Difference between revisions of "APD/GBA - DOS-2019-05450"
|Line 51:||Line 51:|
The Belgian data protection authority (APD/GBA) ruled that a bank was subject to the GDPR in its capacity as a controller and should have answered
The Belgian data protection authority (APD/GBA) ruled that a bank was subject to the GDPR in its capacity as a controller and should have answered access requests under Article 15 GDPR.
Latest revision as of 10:07, 20 May 2020
|APD/GBA - DOS-2019-05450|
|Relevant Law:||Article 12(3) GDPR|
Article 15(1) GDPR
Article 15(3) GDPR
|National Case Number/Name:||DOS-2019-05450|
|European Case Law Identifier:||n/a|
|Original Source:||APD/GBA (in FR)|
The Belgian data protection authority (APD/GBA) ruled that a bank was subject to the GDPR in its capacity as a controller and should have answered access requests under Article 15 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The complainants are clients of the defendant, a bank. In September 2019, the complainants made an access request to the bank’s controller. More precisely, they both sent a letter through their counsels, requesting “a copy of all the personal data [the bank] hold(s) as well as any additional information [the bank] ha(s) against [us] asking”. In response, the defendant asked them to provide for their ID cards and to specify which right they wanted to exercise. As the complainants found that the question was self-explanatory, they did not answer and lodged directly a complaint with the DPA in October 2019.
The complainants argued that the defendant should not have made the exercise of their access right conditional on either a clarification of the right at stake nor the sending of on a copy of the complainants' identity card.
The Defendant mainly argued that the data protection authority was not competent because the banking sector is not subject to data protection act.
Dispute[edit | edit source]
The authority has to clarify the scope of application of Article 15 GDPR.
Holding[edit | edit source]
The authority ruled that the data subjects who exercised their access right are not required to identify the applicable and relevant legal framework as long as the authority can assist them and ensure a clear understanding of the potential violation which is under its jurisdiction. Where necessary, the authority can change the legal qualification of the facts and review new facts within the limits of a contradictory debate. Thus, the authority is competent to examine the merits of a complaint as legally reclassified and submitted under Article 15 GDPR.
Also, the authority reminded that the controller must reply to an access request within the limit of one month under Article 12(3) juncto Article 15 GDPR. This deadline can be extended only under specific circumstances. In this regard, the defendant did not justify the delay and the incompleteness due specific circumstances such as complexity or the amount of requests to handle.
First, the complainants’ identity was made sufficiently clear in the access requests. Then, the authority recalled that the validity of an access request does not depend on whether a legal basis is invoked but on whether the access request is clear enough. Finally, the authority clarified that if the data subject does not request explicitly specific information, the controlled is required to give at once all the persona data mentioned by virtue of Article 15(1) GDPR, in the lights of Recital (63) GDPR.
Thus, the authority ruled that the lack of a complete answer was a breach of Articles 12(3), 15(1) and 15(3) GDPR
Comment[edit | edit source]
share your comment here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber Substantive Decision 17/2020 of 28 April 2020 File No.: DOS-2019-05450 Subject: Complaint by two customers against their bank following their request for communication by return mail of all the personal data it had about them. The Litigation Chamber of the Data Protection Authority, consisting of Mr Hielke Hijmans, president, and Messrs Jellle Stassijns and Christophe Boerave, members, which takes over the case in its present composition; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Regulation on Data Protection), hereinafter referred to as the DPA; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA); Having regard to the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data (hereinafter the "Data Protection Law"); Having regard to the internal rules of procedure of the Data Protection Authority as approved by the House of Representatives on 20 December 2018 and published in the Moniteur belge on 15 January 2019 ; Having regard to the documents on file; Has taken the following decision concerning: - the complainants - the defendant (controller) 1. History of the procedure 1. Having regard to the complaint lodged on 16 October 2019 with the Data Protection Authority by the complainants, through their counsel ; 2. Having regard to the additional information provided by the complainants' counsel to the DPA on 13 November 2019. 3. Having regard to the decision of 22 November 2019 of the Data Protection Authority's First Line Service (hereinafter "DPA") declaring the complaint admissible and the transmission of the complaint to the Litigation Chamber on the same date ; 4. Having regard to the decision of the President of the Litigation Chamber that the file was ready for processing on the merits pursuant to Articles 95 § 1, 1° and 98 ACL, the President invited the parties to conclude by registered letter of 20 January 2020, with a copy of the complaint and the inventory of the file. 5. Having regard to the letter of 31 January 2020 in which counsel for the defendant requested a copy of the documents in the file, which was sent to them by the Secretariat of the Litigation Chamber on 4 February 2020. 6. Having regard to the submissions of the defendant, received on 21 February 2020 ; 7. Having regard to the conclusions of the plaintiffs, received on 6 March 2020 ; 8. Having regard to the form of order sought by the defendant, received on 20 March 2020. 