APD/GBA (Belgium) - 33/2020
From GDPRhub
| APD/GBA - 33/2020 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5 GDPR Article 5(1)(c) GDPR Article 6(1) GDPR Article 12(1) GDPR Article 12(3) GDPR Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 19.06.2020 |
| Published: | |
| Fine: | 10000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 33/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch Dutch |
| Original Source: | Belgian APD/GBA (in NL) Belgian APD/GBA Litigation Chamber (in NL) |
| Initial Contributor: | n/a |
The APD/GBA (Belgian DPA) fined a controller 10,000 EUR for continuing to send a complainant marketing emails after he requested they stop, and for failing to fulfil the complaint's right to access information about the processing by the controller.
English Summary
Facts
The complainant received a marketing email from the defendant. The complainant replied, asking where the defendant had got his email address, and the legal basis for sending him the email. The defendant responded by requesting the complainant's date of birth and address, and for the complainant to forward on the email in question on the basis that they would not be able to comply with his original request otherwise. The same day the complainant forwarded on the email address.
After 30 days, the complainant had still received no reply from the defendant, but in the meantime the complainant had received other marketing emails from the defendant. The defendant contended that these emails were the result of a manual error.
Dispute
Was there a lawful basis for the processing of the complainant's email address by the defendant under Article 6(1) GDPR?
Did the controller infringe the data minimisation principle under Article 5(1)(c) GDPR?
Did the controller commit a breach of Article 12(3) GDPR?
Did the controller fail to uphold its responsibilities under Article 24 GDPR?
Holding
No lawful basis for processing: The APD/GBA held that no lawful basis for processing the complainant's email address applied. The APD/GBA relied on the defendant's arguments that the processing was a manual error to ground its decision, in particular deciding that a manual error as the reason for processing does not negate the responsibility of the controller.
Infringement of Articles 5(1)(c) and 5(1)(d): The Belgian DPA held that the continued use of the incorrect email address by the defendant violated both Articles 5(1)(c) and 5(1)(d) (the data accuracy principle). The DPA noted that the complainant had brought the potentially unlawful processing to the defendant's attention immediately in the complainant's first email, but over two weeks later the defendant had failed to take any reasonable measures to ensure more limited and accurate processing.
Breach of Articles 12(3): The DPA held that the controller had breached Article 12(3) by failing to provide information pursuant to an Article 15 access request within one month of receiving such a request (the DPA considered the complainant's first email to constitute such a request). The DPA emphasised that the controller's failure to reply to any of the complainant's interim emails only underscored their failure to act "without delay", stating in paragraph 45 of the decision that "the absence of any response from the defendant to the last three reports from the complainant is particularly striking." The DPA also held that Article 12(1) puts the onus on the controller to take measures to provide a data subject with sufficient information. Despite this, the DPA did note that Article 12(6) did permit the controller to ask for the additional information in their email responding to the complainant's initial email.
Failure to comply with Article 24 GDPR: The Belgian DPA concluded that in light of the technical errors and the failure to act to resolve them, the controller also failed to comply with their responsibilities as a controller to implement appropriate technical and organisational measures that would ensure GDPR compliant processing.
The DPA decided to issue an administrative fine of 10,000 EUR, on the following bases:
-the inadequate response to the requests for the exercise of the complainant's rights by the controller,
-the limited nature of the infringement, as it only affected one data subject,
-the fact that the processing eventually stopped,
-the duration of the infringement, which was longer than if the defendant had taken adequate technical and organisational measures to stop the unflawful processing.
The DPA acknowledged that the fine was of a relatively low level in relation to the controller's annual turnover, but made clear that this would not prevent them from imposing higher fines on "controllers of a similar economic size in a different factual context."
