APD/GBA (Belgium) - 97/2024

From GDPRhub
Revision as of 11:36, 13 August 2024 by Mba
APD/GBA - 97/2024
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(b) GDPR
Article 6(1)(f) GDPR
Article 12(4) GDPR
Article 17(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 16.07.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 97/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: fb

The DPA issued a reprimand to a controller as it unlawfully kept an employee's email inbox open for an excessive time after the termination of the employment contract.

English Summary

Facts

The data subject was employed by the controller with the role of managing 30 residential buildings. In October 2020, the controller dismissed the data subject without notice, believing he had made several mistakes in his job.

After the termination of the employment contract, the controller kept the professional email address of the data subject active. It argued that it needed that email inbox to ensure that the tasks previously handled by the data subject could be smoothly transferred to someone else. Therefore, it argued that it had a legitimate interest under Article 6(1)(f) GDPR to keep the email inbox active.

On 11 November 2020, the data subject asked the controller to stop using his email inbox and filed an erasure request pursuant to Article 17 GDPR.

On 3 December 2020, the data subject filed a complaint with the DPA.

Holding

First of all, the DPA pointed out that the email address of the data subject is personal data according to Article 4(1) GDPR, since it is a piece of information relating to an identified or identifiable natural person.

Secondly, the DPA noted that this address had been created for professional purposes, namely to allow the data subject to send and receive emails relating to his professional activity. According to the DPA, it follows from the principle of purpose limitation set by Article 5(1)(b) GDPR that the controller is obliged to close the inbox after a data subject terminates their job. The DPA added that, before doing this, the controller must activate an automatic reply, informing that the data subject is not working for the controller anymore and indicating another email address which the clients can use.

However, the DPA also noted that, depending on the role of the data subject (for example, if the data subject is the CEO or is the only person in charge of a given task in the controller’s organization), a delay of up to 3 months can be admissible. In the case at hand, the DPA recalled that the controller had kept the email address active for longer than that. Therefore, the DPA found a violation of Article 5(1)(b) GDPR combined with Article 5(1)(c) and 5(1)(e) GDPR.

Thirdly, the DPA focused on the legal basis. The DPA agreed with the controller that, in principle, it can have a legitimate interest under Article 6(1)(f) GDPR to keep the inbox active for a certain time.

The DPA noted that to verify if a controller can use the legal basis provided for by Article 6(1)(f) GDPR, according to the CJEU (see C-13/16, Rīgas satiksme) a 3-step test must be conducted. As for the first step, it held that ensuring the continuity of the services provided by the controller is actually a legitimate interest.

As for the second step, the necessity test, the DPA held that this processing can be regarded as necessary to pursue the interest of the controller.

Finally, as for the third step, the DPA pointed out that, in principle, a short delay can be acceptable and does not imply that the legitimate interest of the controller is overridden by the interests and fundamental rights of the data subject. However, in the case at hand, the controller had kept the inbox open for a long time (more than 5 months). The DPA believed that this time is to be regarded as having an excessive impact on the rights of the data subject, in particular regarding the principle of data minimisation.

Therefore, the DPA held that the controller could not rely on Article 6(1)(f) GDPR as a legal basis and found a violation of Article 6(1) GDPR.

Finally, the DPA found a violation of Article 12(4) GDPR in combination with Article 17(1) GDPR since the controller neither replied to the data subject nor erased the data.

On these grounds, the DPA issued a reprimand to the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Data Protection Authority
                                                                          

