APD/GBA - 05/2021

From GDPRhub
APD/GBA - 05/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24 GDPR
Article 32 GDPR
Article 33 GDPR
Article 34(1) GDPR
Art. 126 WEC
Art. 127 WEC
Art. 122 WEC
Type: Complaint
Outcome: Upheld
Decided: 01/2021
Published: 01/2021
Fine: 25000 EUR
Parties: n/a
Cellphone number provider
National Case Number/Name: 05/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Betreft : klacht wegens toekennen telefoonnummer klager aan een derde (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA (APD/GBA) held that sharing a phone number poses a high risk to a data subject and that this must be classified as a critical data breach, even if it concerns just one person and for a very short time.

English Summary[edit | edit source]

Facts[edit | edit source]

A third party visited a shop of the defendant (a provider of cellphone services) to change their mobile phone subscription. This third party used the phone and sim card number of the complaint. During this process, the mobile phone number of the complaint was transferred to a third party so that the complaint could not use its mobile phone number. The SIM of complaint was deactivated for the complaint and the third party had the possibility to access personal conversation data as well as linked accounts (PayPal, WhatsApp, Facebook) for three days.

Dispute[edit | edit source]

If a third party has access to a phone number, does this classify as a critical data breach?

Holding[edit | edit source]

One of the first arguments of the defendant is that it couldn't have known the identity of the third party as they are forbidden from collecting identification data for commercial purposes (article 127 WEC) when migrating from a prepaid to a postpaid abonnement.

However, the Dispute Chamber states that according to article 122 WEC, that this is possible when sending invoices or to protect the private life of the clients. The defendant had to check the identity of the third party, it is a legitimate purpose to prevent identity fraud with phone numbers as the impact on a data subject can be drastic.Not checking this is marked as grave negligence.

The defendant states that the impact on the personal life of the complaint is minimal which the Dispute Chamber dismisses as conversations are very personal and it is easy to access WhatsApp because only a phone number is required. SMS is also used for very personal things such as reminder of meetings (e.g. hospital, special categories of data) or it can be used to impersonate someone. The possession of a phone number creates a significant risk to the personal life of the data subject.

The Dispute Chamber states that defendant failed to respect the data breach notification deadline under Article 33(1) as this data breach poses a high risk to the data subject.

To determine the risks, the Dispute Chamber used the Guidance of WP29 250rev.01[1]. Possible damages for the usage of a phone number are discrimination, identity theft- and fraud, financial loss and reputation damage.The fact that it concerns one person and for a very short time are irrelevant as the risk is very high.

The controller must always implement the necessary technical and organisational measures to be in compliance with the GDPR and be able to demonstrate said compliance (Article 5(2) and Article 24 GDPR). It is one of the corner stones of the GDPR.

The defendant, as such, failed to take proactive measures: there was no verification of the identity of the third party and the data breach was not notified nor was it justified why this data breach was not necessary nor were there any logs on the data breach which is a breach of Article 33(5).

And even if a data breach poses no risks, it must still be logged internally.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                               1/22









                                                                            Litigation chamber



                                      Decision on the merits 05/2021 of 22 January 2021





File number: DOS-2019-04867



Concerns: complaint about attributing the complainant's telephone number to a third party





The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman and Messrs Jelle Stassijns and Frank De Smet, members;



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and repealing Directive

95/46 / EC (General Data Protection Regulation), hereinafter GDPR;



In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter

WOG;



Having regard to the rules of internal procedure, as approved by the Chamber of

Representatives on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;



Considering the documents in the file;





has taken the following decision regarding:

                                                                                                         .

    - the complainant: Mr X,.

                                                                                                         .

    - the defendant: Y Decision on the merits 05/2021 - 2/22




    1. Facts and procedure


1. The complainant files a complaint against Y with the Data Protection Authority on 20 September 2019.

    The complaint was declared admissible by the Primary Care Service on September 30, 2019. The complaint

    implies that the complainant's mobile phone number would have been assigned to Y by his provider

    a third, as a result of which the complainant no longer had access to his number. The complainant's SIM card

    was deactivated and the third party could therefore have become aware of the personal GSM

    the complainant's traffic and calls, as well as linked accounts (such as Paypal, WhatsApp and

    Facebook) from 16 to 19 September 2019.



2. Since the complaint is directed against Y with its head office in Member State Z, the

    Data protection authority contacted the supervisory authority in this Member State

    in order to determine whether or not the complaint should be considered as cross-border.

    That communication led to the handling of the complaint and the data processing

    according to the national procedure of the Belgian data protection authority (art.56.2 GDPR) 1

    with Y as defendant.




3. On April 15, 2020, the Disputes Chamber decided that the complaint is ready for handling

    on the merits and notified to both the complainant and the defendant by registered mail

    this decision. The parties were also informed of the provisions mentioned in

    Article 98 of the WOG and the deadlines for submitting their defenses. The deadline

    it was determined on 27 May 2020 for receipt of the defendant's statement of defense; the

    deadline for receipt of the complainant's reply on 17 June 2020 and the

    deadline for receipt of the defendant's reply on 8 July 2020.



4. By letter of 20 April 2020, defendant's counsel submitted to the file, copy

    of the file and indicated that he wishes to be heard at a hearing

    on the basis of Article 98, 2 ° WOG.



5. On 27 May 2020 the respondent filed a statement of defense.



6. Neither the complainant nor the defendant have made use of the option of submitting a conclusion


    submit a reply. The complainant did not wish to make use of the opportunity to be heard

    to become.







