Digital Law Up(to)date: Dismissal of a complaint by the DPA for not processing the complainant's data

A recent decision (only available in Dutch) by the litigation chamber of the Belgian Data Protection Authority (DPA) can be put into perspective with the decision of the Supreme Court of 7 October 2021 (which we reported here) considering that the DPA has to deal with a complaint filed by a person whose data had not been processed.

In this case, the complainant found that the ombudsman contact form offered by a hospital was not sufficiently secure (e.g. no encryption for the transfer of sensitive health data, unsecured connection). The inspection service of the DPA identified several breaches of data protection legislation (e.g. article 32 “security of processing”). The complainant did not use the form to avoid such insecure processing.

The litigation chamber rejects the complaint, as there was no processing of the data subject's data. The complainant had thus no personal interest.

Is this decision of the DPA contrary to the earlier judgment of the Supreme Court? The litigation chamber cites the Supreme Court decision but notes that in this case the ombudsman is accessible other via other channels than the online form (via the telephone or a form to be completed directly at the hospital). It is therefore possible to access the service without using the problematic online form. This circumstance makes it possible to consider that the complainant does not have a personal interest because he does not demonstrate any disadvantage. In the judgment of the Supreme Court, the refusal to process data meant that the complainant in question was unable to obtain a loyalty card from a retailer (that is a real disadvantage): there was no other possibility to obtain the card. 

This article was co-authored by Edouard Cruysmans in his capacity of Professional Support Lawyer at Stibbe.