Litigation Chamber
Decision 97/2024 of July 16, 2024
File number: DOS-2020-05645
Subject: Complaint relating to the failure to delete a professional email address
following a dismissal
The Litigation Chamber of the Data Protection Authority, made up of Mr.
Hielke HIJMANS, president;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the
protection of natural persons with regard to the processing of personal data and
to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter “GDPR”;
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter
“LCA”);
Considering the internal regulations as approved by the House of Representatives on
December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019¹;
Considering the documents in the file;
Has taken the following decision regarding:
The complainant: Mr.
The defendant: Company Y, hereinafter “the defendant”
1 The new internal regulations of the APD following the modifications made to the LCA by the Law of December 25
2023 amending the law of December 3, 2017 establishing the Data Protection Authority (LCA) entered into force
on 01/06/2024.
It only applies to complaints, mediation files, requests, inspections and procedures before
the Litigation Chamber initiated from this date: https://www.autoriteprotectiondonnees.be/publications/reglement-dordre-
inside-the-data-protection-authority.pdf
Files initiated, as in this case, before 06/01/2024 remain subject to the provisions of the internal regulations
(https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur.pdf) as they existed before this date.
Decision on merits 97/2024 — 2/18
I. Facts and procedure
1. The subject of the complaint concerns the failure to delete the complainant's named
professional email address following his dismissal by the defendant.
2. The defendant is a company active in the field of real estate which notably performs
the function of co-ownership trustee.
3. The defendant explains that it dismissed the complainant in October 2020, without
prior notice. The defendant describes this cessation of the complainant's activities as abrupt and
conflictual. It took place, still according to the defendant, without any preparation of files or
handover to a successor.
4. The parties disagree on the reasons for this dismissal. The defendant points to
the context of a takeover and, on that occasion, the discovery of professional errors
committed by the complainant. The complainant formally denies any
failure on his part. He indicates that at the time of the takeover, 7 months before his
dismissal, he was on the contrary informed that due to his age and the proximity of his
retirement, he was not part of the future of the company and his files would be
gradually taken over by colleagues from a sister company of the defendant. From
that time on, the complainant indicates, his work was systematically hampered by
contradictory directives he received from the new management.
5. The defendant reports that the complainant managed around thirty
residences and played a key role with regard to the legal obligations of the co-ownership
trustee as well as in the operation of the company. His tasks were
numerous (financial management of buildings, administrative management of buildings and
monitoring the good performance of these buildings), extending regularly over several years.
In the exercise of his duties, the complainant was in direct contact with the co-owners
of the buildings he managed.
6. The defendant further states that it had no other choice than to keep the complainant's
email address after his dismissal in order to ensure the continuity of the company's
activities, in particular the holding of the general meetings of co-owners for which
the complainant was responsible and the postponement of these during the covid-19 pandemic
in accordance with the legal provisions temporarily applicable at the time².
2 Law of December 20, 2020 establishing various temporary and structural provisions in matters of justice within the framework
of the spread of the Covid-19 coronavirus, M.B., December 24, 2020.
7. The defendant emphasizes that the facts took place not only in the context of the
takeover of its activities but also in the midst of the health crisis linked to the covid-19 pandemic,
during which the processing of received e-mails was even more essential (compared
with other non-electronic means of communication) to carry out the mission of
trustee and respond to requests from co-owners.
8. On November 11, 2020, the complainant sent a registered letter to the defendant
asking it to stop using his mailbox [X’s professional email address],
relying on substantive decision 64/2020 of September 29, 2020 of the Litigation
Chamber of the APD.
9. On December 3, 2020, the complainant filed a complaint with the APD against the
defendant. Having been dismissed at the beginning of October 2020 (point 3), the complainant denounces the
fact that as of December 3, 2020, the defendant was still sending emails from
his address without informing the senders of his departure from the company. The complainant also
denounces the fact that in many residences, his name still appeared on the
information panels as well as on numerous documents, which damaged his reputation.
The complainant was in fact no longer able to perform his duties since he had been dismissed
almost two months earlier.
10. On December 16, 2020, the complainant confirmed to the SPL that the defendant had failed to
respond to his request of November 11, 2020 (point 8).
11. On January 5, 2021, the complaint was declared admissible by the SPL on the basis of articles 58 and
60 of the LCA and the complaint was transmitted to the Litigation Chamber under article 62, §
1 of the LCA.
12. On February 2, 2021, in accordance with article 96, § 1 of the LCA, the Litigation Chamber's
