APD/GBA - 73/2020
|Relevant Law:||Article 5 GDPR, Article 6 GDPR, Article 12 GDPR, Article 13 GDPR, Article 15 GDPR, Article 30 GDPR, Article 37(5) GDPR, Article 37(7) GDPR, Article 38(1) GDPR, Article 83(7) GDPR, Art. 6 § 2 Camera law, Art. 6 § 3 Camera law|
|National Case Number/Name:||73/2020|
|European Case Law Identifier:||n/a|
|Original Source:||Beslissing ten gronde 73/2020 van 13 November 2020 (in NL)|
|Initial Contributor:||Enzo Marquet|
The Belgian DPA (APD/GBA) imposed an administrative fine of €1500 on a Social Housing Company for breaching several fundamental principles and obligations of the GDPR.
English Summary
Facts
The complainant lives in the social housing of the defendant.
Several cases are bundled in this one decision; the complainant raised several issues at different times:
1) They exercised their right of access and said the defendant wasn't sufficiently clear or thorough in the information they provided.
4) It is unclear why certain personal data of a medical nature are required.
5) The use of digital gas meters wasn't communicated, nor was it disclosed with whom the data was shared.
Dispute
1) Exercise of right of access.
4) Processing of medical data.
5) Lack of information on the use of digital gas meters.
Holding
The GBA split the cases into several subtopics:
- Processing of health data
- Law on cameras
- Processing through digital meters
The DPA points out that, pursuant to Article 5(2) and Article 24 GDPR, the person responsible for processing personal data must take appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing of personal data is carried out in accordance with the GDPR. In doing so, the GDPR requires, among other things, that the nature and scope of the processing as well as the risks for the data subjects are taken into account. These elements will play an important role in assessing whether and to what extent sanctions should be imposed.
Because the data subjects are socially disadvantaged people, the language must be adapted to them to be clear and plain.
The word "concise" in Article 12(1) GDPR, however, does not mean incomplete; all mandatory information from Article 13 GDPR must still be included. The contact details of the DPO must be filled in correctly as well.
The defendant does not fulfil its requirement of transparency by inadequately informing the data subjects.
Pursuant to Article 37(5) GDPR, the DPO should be designated, inter alia, on the basis of its expert knowledge of data protection law and practice. Article 37(7) GDPR provides that the contact details of the DPO shall be disclosed and communicated to the supervisory authority. These two requirements were not fulfilled. The choice for the DPO was not sufficiently motivated (in light of a tender) and the DPO wasn't communicated to the data subjects as a single point of contact.
Furthermore, contact with the DPO must be direct, and not through several parts of an organisation, as this can dissuade people from contacting the DPO.
Lastly, the DPO was not properly involved in all data protection matters, which means the defendant breached Article 38(1) GDPR.
For a Google-DoubleClick.net cookie, no consent was asked. In the Planet49 judgment, the Court of Justice ruled that information must be provided by the person responsible for processing in order to place cookies. The information provided must show for how long the cookies will remain active and whether third parties can also have access to those cookies. This is necessary in order to guarantee proper and transparent information.
The consent requirement does not apply to the technical storage of information. Even if the placement of cookies is necessary for the provision of a service expressly requested by the subscriber or end user, the consent requirement does not apply.
The processing of personal data through cookies without consent is a breach of Article 6(1) GDPR as there is no legal basis for the processing.
4) Processing of health data
The e-mail exchanges between the parties show that the complainant voluntarily informed the defendant of his health situation and indicated that he could provide the defendant with another medical certificate if necessary. The processing of sensitive information was necessary for purposes of Article 9(2)(h) GDPR.
5) CCTV surveillance
In the renting agreement, cameras are mentioned but nothing more. The cameras were installed for safety, at the request of some residents, and are legally registered. The DPA determined that it wasn't clear exactly why the cameras were installed, nor do the elements brought up suffice to determine whether the cameras are compliant with the law on cameras.
No register of camera processing was kept (article 6 § 2 Camera law) nor was the retention period of 30 days respected (article 6 § 3 Camera law).
6) Digital meters
The Complainant complains that the defendant uses digital consumption meters and thus records the consumption of the tenants and unlawfully processes data about that consumption without a valid legal basis. The Complainant indicates that it has not given its consent to the processing of data relating to its consumption of gas and electricity.
During the hearing, the defendant indicated that the digital meters are linked to the address. In this way, it is read how much has been consumed at a certain address. This data is also passed on to a third party (local company) with whom there is a processing agreement. That company reads out the consumption. The defendant receives a list of this and links it to the tenant files, according to the defendant.
On the basis of Article 6 GDPR, the person responsible for processing personal data must have a legal basis in order for the processing to be lawful. On the basis of Article 24 and Article 25 GDPR, the defendant must therefore take appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing takes place in accordance with the GDPR.
The complainant indicates that it has not given permission for the processing. The defendant does not invoke any other legal grounds for the processing. In addition, the DPA finds in this case a violation of Article 5(1)(a) GDPR, since it appears from the above that the personal data are not processed in a lawful, proper and transparent manner. The defendant indicates that a third party reads out the consumption data and forwards them to the defendant. The DPA points out that according to Article 28(3) GDPR the processing by a processor should be regulated in a contract between the controller and the processor.
The DPA considers it particularly necessary in this case to give a strict interpretation to the (optional) exemption from administrative fines provided for in Article 83(7) for "government bodies and agencies". Moreover, the article does not allow Member States to define the concept of "public authorities and public bodies". It is therefore a concept of Union law that must be given an autonomous and uniform meaning. It is therefore only up to the Union institutions, in particular the Court of Justice, to define the limits of that concept.
In the opinion of the DPA, a private law organization such as the Defendant's Housing Company does not fall under this category, even though this organization carries out tasks in the public interest in the field of social housing.
On these grounds, the DPA orders the defendant to become compliant within 3 months, to inform the DPA about this as well and to pay an administrative fine of €1500.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.