1 Article 56.2 reads: By way of derogation from paragraph 1, any supervisory authority is competent a complaint submitted to it or a
to deal with any breach of this Regulation if the subject-matter of that case relates only to an establishment

in its Member State or only for data subjects in its Member State. Decision on the merits 05/2021 - 3/22



7. On November 9, 2020, the defendant shall be declared in accordance with Article 53 of the Rules of Procedure of

    internal order heard by the Disputes Chamber.



8. On November 19, 2020, the minutes of the hearing will be presented to the parties.


    The parties did not respond to this.



9. On December 7, 2020, the intention to impose a fine was transferred to the

    defendant. Respondent responded extensively to this intention on 22 December 2020.



    2. Legal basis




Article 5.1.f GDPR

1 Personal data must:



f) by taking appropriate technical or organizational measures in such a way


processed to ensure adequate security, including protection

are against unauthorized or unlawful processing and against accidental loss, destruction or

damage (“integrity and confidentiality”).



Article 5.2 GDPR



The controller is responsible for and can demonstrate compliance with paragraph 1

(“Accountability”).



Article 24 GDPR


1. Taking into account the nature, scope, context and purpose of the processing, as well

with the different likelihood and severity risks to the rights and freedoms of

natural persons, the controller shall take appropriate technical and

organizational measures to guarantee and be able to demonstrate that the processing in

in accordance with this Regulation. Those measures are being evaluated and

updated if necessary.



2. When proportionate to processing activities, include those referred to in paragraph 1

measures an appropriate data protection policy adopted by the controller

is carried out. Decision on the merits 05/2021 - 4/22



3. Adherence to approved codes of conduct as referred to in Article 40 or approved ones

certification mechanisms as referred to in Article 42 can be used as an element to indicate

show that the obligations of the controller have been fulfilled.



Article 32 GDPR

1. Taking into account the state of the art, the implementation costs, as well as the nature, the

scope, context and purposes of the processing and the likelihood and severity

various risks to the rights and freedoms of individuals affect the

controller and processor appropriate technical and organizational

measures to ensure a level of security appropriate to the risk, which, where appropriate,

include the following:



a) the pseudonymisation and encryption of personal data;



(b) the ability to maintain confidentiality, integrity, availability and

ensure resilience of processing systems and services


 (c) the ability, in the event of a physical or technical incident, to ensure the availability of and access to

to restore the personal data in a timely manner; (d) a procedure for regular testing,

assess and evaluate the effectiveness of the technical and organizational

security measures for processing.



2. In assessing the appropriate level of security, particular account shall be taken of

the processing risks, especially as a result of the destruction, loss, alteration or

unauthorized disclosure of or unauthorized access to forwarded, stored or

otherwise processed data, either accidentally or unlawfully.



3. Adherence to an approved code of conduct as referred to in Article 40 or an approved one

certification mechanism as referred to in Article 42 can be used as an element to demonstrate

that the requirements referred to in paragraph 1 of this Article are complied with.


4. The controller and processor shall take measures to ensure that

any natural person acting under the authority of the controller or of

the processor and has access to personal data, this only on behalf of the

the controller, unless he is under Union or Member State law to do so

held Decision on the merits 05/2021 - 5/22



Article 33 GDPR



1 If a personal data breach has occurred, the

controller without unreasonable delay and, if possible, no later than 72 hours

after taking note of it, to the competent person in accordance with Article 55

supervisory authority, unless it is unlikely that the breach is related to

personal data poses a risk to the rights and freedoms of natural persons. In the event that

the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by

a justification for the delay.



2. The processor shall inform the controller as soon as possible without unreasonable delay

he is aware of a personal data breach.


3. The notification referred to in paragraph 1 shall describe or communicate at least the following:



(a) the nature of the personal data breach, specifying where possible

  the categories of data subjects and personal data registers in question and, approximately, the

  number of data subjects and personal data registers concerned;

b) the name and contact details of the data protection officer or other person

  contact point where more information can be obtained;

c) the likely consequences of the personal data breach;

(d) the measures proposed or taken by the controller to remedy the breach

  in connection with personal data, including, where appropriate, the

  measures to limit any adverse consequences thereof.



4. If and insofar as it is not possible to provide all information simultaneously, the

information is provided in stages without unreasonable delay.


5. The controller documents all breaches related to

personal data, including the facts about the breach in connection with

personal data, the consequences thereof and the corrective measures taken. That

documentation enables the supervisory authority to verify compliance with this Article










Article 34.1 GDPR Decision on the substance 05/2021 - 6/22




34.1 When the personal data breach is likely to pose a high risk

for the rights and freedoms of natural persons, the controller shares the

the data subject immediately notify the breach in connection with personal data.






    3. Justification

    3.1 Defenses and analysis of the Dispute Chamber




The procedure followed



10. Respondent has responded to the intention to impose a fine. The response keeps

    among other things in that defendant is of the opinion that the rights of defense are

    violated by the Dispute Chamber. According to the defendant, the disputes chamber

    established infringements have little or no connection with the complainant's initial complaint.

    Respondent argues that the complainant merely stated in his complaint that this was the case

    violation of his privacy without specifying which violations were involved.

    Respondent considers that it was the task of the Disputes Chamber to legalize that complaint

    qualify and notify the defendant from the outset. Defendant argues that it is first

    was notified on 7 December 2020, i.e. through the intention to impose the fine

    of the specific infringements and has therefore not been able to defend itself effectively against

    the charge. Moreover, in the present case, according to the defendant, it was necessary for the

    Disputes Chamber would have arrested the Inspectorate. That did not happen and the Dispute Chamber


    has qualified the facts legally after the debates have closed, according to the defendant.



