APD/GBA (Belgium) - 17/2020

From GDPRhub
Revision as of 16:18, 14 May 2020 by Juliette Leportois (talk | contribs) (Replaced content with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=DOS-2019-05450 |...")
APD/GBA - DOS-2019-05450
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: DOS-2019-05450
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: n/a

TO BE COMPLETED.

English Summary

Facts

The complainants are clients of the defendant, a bank. In September 2019, the complainants made an access request to the bank’s controller. More precisely, they both sent a letter through their counsel, requesting “a copy of all the personal data you hold as well as any additional information you have against them asking”. In response, the Defendant asked them to provide for their ID card and to specify which right they wanted to exercise. As the complainant found that the question was self-explanatory, they did not answer and lodged directly a complaint with the DPA in October 2019. The complainants argued that the Defendant should not have made the exercise of their access right conditional on either a clarification of the right at stake nor the sending of on a copy of the complainants' identity card. The Defendant mainly argued that the data protection authority was not competent because the banking sector is not subject to data protection act.


Dispute

The authority has to discuss on the interplay between the GDPR and the specific legal framework applicable to the banking sector.

Holding

The authority ruled that the data subject who exercised their access right are not required to identify the applicable and relevant legal framework as long as the authority can assist them and ensure a clear understanding of the potential violation which is under its jurisdiction. Thus, if necessary the authority can change the legal basis. The authority also ruled that the request for exercise of a GDPR right, such as the access right, implies that the authority exercise on the basis of objective law and does not concern only the subjective rights of the parties.


Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.