2. The facts and subject-matter of the complaint 9. The complainants are clients of the defendant for bank accounts related to their activities as managers of several companies. By letter of 10 September 2019 addressed through their counsel, the complainants requested the defendant to disclose by return of post all personal data in its possession. The request was worded as follows: "my clients request that you communicate to them without delay and by return, a copy of all the personal data you hold as well as any additional information you have against them". This request was made in the context of a challenge to the closure by the defendant of the complainants' bank accounts. 10. In response, the defendant requested additional information by e-mail of 11 September 2019: "With regard to the request for the Right of Access, in order to be able to process At your request we need the following information: which right do you wish to exercise and for what reason? Please attach to your email a copy of the front side of your customer's identity card and send it to ... 11. The complainants did not feel that they had to answer positively to this request for a copy of their identity card. By e-mail of 12 September 2019, the complainants, through their counsel, indicated that "the request made by letter of 10 September 2019 was unambiguous as to the provision of a copy of all the personal data you hold with regard to my clients", and that this letter was the deadline within which the requested information had to be provided. In this e-mail, counsel for the complainants also stated that the request of his clients was, in his opinion, based on the "Data Protection Act", more precisely Article 38 § 1. 12. On 16 October 2019, the complainants lodged a complaint with the DPA, stating that the defendant had not yet responded to their request for access to their personal data. 13. 13. In their complaint, the complainants argued in particular that the defendant could not make the processing of their request conditional on either a clarification of the right they wished to exercise or the sending of a copy of the complainants' identity card. The complainants consider that their request for access to the data was clearly notified by letter of 10 September and that the defendant had no reason to doubt their identity or the validity of the information provided by their counsel as to their identity. 3. The conclusions exchanged following the complaint 14. In its conclusions, the defendant states that the failure to reply to the request for access within the time-limits laid down by the RGPD is the result of a combination of exceptional circumstances: the request was made in the context of a broader dispute and was not submitted in accordance with the procedures laid down by the defendant for that purpose in accordance with Article [X] of its Privacy Charter, namely, via an e-mail with a copy of the identity card, or via various applications. According to the defendant, a human error then led to a delay in the response: the complainants' contact person at the defendant re-addressed the application to the wrong addressee and that person was then absent due to illness without a back-up having been provided. 15. Finally, the defendant considers that the complaint is unfounded because it is based on an erroneous article of law: the complainants invoke provisions of the Data Protection Act which concern requests for access to data processed by the authorities referred to in Article 26(7) of that Act, within the scope of which the defendant is not covered. 16. In their conclusions in reply, the complainants point out that their request for access to the personal data, which the defendant has at its disposal with regard to them, was requested in a sufficiently clear manner by letter of 10 January 2020. The complainants complain that the defendant transmitted the personal data requested to them late and in part, i.e. four months later, and without providing any details as to the reason why the defendant terminated its contractual relations (bank accounts) with the complainants. The complainants are of the opinion that the defendant could not have taken such a decision without having "disposed of and/or collected the information on the basis of which it took the decision to terminate the business relationship" and that, since this information constitutes personal data, the defendant was obliged to communicate it to the complainants. Finally, the complainants state that by failing to communicate these data, the defendant continues to infringe the DPMR, in particular Article 15 thereof. 17. In its reply, the defendant argues that the Litigation Chamber cannot take into account the legal basis which the complainants invoked by way of conclusion only. According to the defendant, it follows from Articles 94 and 95 ACL that the facts and grievances invoked in the complaint must be specified either in the complaint or by means of an investigation which the Litigation Chamber may request from the Inspection Service within 30 days of the admissibility of the complaint. According to the defendant's interpretation, the qualification of the facts described in the complaint must be fixed from the moment the Litigation Chamber considers that the file is in a state of being processed on the merits, pursuant to article 95 of the LCA. The defendant refers in this case to the letter of 20 January 2020 in which the Litigation Chamber invited the parties to conclude and in which the complaint is described as a request for access to personal data formulated on the basis of Articles 36 § 4 and § 5 as well as 38 § 1" of the Data Protection Act, in accordance with the legal provisions initially invoked by the complainants. According to the Respondent, the complainants are "not permitted to change their position during the proceedings and to invoke a new The Litigation Chamber is not allowed to change the scope of the procedure once the investigation phase has been completed [...] to allow such a change of wording after any possibility of involvement of the inspection service, even though the LAPD [LCA] does not contain any provision allowing the complainant or the Litigation Chamber to make such an amendment, would invite the worst violations of the rights of defence of the accused managers and subcontractors before the Litigation Chamber ... If there were to be the slightest doubt as to the legal characterization of a complaint and its basis (p. Should there be any doubt as to the legal characterization of a complaint and its basis (e.g. for a complaint brought by an individual without the intermediary of a lawyer), the Litigation Chamber should ask the ODA Inspection Service to clarify the matter". Thus, the complainants consider that, by not requesting a further investigation by the inspection service and by considering that the case could be dealt with on the merits without any investigative measure, the Litigation Chamber clearly considered that the legal qualification chosen was the only relevant one for claiming access to the complainants' personal data. 18. 