11. The Disputes Chamber generally wishes to draw attention to the fact that the submission

    of a complaint for the data subjects whose personal data are processed, uncomplicated

    should be. The complaints procedure as provided for in Article 77 GDPR and detailed in the WOG is

    intended as an alternative to recourse to a civil or administrative court. It

    The right to complain to the GBA must remain easy and accessible for citizens. For example, the

    For example, the legislator did not want parties to be always assisted by a lawyer. 2

    Article 60 of the WOG sets low requirements for the admissibility of a complaint. For receptive

    statement is only required that a complaint must be drawn up in one of the national languages, a

    should contain a statement of the facts as well as the necessary indications for identifying

    the processing to which it relates and must fall under the authority of the GBA.

    The article does not require the complaint to be an alleged violation of a legal provision

    must contain.



2
 See, for example, Management Plan 2021 of the GBA, p. 18. Decision on the merits 05/2021 - 7/22






12. The Disputes Chamber will therefore not verify the validity of the complaint

    whether the complainants in the complaint formally submitted to the GBA have the correct legal provision

    invoked in support of their request, but whether the facts involved are an infringement

    forms on one of the legal provisions with which the DPA must check compliance. The

    The Disputes Chamber also points out that monitoring compliance with the GDPR is the main task

    belongs to this body of a supervisor.



13. In an earlier decision, the Disputes Chamber considered as follows:




    Likewise, the complainants do not have to provide all the pertinent facts of the alleged infringement in their complaint

    to feed. The Disputes Chamber must be able to help them by asking specific questions about a

    to obtain a good understanding in fact and in law of the possible infringement of a fundamental right for which

    her attention is sought. The Disputes Chamber can also take into account any grievances

    be set out later by the complainant in conclusion, provided that it concerns facts or

    legal arguments related to the alleged infringement presented in the complaint, and with

    observance of the rights of the defense. "



    “During the procedure following the complaint, the Disputes Chamber therefore has the option to

    to change the legal classification of the facts presented to it, or to create new facts

    related to the complaint, without necessarily invoking the


    intervention of the Inspectorate, more specifically by asking questions to the parties or by

    to take into account new facts or qualifications invoked by conclusion, and this

    within the limits of the adversarial debate, namely to the extent that the parties have the opportunity

    have gotten to argue about these facts or legal qualifications in a manner that in

    is in accordance with the rights of the defense. If necessary, it is on the

    Litigation chamber to instigate this debate, either in its letter requesting conclusions in

    to be submitted on the basis of Article 98 of the WOG, or later in the context of a reopening of

    the debates. In this context, the fact that is taken into account does a new legal

    qualification invoked by the complainant does not prejudice the fairness of the proceedings

    and the equality of arms, a fortiori as the decisions of the Dispute Chamber

    are admissible for an appeal procedure at the Marktenhof. ” 3




14. The Disputes Chamber finds - unlike the respondent - that the respondent fully and

    has been able to defend against all alleged infringements and there has been no question of this

    new facts that became known afterwards that the defendant was unable to challenge



3 Decision 17/2020 of the Dispute Chamber
https://www.dataprotectionautoriteit.be/publications/beslissing-ten-gronde-nr.-17-2020.pdf Decision on the merits 05/2021 - 8/22




    to defend. After all, the respondent has answered by means of the statement of defense submitted by it

    on 27 May 2020 we discussed in detail all (possible) violations and defended the

    complaint and charges. The respondent argued in its conclusion - in short -

    that all necessary technical and organizational measures and other precautions are taken

    they were affected in order to prevent invasion of privacy. According to the defendant

    therefore acted in accordance with Articles 5.1.f, 5.2, 24, 32, 33 and 34 GDPR. In addition

    respondent acknowledges that there has been a data breach. However, she has disputed that there

    of a data breach that is likely to be a high risk associated with the

    personal data and which had been reported to the Data Protection Authority

    (Article 33 GDPR). Another reason for not reporting was according to

    respondent that the Data Protection Authority is more likely in a similar case of a

    data breach in which a report was made, had not taken any further measures against

    defendant. 4




The content of the case



15. The complainant has been a customer of the defendant since 11 June 2015 and purchases (prepaid) mobile telephone services.

    The complainant's telephone number is for a period of four days, from 15 to 19

    September 2019, awarded to a third party with the complainant's SIM card deactivated.



16. During these proceedings, the Disputes Chamber has attempted to gain insight into the progress of

    the events leading to the attribution of the complainant's telephone number

    a third. From this decision it becomes clear that there are a few things about the actual course

    cannot be fully clarified. According to the defendant, the third is in one on September 11, 2019

    of the defendant's stores in order to transfer the complainant's prepaid subscription

    into a postpaid subscription (with accompanying smartphone device that after 24 months

    subscription is paid off). According to the respondent, both the telephone number and the

    SIM card number of the complainant provided by the third party. It changed from September 11th

    The complainant's subscription therefore changes from prepaid to postpaid. The third does have its own


    Identity information that linked it to the postpaid subscription

    so that all costs from then on were billed in the name of the third party. The third

    however, did not yet have a SIM card associated with the mobile number on 11 September

    of the complainant, so that the complainant could continue to use the services of the

    subscription. Four days later, on 15 September, the third party is again sent to the defendant

    been a Y-shop and asked for a new SIM card connected to the same mobile

    number. At that point, he was therefore given access to the complainant's mobile number and the




4
 see further marginal number [37]. Decision on the merits 05/2021 - 9/22




    the complainant's SIM card. The complainant had no more contact with the network from that on

    moment.



