APD/GBA - 55/2021
|APD/GBA - 55/2021|
|Relevant Law:||Article 6(1)(e) GDPR|
Article 6(3) GDPR
Article 13(1)(a) GDPR
Article 13(1)(b) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
|National Case Number/Name:||55/2021|
|European Case Law Identifier:||n/a|
|Original Source:||Belgian DPA website (in FR)|
The Belgian DPA held that in this specific case, concerning a father and mother sharing parental authority, the request to have data about the child erased, introduced by the father alone, had not been submitted in a way that could be accepted. The Belgian DPA also found several other violations of the GDPR by the controller.
English Summary[edit | edit source]
Facts[edit | edit source]
The Belgian DPA issued a reprimand against a public administration in charge of child care for the violation of article 13(1) GDPR (lack of information on the processing) and 25 GDPR (lack of technical, organisational measures).
The DPA also concluded to the lack of appropriate legal basis to continue the processing of personal data under the new legislation in place (article 6(1)(e) and 6(3)), but decided to not suspend the processing at stake in order to let the administration perform its tasks relating to child care. The DPA will instead contact the legislator to further clarify the legal basis on which the administration relies.
Dispute[edit | edit source]
- Can a father alone (without the mother, being the other guardian) submit an request for erasure to the controller on behalf of a minor ? - How precise should the applicable legislation be on which the administration relies to process the data on the basis of Article 6.1.e GDPR ? - Did the administration sharing confidential data with a third party violates article 25 GDPR ? - Should the administration have informed the data subjects on the aspects of the processing which was based on Article 6.1.e ?
Holding[edit | edit source]
- The lack of foreseeability of the law upon which the processing takes place under Article 6(1)(e) GDPR amounts to a violation of Article 6(1)(e) and 6(1) GDPR - The lack of information on the identity of the controller and the DPO amounts to a violation of Article 13(1)(a) and (b) GDPR - The communication of personal data about the child to the mother without reminding that the data should be kept confidential and should not be used in another procedure is a violation of Article 25 GDPR (lack of organisational measures) - The request to delete the data about the child cannot be lodged by the father only, considering that he is not the sole guardian of the child and other elements in this specific case - Since the access request was not sent to the appropriate organ of the administration, the Belgian DPA did not consider that the answer to the access request was communicated too late
Comment[edit | edit source]
One should note that the Belgian DPA concluded to a violation of Article 6(1)(e) and 6(3) GDPR but did not hold the administration responsible for the lack of clarity of the law
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.