APD/GBA - 03/2021

Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 6(1)(f) GDPR
Article 6(4) GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Decided: 13/01/2021
Published: 13/01/2021
Fine: None
Parties: n/a
National Case Number/Name: 03/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde 03/2020 van 13 januari 2021 (in NL)
Initial Contributor: Enzo

The Belgian DPA (APD/GBA) held that sending a newsletter to the parents of school children with all email addresses visible in CC was a breach of Article 5(1)(b) GDPR, as having their email address distributed was not within the reasonable expectations of the parents.

Furthermore, the school cannot rely on legitimate interest (Article 6(1)(f)), as other measures exist to avoid sharing the contact details with the other parents (BCC) and the parents do not expect their personal data to be further processed.

As such, the school does not comply with its responsibilities as controller, nor does it uphold the principles of data protection by design and by default (Articles 24 and 25).

English Summary

Facts

A school sent a newsletter to all parents with all email addresses of those parents visible in Carbon Copy (CC) as opposed to Blind Carbon Copy (BCC).

The school said that its internal policies make sending in BCC mandatory in such cases. It added that the time window to unsend an email has been changed from 5 seconds to 30 seconds. The school also apologised.

The complainant later added that, even after the school said it had implemented those measures, it still continued to send out emails with the email addresses in CC.

Dispute

Can email addresses of parents of children of a school be made public under Article 5(1)(b) if this was not the initial purpose for which the personal data was collected?

If not, can the school rely on legitimate interest under Article 6(1)(f)?

Holding

The school communicates with the parents on the ground of contractual necessity based on Article 6(1). Without the contact details, it is impossible for the school to communicate with the parents. As such, there is no free choice.

Article 5

The DPA then states that it is possible to process the contact details for a purpose other than the one for which they were initially collected if that purpose is compatible with the original purpose, and that it will assess whether Article 5(1)(b) can be relied on in this case.

However, the DPA states that this is not within the reasonable expectations of the parents, as they only provided their contact details relative to the school. The other parents are not included in this relationship. As such, these purposes are incompatible.

As every processing of personal data needs to rely on a legal basis from Article 6(1), this processing is unlawful.

Article 6

The DPA then assesses whether the school could rely on the legal basis of legitimate interest under Article 6(1)(f). It confirms earlier case law of the CJEU under which three requirements have to be fulfilled cumulatively: a legitimate interest pursued by the controller, necessity of the processing, and the fundamental rights and freedoms of the data subject not overriding the legitimate interest.

Assessment of legitimate interest

Reaching all parents, simultaneously, can serve as a legitimate interest. However, the means to reach this goal are not necessary and a simple technical measure exists to not make the mail addresses visible (BCC). As stated above, the reasonable expectations of the parents are in their relationship to the school, and not to other parents. The parents do not expect any other processing.

As such, requirements two and three are not fulfilled.

The school breaches Article 6(1)(b) in combination with Article 6(4) and Article 6(1).

Articles 24 and 25

Furthermore, as the school continued its processing, despite promising it would not and despite having internal policies regulating this, it failed to comply with Article 24(1), Article 24(2), Article 25(1) and Article 25(2).

No fine was imposed, but the DPA issued a reprimand and clear instructions to implement the necessary measures to become compliant within 3 months.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.









                                                                              Litigation chamber




                                        Decision on the merits 03/2020 of 13 January 2021





File number: DOS-2020-00608



Subject: Sending by school of a global e-mail with all recipients visible





The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs. Christophe Boeraeve and Frank De Smet, members;



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;



In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;



Having regard to the rules of internal procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Considering the documents in the file;









has taken the following decision regarding:

    - X, hereinafter “the complainant”

    - Y, hereinafter “the defendant”








    1. Facts and procedure



1. On January 30, 2020, the complainant lodged a complaint with the Data Protection Authority against the defendant.



2. The subject of the complaint concerns the sending by the defendant of an email with a newsletter addressed to the parents of students throughout the school, with all email addresses visible to all recipients of the email concerned.



3. On February 17, 2020, the complaint was declared admissible under Articles 58 and 60 WOG and submitted to the Disputes Chamber on the basis of art. 62, §1 WOG.