18. In the alternative, the defendant submits that the request under Article 15 of the GDR is unfounded, alleging that it provided its reply on 10 January 2020 to the complainants, that the longer than usual time-limit for reply is due to human error combined with the illness of a key participant in the proceedings. The defendant further submits the measures it has put in place to remedy these shortcomings in the future. 19. With regard to the complainants' allegation that the personal data provided by the defendant is incomplete (lack of response as to the reasons for the breach of contract that occurred), the defendant invokes the Law of 18 September 2017 on the prevention of money laundering and terrorist financing and on restrictions on the use of cash ("BC/FT" Law), which prohibits it from communicating any reason for termination to any customer, whether or not that customer is concerned by suspicions of money laundering, according to the defendant. 4. On the grounds of the decision On the competence of the Administrative Jurisdiction Division to assess whether the complaint is well-founded on the basis of the legal characterisation of the facts as corrected by the complainants by way of submissions and on the basis of a new complaint submitted by the complainants by way of submissions 20. According to the legal basis invoked in their complaint, the complainants seek access to the personal data held by the defendant in respect of them, on the basis of the provisions of the Act. Data Protection included under Title 2 of this law and which specifically applies to "competent authorities for the purpose of the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security and implements Directive 2016/680/EU of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by those competent authorities" (the "Police Justice Directive"). 21. In this respect, the defendant rightly points out in its conclusions that, as a company active in the provision of banking services, it is not concerned by the scope of Title 2 of the Data Protection Law. 22. However, the defendant wrongly disputes the competence of the Administrative Jurisdiction Division to examine the facts mentioned in the complaint - a request for access to personal data - from the point of view of the legal basis invoked by the complainants in their submissions, namely Article 15 of the DPMR, taking the view that only the Inspection Service would be competent to re-qualify the facts submitted in the original complaint. Furthermore, the defendant wrongly disputes that the Litigation Chamber would be competent to examine new facts or complaints invoked by the complainants by way of conclusion (such as the fact that the answer given in the meantime to their request for access would be incomplete). 23. The Litigation Chamber is an ODA body, established under Article 4(1) of the DCA, enjoying a certain degree of autonomy within ODA and taking its decisions independently in accordance with Article 43 of the DCA. In Belgium, the ODA is the authority responsible for monitoring compliance with the PGRD within the meaning of Article 8 of the Charter of Fundamental Rights of the European Union, Article 16 of the Treaty on the Functioning of the European Union and Article 51 of the PGRD. This control by the ODA and its Litigation Chamber is an essential element of the protection of individuals with regard to the processing of personal data, as organised by the PGRDD. 24. Under Articles 51(1), 51(2) and 52(1) of the DPMR, Member States are required to entrust one or more independent public authorities with the supervision of the application of the DPMR in order to protect the fundamental rights and freedoms of natural persons with regard to the processing and to facilitate the free flow of personal data in the Union. These supervisory authorities should exercise their powers with a view to the effective implementation of European data protection law, including the PPMR. Ensuring the effectiveness of European law is one of the main duties of Member States' authorities under EU law. 25. It is their responsibility to facilitate the exercise of fundamental rights with regard to the protection of personal data. The supervisory authorities must in this respect play an active role through the tasks and powers conferred on them under Articles 57 and 58 of the PDSG. For example, under Article 57(2) of the EPR, each supervisory authority is required to "facilitate" the lodging of complaints by a data subject or a body. Logically, the processing of this complaint (or claim) should facilitate the exercise of the rights and contribute to a better control of citizens over their personal data. 26. The right to complain to ODA has been constructed by the legislator as an alternative to the judicial procedure (see articles 77 to 79 of the GDMP). The lodging of a complaint should remain an easy step for data subjects whose personal data are processed. The conditions of admissibility of this complaint are moreover defined in a minimal way in Article 60 ACL. To be admissible, a complaint lodged with the ODA must be written in one of the national languages, contain a "statement of the facts and the information necessary to identify the processing operation to which it relates" and fall within the competence of the ODA (Article 60 of the ACL). 27. 27. Thus, complainants are not required to invoke any legal provision in order for their complaint to ODA to be admissible, as long as ODA can determine that the complaint concerns a legal provision that it has the task of monitoring. When considering whether the complaint is well-founded, the Litigation Chamber must therefore assess not whether the complainants have invoked the correct legal provision in support of their claim, in the formal complaint lodged with ODA, but whether the facts reported constitute an infringement of one of the legal provisions whose observance is subject to ODA control. 28. 