17. The complainant describes in his complaint that he has several telephone contact with the defendant

    and to have been in the defendant's shops in order to dispose again

    about his phone number. It was not until 19 September that the complainant could dispose of it again

    about his phone number.




18. At the request of the Disputes Chamber, the respondent gave an explanation about the

    standard procedure used in cases similar to these. Defendant argues -

    as already stated in conclusion - that in principle only the user of a mobile

    telephone number should know the associated SIM card number. It

    SIM card number is therefore used to verify that the applicant is the actual

    is the user of the telephone number that is given. The seller would therefore be in the store

    have requested and received both the telephone number and the SIM card number from the third party.

    The migration was then carried out and the third party therefore has its own identification data


    specified, according to defendant. The identification data of the third party was according to

    defendant checked by comparing the identity card data with the declared

    name, address and place of residence of the third party. These identity data were according to defendant

    however not compared with the identity details of the prepaid customer to whom the

    SIM card number and mobile phone number was allocated first, namely the complainant. Latter

    According to the defendant, control did not take place because identity data may not be used

    used for commercial applications based on the Electronic Communication Act and the

    Report to the King by Royal Decree implementing this Act. 6




19. Respondent finds it incomprehensible that the third party could find out the SIM card number.

    According to the defendant, the SIM card number can only be retrieved via the systems of

    defendant where it is stored or if these have been notified by the complainant himself. In order

    to obtain both the telephone number and the SIM card number would be the third - according to

    defendant - either had the cooperation of the complainant or that of a Y employee.








5
 Article 127 in conjunction with Article 126 § 2.7 ° Law on electronic communications of 13 June 2005, entered into force
June 30, 2005.
 Report to the King by Royal Decree of 27 November 2016 on the identification of the end user of
mobile public electronic communications services provided on the basis of a prepaid card, BS 7
December 2016. Decision on the merits 05/2021 - 10/22



20. During the hearing, the respondent indicated that entering the

    SIM card number by the employee of a Y shop a mandatory field (“mandatory”) is a

    migration from prepaid to postpaid. The employee must therefore provide the data for this

    field to be requested from the customer and effectively completed to form the contract for the postpaid paid


    to be able to take out a subscription, according to the defendant. The employee of a Y-shop can according to

    the respondent also does not query prepaid databases to retrieve the SIM card number

    questions based on the mobile number. According to the respondent, the employee could do it

    SIM card number - if the third party would not have provided this itself - only have it obtained

    by calling other Y employees to request this. The chance that an employee will use the

    third would have helped defendant, however, small, especially because the employee there

    could not get a commission for it. In addition, the defendant states that in the days and

    hours around the migration application no consultation of the data of the

    complainant.



21. On the basis of the defendant's statement that the store employees obligated it

    SIM card number must be requested from the customer and entered to perform a migration

    bring about from prepaid to postpaid, and there is no option for the employee to

    requesting the SIM card number in the database on the basis of the mobile number, the

    the question arises how the third party obtained the combination mobile phone number - SIM card number.



22. To the question of the Disputes Chamber during the hearing whether this may have occurred

    of a problem of confidentiality of data at the level or in the systems of Y -

    for example, through unauthorized access to the online customer portal causing the

    SIM card number could be obtained - the defendant replied in the negative. On

    the customer portal of Y (both via the web browser and the mobile application) is according to

    defendant does not state a SIM card number. In addition, defendant indicates at the hearing

    know that no reports have been received by defendant from other customers regarding

    possible instances of unauthorized access to their SIM card number.



23. According to the defendant, another scenario is that the third party has malicious fraud

    committed by some (unknown) way to the combination of telephone and

    SIM card number of the complainant. However, the Disputes Chamber finds that the third is

    has given your own name, address and place of residence, which means that all invoices from 11 September

    ended up with him (and the complainant between 11 and 15 September even in principle at the expense of

    the third could use the services of Y). This makes fraud on the part of the third party

    less likely. During the hearing, the respondent argues that the third party does

    had passed on his own personal data to the defendant, but that does not alter that

    could still be a case of fraud. According to the defendant, the third received Decision on the merits 05/2021 - 11/22




    a mobile telephone when taking out the postpaid subscription. The principle is

    that after paying two years of subscription costs the device would also have been paid off. According to

    defendant has given the third party the invoices that were charged for the postpaid

    subscription never paid. Respondent indicates that it has started proceedings against the

    third for not paying the invoices. The Disputes Chamber understands this scenario, however


    not why it was necessary for the third party to take over the complainant's telephone number. It

    In this case, the smartphone device could also easily be obtained by a postpaid

    apply for a subscription with a new mobile number.



24. The Disputes Chamber considers this fraud hypothesis with the intention of using a smartphone

    obtaining by taking over the complainant's mobile number in this case is therefore quite unlikely,

    all the more now that the third party provided its own personal data and entered into an agreement for it


    mobile subscription. This means that from September 11, the costs are also ahead

    bill came.