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Litigation Chamber Decision on the merits 33/2020 of 19 June 2020 File number : DOS-2019-05200 Subject : Complaint about the unlawful and incorrect processing of personal data and breaches in the exercise of the rights of the person concerned The Disputes Chamber of the Data Protection Authority, composed of Mr. HielkeHijmans, chairman and Mr. Jelle Stassijns and Mr. Christophe Boeraeve, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter AVG; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG; Having regard to the internal rules of procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Having regard to the documents in the file has adopted the following decision concerning: - Mr. X, hereinafter 'the complainant', and -Y, hereinafter 'the defendant’. On 19 August 2019, the complainant sent an e-mail to the defendant's data protection officer. He writes the following: "Dear,I am not a customer of [defendant], yet today I received an email from you about a workshop you are offering. Therefore, I am wondering the following. -Where did you get my email address and from which party did you get it? -On what legal basis do you send this email to me? -On 26 August 2019, the (...) defendant will answer the following: "Dear [complainant], In order to be able to comply with your request, we ask you to provide us with your address and date of birth. We have established that there are several people with the same name in our database. In addition, we also ask you to forward the e-mail referred to in your message so that we have an idea which e-mail it concerns. Thank you in advance [...]" 4. On the same date, the plaintiff will provide the defendant with his current and former postal address and date of birth by e-mail. That same day, on 26 August 2019, (...) the defendant replied as follows: "Dear, in order to ensure that the correct information is passed on to the correct person concerned, it is permitted to request additional parameters. These additional elements are only requested for the purpose of dealing with the question in question, but are not kept in an internal system. Unfortunately, based on this information, no link can be made to a person in our database. Finally, the e-mail message itself can be verified, to see if it is indeed an e-mail from [defendant] and not a phishing message. Could you therefore forward us the mail in question? Thank you in advance [...]” 6. On the same day, 26 August 2019, the complainant forwards the e-mail message that gave rise to this complaint to the defendant, as requested by the latter. This forwarded e-mail message bears the title 'W' and was sent by the defendant to the complainant on 19 August. On 12 September 2019, the complainant received a new commercial e-mail message from the defendant entitled 'W'8. On 13 September 2019, the complainant again sent an e-mail to the defendant. On 13 September 2019, the Complainant will again send an e-mail to the Respondent entitled "W "8. On 12 September 2019, the Complainant will again send an e-mail to the Respondent entitled "W "8. On 12 September 2019, the Complainant will again send an e-mail to the Respondent entitled "W "8. On 13 September 2019, the Complainant will send a new commercial e-mail to the Respondent. In addition, the complainant writes the following: "Dear,On August 19th I already sent an e-mail regarding the advertising I receive from you, to date I still have not received a clear answer about this. In short, I have the following questions: What basis according to the [AVG] do you use to send me these mails? Direct marketing (what these mails are) is allowed according to the [AVG] with the basis justified interest. (opinion of the data protection authority)There should always be a balance of interests [in case of] justified interest. It seems to me as if this has not [happened], because I am not an SME or self-employed person so I could have no interest in receiving these mails. Another track could be documented consent. Also this track seems to me to be very punishable, I don't appear in your system (do receive mails from you). Under the GDPR-legislation it is not so obvious to buy and use personal data (my mail address). I would therefore like to be informed how you acquired my personal data, how they are secured, etc. What data do you have from me? Within the framework of my right to information, I would like to know what data you still have from me. On 20 September 2019, the complainant will once again send an e-mail to the data protection officer of the defendant: "Dear, A little more than 30 days ago, I asked for more information via e-mail regarding the processing of my personal data. Unfortunately I have not yet received an answer to my question. Now I seem to remember that the data controller has 30 days to respond to a request, there is the possibility of an extension of 30 days if the data subject is informed and there is a good reason. This is currently not the case. On 10 October 2019, the complainant lodges a complaint with the Data Protection Authority, stating the facts outlined above and further stating: 'Subsequently, all communication on the part of [the defendant] will cease. On 10 October 2019, the complainant submits a complaint to the Data Protection Authority. 10 On 10 October 2019, the complaint states the facts described above and also states: 'Subsequently, all communication on the part of [the defendant] will cease. Procedure 12.On 29 October 2019, the First-line Service of the Data Protection Authority declares the complaint admissible and passes it on to the Disputes Chamber. 