request to carry out an investigation was transmitted to the Inspection Service (SI).
13. On June 30, 2021, the investigation by the Inspection Service is closed, the report is attached to the file
and this is transmitted by the inspector general to the President of the Litigation Chamber
(art. 91, § 1 and § 2 of the LCA).
14. The SI investigation report is based in particular on two technological reports of March 18
and June 14, 2021 and made the following findings:
- Finding 1: the SI concludes that the defendant did not comply with articles 5.1.b (principle
of purpose), 5.1.c (principle of minimization) and 5.1.e (principle of limited retention)
of the GDPR³ insofar as on March 23, 2021, i.e. more than 5 months after the dismissal
of the complainant, the email address [professional email address of X] was
still active / contactable. An auto-reply message is associated with this
email address, which mentions that the complainant has left the company, that the email address
will be deactivated soon and that the email address to be used in the future is the address
[generic email address].
3 The SI refers in particular to decision 64/2020 of the Litigation Chamber.
- Finding 2: the SI notes that there was a breach of article 6.1 of the GDPR by the
defendant since maintaining the disputed e-mail address for more than 5
months (i.e. from October 2020 - dismissal of the complainant - to March 2021 at least -
investigation reports) is excessive. No basis of lawfulness any longer - not even the legitimate
interest within the meaning of Article 6.1.f), which authorizes continued processing for a
period of 1 to 3 months depending on the concrete circumstances of the case - could
justify the continued processing of this data throughout this period.
- Finding 3: the SI notes that the defendant violated the requirements of articles 12.3,
12.4 and 17.1 of the GDPR by refraining from responding to the letter of November 11, 2020 from the
complainant, in which he made a request to erase his professional e-mail
address (articles 12.3 and 12.4), as well as by not deleting it
(article 17.1 of the GDPR).
- Finding 4: the SI finally notes that the complainant copied the APD on the letter he
addressed on June 8, 2021 to the defendant, in which he requests that the latter
stop using his private telephone number as a contact number for a
telephone alarm center. The SI notes that the complainant requests no action
from the APD and that in any event the one-month response time to
his erasure request had not expired on the date its report was closed.
In accordance with article 64, § 2 of the LCA, the SI does not consider it appropriate to pursue
its investigation concerning this last aspect.
15. On July 27, 2021 the Litigation Chamber decides, under Article 95, § 1, 1° and
article 98 of the LCA, that the file can be processed on its merits.
16. On this same date, the parties concerned are informed of the provisions set out
in article 95.2 as well as article 98 of the LCA. They are also informed,
under article 99 of the LCA, of the deadlines for transmitting their conclusions. The deadline
for the receipt of the defendant's conclusions in response is set for September 22,
2021, that for the complainant's reply conclusions for October 14, 2021 and that for the
defendant's conclusions in reply for November 5, 2021.
17. On September 13, 2021, the defendant's counsel requested a copy of the file (art.
95, §2, 3° LCA), which is sent to them on September 16, 2021.
18. On this same date, the defendant agrees to receive all communications
relating to the case electronically.
19. On September 28, 2021, the Litigation Chamber receives the conclusions in response from the
defendant. The defendant having filed summary conclusions, its
argument is summarized below (points 21 et seq.).
20. On October 13, 2021, the Litigation Chamber receives the reply conclusions of the
complainant. The complainant refutes any legitimate interest of the defendant in continuing the
processing of his named e-mail address, since it was sufficient for the defendant to communicate to the
co-owners, via the generic address of the company, that the trustee had changed and to
provide them with the contact details of the complainant’s successor. The specific factual
circumstances invoked by the defendant, in particular to justify the lack of response to
his request for erasure within the period (1 month) prescribed by the GDPR, are also
rejected by the complainant.
21. On November 5, 2021, the Litigation Chamber receives the conclusions in reply of the
defendant.
22. The defendant contests any violation of Article 5.1. b), 5.1. c) and 5.1. e) of the GDPR (finding
1 of the SI) as well as of article 6.1 of the GDPR (finding 2 of the SI). It highlights the fact that it has,
based on Article 6.1. f) of the GDPR, continued the processing of the complainant's email address
data, leaving the associated mailbox open, in order to continue its
activity and its professional relations with the co-owners concerned following the
sudden departure of the complainant, for a period not exceeding what was reasonable
taking into account the concrete circumstances of the case. These same elements are invoked
to explain its (uncontested) lack of response to the complainant within the deadline of
articles 12.3 and 12.4 of the GDPR (finding 3 of the SI). Finally, as for “finding” 4 of the SI, the
defendant indicates that it endeavored to verify that the diversion of emergency calls
from alarm systems to the complainant's cell phone number had been successfully
deleted.
II. Motivation
II.1. Preliminary remark
23. It appears from the conclusions of the parties that the complaint filed is part of a
particularly conflictual climate which has its source even before the dismissal of the complainant
by the defendant. In this regard, the Litigation Chamber wishes to emphasize that it is not
