APD/GBA (Belgium) - 41/2020

From GDPRhub
Revision as of 09:02, 28 October 2020

APD/GBA - 41/2020
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 29.07.2020
Published: 03.08.2020
Fine: None
Parties: n/a
National Case Number/Name: 41/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Decision by the Litigation Chamber (in FR)
Initial Contributor: n/a

The APD/GBA (the Belgian DPA) found that a hospital that requested an audit by an external expert was the controller for the audit-related processing activity, based on Article 4(7) GDPR. The APD/GBA ordered the hospital to provide access to parts of an audit report based on the right of access, rejecting (for lack of evidence) the exceptions invoked by the hospital (confidentiality, IP rights, personal data of others).

English Summary

Facts

In the light of deficiencies regarding the radiology service in a hospital, the hospital asked an external expert to carry out an audit in order to find explanations and possible solutions. After the audit, the hospital decided to dismiss the head of the radiology service, a doctor, for severe misconduct.

The doctor in question requested access to the audit report and specifically to sections that related to her individually. The hospital refused to grant access, arguing that (i) the hospital was not the controller (but rather the external expert), (ii) the report was confidential, (iii) the report was protected by copyright and (iv) the report contained personal data of others.

In reaction to this refusal, the doctor filed a complaint with the APD/GBA.

Dispute

If an external expert examines personal data at the request of an organisation, who is the controller?

What are the limits to a data subject’s right to obtain a copy of personal data relating to him or her?

Holding

  • The defendant was the controller. Based on Article 4(7) GDPR, the APD/GBA stated that "in the present case, by giving mandate to doctor Z [the auditor], even in his capacity as independent expert, to carry out an evaluation of the radiology service of the hospital, the defendant [the hospital] determined the purposes and means of the processing."
  • As controller, the defendant was responsible for, and had to be able to demonstrate, compliance with the principles set out in Article 5(1) GDPR. The defendant also had to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing complied with the GDPR, with the APD/GBA explicitly referring to the obligation under Article 12 GDPR to facilitate the exercise by data subjects of their rights.
  • On Article 15(3) GDPR and the rejection by the hospital of access to the audit report, the APD/GBA examined the justification provided and rejected the hospital’s arguments:
    • On confidentiality, the APD/GBA stated that the defendant failed to demonstrate that the report was indeed confidential, let alone that it was covered by professional secrecy (Article 14(5)(d) GDPR).
    • On copyright:
      • The author of the report did not appear to object to communication beyond the initial recipients,
      • The balance of interests in the present case did not appear to prevent the sharing of a copy of the document and
      • Even if that were the case, nothing would have prevented mere consultation of the document.
    • On the data regarding other persons, the hospital could have redacted personal data concerning those other persons.
  • On Article 12(4) GDPR: the defendant was found in breach of Article 12(4) GDPR for not mentioning the possibility of lodging a complaint with a supervisory authority or of seeking a judicial remedy.
  • Infringement of Articles 13 and 14 GDPR: the APD/GBA found that the defendant did not provide any information concerning the collection and processing of personal data in the context of the preparation of the audit report (collected here both directly from the plaintiff and from third parties). Based on Articles 12, 13 and 14 GDPR, the APD/GBA stressed the importance of providing such information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The APD/GBA found that the information provided in this case by the defendant contained vague statements without sufficient granularity, which did not allow the plaintiff to identify the kinds of personal data processed, the processing activities, the purpose of the processing, etc.
  • Concerns regarding Article 15 GDPR:
    • First, the hospital required requests to be made by appointment and did not provide the possibility to submit a request by e-mail or any other means of communication. The APD/GBA stated that it was excessive to require discussions systematically. According to the APD/GBA, this requirement could be viewed as "intimidating" and as hindering the freedom of data subjects to exercise their rights.
    • Next, the APD/GBA "invited" the hospital to examine whether a copy of the data subject's ID was truly "systematically necessary" to identify them and whether any alternative means could be used.
  • Outcome: no fine, because the APD/GBA was prohibited from imposing a fine due to the “nature” of the hospital (an implicit reference to Article 221(2) of the Belgian Data Protection Act of 30 July 2018, according to which governmental bodies cannot be fined, except for public law entities that offer goods or services on a market), but a reprimand and an order to (i) provide access to an additional document and (ii) make its processing compliant within three months.

Comment

Other in-depth commentaries and analyses can be found here:

  • New Belgian DPA decision: broader "controller" concept & extensive access rights? (3 August 2020): https://www.e-nautadutilh.com/56/4139/landing-pages/news-item.asp?sid=237c0fb4-7398-48b9-8ecf-a48d776e9738

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.