4. On April 3, 2020, the Disputes Chamber decided on the basis of art. 95, §1, 1° and art. 98 WOG that the file was ready for treatment on the merits.



5. On April 3, 2020, the parties concerned were notified by registered mail of the provisions as stated in article 95, §2, as well as those in art. 98 WOG. They were also informed, on the basis of art. 99 WOG, of the time limits for submitting their defenses. The deadline for receipt of the defendant's statement of response was set at 18 May 2020, that for the complainant's reply at 8 June 2020 and that for the statement of defense of the defendant at 29 June 2020.



6. On May 18, 2020, the Disputes Chamber received the statement of defense from the defendant. In it, he confirms that Y sent an email with the monthly news items on January 30, 2020, which concerned communication about the start-up of the nursery department by the municipality and a notice that the school would be closed the next day. When sending the message, the addresses of the parents were incorrectly placed in the field “Carbon Copy” (CC) instead of “Blind Carbon Copy” (BCC). The error was seen too late and an attempt to undo or withdraw the mail failed. According to the defendant, it was by no means the intention to put all addresses in CC.



7. Furthermore, the defendant adds three documents containing guidelines on sending emails to external persons, each stating that email addresses must be placed in BCC when sending an email in bulk. In addition, the default time to unsend an email, which was initially 5 seconds, has now been set to 30 seconds, so that in case of doubt the mail can still be withdrawn.



8. The defendant also apologizes to the complainant for disseminating his email address.



9. On 20 May 2020, the Disputes Chamber received the statement of reply from the complainant, in which he stated that prior to the email of 30 January 2020 that is the subject of the complaint he had several times received e-mails from the defendant in which he had to establish that the email addresses were visible to all recipients. Notwithstanding the efforts which the defendant would have made, the complainant adds an email sent by the defendant on April 22, 2020, which shows that even after January 30, 2020, all e-mail addresses are visible to all recipients.




10. On May 22, 2020, the Disputes Chamber received the statement of reply from the defendant in which he indicates that he will take the necessary steps to ensure follow-up.







    2. Legal basis




    - Article 5.1. b) GDPR:

        “Personal data must: […] b) be collected for specified, explicitly defined and legitimate purposes and may not be further processed in a manner incompatible with those purposes; further processing for the purpose of archiving in the public interest, scientific or historical research or statistical purposes in accordance with Article 89 (1) is not considered incompatible with the original purposes ('purpose limitation');”



    - Article 6.1. GDPR:

        The processing is only lawful if and insofar as at least one of the following conditions is met:

        […]

        f) the processing is necessary for the pursuit of the legitimate interests of the controller or of a third party, except where the interests or the fundamental rights and freedoms of the data subject which require protection of personal data outweigh those interests, especially where the person concerned is a child.

        […]



- Article 6.4. GDPR:

    “When the processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on a provision of Union law or a provision of member state law that is a necessary and proportionate measure in a democratic society to ensure the objectives referred to in Article 23 (1), the controller, in assessing whether the processing for another purpose is compatible with the purpose for which the personal data were initially collected, takes into account, among other things:

    a) any link between the purposes for which the personal data was collected and the purposes of the intended further processing;

    b) the framework in which the personal data were collected, in particular as concerns the relationship between the data subjects and the controller;

    c) the nature of the personal data, in particular whether special categories of personal data are processed, in accordance with Article 9, and / or whether personal data about criminal convictions and offenses are processed, in accordance with Article 10;

    d) the possible consequences of the intended further processing for the data subjects;

    e) the existence of appropriate safeguards, which may include encryption or pseudonymization.”



- Art. 24.1 and 2. GDPR:

    “1. Taking into account the nature, scope, context and purpose of the processing, as well as the varying risks to the rights and freedoms of natural persons, the controller takes appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this regulation. Those measures are evaluated and updated if necessary.

    2. When proportionate to the processing activities, the measures referred to in paragraph 1 include an appropriate data protection policy implemented by the controller.”



