APD/GBA (Belgium) - XX/2021
|APD/GBA - APD/GBA (Belgium) - XX/2021|
|Relevant Law:||Article 60 GDPR|
Article 17(1) GDPR
Article 58(2)(c) GDPR
|National Case Number/Name:||APD/GBA (Belgium) - XX/2021|
|European Case Law Identifier:||n/a|
|Original Source:||EDPB (Translated) (in EN)|
|Initial Contributor:||Mitali Kshatriya|
Under Article 60 GDPR the Belgian DPA (LSA) and other concerned authorities ordered a controller to comply with a data subject's request to erasure according to Article 58(2)(c) GDPR, because it did not comply with the request.
English Summary[edit | edit source]
Facts[edit | edit source]
On 4 September 2021, and again on 19 September 2021, the data subject contacted the controller requesting erasure of her personal data under Article 17 GDPR. On 21 September 2021, the controller confirmed the deletion, as required by Article 12(3) and (4) GDPR. However, the complainant found that her name still appeared on the controller's website.
On 21 October 2021 the data subject filed a complaint with the Slovak DPA (Office for Personal Data Protection of the Slovak Republic - UOOU). It referred the case to the Belgian DPA (Belgian Data Protection Authority - APD/GBA) which on 23 November 2021 confirmed that it would act as Lead Supervisory Authority (LSA). During the proceedings the following supervisory authorities confirmed that they would act as Concerned Supervisory Authorities (CSA) next to the Slovak DPA: Ireland (Irish Data Protection Commissioner -DPC), Sweden (Integritetsskyddsmyndigheten - IMY), Estonia (Estonian Data Protection Inspectorate - AKI) and Italy (Garante per la protezione dei dati personali).
Holding[edit | edit source]
Based on the documents supporting the complaint, the Beglian DPA found that controller did not comply with the data subject's request to erasure under Article 17(1) GDPR, as the data subject's name was still listed on the data controller's website.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1/6 LitigationChamber Decision XX/2021 of 17 January 2022 File number: DOS-2021-07137 Subject matter: Exercising of the right to erasure without adequate follow-up by the data controller The Litigation Chamber of the Data Protection Authority, composed of Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR; Pursuant to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as DPAA; Having regard to the Internal Rules of Procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Pursuant to the documents in the file has takenthefollowing decision regarding: . The complainant: residing at hereinafter 'the complainant'; . The data controller: with its registered office at hereinafter referred to as "the data controller", Decision XX/2021 - 2/6 I. Facts and procedure 1. On21October2021,thecomplainantfiledacomplaintwiththeSlovaksupervisoryauthorityagainst the data controller. This is a cross-border complaint within the meaning of Article 60 of the GDPR, which was referred by the Slovak supervisory authority to the Belgian Data Protection Authority. On 23 November, the [Belgian] Data Protection Authority confirmed that it would act as Lead Supervisory Authority (LSA) in this case as the data controller is the representative of a company located within the EU whose registered office is in Belgium. The supervisory authorities of the following EU Member States confirmed that they would act as Concerned Supervisory Authorities (CSA): Ireland, Sweden, Estonia and Italy. As the complaint was filed with the Slovak authority, the latter is also a CSA. 2. The complaint concerns the failure of the data controller to comply with the complainant's request to exercise her right to erasure. On 4 September, and again on the 19 September 2021, the complainant contacted the data controller requesting that the personal data relating to her be deleted. On 21 September 2021, the data controller confirmed that the complainant's account had been deleted. However, the complainant found that her name and first name still appeared on the website. 3. This complaint is the subject of the procedure provided for in Article 60 GDPR (Cooperation between the Lead Supervisory Authority and the other Concerned Supervisory Authorities). This procedure provides that the Litigation Chamber as LSA submits a draft decision to the CSAs for their consideration within a period of 4 weeks. The CSAs may submit relevant and substantiated objections which the Litigation Chamber should take into account. If no objection has been lodged within the prescribed period, the LSA and the CSAs are deemed to agree to the draft decision and shall be bound by it. II. Reasoning 4. Based on the documents supporting the complaint, the Litigation Chamber finds that the complainant exercised her right to data erasure pursuant to Article 17.1 GDPR , and that the data controller subsequently confirmed the deletion of her account, as required by Article 12(3) and (4) 1 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)., Decision XX/2021 - 3/6 GDPR . However, the complainant found that her request for erasure was not fully complied with, as her name was still listed on the data controller's website. By doing so, the controller acted in violation of Article 17.1 of the GDPR. 5. The Litigation Chamber is of the opinion that, on the basis of the above analysis, it must be concludedthatthedatacontrollercommittedaninfringement oftheprovisionsoftheGDPR,which justifies the adoption of a decision in this case on the basis of Article 95, § 1, 5° DPAA, i.e. ordering the data controller to comply with the complainant's exercise of their right to erasure (Article 17.1 GDPR),particularlyinviewofthedocumentsprovidedbythecomplainant,whichshowthatthedata controller did not adequately comply with the complainant's request to erase the data, given that the complainant's surname and first name still appeared on the data controller's website. 