within its competence to substitute itself for other bodies, for example judicial
ones, that are competent in matters such as labor law disputes.
II.2. As for compliance with the principles of purpose (article 5.1. b) of the GDPR), minimization
(article 5.1. c) of the GDPR) and limited storage (article 5.1. e) of the GDPR)
II.2.1. The point of view of the parties and the SI
24. In its investigation report, the SI notes, as has just been mentioned, that on
March 23, 2021, more than 5 months after the dismissal of the complainant, the latter's email address
[X's professional email address] is still active / contactable. An
automatic reply message is associated with this address, which mentions that the
complainant has left the company (i.e. the defendant), that the e-mail address will soon be
disabled and that the email address to use in the future is [generic email address].
The SI also notes on June 14, 2021 that the address [professional email address
of X] is no longer reachable even if it is probable that it still exists (pages
7 and 9 of the SI report).
25. The complainant shares the SI's findings.
26. As has just been mentioned in the statement of facts and procedural history, the
defendant contests any violation of Article 5.1. b), 5.1. c) and 5.1. e) GDPR. It
highlights the fact that it continued processing the complainant’s email address data,
leaving the associated mailbox open, in order to continue its activity and its
professional relations with the co-owners concerned following the sudden departure
of the complainant, in compliance with the principles of finality and minimization, for a
duration not exceeding what was reasonable. It underlines that while the Litigation Chamber
has in the past indicated that this period should, ideally, not exceed 1 to 3 months, it
nonetheless, by using the term “ideally”, left open the possibility of a longer period that
concrete circumstances could justify. The defendant highlights the context of
the health crisis linked to the covid-19 pandemic, the absence of a transition period
and handover of files linked to the abrupt departure of the complainant, the recent takeover of the company
as well as the fact that the complainant was its only full-time employee for a not
negligible number of residences.
II.2.2. The point of view of the Litigation Chamber
27. In its capacity as data controller, the defendant is required to respect the
data protection principles and must be able to demonstrate that these are
respected (principle of accountability – article 5.2 of the GDPR). Furthermore, it must, again
in its capacity as data controller, implement all technical
and organizational measures necessary for this purpose (article 24 of the GDPR).
28. Article 5.1 b) of the GDPR enshrines the principle of finality, i.e. the requirement that the data
are collected for specific, explicit and legitimate purposes and are not
subsequently processed in a manner incompatible with these purposes.
29. It is in the light of the purpose that the other principles also enshrined
in article 5 of the GDPR can be applied: the principle of minimization - under which only data
that are adequate, relevant and limited to what is necessary with regard to the purpose may
be processed (article 5.1 c) of the GDPR) - and the principle of storage limitation –
under which the data cannot be kept in a form that allows
the identification of the persons concerned for longer than is
necessary in view of the purposes for which they are processed (article 5.1 e) of the GDPR).
30. These principles, and the obligations which result from them for the data controller, find
an echo in terms of rights for the person concerned since in particular, in
application of article 17.1 a) of the GDPR, the data subject has the right to obtain from the
data controller the erasure of data concerning them when these data are
no longer necessary in view of the purposes for which they were collected or
processed.
31. The complainant’s disputed email address is personal data within the meaning of
Article 4.1 of the GDPR. It is in fact information relating to an
identified or identifiable natural person within the meaning of this article. In this case, it relates to the
complainant.
32. This address, created for professional purposes in the context of the activities of the
defendant, was intended to allow the complainant to receive and send electronic
mail in the context of his activities with the defendant.
33. The Litigation Chamber is of the opinion that to comply with the principle of finality (article
5.1. b) of the GDPR), combined with the principles of minimization (article 5.1 c) of the GDPR) and
limitation of the retention period (article 5.1 e) of the GDPR), it is the responsibility of the data
controller to block the mailboxes of holders who have ceased
their duties at the latest on the day of their effective departure. This blocking must take place after
having informed them beforehand and having set up an automatic message. This
automatic message will notify any subsequent correspondent of the fact that the person
concerned no longer exercises his functions within the company and will give the
contact details of the person (or generic email address) to contact in their place,
for a reasonable period (a priori 1 month). Depending on the context and, in particular,
the degree of responsibility exercised by the person concerned (such as a function
of managing director or another key function that he or she is the only one to exercise,
as in this case), a longer period can be accepted, ideally not exceeding 3
months. This extension must be justified and made with the agreement of the person
concerned or, at a minimum, after having informed them. An alternative solution must also
be sought and implemented as quickly as possible without necessarily waiting for
