I’m not sure X/Y’s data protection practices are compliant” is not a justification for filing a complaint, says the Belgian DPA in a new decision, reminding data subjects that they should exercise their rights before a complaint or at least be able to show that an alleged non-compliance by a controller or processor somehow affects the data subject in question.
The case in question revolved around an automated number-plate recognition (ANPR) system used in a car park, described as follows:
“The car parks use ANPR cameras where, when the car enters a car park, the number plate is automatically registered and the barrier is automatically raised. Upon leaving, the driver has to enter his number-plate into one of the payment terminals, after which the terminal […] would provide a summary with the following data: i) confirmation of the car’s presence in the garage, ii) the exact time of entry and duration of parking, iii) a photo of the car concerned. The driver then has to confirm and pay and can then leave the garage as the barrier is raised automatically, without an intervening action by the driver, again using ANPR cameras placed at the exit of the car park.”
The data subject wrote to the controller, asking if a DPIA had been carried out, and the controller responded in general terms without directly answering the point about a DPIA. The data subject then filed a complaint.
The Belgian DPA has regularly dismissed complaints before, but the wording in this dismissal decision is particularly clear:
“First, in accordance with its dismissal policy, the Litigation Chamber examines whether the submitted complaint contains grievances with a major personal impact. […] the complainant in this case does not exercise any rights. Both in the communication he sent towards the defendant and in the actual complaint, no data subject rights – as included in the GDPR- are exercised. The Litigation Chamber also takes into account that the complainant does not prove that he himself was a user of a- car park with such a payment system.
“The complainant raises a socially relevant issue, but does not demonstrate an effective violation of the GDPR. Given that the complainant does not wish to exercise any data subject rights and is merely asking for more information regarding a possible DPIA, the Litigation Chamber finds that the grievances raised by the complainant do not meet the criteria of high personal impact […]
[Note that the Belgian DPA’s Inspection Service can investigate compliance even in the absence of a complaint (i.e. on its own initiative) if there are (documented) serious indications of non-compliance – it is unclear whether such indications exist or are documented in this case.]
It also serves as a useful reminder for controllers: responses to data subject requests can be limited to what is *required* by law.
Decision (in Dutch): https://lnkd.in/eWTHppaq
privacy
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