28. Similarly, complainants are not required to invoke all the relevant facts relating to the violation alleged in their complaint. The Litigation Chamber should be able to assist them by asking questions directed in such a way as to ensure a clear understanding of the potential infringement in fact and in law. to a fundamental right that the complainant wishes to bring to his or her attention. The Litigation Chamber may also take into account grievances developed subsequently by way of a conclusion by the complainant, provided that they concern facts or legal arguments relating to the alleged violation referred to it by way of a complaint, and with due respect for the rights of the defence. 29. 29. During the procedure following the complaint, the Dispute Chamber therefore has the possibility of changing the legal qualification of the facts submitted to it, or examining new facts related to the complaint, without necessarily calling upon the intervention of the Inspection Service, in particular by putting questions to the parties or by taking into account the new facts or qualifications invoked by way of conclusion, and this within the limits of the adversarial debate, i.e. provided that the parties have had the opportunity to discuss these facts or legal qualifications in a manner consistent with the rights of the defence. If need be, it is for the Litigation Chamber to give rise to such debate either in its letter of invitation to conclude under article 98 of the ACL or subsequently in the context of a reopening of the proceedings. 30. 30. In this context, taking into account a new legal classification invoked by the complainant does not prejudice the fairness of the proceedings and the equality of arms, has been a matter of urgency. a fortiori insofar as the decisions of the Litigation Chamber are likely to be full appeal to the Market Court . 31. The procedure conducted before the Litigation Chamber is therefore not strictly adversarial in nature as is the case before the Belgian civil courts, and the Litigation Chamber may on its own initiative modify the subject matter of the complaint in fact or in law. 32. This inquisitorial power which the Litigation Chamber grants itself on a case-by-case basis is justified and necessary in the context where the Litigation Chamber is responsible for supervising the exercise of rights which form an integral part of the fundamental right to protection of personal data, in the context of the implementation of Article 8(3) of the Charter of Fundamental Rights of the European Union. 33. 33. The Litigation Chamber refers in this respect to the judgment of the Court of Justice of the European Communities of 9 October 2019 in the case of ODA v ING SA, in which the Court stated that the exercise of a right provided for in the GDR such as the right to rectification of personal data is not a mere subjective right on the part of the parties, but involves the exercise of powers of ODA on the basis of objective law, in the context where the right to rectification is an integral part of the fundamental right to protection of personal data and implements Article 8(3) of the Charter of Fundamental Rights of the European Union . The same reasoning applies to the right of access to personal data (art. 15 RGPD) which is the subject of the complaint submitted to the Litigation Chamber in the context of the present litigation. 34. 34. Thus, in the present case, the request for exercise of a right provided for by the GDR, such as the right of access to personal data enshrined in article 15 thereof, implies the exercise of ODA competences on the basis of objective law and does not concern only the subjective rights of the parties, insofar as the exercise of those rights is an integral part of the fundamental right to protection of personal data and implements article 8.3 of the Charter of Fundamental Rights of the European Union. 35. 35. The Litigation Chamber is therefore competent to examine the merits of the application as legally requalified by way of conclusion and made under Article 15 GDR. The Administrative Jurisdiction Division is also competent to examine the defendant's complaints by way of a final decision regarding the incompleteness of the reply to his request for access, insofar as that complaint relates to the request for access which is the subject of the initial complaint. On the merits of the request under section 15 of the GDPR 36. Under Article 15(1) of the DPMR, "the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him or her are being processed and, where this is the case, access to such personal data and the following information ...": - the purposes of the processing, - the categories of personal data concerned, - the recipients or categories of recipients to whom the personal data have been or will be disclosed [...], - where possible, the intended period of storage of personal data or, where that is not possible, the criteria used to determine that period ; - the existence of a right to request the controller to rectify or erase personal data, or a restriction on the processing of the data (b) the right to object to the processing of personal data relating to the data subject; - the right to lodge a complaint to a supervisory authority; where the personal data are not obtained from the data subject, any available information as to their source ; - the existence of automated decision making, including profiling, as referred to in Article 22 (1) and (4) and, at least in such cases, relevant information concerning the underlying logic and the importance and intended consequences of the processing operation for the data subject. » 37. Information must also be provided on the appropriate safeguards implemented, if any, when personal data are transferred to a third country or to an international organisation (Art. 15.2 GDR). 38. Finally, Article 15(3) of the DPMR also provides that "the controller shall provide a copy of the personal data undergoing processing", this copy being the "copy of the personal data subject to processing". prescribed procedure for responding to an access request. 