APD/GBA (Belgium) - 73/2020

From GDPRhub
Revision as of 07:11, 9 December 2020 by Mh
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 12 GDPR
Article 13 GDPR
Article 15 GDPR
Article 30 GDPR
Article 37(5) GDPR
Article 37(7) GDPR
Article 38(1) GDPR
Article 83(7) GDPR
Art. 6 § 2 Camera law
Art. 6 § 3 Camera law
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 13.11.2020
Published:
Fine: 1500 EUR
Parties: n/a
National Case Number/Name: 73/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Beslissing ten gronde 73/2020 van 13 November 2020 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA found several breaches of fundamental GDPR principles by a social housing company.

English Summary

Facts

The complainant lives in social housing operated by the defendant. Several cases are bundled in this one decision, as the complainant raised several issues at different times:

1) The complainant exercised their right of access and said the information the defendant provided was not sufficiently clear or thorough.

2) The website of the defendant was not sufficiently secure, and the privacy policy was short and vague.

3) There is no cookie policy, nor is it clear whether cookies are used. Consent for cookies was never requested. The retention period of personal data is never discussed.

4) It is unclear why certain personal data of medical nature are required.

5) The use of digital gas meters was not communicated, nor was it disclosed with whom the data were shared.

6) The privacy policy does not mention cameras, and no information was provided when four cameras were installed.

Dispute

Holding

The GBA split the case into several subtopics:

- Privacy Policy & Right of Access
- DPO
- Cookie Policy
- Processing of health data
- Law on cameras
- Processing through digital meters

The DPA points out that, pursuant to Article 5(2) and Article 24 GDPR, the controller must take appropriate technical and organisational measures in order to guarantee, and be able to demonstrate, that the processing of personal data is carried out in accordance with the GDPR. In doing so, the GDPR requires, among other things, that the nature and scope of the processing as well as the risks for the data subjects are taken into account. These elements play an important role in assessing whether and to what extent sanctions should be imposed.

1) Privacy Policy & Right of Access

The DPA held that a privacy policy should serve to fully inform the data subject about what is actually done with his or her personal data and in what context those data are processed. Any processing of personal data should be lawful, fair and transparent. Data subjects should be clearly informed of what data are being processed, how the processing is carried out and why the personal data are processed. It is not possible to deduce from the Privacy Sheet presented what exactly the personal data are used for. Clear and concrete language must be used when communicating with data subjects.

Because the data subjects are socially disadvantaged people, the language must be adapted to them and be clear and plain.

The word "concise" in Article 12(1) GDPR, however, does not mean incomplete: all mandatory information from Article 13 GDPR must still be included. The contact details of the DPO must be filled in correctly as well.

The defendant does not fulfil its transparency obligation, as it inadequately informs the data subjects.

2) DPO

Pursuant to Article 37(5) GDPR, the DPO should be designated, inter alia, on the basis of their expert knowledge of data protection law and practice. Article 37(7) GDPR provides that the contact details of the DPO shall be published and communicated to the supervisory authority. Neither requirement was fulfilled. The choice of DPO was not sufficiently motivated (in light of a tender), and the DPO was not communicated to the data subjects as the single point of contact.

Furthermore, contact with the DPO must be direct, not routed through several parts of the organisation, as this can dissuade people from contacting the DPO.

Lastly, the DPO was not properly involved in all data protection matters, which means the defendant breached Article 38(1) GDPR.

3) Cookie policy

No consent was requested for a Google DoubleClick.net cookie. In the Planet49 judgment, the Court of Justice ruled that the controller must provide information in order to place cookies. The information provided must show how long the cookies will remain active and whether third parties can also have access to those cookies. This is necessary in order to guarantee fair and transparent information.

The consent requirement does not apply to the technical storage of information, nor where the placement of cookies is necessary for the provision of a service expressly requested by the subscriber or end user.

The processing of personal data through cookies without consent is a breach of Article 6(1) GDPR, as there is no legal basis for the processing.

4) Processing of health data

The e-mail exchanges between the parties show that the complainant voluntarily informed the defendant of his health situation and indicated that he could provide the defendant with another medical certificate if necessary. The processing of sensitive data was necessary for the purposes of Article 9(2)(h) GDPR.

5) CCTV surveillance

The complainant argues that there is camera surveillance in several residential units of the apartment building. According to the complainant, the privacy policy does not mention anything about camera surveillance. The complainant also wants to know the legal basis and purpose of this processing.

The rental agreement mentions cameras but nothing more. The cameras were installed for safety, at the request of some residents, and are legally registered. The DPA determined that it was not clear exactly why the cameras were installed, nor do the elements brought forward suffice to determine whether the cameras comply with the Camera law.

No register of camera processing was kept (Art. 6 § 2 Camera law), nor was the retention period of 30 days respected (Art. 6 § 3 Camera law).

The DPA found a violation of the requirement to keep a register of processing activities under Article 30 GDPR and of the storage limitation principle under Article 5(1)(e) GDPR.

6) Digital meters

The complainant complains that the defendant uses digital consumption meters and thus records the consumption of the tenants and unlawfully processes data about that consumption without a valid legal basis. The complainant indicates that they have not given consent to the processing of data relating to their consumption of gas and electricity.

During the hearing, the defendant indicated that the digital meters are linked to the address, so that the consumption at a given address can be read. This data is also passed on to a third party (a local company) with whom there is a processing agreement. That company reads out the consumption; the defendant receives a list of the readings and links it to the tenant files, according to the defendant.

On the basis of Article 6 GDPR, the controller must have a legal basis in order for the processing to be lawful. On the basis of Articles 24 and 25 GDPR, the defendant must therefore take appropriate technical and organisational measures in order to guarantee, and be able to demonstrate, that the processing takes place in accordance with the GDPR. In doing so, the controller must effectively implement the data protection principles, protect the rights of the data subjects and only process personal data that are necessary for each specific purpose of the processing. Based on these facts and documents, the DPA finds that the defendant has not been able to demonstrate that any privacy policy was developed with respect to the digital remote reading of meter readings. Moreover, it is unclear on what legal basis under Article 6 GDPR the data are processed. This constitutes a breach of Article 6 GDPR.

The complainant indicates that they have not given consent for the processing. The defendant does not invoke any other legal basis for the processing. In addition, the DPA finds in this case a violation of Article 5(1)(a) GDPR, since it appears from the above that the personal data are not processed in a lawful, fair and transparent manner. The defendant indicates that a third party reads out the consumption data and forwards them to the defendant. The DPA points out that, according to Article 28(3) GDPR, processing by a processor must be governed by a contract between the controller and the processor.

Sanction

The DPA considers it particularly necessary in this case to give a strict interpretation to the (optional) exemption from administrative fines provided for in Article 83(7) GDPR for "government bodies and agencies". Moreover, the article does not allow Member States to define the concept of "public authorities and public bodies". It is therefore a concept of Union law that must be given an autonomous and uniform meaning, and it is only up to the Union institutions, in particular the Court of Justice, to define the limits of that concept.

In the opinion of the DPA, a private-law organisation such as the defendant's housing company does not fall under this category, even though it carries out tasks in the public interest in the field of social housing.

On these grounds, the DPA orders the defendant to become compliant within 3 months, to inform the DPA accordingly, and to pay an administrative fine of €1500.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.