Updated: Apr 14
The Belgian data protection Authority decided to reprimand the Federal Public health service for not responding to the exercise of a citizen’s right of access.
To read the full decision in French, click here
Tuesday 9 July 2019, the Data Protection Authority decided to reprimand with the Federal Public Service Public Health. This sanction concerns a case where the FPS Public Health had not responded to a citizen’s request to exercise his right of access despite an order from the Authority.
The case concerns a health care professional whose appointment as a deputy member of PGC Limburg (Provincial Medical Commission of Limburg) was withdrawn. The complainant then decides to exercise his right of access to his personal data to know the reason why his position was taken away.
Without a reply from the FPS Public Health, he submitted his first complaint to the Authority at the end of 2018.
In October 2018, the Authority’s Dispute Chamber ordered the FPS Health to respond to the complainant’s request, but the FPS did not respond to the request. The complainant then submits a complaint about the second time in 2019.
During a hearing, the FPS Public Health acknowledged the facts and emphasised that there are problems with internal procedures. After hearing both parties, the Authority’s Dispute Chamber concluded that the FPS Public Health was negligent and decided to issue a reprimand, as well as to publish the Dispute Chamber’s decision including the names of the parties (with the complainant’s formal consent). The Court also considers it important that the FPS Public Health introduce internal procedures in the short term so that it can effectively manage its obligations under the GDPR.
Hielke Hijmans, Chairman of the Dispute Chamber, explains
(this quote is a translation): “The procedure revealed that the FPS Public Health did not implement internal procedures to meet the requirements of the GDPR, while the Regulation was published in May 2016 and since May 2018 entered into force. The FPS Public Health also did not adhere to the principle of responsibility of the controller as referred to in the GDPR.”
Citizens can exercise their rights with the controller of their personal data. This person in charge must respond to the person’s request within one month. It is necessary for organisations that process personal data to have internal measures in place to respond to requests in the time specified in the law. For example, through a clear contact person for citizens to and to introduce a response procedure.
“It is very important for us to remind organisations that they must do everything they can to comply” concludes Hielke Hijmans, President of the Authority’s Dispute Chamber.
David Stevens, President of the Data Protection Authority: “We are delighted that more and more citizens are coming to us to assert their rights.”