39. The provisions of the PGRD are directly applicable to the processing operations defined in Article 3 of the PGRD, with the exception of the provisions providing for a discretionary power for the benefit of the Member States as regards the implementation of the PGRD . Article 15 of the DPMR is part of the directly applicable provisions of the DPMR, which may be invoked by complainants in support of their requests for access to personal data concerning them that are processed in the context of the activities of a data controller on Belgian territory. In the present case, the Litigation Chamber must examine whether or not the defendant has infringed Article 15 of the GDR, which requires data controllers to comply with requests for access to their personal data. Indeed, the GDR does not impose any procedural conditions on the exercise of the right of access, such as the invocation of a specific legal basis. 41. 41. From the point of view of the defence and the right to a fair trial, it is furthermore incumbent on the Litigation Chamber to examine whether the initial complaint was sufficiently comprehensible as to its subject matter to allow the defendant to identify it as a request for access under Article 15 of the GDR. Failing that, it was for the Litigation Chamber to reclassify the facts and allow an adversarial debate on the subject, either in its letter of invitation to conclude on the basis of Article 98 of the ACL, or subsequently in the context of a reopening of the proceedings. 42. In the context of the complaint submitted to it, the Litigation Chamber finds that the defendant did indeed respond to the request for access (albeit belatedly in view of the one-month time-limit laid down in Article 12 of the RGPD). The first response of the defendant to the complainants also explicitly refers to a "request for access" to personal data (e-mail of 11 September 2019: "With regard to the request for the right of access to personal data, the defendant has submitted a request for access to the personal data of the complainants. access, [...]"). 43. 43. On the basis of the facts set out by the complainants and not contested by the other side, it appears from the facts presented by the complainants and not contested by the other side that the request for access was formulated in a sufficiently clear manner for the defendant to identify that it was a request for the exercise of the right of access provided for in Article 15 of the GDR. The Litigation Chamber therefore considers that the complaint was validly submitted to it for examination of facts constituting a potential infringement of the right of access under Article 15 of the GDR. 44. 44. The Litigation Chamber is therefore competent to take account of the grievances developed by the complainant by way of a finding under article 15 of the GDR instead of the provisions of article 15 of the GDR. 36, § 4 and § 5 as well as Article 38, § 1 of the Law of 30 July 2018 (Data Protection Act). 45. The Administrative Jurisdiction Division also notes that the defendant was able to develop its arguments by way of conclusion, albeit in the alternative, and put forward its complaints regarding the request for access by the complainants under Article 15 of the GDR. The Chamber should therefore not reopen the proceedings on this point, and decides that it is competent to examine and deal with the complaint and its two complaints, namely, the late and incomplete nature of the reply made by the defendant to a request for access to personal data, including a request for a copy, submitted to it by the complainants. Failure to comply with the obligation to reply to a request for access to personal data within one month of receipt of the request. 46. According to Article 12.3 of the DPMR juncto Article 15 of the DPMR, a response to a request for access to personal data must be provided within one month of receipt of the request. This time limit may be extended by 2 months taking into account the complexity and number of requests, provided that the controller informs the data subject of this extension and the reason for the extension within one month of receipt of the request (Article 12.3 of the DPMR). 47. 47. The defendant, as controller of the complainants' personal data, was therefore under an obligation to respond to their request for access to their personal data and to their request to receive a copy of these personal data within one month of receipt of the request, unless the time limit was extended for reasons to be communicated to the complainants within one month. The Administrative Jurisdiction Division finds that the defendant did not respond to the request for access within the prescribed time-limit, nor did it give reasons within one month for the postponement of the communication of that information. 48. 48. The Chamber considers that this failure to reply constitutes an infringement of Articles 15(1), 15(3) and 12(3) of the RGPD for the following reasons: 49. Firstly, the Litigation Chamber finds that the request for access was sufficiently clear as regards the identity of the persons concerned to enable the defendant to reply within one month. Indeed, the defendant did not state the reasons why it requested additional information in order to identify the complainants, as permitted by Article 12. 6 of the DPMR, which provides that the controller "may request further information to confirm the identity of the data subject" where "the controller has reasonable doubts as to the identity of the natural person making the request referred to in Articles 15 to 21", within one month from the receipt of the request (Article 12.3 DPMR). 50. 50. The defendant was therefore entitled to request that the complainants provide it with additional information (such as an identity card) to confirm their identity provided that it had reasonable doubt as to the identity of the natural person making the request. In the present case, the defendant did not give any reasons for doubting the mandate of their lawyer, a member of the bar, to represent clients, nor did it give any reasons for doubting the statements made by that lawyer with regard to the identity of his clients, in order to justify its request to return a copy of the front side of the clients' identity card. The defendant also replied to the complainants by letter dated 9 January 2020 addressed to one of the complainants. This fact shows that the defendant ultimately had no reasonable doubt as to the identity of this complainant. Without prejudice to the question whether, in view of the circumstances and the nature and volume of the data processed by it, a banking institution such as the defendant is entitled or not entitled to request a copy of the identity card of any person wishing to make a request for access to personal data in a standard manner, the Judicial Chamber notes that, in the present case, the intervention of a lawyer registered at the Brussels Bar and a letter sent with his paper to en en could enable the defendant to validate the factual data transmitted by that lawyer concerning the identity of his clients. 