13.On 7 November 2019, the Disputes Settlement Chamber will send a request to the complainant regarding the submission of additional documentary evidence that he states in his complaint. On 28 November 2019, the complainant and the defendant are informed that a file is pending of which the Disputes Division has decided that it is ready to deal with the merits in accordance with Article 98 j° 95, §2 of the WOG. The complainant and the defendant are invited to submit their arguments and defences within the time limits set by the Disputes Chamber. 15.On 6 January 2020, the defendant submits its conclusion. 16.The defendant first of all points out that the e-mail messages were indeed not intended for the complainant, but for another person with the same first name and surname. The defendant appoints the person as 'the Intended Recipient'.17. The defendant goes on to state that it requested the additional personal data, in particular the postal address and date of birth of the complainant, from the complainant by e-mail on 26 August 2019 for identification purposes, 'in view of the existence of homonyms, and in order to be able to identify the e-mail message in question'. 18: "After verification, it appeared that the Complainant did not appear in [defendant's] database and was therefore unknown to [defendant]. This was confirmed to the Complainant by e-mail on 26 August 2019. On 13 September, the Complainant sent a new list of questions [...] and [the defendant] adjusted the scope of its investigation to be able to provide an answer to these questions as well. " 19. It sets out the findings of that analysis as follows. 19. In its conclusion, the defendant has been able to complete the "analysis" of the situation as follows: "i) the e-mail message received by the Complainant is the V E-mail intended for the Intended Recipient; ii) the sheet of the Intended Recipient contained an e-mail address [...] which, on the basis of the e-mail exchanges with the Complainant, appears to be the e-mail address of the Complainant (and not of the Intended Recipient); iii) there was a human error at the origin of this error; iv) this error was not yet discovered at the time of sending the V E-mail. In order to avoid that the Complainant's e-mail address would be used in the future, [the defendant] amended the Intended Recipient's sheet. " 20. The defendant states that it respected Articles 12 and 14 AVG in its communication with the Complainant, as it checked the identity of the Complainant within one week and confirmed to the Complainant that he was not in the defendant's database. As regards the lack of answers to the complainant's other questions, and the information and communication about further actions, the defendant submits that: 'The additional investigation into the origin of the presence of the complainant's e-mail address in the Intended Recipient's sheet appeared to be a more complex analysis. As a result, the investigation was not completed at the time the Complainant filed the complaint. However, [the defendant] now believes that it has provided the necessary information and has taken the appropriate measures to prevent this e-mail address from being processed again by mistake. " 21. The defendant asks for the extradition, given that "the processing of the Complainant's e-mail address was the result of a manual error" and that the processing of personal data was "purely accidental". The defendant also stresses that it removed the e-mail address from its systems 'after an investigation'. The defendant does not specify when it took this action. In minor order, the defendant requests the suspension of the judgment. According to her, other measures or sanctions would be 'disproportionate'. 22. If the Dispute Settlement Chamber decides to publish its decision, the defendant asks for the decision to be rendered anonymous. 23. On 4 February 2020, the defendant confirmed the content of its first conclusion. 25. In order to enable the defendant to defend itself on the amount of the administrative fine proposed by the Conciliation Chamber, the Conciliation Chamber decided to list relevant infringements in its standard 'form against the proposed fine'. This 'fine form' was sent by e-mail to the defendant on 12 May 2020, stating that the defendant could respond regarding the special circumstances of the case, the proposed amount of the fine and the annual figures submitted.1 26.The defendant replied to the fine form by e-mail of 29 May 2020, with its arguments regarding the amount of the fine [...]. The defendant also points out that it is important that the decision be rendered completely anonymous upon possible publication and that elements which may lead to the identification of the defendant be omitted. The defendant claims that the identification of the defendant in the press could lead to damage to its reputation. 3. Reason 3.1.The principles governing the processing of personal data and the lawfulness of processing (Articles 5 and 6 of the AVG) 27. Article 5(1)(a) of the AVG states, inter alia, that personal data must be processed in a way that is lawful, adequate, transparent and accurate. Article 6 lays down the manner in which processing is lawfully carried out. a) The lawfulness of the processing and the responsibility of the controller 28. On 19 August, the complainant receives an e-mail message to promote a workshop for the self-employed and small businesses; this is a message that can be regarded as direct marketing.2 The subject of the e-mail is 'W'. The e-mail message is addressed to the complainant's individual e-mail address. Pursuant to Article 4(1) AVG, an e-mail address is personal data. The complainant states that he is not a customer of the defendant. 