the final deadline of this extension.
34. The Litigation Chamber considers that this way of proceeding is to be preferred over
automatic forwarding of emails to another email address of
the company. In the case of automatic forwarding, especially without information to the sender
of the message, there is in fact no control over incoming or “in” emails.
Furthermore, in this case, potentially sensitive private information could
be disclosed without the knowledge not only of the person concerned but also of
the sender of the message.
35. Beyond this period (1 to 3 months maximum), the mailbox of the
data subject will be deleted⁴.
29. The complainant having been dismissed by the defendant in October 2020, the Litigation
Chamber considers that the processing of this data should have ceased on this date or,
at most, taking into account the function exercised by the complainant, within a reasonable time
from this date. The Litigation Chamber is of the opinion that this period could have varied from 1 to 3
months, with notification to message senders that this mailbox
address was no longer active, and without automatic forwarding of the emails sent.
36. It appears from the documents of this procedure that the address of the complainant remained
active for at least 5 months after the cessation of his activities with the defendant,
which took the dismissal decision, with an automatic message set up
informing the senders of messages to the complainant's e-mail address that
the latter no longer worked for it and that a new address was to be used from now on.
37. On the basis of the above, and notwithstanding the quality of the automatic message set up,
the Litigation Chamber concludes that article 5.1 b), combined with article 5.1 c) and e) of the GDPR,
was not respected by the defendant due to the excessive duration of the maintenance of
the email address of the complainant. The Litigation Chamber considers that the context of the
pandemic and the various circumstances invoked by the defendant cannot justify
this period (see also point 55 below). Even if the management of the files taken over could perhaps
not be fully carried out by the complainant's successors, the question of maintaining his
named e-mail address beyond 3 months is separate from it.
II.3. As for compliance with the requirement of a basis of legality (article 6 of the GDPR)
II.3.1. The point of view of the SI and the parties
38. According to its investigation report, the SI indicates that a professional email address
such as that of the complainant can remain active for a certain period of time (finding 1) in order to ensure
the proper functioning of the company and the continuity of its services, on the basis of the legitimate
interest of the data controller in compliance with the conditions of article 6.1.f) of the
GDPR. Beyond this period, the SI is of the opinion that there is no longer any basis of lawfulness that allows the
processing to continue. Therefore, the SI concludes that maintaining the disputed email address
for more than 5 months (i.e. from October 2020 (dismissal of the complainant) to March 2021 at
minimum (investigation reports)) is excessive and that no basis of lawfulness any longer
justifies the continued processing of this data throughout this period. The SI
thus notes that there was a breach of Article 6.1 of the GDPR by the defendant.
4 In its Recommendation CM/Rec(2015)5 on the processing of personal data in the context of employment, the
Committee of Ministers of the Council of Europe states in principle 14.5 the following: when an employee leaves their job,
the employer should take technical and organizational measures so that the employee's electronic mailbox
is automatically deactivated. If the content of the mailbox has to be retrieved for the smooth running of the organization,
the employer should take appropriate measures to recover its contents before the employee's departure and if possible
in his presence. The explanatory memorandum of the recommendation further specifies (point 122) that in these situations where the employee
leaves the organization, employers must deactivate the former employee's account so that they do not have access to their
communications after his departure. If the employer wishes to recover the contents of the employee's account, he must take the
necessary measures to do so before the latter's departure and preferably in his presence. This sectoral
recommendation, which complements the Convention for the protection of individuals with regard to automated processing of
personal data (STE 108), illustrates how the principles of finality, minimization and proportionate
retention, enshrined both in this Convention and in the GDPR, must apply.
39. The complainant refutes any legitimate interest of the defendant in continuing the processing of
his named e-mail address since it was sufficient, according to him, for the latter
to communicate to the co-owners, via the generic address of the company, that the trustee had
changed and to provide them with the contact details of the complainant's successor. The complainant adds
that a lawyer was hired the day after his dismissal, supplementing the staff
of the defendant's sister company to which the files he handled were transferred. This
sister company included, in addition to administrative staff (…), another manager responsible for
gradually taking over his files. Reception and follow-up of customer calls as well as
secretarial work were carried out by a part-time secretary. The defendant's argument
that he was the only employee cannot therefore be accepted.
40. The defendant considers that it can rely on its legitimate interest (article 6.1. f) of the GDPR)
in continuing its activities to justify the disputed processing beyond a period of 3 months,