51. 51. It was incumbent on the defendant to provide all the personal data requested by the complainants, namely, according to the interpretation of the Litigation Chamber, all the personal data and information on this subject referred to in Article 15 of the GDR. 52. 52. Secondly, the Litigation Chamber notes that the request for access to and copy of the personal data held by the defendant was, as to its purpose, formulated sufficiently clearly by the complainants to enable the defendant to reply within one month. The Litigation Chamber also takes into account the fact that Articles 15.1 and 15.3 juncto 12.3 of the RGPD did not allow the defendant to postpone its response to the request for access by requesting clarification of the "rights" that the complainants would like to exercise following their request for access. 53. 53. Admittedly, the Litigation Chamber understands that the defendant asked the complainants to specify which rights they wished to exercise, since according to the case-law of the Court of Justice, in order to comply with a request for a right of access, "it is sufficient that the applicant be provided with a complete overview of those data in an intelligible form, that is to say, in a form which enables the applicant to acquaint himself with those data and to verify that they are accurate and processed in accordance with that Directive, so that the applicant may, where appropriate, exercise the rights conferred on him by that Directive. » . This case-law (under the former Directive 95/46) is relevant insofar as it does not make requests for access subject to the condition of indicating which right the data subject intends to exercise following his request for access. Recital 63 of the GDPMR states that the right of access to personal data must enable a data subject to "become acquainted with the processing operation and to exercise it in accordance with the law". verify lawfulness", without indicating that the controller may postpone its response pending information on the purposes of the access request. 54. 54 54. Recital 63 of the DPMR specifies, however, that it should be possible for the controller to postpone the response to a request for right of access in order to obtain specific additional information, namely "on which data or on what data, if any, should be disclosed". processing operations his request is related to", and this is the case when the controller processes a large amount of data relating to the data subject. Where appropriate, it is the responsibility of the controller to "facilitate the exercise of the rights" of the data subjects under Article 12(2) of the PGRD, which excludes the possibility of asking such questions in an irrelevant manner and/or for dilatory purposes, all the more so as Article 8(2) of the Charter of Fundamental Rights of the European Union mentions the right of access as one of the founding principles of the right to protection of personal data. 55. 55. In the present case, the only requests for additional information possible under recital 63 of the GDR were not made by the defendant, so that the Chamber considers that the request for access made by the complainants was sufficiently clear in terms of its content to enable the defendant to reply within the legal time-limit of one month from receipt. 56. Finally, for all practical purposes, the Litigation Chamber also recalls that the GDR does not make the validity of a request for access dependent on the invocation of a particular legal basis such as Article 15 of the GDR. It is sufficient in this respect that the subject of the request is sufficiently clear, namely access to and/or copying of personal data. In the present case, the Administrative Jurisdiction Division finds that the request was sufficiently clear in this respect, as evidenced by the fact that the defendant immediately identified the request of the complainants as a request for access to their data, which is apparent from the wording of the first response to this request by the defendant (e-mail of 11 September 2019: "With regard to the request for the Right of Access, ..."). 57. 57. As a result, the Litigation Chamber finds that the defendant has infringed Articles 15.1, 15.3 and 12.3 of the RGPD. The completeness or otherwise of the reply to the request for access 58. The Administrative Jurisdiction Division decided to dismiss the complaint lodged by the complainants by way of conclusion, namely, the fact that, in their view, the reply given by the defendant regarding access to any personal data relating to the reasons for the decision to terminate the commercial relations between the parties was not complete. 59. 59. In the present case, the Litigation Chamber considers that this request for access is part of a broader commercial dispute which a court of first instance may decide if it is seised of the following questions: whether or not the defendant had the right to terminate its commercial relationship with the plaintiffs without giving reasons, and is it correct that the anti-money laundering provisions which it must apply exonerate it from any duty to provide information as to the reasons for the decision to terminate the commercial relationship. 60. 