6. The present decision is a prima facie decision taken by the Litigation Chamber in accordance with Article 95 DPAA on the basis of the complaint lodged by the complainant, within the framework of the "procedure preceding the decision on the merits" and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 DPAA. The Litigation Chamber has thus decided to rule on the basis of art. 58.2. c) GDPR and Art. 95, §1, 5° of the Act of 3 December 2017, and thus order the data controller to comply with the data subject's requests to exercise their rights, in particular the right to data erasure ("right to be forgotten") (Art. 17 GDPR). 7. The purpose of this decision is to inform the data controller that it has breached the provisions of the GDPR and to give it the opportunity to comply with the aforementioned provisions. 8. However, if the controller does not agree with the contents ofthe present prima facie decision and considers that it has factual and/or legal arguments which could lead to a different decision, it may send an e-mail to email@example.com to submit a request to the Litigation Chamber to examine the merits of the case within 14 days of service of this decision. If necessary, the enforcement of this decision shall be suspended for the aforementioned period. 9. In the event of a continuation of the proceedings on the merits, the Litigation Chamber shall invite the parties, pursuant to Articles 98, 2° and 3° in conjunctionwith Article 99 of the DAPA, to submit their defences and to attach any documents they deem useful to the file. This decision shall be permanently suspended if necessary. 23. The controller shall provideinformation on action taken on a requestunder Articles 15 to 22 to the data subject without unduedelay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. 4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. 3Section 3, Subsection 2 DPAA (Articles 94 to 97)., Decision XX/2021 - 4/6 10. Forthe sake ofcompleteness,theLitigationChamberpointsout that ahearingonthe meritsofthe case may lead to the imposition of the measures mentioned in Article 100 DAPA . 4 11. Finally, the Litigation Chamber points out the following: Ifeitherpartywishestomakeuseofthepossibilitytoconsultandcopythefile(art.95,§2,3°DPAA), they should apply to the secretariat of the Litigation Chamber, preferably via firstname.lastname@example.org order to schedule an appointment. If a copy of the file is requested, the documents shall be delivered electronically if possible or otherwise by ordinary mail . III. Publication ofthe decision 12. Given the importance of transparency in relation to the decision of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for the defendant's identification data to be disclosed directly for that purpose. 4 1° to close a complaint; 2° to order the dismissal of a complaint; 3° to order the suspension of the judgment; 4° to propose a settlement; 5° to issue warnings and reprimands; 6° to order compliance with the requests of the data subject to exercise their rights; 7° to order the notification of the security problem to the data subject; 8° to order the temporary or definitive freezing, restriction or prohibition of the processing; 9° to order the bringing into compliance of the processing; 10° to order the rectification, restriction or erasure of data and the notification thereof to the recipients of the data; 11° to order the withdrawal of the accreditation of certification bodies; 12° to impose periodic penalty payments 13° to impose administrative fines; 14° to order the suspension of cross-border data flows to another State or international institution; 15° to transfer the file to the public prosecutor's office in Brussels, which will inform it of the action taken; 16° to decide, on a case-by-case basis, to publish its decisions on the website of the Data Protection Authority. 5 Due to the exceptional circumstances which have arisen due to COVID-19, the option of collection from the secretariat of the Litigation Chamber is NOT available. Moreover, all communication is in principle electronic., Decision XX/2021 - 5/6 ON THESE GROUNDS, the LitigationChamber of the Data Protection Authority rules, subject to the lodging of a request by the data controller, on the merits in accordance with Article 98 et seq. DPAA, to: - pursuant to Article 58.2(c) of the GDPR and Article 95(1)(5) of the DPAA , to order the data controller to comply withthe datasubject's request to exercise their rights, in particular the right to erasure (Article 17.1 of the GDPR), and to proceed with the erasure of the personal data concerned within a period of 14 days from the service of this decision; - order the data controller to inform the Data Protection Authority (Litigation Chamber) of the result of this decision by e-mail within the same period of time, at the e-mail address email@example.com - in the absence of timely implementation of the above by the controller, to rule on the merits of the case ex officio in accordance with Articles 98 et seq. DPAA. This decision may be challenged pursuant to art. 108, §1 DPAA; an appeal may be lodged with the Market Court within a period of thirty days from the service, with the Data Protection Authority as defendant., Decision XX/2021 - 6/6 (signature) Hielke Hijmans President of the Litigation Chamber