29.The Disputes Chamber considers the processing of the complainant's e-mail address by the defendant to be unlawful within the meaning of Article 6 of the AVG, and in particular relies on the defendant's own statements in this regard. It concerns the use of an erroneous e-mail address, which does not belong to the person whom the defendant wishes to write to. None of the conditions laid down in Article 6(1) of the AVG are met. According to the defendant, the processing is due to human error. The defendant's own analysis results in the following technical statement: 'The sheet of the Intended Recipient contained an e-mail address [...] which, on the basis of the e-mail exchanges with the Complainant, appears to be the e-mail address of the Complainant (and not of the Intended Recipient)' 30. The Disputes Chamber understands the defendant's argument that this was a manual error and that its purpose was never to process the personal data or to contact the complainant, especially since the defendant had no interest in contacting the complainant with a message addressed to independent entrepreneurs. The complainant does not belong to the target audience. Moreover, according to the defendant, in this case it appears to be a separate unlawful processing, following a manual error due to the existence of a person with the same surname and first name whose personal data the defendant does claim to be lawfully processed. 31. However, the Disputes Chamber points out that the 'manual error' at the origin of the problem in no way negates the responsibility of the data controller.3 This is equally the case when the data controller already has taken note of the fact that a processing operation does not comply with the legal provisions on the protection of personal data and yet - having established that the complainant does not appear in its systems - continues the processing, which is illustrated by the direct marketing message of 12 September 2019. 32.In this respect, the Disputes Settlement Chamber finds that such processing has negative consequences for the complainant concerned. The mere receipt of an e-mail message, which, moreover, is not intended for the addressee, can be experienced as disruptive and, consequently, as detrimental to a data subject.4 b) The accuracy of the processing of personal data 33. When on 26 August 2019 the defendant states that on the basis of the identifiers5 provided by the complainant 'no link' can be made with any person known to the defendant, and the complainant receives a similar message from the defendant more than two weeks later, this indicates that the defendant is not only (again) unlawfully processing the personal data of the complainant, but also an infringement of the principle relating to the accuracy of personal data pursuant to Article 5(1)(c) AVG. 34.Already on 16 August 2019, the day of receipt of the first e-mail message from the defendant to the complainant, the complainant makes it clear that the processing of the e-mail address may constitute unlawful processing. This is clear from the message and the questions that the complainant addressed to the defendant: "I am not a customer of [the defendant], yet I received an e-mail today [...]-Where did you get my e-mail address today and from which party did you get it?- On what legal basis did you send this e-mail to me? In addition, reference may be made to Article 5(1)(d) of the AVG: 'Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are promptly erased or rectified (...)' 36. The fact that the defendant continued the use of the incorrect personal data with the e-mail message of 12 September 2019 indicates that it did not rectify or delete the incorrect link in its systems to the complainant's e-mail address 'without delay'. The fact that the defendant does not cease using the email address for direct marketing purposes more than three weeks after the complainant's first request and more than two weeks after its own confirmation to the complainant that it is not known to the defendant points to the fact that the defendant did not cease using the email address for direct marketing purposes. failure to take 'reasonable measures' to ensure the correctness of the processing of personal data within the meaning of Article 5(1)(c) of the AVG.3 Transparent information, communication and further rules for the exercise of the rights of the data subject and the exercise of the right of inspection by the data subject in connection with the responsibility of the defendant (Article 12 j° 15 AVG), read together with the responsibility of the controller (Article 24 AVG)a)Article 12 AVG 37. The complainant addresses a request for the exercise of the right of inspection (Article 15 AVG) to the defendant. This was already done in the complainant's first e-mail on 19 August 2019. According to Article 12 §3 of the AVG, the defendant is obliged 'to provide the person concerned with information on the action taken on the request pursuant to Articles 15 to 22 without delay and in any event within one month of receipt of the request'. 38.The complainant is informed by the defendant in the e-mail of 26 August 2019 that he 'does not appear in the defendant's database'. The defendant then asks the complainant to forward the e-mail message itself, so that it can investigate whether it was indeed an e-mail message from the defendant and not a phishing message. The complainant complies with that request the same day, on 26 August 2019, and forwards the defendant's e-mail message of 19 August 2019. In the next 17 days, there will be no communication between the complainant and the defendant. 