25. Respondent stated both at the conclusion and during the hearing that it was not

    it was possible to identify the third party and that of the holder of the number associated with it

    compare the prepaid subscription. As the cause of this, respondent points to the

    prohibitions imposed by Article 127 of the Electronic Communication Act and the

    executive Royal Decree. The executive order contains further rules regarding identification

                                                                     8
    of the end users of prepaid (prepaid) cards. According to the defendant, the

    law and the decrees that identification data may not be used for commercial purposes

    purposes. The respondent states that: “Due to the strict application of the above

    Legislation allows employees in the concluent's points of sale when requesting the

    migration from a prepaid to a postpaid subscription just the phone number and the

    SIM card number. "



26. The part of the preamble to the Royal Decree quoted by the defendant reads: “The


    operators and the providers referred to in Article 126, § 1, first paragraph, may therefore use the

    identification data collected under Article 127 of the ECA and becoming

    retained under Article 126 ECA do not use for commercial purposes ……. ”. The

    The Dispute Chamber points out that the aforementioned article, however, is continued as follows: “but they

    may collect and store identification data of users of prepaid cards

    for commercial purposes in accordance with Article 122 (applicable when a




7 Law on electronic communications of 13 June 2005, entered into force on 30 June 2005 and implementing
Royal Decree
8
 Royal Decree of November 27, 2016 on the identification of the end user of mobile public
electronic communications services that are provided on the basis of a prepaid card, BS December 7, 2016. Decision on the substance 05/2021 - 12/22




    invoice is sent) or the general legislation on the protection of the personal

    privacy. "



27. During the hearing, the respondent, when asked, regarding the aforementioned Article 127 EC,

    read in conjunction with the executive Royal Decree and the Report to the King accompanying that

    decision, indicated that the provision has given rise to all telecom operators

    discussion, namely whether the article should be read strictly or not. Defendant interprets it

    section of the law strictly. Since the present case would concern the sale of subscriptions, this becomes

    considered a commercial objective by the defendant.




28. The defendant's assertion that the performance of an identity check (i.e. in this case the

    comparing the identity data of the complainant and the third party) in the context of a conversion

    from prepaid to a postpaid subscription, was not allowed to take place because of the legal

    The Disputes Chamber does not consider the prohibition of use for commercial purposes to be correct.



29. The Disputes Chamber asks whether this is indeed a commercial purpose,

    given the use of the identity data of a prepaid customer in this case only the occurrence

    would be aimed at abuse by someone who might present himself incorrectly in a Y shop

    as the user of the telephone number associated with a prepaid card. It

    The purpose is therefore to prevent the wrongful copying of a telephone number from a

    prepaid customer by a third party, which would also give him access to his mobile traffic and


    possibly also other services linked to the telephone number (see further below) with so

    access to his personal data. Therefore, the respondent had the data of the third and the

    must unambiguously compare data of the complainant known to him (and therefore

    not just based on a SIM card number which is anything but a strong means of authentication).

    After all, this is a legitimate purpose, namely the detection of possible

    fraud with telephone numbers which can have enormous consequences for those involved.



30. The Disputes Chamber also refers to the Report to the King to the Executive Royal

    Decision. The report states: “It is not the intention of the legislator here

    has been to impose a blanket ban on identity verification but strict

    subject to regulations in order to ensure a good level of protection of personal data


    can guarantee. ” By not carrying out an inspection, the defendant is, according to the Disputes Chamber

    also ignored the will of the legislator, namely to offer a good

    level of protection of personal data to data subjects. In a case like this, the -




9 Report to the King by Royal Decree of 27 November 2016 on the identification of the end user of
mobile public electronic communications services provided on the basis of a prepaid card, BS 7
December 2016. Decision on the merits 05/2021 - 13/22



    limited - processing of personal data to verify identity precisely allows misuse

    of personal data.



31. The Disputes Chamber is of the opinion that the respondent in the present case could simply have checked whether the


    data on the identity card of the third party (after verification of the photo on the identity card)

    corresponded with the known data of the holder of the telephone number of the advance

    paid card. After all, the defendant had access to the identity card of the third party

    has failed to compare the personal data with that of the holder of the mobile number,

    in the present case, the complainant. By performing a verification, it would turn out to be two

    several persons went. Defendant has failed to make such little effort

    required verification, while the defendant as a telecom operator had to be aware

    of the tremendous consequences that such negligence could entail.

    The Disputes Chamber considers this negligence disproportionate.





32. Respondent added the Safety Working Method in its statement of defense. This internal

    piece for employees describes how personal data should be handled

    of customers and provides guidelines for the confidentiality of the data within the organization

    of the defendant.



33. Several points in the working method indicate that a full

    identity check (name, first name, telephone number, if there is one; customer number, date of birth,

    identity card number, address, amount of the last invoice and where and when the activation

    is requested) is required for “Any questions in light of contract change, such as; change

    of the tariff plan, change of address, P2P, PPP, activation or deactivation of a service, question

    for a copy of an invoice and ask for confidential information ”.



34. In the present case, the third party who (later) obtained the complainant's telephone number requested the

    conversion of his prepaid card to a postpaid subscription. He therefore asked for activation

    of a new service. This means that the defendant also had according to its own working method

    must ask for additional information with the aim of establishing the identity of the

    person in question. By failing to establish the identity of the third party with certainty,

    the respondent acted culpably negligently according to the Dispute Chamber.



35. Respondent argues that the infringement had very limited consequences for the complainant. The third

    According to the defendant, the person could not have access to the profiles of the complainant on several

    platforms such as WhatsApp and Paypal because those platforms use the two-step verification

    in order to be able to log in or register on their profiles. According to the complainant, the third had Decision on the merits 05/2021 - 14/22




    furthermore, no access to all communications the complainant had in the past

    occurred. Therefore, according to the defendant, there is no infringement in any way

    of the complainant's privacy. There are only practical inconveniences that the complainant would have

    have experienced.



