APD/GBA (Belgium) - XX/2021: Difference between revisions

From GDPRhub
(9 intermediate revisions by one other user not shown)
Line 23: Line 23:
|Date_Started=21.10.2018
|Date_Started=21.10.2018
|Date_Decided=17.01.2022
|Date_Decided=17.01.2022
|Date_Published=17.01.2022
|Date_Published=
|Year=2022
|Year=2022
|Fine=
|Fine=
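Review bot: Date_Started=21.10.2018 is carried over unchanged at the top of this hunk, but the Facts text in the same revision says the complaint was filed on 21 October 2021, so the year should be checked against the decision and corrected if it is a typo. The hunk also clears Date_Published (previously 17.01.2022) while Date_Decided and Year stay populated; if the publication date is unknown, record that reason with the edit rather than blanking the field silently.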
Line 65: Line 65:
}}
}}


Under [[Article 60 GDPR]] the Belgian DPA (LSA) and other other concerned authorities ordered a controller to comply with a data subject's request to erasure according to [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]] because it did not comply with request earlier.  
Under [[Article 60 GDPR]] the Belgian DPA (LSA) and other concerned authorities ordered a controller to comply with a data subject's request to erasure according to [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], because it did not comply with the request.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 21 October 2021 a complaint was filed with the Slovak DPA ([[UOOU (Slovakia)|Office for Personal Data Protection of the Slovak Republic]] [[:Category:UOOU (Slovakia)|- UOOU]]). It referred the case to the Belgian DPA [[APD/GBA (Belgium)|Belgian Data Protection Authority]] - [[:Category:APD/GBA (Belgium)|APD/GBA]] which on 23 November confirmed that it would act as Lead Supervisory Authority (LSA). During the proceedings the following supervisory authorities of the confirmed that they would act as Concerned Supervisory Authorities (CSA) next to the Slovak DPA: Ireland [[:Category:DPC (Ireland)|(]][[DPC (Ireland)|Irish Data Protection Commissioner]] -DPC), Sweden ([[IMY (Sweden)|Integritetsskyddsmyndigheten]] - [[:Category:IMY (Sweden)|IMY)]], Estonia ([[AKI (Estonia)|Estonian Data Protection Inspectorate]] - [[:Category:AKI (Estonia)|AKI)]] and Italy ([[:Category:Garante per la protezione dei dati personali (Italy)|Garante per la protezione dei dati personali]]).
On 4 September 2021, and again on 19 September 2021, the data subject contacted the controller requesting erasure of her personal data under [[Article 17 GDPR]]. On 21 September 2021, the controller confirmed the deletion, as required by [[Article 12 GDPR#3|Article 12(3)]] and [[Article 12 GDPR#4|(4) GDPR]]. However, the complainant found that her name still appeared on the controller's website.  


The complaint concerns the failure of the data controller to comply with the complainant's request to exercise her right to erasure. On 4 September, and again on the 19 September 2021, the complainant contacted the data controller requesting that the personal data relating to her be deleted. On 21 September 2021, the data controller confirmed that the complainant's account had been deleted. However, the complainant found that her name and first name still appeared on the website.
On 21 October 2021 the data subject filed a complaint with the Slovak DPA ([[UOOU (Slovakia)|Office for Personal Data Protection of the Slovak Republic]] [[:Category:UOOU (Slovakia)|- UOOU]]). It referred the case to the Belgian DPA [[APD/GBA (Belgium)|(Belgian Data Protection Authority]] - [[:Category:APD/GBA (Belgium)|APD/GBA)]] which on 23 November 2021 confirmed that it would act as Lead Supervisory Authority (LSA). During the proceedings the following supervisory authorities confirmed that they would act as Concerned Supervisory Authorities (CSA) next to the Slovak DPA: Ireland [[:Category:DPC (Ireland)|(]][[DPC (Ireland)|Irish Data Protection Commissioner]] -DPC), Sweden ([[IMY (Sweden)|Integritetsskyddsmyndigheten]] - [[:Category:IMY (Sweden)|IMY)]], Estonia ([[AKI (Estonia)|Estonian Data Protection Inspectorate]] - [[:Category:AKI (Estonia)|AKI)]] and Italy ([[:Category:Garante per la protezione dei dati personali (Italy)|Garante per la protezione dei dati personali]]).


=== Holding ===
=== Holding ===
Under [[Article 60 GDPR]] the Belgian DPA (LSA) and other other concerned authorities ordered the controller to comply with a data subject's request to erasure according to [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]].
Under [[Article 60 GDPR]] the Belgian DPA (LSA) and other concerned authorities ordered the controller to comply with a data subject's request to erasure according to [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]].


Based on the documents supporting the complaint, the Beglian DPA found that the complainant exercised her right to data erasure pursuant to [[Article 17 GDPR#1|Article 17(1) GDPR]], and that the data controller subsequently confirmed the deletion of her account, as required by [[Article 12 GDPR#3|Article 12(3)]] and [[Article 12 GDPR#4|(4) GDPR]]. However, the DPA found that the controller did not fully comply with the request, as the data subject's name was still listed on the data controller's website. By doing so, the controller acted in violation of [[Article 17 GDPR#1|Article 17(1) GDPR]].
Based on the documents supporting the complaint, the Beglian DPA found that controller did not comply with the data subject's request to erasure under [[Article 17 GDPR#1|Article 17(1) GDPR]], as the data subject's name was still listed on the data controller's website.


== Comment ==
== Comment ==
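Review bot: the rewritten Holding paragraph still carries the misspelling "Beglian DPA" and drops the article in "found that controller"; both should be fixed while the sentence is being edited. In the rewritten Facts paragraph, "the controller confirmed the deletion" loses the detail from the replaced text that the controller confirmed deletion of the complainant's account; since the finding is that the name remained on the website after that confirmation, keep "deletion of her account" so the summary shows exactly what was confirmed.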

Latest revision as of 12:34, 3 August 2022

APD/GBA - APD/GBA (Belgium) - XX/2021
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 60 GDPR
Article 17(1) GDPR
Article 58(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 21.10.2018
Decided: 17.01.2022
Published:
Fine: n/a
Parties: Redacted
National Case Number/Name: APD/GBA (Belgium) - XX/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (Translated) (in EN)
Initial Contributor: Mitali Kshatriya

Under Article 60 GDPR the Belgian DPA (LSA) and other concerned authorities ordered a controller to comply with a data subject's request for erasure according to Article 58(2)(c) GDPR, because it did not comply with the request.

English Summary

Facts

On 4 September 2021, and again on 19 September 2021, the data subject contacted the controller requesting erasure of her personal data under Article 17 GDPR. On 21 September 2021, the controller confirmed the deletion, as required by Article 12(3) and (4) GDPR. However, the complainant found that her name still appeared on the controller's website.

On 21 October 2021 the data subject filed a complaint with the Slovak DPA (Office for Personal Data Protection of the Slovak Republic - UOOU). It referred the case to the Belgian DPA (Belgian Data Protection Authority - APD/GBA), which on 23 November 2021 confirmed that it would act as Lead Supervisory Authority (LSA). During the proceedings the following supervisory authorities confirmed that they would act as Concerned Supervisory Authorities (CSA) next to the Slovak DPA: Ireland (Irish Data Protection Commissioner - DPC), Sweden (Integritetsskyddsmyndigheten - IMY), Estonia (Estonian Data Protection Inspectorate - AKI) and Italy (Garante per la protezione dei dati personali).

Holding

Under Article 60 GDPR the Belgian DPA (LSA) and other concerned authorities ordered the controller to comply with a data subject's request for erasure according to Article 58(2)(c) GDPR.

Based on the documents supporting the complaint, the Belgian DPA found that the controller did not comply with the data subject's request for erasure under Article 17(1) GDPR, as the data subject's name was still listed on the data controller's website.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Litigation Chamber

Decision XX/2021 of 17 January 2022

File number: DOS-2021-07137

Subject matter: Exercising of the right to erasure without adequate follow-up by the data controller

The Litigation Chamber of the Data Protection Authority, composed of

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR;

Pursuant to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as DPAA;

Having regard to the Internal Rules of Procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;

Pursuant to the documents in the file

has taken the following decision regarding:

The complainant: residing at
hereinafter 'the complainant';

The data controller: with its registered office at
hereinafter referred to as "the data controller",






I. Facts and procedure

1. On 21 October 2021, the complainant filed a complaint with the Slovak supervisory authority against the data controller. This is a cross-border complaint within the meaning of Article 60 of the GDPR, which was referred by the Slovak supervisory authority to the Belgian Data Protection Authority. On 23 November, the [Belgian] Data Protection Authority confirmed that it would act as Lead Supervisory Authority (LSA) in this case as the data controller is the representative of a company located within the EU whose registered office is in Belgium. The supervisory authorities of the following EU Member States confirmed that they would act as Concerned Supervisory Authorities (CSA): Ireland, Sweden, Estonia and Italy. As the complaint was filed with the Slovak authority, the latter is also a CSA.

2. The complaint concerns the failure of the data controller to comply with the complainant's request to exercise her right to erasure. On 4 September, and again on the 19 September 2021, the complainant contacted the data controller requesting that the personal data relating to her be deleted. On 21 September 2021, the data controller confirmed that the complainant's account had been deleted. However, the complainant found that her name and first name still appeared on the website.

3. This complaint is the subject of the procedure provided for in Article 60 GDPR (Cooperation between the Lead Supervisory Authority and the other Concerned Supervisory Authorities). This procedure provides that the Litigation Chamber as LSA submits a draft decision to the CSAs for their consideration within a period of 4 weeks. The CSAs may submit relevant and substantiated objections which the Litigation Chamber should take into account. If no objection has been lodged within the prescribed period, the LSA and the CSAs are deemed to agree to the draft decision and shall be bound by it.

II. Reasoning

4. Based on the documents supporting the complaint, the Litigation Chamber finds that the complainant exercised her right to data erasure pursuant to Article 17.1 GDPR [1], and that the data controller subsequently confirmed the deletion of her account, as required by Article 12(3) and (4) GDPR [2]. However, the complainant found that her request for erasure was not fully complied with, as her name was still listed on the data controller's website. By doing so, the controller acted in violation of Article 17.1 of the GDPR.

5. The Litigation Chamber is of the opinion that, on the basis of the above analysis, it must be concluded that the data controller committed an infringement of the provisions of the GDPR, which justifies the adoption of a decision in this case on the basis of Article 95, § 1, 5° DPAA, i.e. ordering the data controller to comply with the complainant's exercise of their right to erasure (Article 17.1 GDPR), particularly in view of the documents provided by the complainant, which show that the data controller did not adequately comply with the complainant's request to erase the data, given that the complainant's surname and first name still appeared on the data controller's website.

6. The present decision is a prima facie decision taken by the Litigation Chamber in accordance with Article 95 DPAA on the basis of the complaint lodged by the complainant, within the framework of the "procedure preceding the decision on the merits" and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 DPAA. The Litigation Chamber has thus decided to rule on the basis of art. 58.2. c) GDPR and Art. 95, §1, 5° of the Act of 3 December 2017, and thus order the data controller to comply with the data subject's requests to exercise their rights, in particular the right to data erasure ("right to be forgotten") (Art. 17 GDPR).

7. The purpose of this decision is to inform the data controller that it has breached the provisions of the GDPR and to give it the opportunity to comply with the aforementioned provisions.

8. However, if the controller does not agree with the contents of the present prima facie decision and considers that it has factual and/or legal arguments which could lead to a different decision, it may send an e-mail to litigationchamber@apd-gba.be to submit a request to the Litigation Chamber to examine the merits of the case within 14 days of service of this decision. If necessary, the enforcement of this decision shall be suspended for the aforementioned period.

9. In the event of a continuation of the proceedings on the merits, the Litigation Chamber shall invite the parties, pursuant to Articles 98, 2° and 3° in conjunction with Article 99 of the DPAA, to submit their defences and to attach any documents they deem useful to the file. This decision shall be permanently suspended if necessary.

Footnotes

[1] 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

[2] 3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

[3] Section 3, Subsection 2 DPAA (Articles 94 to 97).



10. For the sake of completeness, the Litigation Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures mentioned in Article 100 DPAA [4].

11. Finally, the Litigation Chamber points out the following:

If either party wishes to make use of the possibility to consult and copy the file (art. 95, §2, 3° DPAA), they should apply to the secretariat of the Litigation Chamber, preferably via litigationchamber@apd-gba.be in order to schedule an appointment. If a copy of the file is requested, the documents shall be delivered electronically if possible or otherwise by ordinary mail [5].

III. Publication of the decision

12. Given the importance of transparency in relation to the decision of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for the defendant's identification data to be disclosed directly for that purpose.

Footnotes

[4] 1° to close a complaint; 2° to order the dismissal of a complaint; 3° to order the suspension of the judgment; 4° to propose a settlement; 5° to issue warnings and reprimands; 6° to order compliance with the requests of the data subject to exercise their rights; 7° to order the notification of the security problem to the data subject; 8° to order the temporary or definitive freezing, restriction or prohibition of the processing; 9° to order the bringing into compliance of the processing; 10° to order the rectification, restriction or erasure of data and the notification thereof to the recipients of the data; 11° to order the withdrawal of the accreditation of certification bodies; 12° to impose periodic penalty payments; 13° to impose administrative fines; 14° to order the suspension of cross-border data flows to another State or international institution; 15° to transfer the file to the public prosecutor's office in Brussels, which will inform it of the action taken; 16° to decide, on a case-by-case basis, to publish its decisions on the website of the Data Protection Authority.

[5] Due to the exceptional circumstances which have arisen due to COVID-19, the option of collection from the secretariat of the Litigation Chamber is NOT available. Moreover, all communication is in principle electronic.


ON THESE GROUNDS,

the Litigation Chamber of the Data Protection Authority rules, subject to the lodging of a request by the data controller, on the merits in accordance with Article 98 et seq. DPAA, to:

- pursuant to Article 58.2(c) of the GDPR and Article 95(1)(5) of the DPAA, to order the data controller to comply with the data subject's request to exercise their rights, in particular the right to erasure (Article 17.1 of the GDPR), and to proceed with the erasure of the personal data concerned within a period of 14 days from the service of this decision;

- order the data controller to inform the Data Protection Authority (Litigation Chamber) of the result of this decision by e-mail within the same period of time, at the e-mail address litigationchamber@apd-gba.be and

- in the absence of timely implementation of the above by the controller, to rule on the merits of the case ex officio in accordance with Articles 98 et seq. DPAA.

This decision may be challenged pursuant to art. 108, §1 DPAA; an appeal may be lodged with the Market Court within a period of thirty days from the service, with the Data Protection Authority as defendant.

(signature)

Hielke Hijmans

President of the Litigation Chamber