       consent to the processing”. The consideration issued by the Court of Cassation is precisely

       that denounced in the present case.

 22. The Litigation Chamber has also, on several occasions already, considered that, even in

       the absence of an effective processing of his data, a person could, under certain

       conditions, to be recognized as having an interest in acting and, subsequently, to have their complaint declared

       admissible. The Litigation Chamber considers that in this case, the complainant had a

       sufficient interest in acting since it was directly concerned by the request that

       made by the defendant and that the communication of the information requested – moreover

       sensitive to common sense and to the meaning of the regulations on the protection of

       data (see below) - was likely to condition his access to an available activity

       in principle to everyone, certainly subject to some membership management data but, excluding

       covid-19 pandemic, free access for the surplus without interference from the vaccination status.

       Therefore, the mere fact that the complainant did not provide information on her vaccination status

       (point 5) and is not a data subject within the meaning of Article 4.1 of the GDPR is not

       determining in the present decision of the Litigation Chamber to classify the complaint without

       suite (see below) and does not constitute, in this case, a technical reason for classification without

       suite (lack of admissibility).


 23. As to the merits, the Litigation Chamber recalls - without these reminders constituting a

       any corrective measure or sanction within the meaning of Article 100.1. of the ACL - that all

       processing of personal data must, in application of the principle of legality

       dedicated to article 5.1. a) of the GDPR, being able to rely on one of the bases of lawfulness of the article

       6.1. of the GDPR. When the data controller plans to process data that

       comes under the "special categories of data", it must also comply with the conditions of

       Article 9 read in conjunction with Article 6 of the GDPR (and in light of recital 51). This

       basis of lawfulness must both exist and be identified by the data controller before

       the operationalization of the treatment.

 24. Article 9 of the GDPR (special categories of data) provides for its part in its § 1,

       a ban on the processing of so-called “sensitive” data in terms: “the processing

       personal data that reveals racial or ethnic origin, opinions

       political, religious or philosophical beliefs or trade union membership, as well as

       that the processing of genetic data, biometric data for the purpose of identifying

       anaturalpersoninauniqueway,dataconcerninghealthordata

       concerning the sexual life or sexual orientation of a natural person are prohibited”. 4




2 It is the Litigation Chamber which underlines. See. in this regard, decision 126/2021 of the Litigation Chamber:
  https://www.autoriteprotectiondonnees.be/publications/classement-sans-suite-n-126-2021.pdf
3See. in this respect more particularly the following decisions of the Litigation Chamber: 30/2020, 80/2020 and

  117/2021.
4It is the Litigation Chamber which underlines. Decision on the merits 95/2023 – 6/9



      Article 9.2.provides for a number of cases in which this prohibition may,

      in combination with Article 6 of the GDPR, be waived.

25. Before being able to consider whether or not a basis of lawfulness is lacking as denounced by the

      complainant, it is therefore essential to qualify the data processed - or whose processing is

      envisaged - to determine whether compliance with Article 6 of the GDPR alone should be checked or whether, in

      presence of data covered by Article 9.1. of the GDPR (i.e. data qualified as “

      sensitive”), it is compliance with article 9.2 read in combination with article 6 of the GDPR that

      should be checked.


26. As for the qualification of the vaccination status, the Litigation Chamber recalls that it appears from the

      recital 35 of the GDPR which clarifies article 4.15 that personal data

      relating to health include all data relating to the state of health

      of a data subject who reveal information about his or her physical or

      mind past, present or future. The notion of “health data” must be

      subject to wide interpretation. It encompasses not only the current state of health of the

      person concerned, but also the possible evolution of his health in the future.


27. In a decision 143/20216 taken at the time of the facts denounced in the complaint which leads

      to this decision, the Litigation Chamber concluded that the vaccination status was

      constituting data concerning health within the meaning of Article 9.1. of the GDPR. Bedroom

      Litigation emphasizes that it has been proven that the risk of contamination with covid-19 is

      particularly high and that people who are not vaccinated are at risk
      important to be contaminated in the future, with the consequence of a possible evolution

      serious illness. This also explains, according to the Litigation Chamber, that the statute

      vaccination of the person concerned is included in his medical file. In other words,

      the notion of health data cannot be reduced to the fact of being sick or not. It is clear for the

      Litigation Chamber that a person's vaccination status undeniably constitutes a

      health data within the meaning of Article 9.1. of the GDPR.


28. Finally, the Litigation Chamber also recalls that in the event of direct collection of data from

      personal nature with the person concerned as in this case, the person in charge

      is required to provide the latter with the information listed in article

      13.1 and 13.2. of the GDPR unless and insofar as the data subject has already

      knowledge (Article 13.4. of the GDPR). This information could, for example, be

      mentioned on the registration form.