36. In this context, the Disputes Chamber points out that - unlike the defendant

    claimed - for the use of, for example, the WhatsApp application in principle that is sufficient

    someone has the phone number. The two-step verification that according to the defendant serves

    must be explicitly activated via the WhatsApp settings and is not enabled

    default on. The standard security setting is therefore that only the telephone number is sufficient

    to take over the use of the Whatsapp application. The user executes it

    telephone number through which he wishes to use the communication via the application, then

    an SMS message will be sent to that number. After the code contained in the text message

    is entered, communication can take place directly via WhatsApp. There is - if the


    two-step verification has not been activated - so nothing is needed other than access to the mobile

    phone number to which the verification code will be sent.



37. Moreover, by having a telephone number, there is a considerable chance that

    access to various types of personal data can be obtained. Various

    remind authorities - such as hospitals - of appointments through the

    sending SMS messages. In addition, it converts a phone number to one

    others leave the door wide open for fraud and scams (for example, because there are

    potential conversations and messages can be conducted on behalf of the injured party or

    sent. The Disputes Chamber therefore disagrees with the defendant's assertion that there is no

    there would be a breach of privacy in any way.



38. The Court of Justice emphasized the importance of telecom data in the following terms

    in its judgment in Digital Rights Ireland of 8 April 2014: “From these data, in their entirety

    considered, very precise conclusions can be drawn about the private life of the


    persons whose data is retained, such as their daily habits, their permanent

    or temporary residence, their daily or other movements, the activities they
                                                                                10
    exercise, their social relationships and the social circles in which they find themselves. ” Notwithstanding the

    third in the present case may not have had access to all the information referred to in the judgment, is the

    The litigation chamber believes that by having the complainant's phone number

    there is a significant risk of violation of his privacy rights.




10 Court of Justice of the EU, Digital Rights Ireland and Seitlinger and others, Joined cases C-293/12 and C-594/12, ECLI: EU: C: 2014: 238,
r.o. 27. Decision on the merits 05/2021 - 15/22






39. Article 33 (1) of the GDPR states: “If there is a personal data breach

    occurred, the controller shall notify it without unreasonable delay and,

    if possible, no later than 72 hours after becoming aware of it, to the corresponding

    Article 55 competent supervisory authority, unless the infringement is unlikely to occur in

    connection with personal data poses a risk to the rights and freedoms of natural

    persons. If the notification to the supervisory authority is not made within 72 hours,


    it shall be accompanied by a justification for the delay. "



40. The respondent argues in its conclusions that there was no obligation to report the data leak

    to the Data Protection Authority. According to the defendant, the reason for this is the fact

    that the data leak concerned one data subject, it was of very short duration and according to the defendant

    no sensitive data was involved. The Disputes Chamber points out the above

    to the above consideration, namely that it can be considered plausible that there are

    for example SMS messages are received which would contain special personal data

    can contain.




41. In assessing whether an infringement poses a likely high risk to the

    rights and freedoms of natural persons according to the Guidelines of the Working Party 29

    to be taken into account the answer to whether the infringement can lead to

    physical, material or immaterial damage to the persons whose data is the subject of

    the offense. Examples of such damage are discrimination, identity theft or fraud,

    financial loss and reputation damage. 11 By assigning the complainant's telephone number to

    a third, the complainant is exposed to the risk of performing fraudulent acts

    under his name, using his telephone number. Also exists - other than


    defendant seems to argue - a risk that sensitive data (such as health data) in

    hands come from third parties. Respondent argues that there was no duty to report for her, under

    others because it concerns a data breach of only one person. The Dispute Chamber

    points out, however, that a breach can have serious consequences even for one person, entirely

    depending on the nature of the personal data and the context in which they are

    compromised. Again, it comes down to looking at the likelihood and severity of this

    the consequences. 12 Moreover, according to the Disputes Chamber, this concerns a risk of structural nature

    nature where potentially all prepaid card users could be exposed. It's possible

    It cannot be ruled out that there are other cases of which the Disputes Chamber is not aware


    is hit.



11
   Guidelines for reporting personal data breaches under Regulation 2016/679,
wp250rev.01, Workgroup 29, p. 26.
12 Idem, p. 30 Decision on the merits 05/2021 - 16/22






42. Respondent submits an earlier notification dated 11 March 2019 to the Data Protection Authority
                                           13
    of a similar data leak about. It is also stated that another reason for the in

    In this case no mention of the leak was the following: “The Data Protection Authority

    has not followed up this file any further, which shows the limited importance that the

    Data Protection Authority indicates such (small) data leak. For that reason

    the suspicion of the conclusion that there would be no obligation to report in the present case has been confirmed. "

    The Disputes Chamber hereby points to the accountability of the defendant that arises from

    Article 5.2 and Article 24 GDPR where it is up to the defendant to demonstrate that they also

    acts in accordance with article 5.1. f GDPR namely: ”by taking appropriate technical or

    organizational measures are processed in such a way that an appropriate

    their security is ensured, including protection against unauthorized or

    unlawful processing and against accidental loss, destruction or damage (“integrity

    and confidentiality ”).” The allegation that a previous report was not addressed by the


    Data protection authority does not affect the accountability obligation.



43. The Disputes Chamber points out once again that accountability under the articles

    5 (2), Art.24 and Art.32 GDPR implies that the controller the

    takes the necessary technical and organizational measures to ensure that the

    processing is in accordance with the GDPR. The foregoing obligation is part of it

    properly fulfilling the responsibility of the defendant under Article 5 (2), 24 and 32

    AVG. The Disputes Chamber points out that the accountability of article 5 paragraph 2 and article 24

    GDPR is one of the central pillars of the GDPR. This means that on the

    controller has the obligation to, on the one hand, take proactive

    measures to ensure compliance with the requirements of the GDPR and, on the other hand,

    being able to demonstrate that he has taken such measures.



