Recent decisions of the Belgian Data Protection Authority


In this news article, we focus on some of the decisions of the Belgian Data Protection Authority (“DPA”) issued in the last three months.

1. Decision of 9 July 2021: qualification as controller, co-controller, processor, or person acting under the authority of the controller?

In a decision of 9 July 2021 (text in NL/text in FR), the Belgian DPA stresses the importance of making a distinction between a controller, a co-controller, a processor and a person acting under the authority of the controller.

The facts of the case can be summarised as follows. In the context of the complainant’s socio-professional rehabilitation, the advising doctor working for the health insurance fund X provided a medical opinion to the national institute for sickness and disability insurance (RIZIV-INAMI). The complainant accused the advising doctor of having forwarded this medical opinion without the complainant’s prior consent and lodged a complaint with the DPA against the health insurance fund. The complainant also invoked a lack of transparency and a failure to respect the obligation of confidentiality.

In order to assess who is responsible/accountable for the data processing, the DPA analyses the qualification of the advising doctor and of the health insurance fund.

The DPA concluded that the health insurance fund qualifies as the sole data controller. The advising doctor of the health insurance fund should not be qualified as a separate data controller or co-controller, but must be qualified as a person acting under the authority of the controller/health insurance fund within the meaning of Article 29 or 32.4 of the GDPR.

To this end, the DPA considers that (i) the advising doctor’s professional freedom and independence do not mean that he is a controller, since he does not have the power of decision regarding the purposes and means of the data processing, (ii) the doctor is not a co-controller either, as joint responsibility requires a joint determination of both purpose and means of the data processing, which is not the case here, and (iii) the doctor is not a processor either as he is an employee in a hierarchical relationship with the health insurance fund, which is not reconcilable with the qualification as a processor.

2. Decision of 14 July 2021: transfer of customer data within the organisation

The importance of a correct qualification of the parties involved in the data processing was also demonstrated in this case. The facts were as follows. Bank Y, the defendant, operates through a network of independent banking agents. After banking agent A ceased its activities, the defendant decided to transfer the personal data of the complainant, a customer of banking agent A, to banking agent B in order to guarantee the continuity of the financial services. Since the complainant had not consented to this transfer, the complainant filed a complaint with the DPA.

In its decision (text in NL/text in FR), the DPA considers that bank Y must be qualified as the data controller and that the independent banking agents must be qualified as data processors on behalf of bank Y. As a result, the transfer of the data took place within bank Y’s network between two data processors and cannot be qualified as a transfer to a third party.

The DPA further found that the transfer is done for the purposes described in bank Y’s privacy policy and that the legal grounds for the processing (performance of contract, compliance with legal provisions, and legitimate interest) have not changed.

On these grounds, the DPA concludes that the consent of the complainant was not required for the transfer and that there was no breach of the GDPR.

3. Decision of 29 July 2021: electoral propaganda mailings and the principle of purpose limitation

In this decision (text in FR), the Belgian DPA once again recalls the importance of respecting the principle of purpose limitation, enshrined in Article 5.1.b) of the GDPR, in particular in the context of sending electoral propaganda mailings. 

The complaint concerns the mailing of election propaganda letters by the defendant to senior citizens in the municipality of Z, in the context of the municipal elections of October 2018. The complainant, having been a recipient of these mailings, suspects the defendant of having used the municipal senior citizens’ file and of having used his capacity as alderman to divert this file from its intended purpose. The complainant considers this use to be contrary to the GDPR and in particular to the principle of purpose limitation, which requires that data be collected only for specific, explicit and legitimate purposes and not be further processed in a way that is incompatible with these purposes.

In its decision, the DPA referred to its previous publication “Elections”, in which it applied the principle of purpose limitation to the example of electoral propaganda mailings: “For example, citizens’ personal data obtained in the course of exercising an aldermanic mandate may not be reused for the organisation of an election campaign. This is a misuse of information lawfully obtained in the exercise of an aldermanic mandate. Such use of personal data is not only prohibited by the purpose limitation principle, but also breaks the equality between political parties and the equality between candidates. The legislation aims to treat all candidates equally by giving them access to the same data, namely those on the voters’ lists”.

Consequently, personal data of citizens obtained in the context of the exercise of an aldermanic mandate cannot be reused for the organisation of an election campaign, which constitutes a different purpose.

Please contact Karel Janssens for further information about this topic and/or for general legal advice relating to privacy and data protection. 
 