60. However, the Litigation Chamber intends to provide some clarification and its assessment of the scope of the information to be provided in response to requests for access under article 15 of the GDR. Insofar as the plaintiffs' request did not indicate which personal data or specific information relating to those data was requested among the various items of information provided for in Article 15.1 of the GDR (e.g. storage period, origin of the personal data, etc.), the Litigation Chamber considers that it was incumbent on the defendant to provide within the legal time limit of at least one month a complete overview of the personal data or categories of personal data being processed (Art. 15.1.b), including the purposes of that processing (Article 15.1.a), as well as the recipients or categories of recipients for each category of data (Article 15.1.c), where possible, the storage period or the criteria used to determine that period (Article 15.1.d), the source of the data where they are not obtained from the data subject (Article 15.1.g), and the information set out in Articles 15.1.e, f and h and 15.2 of the GDR. As regards the form of this information, the Administrative Jurisdiction Division considers that the information should enable the data subject to acquaint himself with the data processing operations and to verify their lawfulness, in accordance with the purpose of the right of access as set out in recital 63 of the GPRD. 61. If the controller does not provide from the outset all the information that the data subject is likely to obtain under Article 15 of the GDR, the Administrative Jurisdiction Division considers that it is at least incumbent on it to specify in the reply to the request for access how the data subject can obtain this additional information relating to the data processed, for example the Privacy Charter, provided that this document is sufficiently clear in this respect and that the reference to it is sufficiently precise to enable the data subject to easily find the information referred to in Article 15(1) of the GDR. 62. 62. The Litigation Chamber notes that the defendant has an automated system enabling it to respond to this type of request. The Litigation Chamber notes, however, that the result of this automatic response does not include all the information referred to in Article 15(1) of the GDR. The Administrative Jurisdiction Division notes that the reply sent by the defendant to the complainants contained, in particular, information on the categories of data processed, their origin and the purposes of the processing, as well as on the choices made by the complainants with regard to the processing of data for marketing purposes. In addition, the plaintiff was invited to address any request for further information to an e-mail address of the bank. 63. Thus, the document does not provide any information on : - the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular recipients who are established in third countries or international organisations (Article 15 § 1, c GDR) ; - the envisaged period of retention of the personal data or, where this is not possible, the criteria used to determine this period (Article 15(1)(d) of the ECHR); - the existence of the right to request from the controller the rectification or erasure of personal data, or a restriction on the processing of personal data relating to the data subject, or the right to object to such processing (Art. 15 § 1, e PGRD) ; - the right to lodge a complaint with a supervisory authority (art. 15 § 1, f PGRD) ; - the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, useful information concerning the underlying logic, as well as the importance and the expected consequences of such processing for the data subject (Article 15(1)(h) of the Data Protection Regulation); - if personal data are transferred to a third country or to an international organisation, the appropriate safeguards put in place with respect to such transfer (Art. 15 § 2 RGPD). 64. The reply formulated by the defendant therefore appears to the Litigation Chamber to be incomplete. However, the Litigation Chamber will not uphold these complaints insofar as they have not therefore been the subject of an adversarial hearing in the context of the present case. The Chambre contentieuse understands that the plaintiffs' challenge is to the incompleteness of the categories of data provided with regard to the reasons for the breach of contract and not to the potentially incomplete nature of the information provided about the data processed by the defendant in general. The Litigation Chamber therefore does not reopen the proceedings on the latter point. 65. In view of the facts and complaints submitted to it, the Litigation Chamber therefore closes the complaint with regard to the complaint concerning the incompleteness of the reply to the request for access. On corrective measures and sanctions 66. Under article 100 of the LCA, the Litigation Chamber has the power to : "1° dismiss the complaint without further action; 2° order the dismissal; 3° pronounce a suspension of the pronouncement; 4° propose a settlement; 5° issue warnings or reprimands; 6° order to comply with the requests of the person concerned to exercise these rights; 7° order that the person concerned be informed of the security problem; (8) order the temporary or permanent freezing, restriction or prohibition of treatment; (9) order that the treatment be brought into conformity; 10° order the rectification, restriction or deletion of the data and the notification of the data to the recipients of the data; 11° order the withdrawal of the approval of certification bodies; (12° give penalty payments; 13° give administrative fines; 14° order the suspension of transborder data flows to another State or international organization; 15° transmit the file to the Public Prosecutor's Office of the King's Prosecutor of Brussels, which informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. » 67. The complainants request that the Litigation Chamber declare their complaint well-founded. The complaint does not include a specific provision on the measures requested. The Litigation Chamber understands that the complainants request that it find that the response to their request for access was late and incomplete and that the Litigation Chamber orders the defendant to comply with their request for access to personal data not yet disclosed, according to the complainants. 68. 68. The defendant acknowledges that it reacted late to the request for access, but denies having any personal data about the complainants other than those which it transmitted to them. The defendant justifies the four-month time-limit for reply by a combination of circumstances. As a reminder, the addressee of the request was absent due to illness without provision having been made for a back-up, in the context where the request was not submitted in accordance with the procedures laid down by the defendant for that purpose in accordance with Article [X] of its Privacy Charter, namely, via an e-mail with a copy of the identity card, or via various applications. The defendant has put measures in place to deal with such circumstances in the future, which it asks the Administrative Jurisdiction Division to take into account in the context of the measures to be ordered. » 69. The defendant further refers to the existence of a procedure for processing access requests since 2018, with more than 25600 requests processed since then, without a customer having complained, according to the defendant's information. 