5 See. in this respect the developments of the Litigation Chamber in its decision 49/2023:

  https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-49-2023.pdf
6
  https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-143-2021.pdf Decision on the merits 95/2023 – 7/9


III. Regarding corrective measures and sanctions


 29. Under Article 100 of the LCA, the Litigation Chamber has the power to:


       1° dismiss the complaint without follow-up;

       2° order the dismissal;


       3° order a suspension of the pronouncement;

       4° propose a transaction;


       (5) issue warnings or reprimands;

       6° to order to comply with the data subject's requests to exercise his rights;


       (7) order that the person concerned be informed of the security problem;

       8° order the freezing, limitation or temporary or permanent prohibition of processing;


       9° order the processing to be brought into conformity;

       10° order the rectification, restriction or erasure of the data and the notification of

       these to the recipients of the data;


       11° order the withdrawal of accreditation from certification bodies;

       12° to issue periodic penalty payments;


       13° to impose administrative fines;

       14° order the suspension of cross-border data flows to another State or a

       international body;


       15° forward the file to the public prosecutor's office in Brussels, which informs it of the
       follow-up given to the file;


       16° decide on a case-by-case basis to publish its decisions on the website of the Authority of

       Data protection.

 30. In matters of dismissal, the Litigation Chamber must justify its decision by

       step and:


       - to pronounce a classification without technical continuation if the file does not contain or not

           sufficient elements likely to lead to a sanction or if it includes a
           technical obstacle preventing him from rendering a decision;


       - or pronounce a classification without continuation of opportunity, if in spite of the presence of elements

           likely to lead to a sanction, the continuation of the examination of the file does not seem to him




7Cour des marchés (Brussels Court of Appeal), 2 September 2020, 2020/AR/329, p. 18. Decision on the merits 95/2023 – 8/9



           not timely given the ODA priorities as specified and illustrated in

           the Dispute Resolution Policy of the Litigation Chamber. 8


 31. In the event of classification without continuation on the basis of several grounds (respectively, classification

       without technical and/or opportunity follow-up), the reasons for the classification without follow-up must be
                                      9
       treated in order of importance.

 32. In the present case, the Litigation Chamber decides to proceed with a classification without

       suite for technical reasons based on the absence of any breach of the GDPR or the laws of which

       it is responsible for ensuring the observance of compliance by the defendant.


 33. Indeed, the parties disagree on the question of whether this information relating

       the vaccination status (which constitutes personal data within the meaning of article 4.1. of the

       GDPR, sensitive within the meaning of Article 9.1 elsewhere) has or has not been requested. Bedroom

       Litigation is unable to decide whether or not this was the case when these

       remarks would have been made orally. Unlike other cases in which the

       Litigation Chamber has found one or other breach even in the absence of

       treatment, the Litigation Chamber is not in this case in possession of proof that

       this information would have been effectively requested (but not collected) via a form

       who would request data contrary to the principle of minimization, for example or via a

       document to be completed which does not provide any information required by Articles 13 or 14

       of the GDPR.


 34. Accordingly, the Litigation Chamber classifies the complaint without further action for technical reasons on the

       basis of article 100.1.1° of the LCA.






IV. Publication of the decision


 35. Given the importance of transparency regarding the decision-making process of the Chamber

       Litigation, this decision is published on the website of the Protection Authority

       data (APD). However, it is not necessary for this purpose that the data

       identification of the parties are directly mentioned.








8
  https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-
  contentious.pdf .
9 Dismissal policy of the Litigation Chamber, 18/06/2021, point 3 (“In which cases is my complaint
  likely to be dismissed by the Litigation Chamber?”), available on
  https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-
  litigation.pdf Decision on the merits 95/2023 – 9/9







     FOR THESE REASONS,


     the Litigation Chamber of the Data Protection Authority decides, after deliberation:


     - Pursuant to article 100.1.1° of the LCA, to close the present complaint without further action.









In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days of its notification, to the Court of Markets (Court

d'appel de Bruxelles), with the Data Protection Authority (DPA) as a party

defendant.


Such an appeal may be introduced by means of an interlocutory request which must contain the

information listed in article 1034ter of the Judicial Code. The interlocutory motion must be

filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 11

via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).














(Sr.) Hielke H IJMANS

President of the Litigation Chamber















10The request barely contains any invalidity:
   (1) indication of the day, month and year;
   2° the surname, first name, domicile of the applicant, as well as, where appropriate, his qualifications and his national register number or
       Business Number;

   3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
   (4) the object and summary of the grounds of the application;
   (5) the indication of the judge who is seized of the application;
   6° the signature of the applicant or his lawyer.
11
  The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter
  recommended to the court clerk or filed with the court office.