    - Art. 25.1 and 2. GDPR:

        “1. Taking into account the state of the art, the implementation costs, and the nature, scope, context and purpose of the processing, as well as the risks, of varying probability and seriousness, to the rights and freedoms of individuals that are connected with the processing, the controller takes, both in the determination of the processing means and in the processing itself, appropriate technical and organizational measures, such as pseudonymization, which are designed with the aim of implementing the data protection principles, such as data minimization, in an effective way and of building the necessary safeguards into the processing for compliance with the requirements of this Regulation and to protect the rights of the data subjects.

        2. The controller takes appropriate technical and organizational measures to ensure that, in principle, only personal data are processed that are necessary for each specific purpose of the processing. That obligation applies to the amount of personal data collected, the extent to which they are processed, the period for which they are stored and their accessibility. These measures ensure in particular that in principle personal data are not made accessible to an unlimited number of natural persons without human intervention.”








    3. Justification




11. The defendant has the contact details of the parents of students, including the complainant, in order to be able to communicate with them about information that is important in the context of the defendant's relationship with the students' parents. The Disputes Chamber assumes that a legal basis exists for obtaining this information, as referred to in Article 6.1 of the GDPR, namely the necessity for the performance of the agreement between the complainant and the defendant (Article 6.1.b). After all, it does not in principle seem possible for students to receive education from a school without the school having the email details of (one of) the parents of the student. For that reason, consent as a legal basis in accordance with the conditions of Articles 4 (7) and 7 GDPR is not conceivable for obtaining the data. After all, parents of children do not have the freedom to choose whether or not to submit their contact details to the school.



12. The Disputes Chamber will examine to what extent the defendant can share the complainant's contact details with third parties, in the present case the parents of other students.






13. In accordance with article 5.1. b) GDPR, the processing of personal data for purposes other than those for which the personal data were initially collected may be permitted if the processing is compatible with the purposes for which the personal data were initially collected. Taking into account the criteria included in article 6.4. GDPR and Recital 50 of the GDPR, it must thus be ascertained whether the further processing, in this case the communication by e-mail of the complainant's contact details to the parents of other learners, is or is not compatible with the initial processing consisting of the collection of the complainant's contact details in the context of direct contact between the parents of students and the school. The Disputes Chamber comes to the decision that the complainant has provided contact details within the framework of his relationship with the school (being the defendant) and he could not reasonably expect that the school would share the same data with third parties who have their own link with the school, since they are parents of other pupils, but who stand outside the relationship between the complainant and the school.



14. This leads to the conclusion that there is no compatible further processing, so that a separate legal basis is required for the communication of the contact details of the complainant to the parents of other students to be considered legitimate.




15. Processing of personal data, including incompatible further processing as in the present case, is only lawful if there is a legal basis for this. For incompatible further processing operations, it is necessary to fall back on article 6.1. GDPR and recital 50 GDPR. Recital 50 of the GDPR states that a separate legal basis is required for the processing of personal data for other purposes that are incompatible with the purposes for which the personal data was initially collected. Those separate legal grounds on the basis of which a processing, including incompatible further processing, can be considered lawful are provided in article 6.1. GDPR.







1 Recital 50 GDPR: […] To determine whether a purpose of further processing is compatible with the purpose for which the personal data were initially collected, the controller must, after he has complied with all rules on lawfulness of the original processing, take into account, among other things: a possible link between those purposes and the purposes of the intended further processing; the framework in which the data was collected; in particular, the reasonable expectations of data subjects based on their relationship with the controller regarding its further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and appropriate safeguards for both the original and the intended further processing.

2 Recital 50 GDPR: The processing of personal data for purposes other than those for which the personal data were initially collected should only be allowed if the processing is compatible with the purposes for which the personal data was initially collected. In such case, no separate legal basis is required other than that on the grounds of which the collection of personal data was permitted. […]




16. To this end, the Disputes Chamber will investigate to what extent the legal grounds as determined in Article 6.1. GDPR can be invoked by the defendant in order to justify the further processing of the personal data relating to the complainant.