40. On 13 September 2019, the complainant will send a reminder with a clear reference to the email of 19 August 2019, with a new email message with direct marketing from the defendant dated 12 September 2019. Again, the complainant addresses a request to exercise the right of inspection to the defendant with a similar question to his e-mail message to the defendant dated 19 August 2019. E-mail from the complainant to the defendant dated 19 August 2019E-mail from the complainant to the defendant dated 13 September 2019 "Where did you get my e-mail address and from which party did you get it?""Where did you get my data?""On what legal basis do you send this e-mail to me?""On what legal basis according to the GDPR guidelines do you use to send me these e-mails?""What information do you have from me?""What information do you have from me?""What information do you have from me?""What information do you have from me?" 41.Only the wording in the question is different and the complainant also adds, with references to the provisions of the AVG, arguments as to why he suspects that no lawful processing takes place. In the margin of the first question mentioned in the table above, the complainant also writes: 'I would therefore also like to be informed how you acquired my personal data, how they are secured, etc.' The defendant does not answer the e-mail message of 13 September 2019 either. 42. In its conclusion, the defendant uses the e-mail of 13 September 2019 with some additional questions (according to the defendant 'a new list of questions') to argue that this increases the scope of the investigation into the complaints and questions of the complainant: 'the defendant adapted the scope of its investigation in order to be able to answer these questions as well'. 43.The complainant sends another e-mail on 20 September 2019 reminding the defendant that he made a request to the defendant 'just over 30 days ago' concerning the processing of my personal data.'He reminds the defendant that he is considering 'taking further steps' in the absence of a response from the defendant 'within a reasonable time'. 44.The Respondent also does not respond to this message from the Complainant and more than two weeks later, on 10 October 2019, the Complainant ultimately files a complaint with the Data Protection Authority. 45. It is clear from the reading of the facts that the Respondent did not act 'without delay' in exercising the right of inspection. The absence of any response from the defendant to the last three reports from the complainant is particularly striking. 46.In view of the fact that the defendant stated that it had started 'an investigation' in response to the e-mail message on 19 August 2019 following the finding on 26 August 2019 that the complainant was not known in its systems, the defendant could at least have informed the complainant that this investigation had been initiated and was ongoing, if compliance with the complainant's request depended on it. Indeed, according to Article 12(1) AVG, it is the responsibility of the controller to take 'appropriate measures' to ensure that the data subject receives 'the information referred to in Articles 13 and 14 and the communications referred to in Articles 15 to 22 and Article 34 in relation to the processing in a concise, transparent, comprehensible and easily accessible form, in plain and simple language ...'. 47.Where the defendant itself states in its conclusions that it has opened an investigation, but does not inform the complainant and then does not communicate for weeks on the taking of possible measures and on the exercise of the rights of the data subject, the communication on the complainant's request for access will not be made in accordance with Article 12(1) AVG. 48.It is also clear that the maximum time limit of one month after receipt of the request in Article 12(3) AVG has not been respected. If the defendant had not yet completed its investigation in response to these and other questions and requests from the complainant, it could have invoked an extension of the time limit, as provided for in Article 12(3) AVG. For the sake of completeness, it may be noted that the additional questions put by the complainant in his e-mail of 13 September 2019 do not give rise to any interruption or suspension of the term referred to in Article 12, paragraph 3 of the AVG. The fact that the 'scope of the investigation' at the defendant was increased concerns an internal matter that has no impact on the responsibility she has as controller to comply with the provisions of the AVG. In other words, the defendant should have responded adequately to the first request for inspection within one month of the e-mail of 19 August 2019. In view of the fact that the defendant decided in its conclusions that it does not process any other personal data of the complainant and that the processing of the e-mail address is due to 'human error', the investigation should not have been on such a scale that the defendant could not take any further action on the exercise of the right of access by the complainant until after the complainant had lodged his complaint with the Data Protection Authority. The duration of the investigation indicates an internal organisation that does not sufficiently facilitate the exercise of the data subject's rights under Article 15 AVG as