In a decision of 29 July that it published today, the Litigation Chamber of the Belgian Data Protection Authority (BDPA) examined the issue of who is controller in the case of an external auditor, as well as the limits to data subjects' rights to obtain a copy of personal data relating to them.
The case revolved around a request by a doctor, head of a radiology service in a hospital, to gain access to an audit report and specifically sections that related to her individually. The audit was carried out at the request of the hospital in question by an external expert.
If an external expert examines information at your request, who is the controller?
The BDPA and its predecessor, the Belgian Privacy Commission, have regularly examined the issue of who is controller. At the beginning of 2019, the Belgian Privacy Commission published a note, while it was acting as "BDPA in transition" prior to the full forming of the new BDPA in April & May 2019, in relation to the concepts of controller and processor. That note is no longer available online as a result of the revamp of the BDPA's website, but it notably set out the following as key criteria to determine who is controller in a customer-service provider relationship:
- The level of detail of instructions given by the customer to the service provider (the more freedom the service provider has, the more likely it will be considered as a controller);
- The level of supervision by the customer and monitoring of compliance with instructions and contractual requirements (the greater the supervision, the more likely the service provider will be a processor);
- The level of visibility of the service provider for processors (the more invisible the service provider, the more likely it acts as processor);
- The level of expertise of the parties (as in-depth expertise can show that the service provider is the only one able to take certain decisions in relation to the processing).
Perhaps for these reasons, the hospital argued that it was not the controller in relation to the audit report but that in reality the external expert was the controller.
This could easily have been countered by asserting that the audit report was held and used by the hospital, and that in this context the hospital became a separate controller.
However, the Litigation Chamber does not appear to have taken this approach. Instead, it stated as follows:
"In the present case, by giving mandate to doctor Z [the auditor], even in his capacity as independent expert, to carry out an evaluation of the radiology service of the hospital, the defendant [the hospital] determined the purposes and means of the processing."
In our view, this conclusion is flawed, as it appears to open up the possibility for any customer to be considered controller, irrespective of the criteria set out by the "transitional" DPA in the aforementioned note. A lawyer's client requests a lawyer to carry out an evaluation of a case; an organisation needing a financial audit requests an audit firm to carry out an evaluation of its inner workings. However, each of these service providers is given significant freedom in how to achieve this assessment and prior guidance has systematically suggested that the degree of freedom is a key factor in determining an entity's role as controller or processor.
For this reason, we hope future decisions by the Litigation Chamber will be more circumspect in their analysis of controller-processor roles and will highlight the precise level of freedom of the entities in question.
Can protected documents be excluded from a response to a data subject access request?
The hospital attempted to prevent access to the audit report, considering that the report was confidential, protected by copyright and contained data regarding other doctors and staff.
The Litigation Chamber rejected all of these arguments, for the following reasons:
- On confidentiality, the hospital failed to demonstrate that the report was indeed confidential, let alone that it was covered by professional secrecy (see Art. 14(5)(d) GDPR).
- On copyright:
  - the author of the report did not appear to object to communication beyond the initial recipients,
  - the balance of interests in the present case did not appear to prevent the sharing of a copy of the document, and
  - even if that were the case, nothing would have prevented mere consultation of the document (i.e. reading the document on premises).
- On the data regarding other persons, the hospital could have redacted personal data concerning those other persons.
In this particular case, the data subject access request was submitted at the time separate litigation began between the data subject and the hospital. The Litigation Chamber considered that this had no bearing on the case, as "the plaintiff is free to access at any time the personal data concerning her". It remains to be seen whether there will ever be situations of abuse of data subject rights, but in this case the Litigation Chamber does not appear to object to the instrumentalisation of data protection law.
It is also worth noting that according to the Litigation Chamber, the right to obtain a copy of personal data "is the major addition of the GDPR in terms of the right of access". This led the Litigation Chamber to consider that in this particular case the hospital had committed a "severe infringement" (manquement grave) of the GDPR by refusing to communicate personal data to the data subject.
In practice: If you wish to exclude documents from the scope of data subject access requests, think carefully about the justification for exclusion. The BDPA will not accept a simple reference to confidentiality, IP rights or the rights of other data subjects – it will be necessary to demonstrate to the BDPA why certain kinds of documents cannot be provided.
What measures can be required for the handling of data subject requests?
The Litigation Chamber also examined the process by which the hospital managed data subject requests.
First, the hospital required requests to be made by appointment and did not provide the possibility to submit a request by e-mail or any other means of communication. The Litigation Chamber stated that it was excessive to require discussions systematically. According to the Litigation Chamber, this requirement could be viewed as "intimidating" and as hindering the freedom of data subjects to exercise their rights.
Next, the Litigation Chamber "invited" the hospital to examine whether a copy of the data subject's ID was truly "systematically necessary" to identify them and whether any alternative means could be used.
In practice: Ensure your process for handling data subject requests is flexible and carefully thought out. Proportionality and effectiveness should be the underlying principles, as a data subject request procedure must help you comply with data protection rules – and help limit the risk of anyone (your organisation or the data subject) misusing his or her rights.
What was the outcome?
When reading the decision (available in French), it may come as a surprise that the hospital got away with merely a reprimand and no fine. This is because the Litigation Chamber was not authorised to impose a fine, as a result of the public nature of the hospital in question, in accordance with Art. 221(2) of the Belgian Data Protection Act of 30 July 2018 (according to which governmental bodies cannot be fined, except for public law entities that offer goods or services on a market).
In other words, the same findings in relation to any other organisation would likely have led to a fine. To avoid this situation, ensure your processing meets the Litigation Chamber's expectations – or ensure you have an adequate justification for deviating from the standard they have set in this case. Either way, be sure to reach out if you need more practical guidance.