17. The defendant himself does not state any legal basis which would allow him to proceed to the data processing that is the subject of the complaint, being the communication of the complainant's e-mail address to the parents of other students. In addition, the defendant expressly admits that this communication was an error and that it was by no means intended to put all email addresses in CC. The defendant therefore does not argue that the communication should have taken place and therefore does not try to justify it by relying on any legal basis.



18. On the basis of the factual elements present in the file, the Disputes Chamber examines ex officio whether, if necessary, a legal ground can be invoked that would allow the defendant to proceed with the sending of the mail containing the complainant's e-mail address visible to all recipients. To this end, the Disputes Chamber will investigate whether the communication of the complainant's e-mail address can be based on any legitimate interest on the part of the defendant (Article 6.1. f) GDPR).

    The other legal grounds included in Article 6.1. points a), b), c), d) and e) GDPR are not applicable in the present case.




19. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European Union (hereinafter “the Court”), three cumulative conditions must be fulfilled for a controller to validly invoke this ground of lawfulness, “namely, in the first place, the promotion of a legitimate interest of the controller or of the third party (ies) to whom the data are provided, in the second place, the necessity of the processing of personal data for the purpose of the legitimate interest, and, thirdly, the condition that the fundamental rights and freedoms of the person concerned with data protection do not prevail” (judgment “Rigas”).



20. In order to be able to rely on the lawfulness ground of the "legitimate interest", in other words, the controller must show that:






3 CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme', recital 28. See also CJEU, 11 December 2019, C-708/18, TK t / Asociaţia de Proprietari bloc M5A-ScaraA, recital 40.




    1) the interests pursued by this processing can be recognized as justified (the “target test”);

    2) the intended processing is necessary for the realization of these interests (the “necessity test”); and

    3) the balancing of these interests against the interests, fundamental freedoms and fundamental rights of data subjects weighs in favor of the controller (the “balancing test”).



21. With regard to the first condition (the so-called “target test”), the Disputes Chamber judges that the purpose of simultaneously reaching all the parents of the students by sending a single email is to be considered as pursued with a legitimate interest in mind. The interest that the defendant pursues as controller may in itself, in accordance with Recital 47 GDPR, be considered justified. Hence, the first condition in Article 6.1, f) GDPR is satisfied.



22. In order to meet the second condition, it must be demonstrated that the processing is necessary for the achievement of the objectives pursued. More specifically, this means that the question should be asked whether the same result can be achieved by other means without processing of personal data or without unnecessarily invasive processing for the data subjects.



23. Based on the purpose of reaching the parents of students in a single e-mail, the Disputes Chamber must establish that there is a simple technical means that allows the intended recipients of the e-mail to be reached in a single movement without the email addresses of everyone being visible, namely transmission in BCC instead of in CC. The second condition is thus not satisfied because the principle of minimal data processing (Article 5.1. c) GDPR) has not been complied with.



24. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called “balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, account should be taken, in accordance with Recital 47 GDPR, of the reasonable expectations of the data subject. More specifically, it should be evaluated whether the “data subject at the time and in the context of the collection of the personal data can reasonably expect processing to take place for that purpose”.4

4 Recital 47 GDPR.






25. This is also emphasized by the Court in its judgment “TK t / Asociaţia de Proprietari bloc M5A-ScaraA” of December 11, 2019, in which it states:

    “Also relevant to this assessment are the reasonable expectations of the data subject that his or her personal data will not be processed when, in the circumstances of the case, the data subject cannot reasonably expect further processing of the data”.




26. With regard to this third condition, the Disputes Chamber can only establish that the complainant could not at any moment expect the sharing of his email address with the parents of other pupils.



27. The Disputes Chamber is of the opinion that the totality of the elements set out demonstrates that the defendant cannot rely on any legal basis proving the legality of the data processing as carried out by him. In addition, the defendant does not dispute the facts and states that in the relevant e-mail that is the subject of the complaint the complainant's e-mail address was placed in the field “CC” instead of “BCC”, although this was not done intentionally. By doing so, he indicates that he has committed an infringement in the processing of the complainant's personal data. The Disputes Chamber thus concludes that the infringement of Article 5.1.b) in conjunction with Article 6.4. GDPR, and Article 6.1. GDPR has been proven.