required under Article 12(2) AVG. 51 For the sake of completeness, it may be noted that the defendant's request of 26 August 2019 to the complainant to obtain additional information about the complainant's identity is possible under Article 12(6) AVG. The additional identifiers requested by the defendant appear to the Disputes Chamber to be proportionate and appropriate for the present request. In this case, therefore, the Disputes Chamber does not find any infringement, given that Article 12(6) of the AVG allows the data controller, even more so, to request additional identifiers if the identity of the applicant has not been established.6b)Article 15 of the AVG. 52 The defendant does not provide an overview of the data it has on the complainant (even if this is limited to the complainant's e-mail address) and a conclusion as to whether or not (other) personal data of the complainant are being processed. However, pursuant to Article 15(3) of the AVG, the data controller is obliged to provide a copy of the personal data to the complainant as the data subject if the latter so requests within the framework of the right of inspection. 53. On the basis of the documents in the file, including the defendant's conclusions, the Disputes Chamber decides that the complainant's request for inspection in accordance with Article 15 AVG.c)Article 24 AVG 54 has still not been adequately complied with. In view of the above reasons, it can be concluded that the defendant has not taken sufficient technical and organisational measures to allow its processing to take place in accordance with the AVG.7 55. On the basis of the provisions of the GCG, and more specifically with due observance of the responsibility of the controller pursuant to article 24 of the GC, the Disputes Settlement Chamber will make a concrete assessment in each case. To determine the seriousness of the breach, the Disputes Chamber takes into account not only the specific factual elements of the case, but also the nature, scope, context and purpose of the processing within which the factual elements are located.3.3. Information to be provided when the personal data have not been obtained from the person concerned (article 14 GCC) 56. At the time the messages with direct marketing content were sent, the defendant could not know that those personal data had not been obtained from the complainant. It is therefore a 'manual error' following a 'human error', according to the defendant. In view of the fact that, at the time of processing, the defendant had no knowledge that the e-mail address had not been obtained from the complainant, it cannot be accused of not having transmitted the required information to the complainant at the time the direct marketing messages were sent, as provided for in Article 14(1) to (4) of the AVG. In that case, Article 14(5)(b) AVG applies, as the provision of the information proves to be 'impossible'. 58 As an additional positive element in the assessment of compliance with the information obligations as controller, reference may also be made to the linking of the privacy-related web pages in the defendant's direct marketing e-mail messages. This allows the complainant quick access to the defendant's privacy statement and the contact details of the data processing officer. The foregoing determination is independent of the assessment by the Disputes Chamber of the further communication by the defendant towards the complainant. 59.With regard to Article 14 of the AVG, the Disputes Committee does not find any shortcoming on the part of the defendant. Established breaches and the imposition of an administrative fine 60. The Disputes Chamber deems breaches of the following provisions proven by the defendant: a.Article 5 of the AVG, in view of the fact that the defendant does not take sufficiently reasonable measures to rectify or erase the personal data that were processed incorrectly; b.Article 6 of the AVG, in view of none of the conditions to allow lawful processing to take place, have been met; c. Article 5 of the AVG, in view of the fact that the defendant does not take reasonable measures to rectify or erase the personal data that were processed incorrectly; d.Article 6 of the AVG, in view of the fact that none of the conditions to allow lawful processing to take place have been met; e.Article 5 of the AVG, in view of the fact that the defendant does not take reasonable measures to rectify or erase the personal data. Article 15, j° 12 AVG, in view of the fact that the defendant did not take adequate measures to ensure that the complainant receives the communication referred to in Article 15 AVG in a transparent form; in view of the fact that the defendant does not sufficiently facilitate the exercise of the complainant's rights as a data subject; in view of the fact that the defendant does not provide the complainant with an answer within one month of receiving the complainant's request; in view of the fact that the defendant does not provide the complainant with an answer that corresponds to the complainant's request to exercise the right of inspection; d. in view of the fact that the defendant does not provide the complainant with an answer that corresponds to the complainant's request to exercise the right of inspection. Article 24 of the AVG, in view of the defendant's failure to take the appropriate technical and organisational measures to ensure that its processing is carried out in accordance with the provisions of the AVG. 61.In view of the economic and social role of the defendant, the Disputes Chamber considers the facts that gave