GDPR: Recent EU Court Practice
RIGHT TO CORRECT INCORRECT PERSONAL DATA
On 9 October 2019, the Court of Appeals in Brussels, Kingdom of Belgium, rendered Decision no. 2019/AR/1006 which confirms the obligation to use correct diacritical marks when writing a business name. The court passed the mentioned decision because it is about personal data, in respect of which there is an obligation to state them accurately.
DESCRIPTION OF THE FACTUAL SITUATION
It is about a client who, as the controller of personal data in the sense of the regulations governing data protection at the level of the European Union (GDPR), asked the bank to have his name written using appropriate diacritics.
The bank rejected this request from the client, justifying the inability of the existing computer system to implement what was requested.
The client did not accept this explanation from the bank and filed a lawsuit against it with the Belgian authority responsible for personal data protection.
At the EU level, when it comes to personal data protection, the General Regulation on Personal Data Protection (“GDPR”) applies.
In this case, Art. 16 of the GDPR prescribes the right of data subjects to request the correction of inaccurate personal data, which must be done without delay.
OUTCOME OF THE DISPUTE
After the conducted procedure, the competent body decided that the bank was obliged to act upon the client’s request and that the bank’s argument based on technical obstacles was not sufficient.
The bank filed an appeal against the said decision and the whole case moved into the hands of the appellate court.
In the procedure before the Court of Appeals, the bank pointed out the argument that this case is not about the protection of personal data, and that the GDPR is irrelevant.
However, the Court of Appeals in Brussels held that, in accordance with Article 16 of the GDPR, the concerned person has the right to have his name spelled correctly when processed by the bank’s computer systems. The claim that adapting the computer system for proper handling of diacritical marks would cost several months of work and that it would also represent additional costs does not entitle the bank to disregard the rights of the persons in question.
WHERE IS SERBIA?
Our country has not fully implemented the EU regulations when it comes to personal data protection. Following the example of the GDPR, the Law on Personal Data Protection is applied in Serbia, which in Article 29 also stipulates that the data subject has the right to have his or her inaccurate personal data corrected without undue delay. Depending on the purpose of the processing, the data subject has the right to supplement his or her incomplete personal data, which includes giving an additional statement.
Case law is very modest because there are no decisions of domestic courts or the Commissioner for Personal Data Protection regarding the obligation to use diacritical marks when stating personal names, as personal data in terms of the said regulation.