28. Despite the fact that it appears from the documents submitted by the defendant that general guidelines have been drawn up within the school whereby the recipients must be entered in BCC in global emails, the complainant shows that these guidelines are not being put into practice. Not only does the email dated January 30, 2020 to which the complaint relates fail to respect the guideline, but also in the e-mail dated April 22, 2020 enclosed by the complainant in his statement of reply, that rule is not applied. The defendant does not disprove this, but merely states that the case will be followed up. The Disputes Chamber is of the opinion that the violation of art. 24.1 and 2, and art. 25.1. and 2. GDPR is proven.



29. Moreover, the Disputes Chamber is of the opinion that a school should be transparent about the way in which it processes (communication) data from parents and should develop a policy for this purpose. The Disputes Chamber therefore recommends that the defendant develop such a policy, which serves to ensure that communication with parents takes place in accordance with art. 24.1 and 2, and art. 25.1. and 2. GDPR.




5 CJEU, 11 December 2019, C-708/18, TK t / Asociaţia de Proprietari bloc M5A-ScaraA, recital 58.




30. Since this problem affects all schools in Belgium, the Disputes Chamber considers this decision an incentive for schools to handle parental data with care and to develop a policy to this end. An important part of that would be the further processing of data, whereby, in the cases in which Article 6.1. f) GDPR cannot be applied, consent can be used as a legal basis, for example when that data is processed for the purpose of communication between parents.




31. It is important here that schools bear in mind that, as a general rule, the starting point should be that if consent has been given, further processing is only possible within the scope of that consent. After all, consent must be granular. If parents consent to the use of communication data by the school in the context of communication with other parents, the same data may not be passed on to third parties, for example for direct marketing (e.g. for school books). If the school wanted to pass that information on for direct marketing purposes anyway, the school must again ask the parents for permission. This is also in accordance with the guidelines of the European Data Protection Board (EDPB) regarding consent, which state in essence that the controller must determine, prior to the collection of personal data, the legal basis on which the processing is based and cannot switch to the legal basis "legitimate interest" when the further processing does not fit within the initial legal basis "consent" on the basis of which the data was collected.



32. The Disputes Chamber is of the opinion that the following sanctions are sufficient, also in view of the fact that the defendant himself admits that an error has occurred and is willing to avoid the same facts in the future.









6 Recital 43 GDPR: […] Consent is deemed not freely given if no separate consent can be given for different personal data processing operations despite the fact that this is appropriate in the individual case, or if the performance of an agreement, including the provision of a service, depends on the consent despite the fact that such consent is not necessary for that performance.

7 Guidelines 05/2020 on consent under Regulation 2016/679 (for the time being there is no official Dutch translation available) https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf:

121. Article 6 sets the conditions for a lawful personal data processing and describes six lawful bases on which a controller can rely. The application of one of these six bases must be established prior to the processing activity and in relation to a specific purpose.

122. It is important to note here that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent. Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals.

123. In other words, the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively utilize the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Because of the requirement to disclose the lawful basis, which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful base is.



33. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision is published, in accordance with Article 100, §1, 16° WOG, on the website of the Data Protection Authority with the omission of the identification data of the parties, given that identification data is neither necessary nor relevant in the publication of the decision.













FOR THESE REASONS,



the Disputes Chamber of the Data Protection Authority decides, after deliberation:

- to formulate a reprimand on the basis of Article 100, §1, 5° WOG with regard to the defendant.

- on the basis of Article 100, §1, 9° WOG, to order the defendant to bring the processing into line with Article 24.1. and 2. GDPR and Articles 25.1 and 2. GDPR. The Disputes Chamber gives the defendant a period of three months for this and expects that the defendant will report to it by March 31, 2021 on the bringing of the processing into line with the aforementioned provisions.




Against this decision, on the basis of art. 108, §1 WOG, an appeal can be lodged within a term of thirty days from the notification, at the Marktenhof, with the Data Protection Authority as defendant.









(signed) Hielke Hijmans

Chairman of the Disputes Chamber