How does the Office of Data Privacy handle misprocessing reports?

Misprocessing reports are followed up by the Office of Data Privacy (ODP) in the following way:

  1. Fact Finding
    First, the ODP establishes the facts pertaining to the processing of personal data concerned. This is typically done in collaboration with the services involved to find out what was done by whom, when and why. The study of applicable documentation, regulations, etc. is also part of the fact finding.

  2. Compliance Check
    Then, the ODP assesses whether the processing was/is compliant with Operational Circular no. 11 (OC 11). The ODP checks if essential principles of processing are respected, if a lawful basis exists, if data subject rights are observed, etc.

  3. Recommendations
    Furthermore, if appropriate, the ODP tries to identify ways to bring the processing into compliance and recommends specific measures to the services concerned for doing so. Examples include: “Please, publish a privacy notice.”, or “Delete the data that is no longer needed.”, or “Carry out a Privacy Impact Assessment to analyse risks and identify suitable mitigation measures.”

  4. Follow-up
    Finally - as an “extra step” not defined in OC 11 - the ODP gives the services concerned the opportunity to react to the recommendations, for instance by committing to implement them in a certain time-frame.

    The reason the ODP has added this extra step is that OC 11 does not provide for follow-up of recommendations, while giving data subjects the right to lodge a complaint if they are dissatisfied, provided that their own personal data is affected by the misprocessing.

    Thus, data subjects have sufficient elements allowing them to decide whether they would like to file an official complaint with the Data Protection Commission.

  5. Documentation
    The steps above are documented in an evaluation report that is shared with the complainant and the services concerned. A copy is also sent to the Data Protection Commission for information.

As a principle, the ODP handles the reports in a confidential way by not disclosing the identity of the complainant to the services involved. However, this is not always possible, in particular when the complainant's own personal data are concerned.

OC 11 does not define a time limit for the handling of misprocessing reports. The ODP tries to do its best to quickly investigate, evaluate and recommend. Unfortunately, the ODP often faces a heavy workload, which causes certain delays.