70. 70. In that context, the defendant requests that the complaint be dismissed inasmuch as it considers it unfounded in view of the legal basis relied on by the complainants. In the alternative, if the Administrative Jurisdiction Division considers that it should deal with the complaint, the Respondent requests that the case be dismissed under Article 100 § 1, 2° ACL. In the further alternative, the defendant requests suspension of the proceedings in accordance with Article 100 § 1, 3° ACL. In particular, the defendant takes the view that, in view of the particular circumstances of the case, in particular the manifestly unfounded nature of the complainants' allegations, human error and the considerable efforts it has made to respond to the requests for access, a further penalty would be disproportionate. In addition, the defendant claims confidentiality of the publication of the decision to be taken in an 'anonymous' manner, inasmuch as it cannot be accused of negligence in the present case. 71. 71. In the present case, the Litigation Chamber recalls that the right of access to personal data, enshrined in Article 15 of the GDR, is a fundamental right of personal data protection. The one-month time-limit for reply has not only applied since the entry into force of the RGPD on 24 May 2018, but also since the entry into force in 1993 of the Act of 8 December 1992 on the processing of personal data, which preceded it, where the time-limit was 45 days (Article 10 § 1 (3) of that earlier Act). Failure to comply with the 30-day time-limit is, according to the Litigation Chamber, a failure to comply with the time-limit. 72. The argument put forward by the respondent that human error had occurred and that a person was ill therefore does not stand up to analysis. Those exceptional circumstances do not detract from the fact that, at the material time, there was no procedure for dealing with requests for access outside the standard methods of communication advocated by the defendant. 73. 73. The defendant acknowledges by way of conclusion that there was a certain degree of delay in processing the Complainants' request and states that it has taken appropriate organisational measures to remedy this in the future: "Due to a combination of unfortunate circumstances, in particular the long absence of the competent manager (due to illness) and a human error when sending an e-mail, the request could not be followed up in accordance with the usual procedure. In order to remedy this in the future, the defendant identified certain concrete measures: (i) The establishment of an internal, strictly monitored reminder system: if the competent person coordinating or handling a complaint is absent, that person will in future be followed up by a back-up person who will receive an automated reminder. (ii) The establishment of reminders of the possibility of access via automated tools: since any data subject can consult his or her own data in various applications, the defendant must further increase the visibility of this possibility, in particular by means of a standardised reply to any person making an access request reminding him or her of the existence of these tools. In this way, any data subject can benefit from the ease and speed of these tools. There is of course nothing to prevent the request being processed manually if the data subject so wishes, but this will make the procedure even more efficient. » 74. The Administrative Jurisdiction Division takes note of these efforts made by the respondent to improve the future handling of access requests made outside its specific automated procedures, and therefore confines itself to reprimanding the respondent on the basis of Article 100 § 1, 5° ACL. The Litigation Chamber refrains from any other sanction insofar as this is the first complaint it receives concerning the processing of access requests by the defendant, which is of course responsible for implementing the appropriate procedures that enable the effective exercise of the right of access (Article 24 RGPD juncto art. 15 RGPD). 75. On the basis of this finding of infringement of the PGRD, it is for the complainants to argue before the trial judge - if necessary - whether or not this lack of response deprived them of an opportunity to assert their rights in court, in the event that the response provided late would be considered incomplete in the context of such proceedings, which in this case the Litigation Chamber cannot assess on the basis of the facts submitted to it. 76. Furthermore, in view of the importance of transparency with regard to the decision-making process and the decisions of the Administrative Jurisdiction Division, the decision will be published on the website of the Data Protection Authority with the deletion of data directly identifying the parties and the persons cited, whether natural or legal persons. ON THESE GROUNDS, The Litigation Chamber of the Data Protection Authority decides, after deliberation, to : - Declare the complaint well-founded with regard to the late nature of the response provided by the defendant to the request for access to personal data made by the complainants, find that there has been an infringement of Articles 15.1 and 15.3 juncto 12.1 of the DPA and for this reason, issue a reprimand against the defendant on the basis of Article 100 § 1, 5° LCA ; - To dismiss the complaint (art. 100 § 1, 1° LCA) with regard to the incompleteness of the defendant's response to the request for access to personal data, in particular with regard to any personal data processed in connection with the reasons for the breach of contract by the defendant; Pursuant to Article 108 § 1 ACL, this decision may be appealed to the Market Court within 30 days of its notification, with the Data Protection Authority as defendant. Hielke Hijmans President of the Litigation Chamber