rise to an infringement of articles 5, 6 and 12, j° 15AVG to be serious and decides to impose an administrative fine. 62.The Disputes Chamber has taken note of the annual turnover of the defendant in the last three financial years. These figures are between x and x billion euros for each of those financial years.963. Taking into account article 83 GCC and the case law of the Market Court, the Disputes Chamber justifies the imposition of an administrative sanction in concrete terms:a)The seriousness of the infringement64. The Disputes Chamber finds that the inadequate response to the requests for the exercise of the rights of the parties concerned indicates the negligent nature of the infringement of articles 12 and 15 GCC. This has also caused the complainant to suffer disruptive disadvantages as a result of the unlawful processing for longer than necessary, in view of the fact that his personal data were not rectified in good time. In view of the nature of the defendant's economic activities and related processing operations, an inadequate organisation with the appropriate measures to facilitate the exercise of data subjects' rights is worrying. 65.The rights of data subjects are at the heart of the General Data Protection Regulation and infringements thereof are punishable by the highest fines, in accordance with Article 83(5.9), 66. The reason for the request for the exercise of the right of inspection by the complainant concerns unlawful processing. The unlawful processing is based on human error, which led to the use of the complainant's e-mail address. Although this processing does constitute an infringement of Articles 5 and 6 of the AVG, the Disputes Settlement Chamber naturally takes into account the fact that this is a limited infringement with - as far as is known - one data subject. The fact that the processing was eventually stopped is also taken into account by the Disputes Chamber in its assessment of the facts. 67.The amount of the administrative fine imposed by the Disputes Chamber is relatively low in relation to the annual turnover of the previous financial year for the above reason. This does not prevent the Disputes Chamber from imposing a higher fine on processing controllers of similar economic size in a different factual context. 68.The inadequate communication and transparency of the defendant are serious, as is the failure to rectify personal data so that the processing of the complainant's e-mail address would be lawful and proper, constitute a serious breach of the AVG. An administrative fine is therefore an appropriate sanction for the Geschillenkamer.b)The extent to which the data controller has taken technical or organisational measures. 69 The Geschillenkamer understands that the legal assignment in the AVG sometimes, and more often than not, entails major organisational consequences for the defendant and any other data controller, in order to be able to take 'appropriate measures' to respond adequately to the requests of data subjects in accordance with Articles 12 and 15 AVG. However, the Disputes Chamber points out that the provisions of the AVG had already been in force for more than a year at the time of the events, and that the defendant had had the necessary time to take all technical and organisational measures to bring its processing and processes in line with the provisions of the AVG. In addition, it is noteworthy that the defendant did not reply to any of the last three e-mails from the complainant, despite the clear and constructive communication from the complainant. It is irrelevant in this respect that the request may have been minor for the defendant. The provisions of the AVG concern any processing of personal data. 72.As regards the duration of the infringement, the Disputes Chamber refers to the period between the complainant's request to the defendant and the submission of the complaint by the complainant to the Data Protection Authority. The absence of a response to the last three messages from the complainant, for a period of more than one month, until the submission of the complaint to the Data Protection Authority, can be considered as a long-term infringement for the purposes of the obligation of transparent communication in the exercise of the rights of the data subject pursuant to Article 12(1) of the AVG. In addition, the defendant failed to comply with the time-limit laid down in Article 12(3) AVG; the It should be noted that until the submission of the defences in the present case, the complainant did not receive a sufficient response to his request for access. 73.In addition, the Disputes Chamber points to the fact that the defendant already indicated on 26 August 2019 that the processing may have been unlawful, but that the complainant still received an e-mail message with direct marketing on 12 September 2019. This indicates that the duration of the infringement is longer than if the defendant had taken adequate technical and organisational measures to stop the unlawful processing after rectifying the personal data, in accordance with Articles 5 and 6 of the AVG. d) Conclusion 74. The totality of the elements set out above justifies an effective, proportionate and dissuasive sanction pursuant to Article 83 of the AVG, taking into account the assessment criteria laid down therein, amounting to EUR 10 000. The Chamber of Disputes points out that the other criteria laid down in Article 83(2) of the AVG in this case are not such as to result in an administrative fine other than that established by the Chamber of Disputes in the context of this decision.