44. The Working Party 29 has indicated in the Opinion on the “principle of accountability”

    that two aspects are important in the interpretation of this principle:


        (i) “the need for a controller to provide appropriate and

                take effective action to enforce the principles for

                implement data protection; and

        (ii) the need to be able to demonstrate upon request that appropriate and effective

                measures have been taken. The controller should therefore
                                                              14
                provide evidence of (i) above ”.




13 As document 5 to her conclusions.
14 Opinion 3/2010 on the “accountability principle” adopted on July 13, 2010 by the Group 29, p. 10 - 14

https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf. Decision on the merits 05/2021 - 17/22




45. The Disputes Chamber is of the opinion that the respondent has not succeeded in the present case

    Demonstrate that proactive measures have been taken to ensure compliance with the GDPR. The

    defendant's employees first of all failed to carry out a verification between the

    identities of the third party and that of the complainant and Y subsequently failed to resolve the data breach

    to report to the Data Protection Authority. Respondent has not submitted any documents

    from which it appears that the documentation obligation imposed on the defendant has been met. The only

    document submitted by defendant regarding a data breach was a report

    dating from another data breach by the defendant to the data protection authority

    the year 2019. From the documents in the file, which was put forward at the hearing and the

    The fact that defendant has not submitted documentation of the data breach proves defendant

    nor does it meet the obligation of article 33, paragraph 5, which states that:



        “The controller documents all breaches related to

        personal data, including the facts about the breach in connection with


        personal data, the consequences thereof and the corrective measures taken. That

        documentation enables the supervisory authority to verify compliance with this Article

        to check."



46. The Disputes Chamber pointed out earlier in decision 2020/22 that: “accountability

    applied to data breaches means that it relates to a controller

    It is not only the obligation to these data leaks, if necessary, accordingly

    Articles 33 and 34 GDPR to report to the supervisory authority and the data subjects, however

    whereas the latter must also be able to demonstrate at all times that he has taken the necessary measures

    taken to be able to comply with this obligation ”15 The Disputes Chamber is of the opinion that

    this cannot be demonstrated in the present case.



47. In a non-exhaustive list that data controllers can contact in order to comply with the

    The Group 29 refers to, inter alia, the

    next measures to be taken: the implementation and supervision of


    control procedures to ensure that all measures exist not only on paper but

    also be implemented and function in practice, establishing internal

    procedures, the drawing up of a written and binding policy

    data protection, developing internal procedures for effective management and

    reporting security breaches.








15
  Decision 22/2020 of 8 May 2020 of the Disputes Chamber, p. 12 Decision on the merits 05/2021 - 18/22




48. The Disputes Chamber also points to a form that is enclosed with the claim and in which

    A similar data breach was reported, namely the phone number of a

    customer who switched to another operator This phone number was incorrectly as

    seen freely and assigned to a new customer. In the form the respondent has the question “What

    is the degree or severity of the data breach for data subjects

    assessing the risks to the rights and freedoms of data subjects? ”, please note

    answered with “critical” data breach. According to the Disputes Chamber, this clearly shows that

    Respondent understands the seriousness of such a data breach.



49. The Disputes Chamber therefore finds violations of Article 33, paragraphs 1 and 5, and 34, paragraphs 1 and 2,

    AVG. The Dispute Chamber points out that there is a

    is obliged to document any data breach, whether risky or not, in order to

    to be able to provide information to the GBA. After all, the processing of personal data is

    a core activity of the defendant. In addition, personal data can be of great importance

    have sensitivity to those involved, in part because they are regular and systematic

    make observation possible. 16 The complainant had also informed in accordance with Article 34.1

    should be the data breach. Notwithstanding the fact that complainant has already been informed

    was of the data leak by calling his own number, the defendant had said

    of these as yet and without delay, in accordance with the requirements of article 34 paragraph 2. The aforementioned article

    namely that the communication; the nature of the breach; the contact details of the

    data protection officer or other contact point where more information can be obtained

    are obtained and the measures proposed by the controller or

    genomes.




50. The Disputes Chamber concludes from the non-submission of a notice in the sense of

    Article 34 GDPR reasonably declines by the respondent that this is not a communication to the complainant

    done. The defendant therefore failed to inform the complainant after he became aware himself

    by means of a notification in accordance with article 34 paragraph 2 of the allocation of

    the telephone number to a third party. The Disputes Chamber rejects the defendant's argument

    that a notification to the person concerned was not necessary in this case as it would not be a

    high risk. In this context, the Disputes Chamber refers to the following example in the recent

    published “Guideline on Examples regarding Data Breach Notification” from the EDPB in which

    the contact center of a telecommunications company is called by a person who says one

    be a customer and request that his email address be changed to allow the accounts

    will be sent to that new email address from now on. The caller gives the correct one

    personal data of the customer, after which the invoices from now on to the new email address




16
  Decision 18/2020 of April 28, 2020 of the Disputes Chamber Decision on the merits 05/2021 - 19/22




    are sent. When the actual customer calls the company to ask why he isn't

    receives more invoices, the company realizes that the invoices are being sent to another person.



51. The EDPB considers the following regarding the above example:



    This case serves as an example on the importance of prior measures. The breach, from a risk

    aspect, presents a high level of risk, as billing data can give information about the data subjects

    private life (e.g. habits, contacts) and could lead to material damage (e.g. stalking, risk to

    physical integrity). The personal data obtained during this attack can also be used in order to


    facilitate account takeover in this organization or exploit further authentication measures in

    other organizations. Considering these risks, the “appropriate” authentication measure should

    meet a high bar, depending on what personal data can be processed as a result of

    authentication.



    As a result, both a notification to the SA and a communication to the data subject are needed

    from the controller. The prior client validation process is clearly to be refined in light of this case.

    The methods used for authentication were not sufficient. The malicious party was able to

    pretend to be the intended user by the use of publicly available information and information that

    they otherwise had access to. The use of this type of static knowledge-based authentication

    (where the answer does not change, and where the information is not “secret” such as would be

    the case with a password) is not recommended. ” 17




52. Reporting of breaches should be seen as a way of ensuring compliance

    on the protection of personal data. When there is an infringement in connection

    with personal data takes place or has taken place, this can lead to material or

    immaterial damage to natural persons or any other economic, physical or social

    damage to the person concerned. Therefore, the controller must, as soon as he

    becomes aware of a breach of personal data with a risk to rights

    and freedoms of data subjects, the supervisory authority without undue delay and,

    if possible, notify the breach within 72 hours. This allows the

    supervisory authority to exercise its duties and powers, as set out in the GDPR

    properly.






    4. Breaches of the GDPR





17EDPB Guideline on Examples regarding Data Breach Notification, 01/2021, p. 30
Underline by the Dispute Chamber Decision on the merits 05/2021 - 20/22




53. The Disputes Chamber considers that the defendant has infringed the following provisions:

        a. Articles 5.1.f, 5.2, 24 and 32 GDPR,; given defendant insufficient

            took precautions to prevent the data breach

        b. Articles 33.1 and 33.5 and 34.1 GDPR, given that defendant did not mention it

            data breach to the GBA and the data subject.


54. The Disputes Chamber considers it appropriate to impose an administrative fine in the amount

    of 25,000 euros (Article 83, paragraph 2 GDPR; Article 100, §1, 13 ° WOG and Article 101 WOG).


                                                                18
55. Taking into account article 83 GDPR and the case law of the Marktenhof, the

    Disputes Chamber imposing an administrative fine in concrete terms:



    a) The seriousness of the breach: the Disputes Chamber has determined that the data leak was, among other things, too

        due to negligence on the part of the defendant. In addition, defendant

        failed to report the leak to the Data Protection Authority and both by conclusion

        if it was indicated during the hearing that in this case there is no

        likely high risk to the rights and obligations of the complainant resulting in no

        Reporting obligation would exist for the defendant. The fact that in this case it concerns telecom data

        from which precise information about a person's private life can be derived

        as well as the potential risk of committing fraudulent acts in their name

        person make a serious infringement.



    b) Duration of the infringement: the infringement lasted for four days, which is a considerable time frame

        is in the light of the potential hazard identified above.



    c) The fine to be imposed and the order to reconcile the processing are


        according to the Dispute Chamber such a deterrent to such violations in the

        future.




56. The Disputes Chamber points out that the other criteria of art. 83.2. In this case, GDPR is not in nature

    are that they lead to a different administrative fine than that which the Disputes Chamber enters

    the framework of this decision.



57. In its response to the intention to impose a fine, the defendant has objected

    against the amount of the intended fine. This file is according to the Dispute Chamber

    however, it appeared that there was negligence and negligence to protect

    personal data of the person concerned. After all, the processing of personal data makes one


18
  Brussels Court of Appeal (section Marktenhof), X t. GBA, Judgment 2020/1471 of 19 February 2020. Decision on the merits 05/2021 - 21/22




    core activity of the defendant, so it is of overriding importance that the

    personal data is processed in accordance with the GDPR.



58. The facts, circumstances and infringements established therefore justify a fine

    meets the need to have a sufficiently deterrent effect, whereby the

    defendant are sanctioned sufficiently strongly to prevent practices involving such violations

    would not be repeated.



59. Considering the importance of transparency with regard to the decision-making of the

    Disputes Chamber, this decision will be published on the website of

    the Data Protection Authority. However, it is not necessary for the

    identification data of the parties are disclosed directly.



60. In its response to the proposed fine, the defendant requested that the decision not be upheld


    publishing, even in anonymous form. The Disputes Chamber rejected this request, with

    reference to the memorandum published on the GBA website about the publication of

    decisions, in which it is stated that: “The Dispute Chamber is based on the principle that all its

    decisions, with few exceptions, are published on its website, with a view to
                                                                                                19
    the overall goal of transparency, but also visibility and accountability. ”



















FOR THESE REASONS,


the Disputes Chamber of the Data Protection Authority decides, after deliberation,

to the defendants:



    - Pursuant to Article 100, §1, 9 ° WOG, to order processing in accordance

        with Articles 5.1.f, 5.2, 24 and 32 GDPR, in particular the policy on

        regarding the identification and verification of prepaid customers in accordance with the

        AVG is brought. The Disputes Chamber gives the defendant a period of three for this



19 https://www.gegevensbeschermingsautoriteit.be/publications/beleid-van-de-geschillenkamer-inzake-de-publicatie-van-de-

decisions.pdf Decision on the merits 05/2021 - 22/22



        months and the Disputes Chamber expects the defendant to report it within

        the same period for bringing the processing into line with

        aforementioned provisions.




    - an administrative fine on the basis of Article 83 GDPR and Articles 100, 13 ° and 101 WOG

        of EUR 25,000 to be imposed on the defendants for infringements of the articles

        5.1.f, 5.2, 24, 32, 33.1 and 5, 34.1 GDPR.



Against this decision on the basis of art. 108, §1 WOG, appeals are lodged within one


term of thirty days, from the notification, at the Marktenhof, with the

Data protection authority as defendant







(get.) Hielke Hijmans

Chairman of the Disputes Chamber