taking into account the specific circumstances of the case already mentioned. There was
therefore, according to the defendant, no violation of Article 6.1 of the GDPR on its part.
II.3.2. The point of view of the Litigation Chamber
41. Article 6.1 of the GDPR requires that any processing be based on a basis of lawfulness. In other
words, the data controller cannot process data without relying on one of the
bases of lawfulness listed in article 6.1 of the GDPR, which gives concrete form to the principle of lawfulness stated
in article 5.1 a) of the GDPR.
42. The Litigation Chamber has, in accordance with the above developments, noted that
the purpose for which the data constituting the email address was processed was
extinguished with the cessation of the complainant's activities with the defendant. In pursuit of
a legitimate interest in compliance with the conditions of article 6.1 f) of the GDPR, the address may,
as indicated by the SI, remain active for a certain period of time in order to ensure the proper
operation of the company and the continuity of the defendant's services. Beyond
this period, there is no longer any basis of lawfulness for the processing to continue.
43. The Litigation Chamber recalls that in order to be able to rely on the basis of lawfulness of
“legitimate interest” in application of article 6.1.f) of the GDPR, the data controller,
i.e. the first respondent in this case, must demonstrate that (a) the interest it pursues via the
data processing concerned can be recognized as legitimate (the “purpose test”); (b)
the envisaged processing is necessary to achieve this interest (the “necessity test”) and
(c) the weighing of this interest against the interests, freedoms and fundamental rights
of the persons concerned tips in its favor or in favor of the third party (the "weighting test").
44. The Litigation Chamber will verify whether, in this case, these 3 tests are satisfied with regard to
the disputed processing.
Purpose test
45. The Litigation Chamber recalls that in order to be qualified as “legitimate”, the interest
pursued by the data controller (or by the third party, which is not the case
here) must be lawful under the law, determined in a sufficiently clear and
precise manner, and existing and present rather than fictitious or hypothetical (purpose test).
46. In this case, the Litigation Chamber is of the opinion that the use of the email address of the
complainant for a short period of time intended to ensure the continuity of the company and the
contacts with managed co-ownerships while putting in place transition measures
constitutes a legitimate interest on the part of the defendant.
Necessity test
47. Regarding the test of necessity, the Litigation Chamber recalls that the Court of Justice
of the European Union (CJEU) ruled, among others in the “TK” judgment, on this
condition of necessity of the processing⁵, insisting on the strict interpretation of this
condition, which is not specific to Article 6.1. f) of the GDPR but common to
all the bases of lawfulness listed in article 6.1 of the GDPR with the exception of the consent provided for
in article 6.1. a) GDPR.
48. The CJEU also observes that the condition relating to the necessity of the processing must
be examined in conjunction with the so-called “data minimization” principle
enshrined in Article 6(1)(c) of Directive 95/46, according to which the
personal data must be "adequate, relevant and not excessive
with regard to the purposes for which they are collected and for which they are
processed subsequently”.
49. The CJEU also clarified that if there are realistic and less intrusive alternatives
to the processing carried out, this processing is not “necessary”⁶. In other words, the
data controller must ensure that there is no less intrusive means
of achieving its objective than the envisaged processing (for example a
mechanism that does not process personal data, or different processing that is more
protective of the right to privacy and protection of personal data of the person
concerned).
5 As regards the second condition set out in Article 7(f) of Directive 95/46, relating to the need for recourse to a
processing of personal data for the realization of the legitimate interest pursued, the Court recalled that the
exceptions and restrictions to the principle of protection of personal data must be carried out within the limits
of what is strictly necessary (judgment of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 30 and case law cited).
6 "This condition requires the referring court to verify that the legitimate interest in the processing of data pursued by the
video surveillance at issue in the main proceedings, which consists, in essence, of ensuring the security of property and people and of
preventing the occurrence of offenses, cannot reasonably be achieved as effectively by other means
less detrimental to the freedoms and fundamental rights of the persons concerned, in particular the rights to respect
for privacy and the protection of personal data guaranteed by Articles 7 and 8 of the Charter." Emphasis added by the
Litigation Chamber.
50. This case law, formulated in relation to Articles 7 and 6 of Directive 95/46/EC,
remains relevant to this day. Article 6.1 of the GDPR in fact repeats the terms of article 7 of
Directive 95/46/EC - the legitimate interest of the data controller being retained (article
7 f) of Directive 95/46/EC and article 6.1.f) of the GDPR), albeit in slightly
different terms. Article 5.1.c) of the GDPR relating to the principle of minimization reinforces the
terms of Article 6.1.c) of Directive 95/46/EC to which the CJEU also refers. The
context of “video surveillance” of the TK judgment is certainly distinct from that in which the
disputed processing in this case takes place. However, this does not justify setting aside the principles
stated by the CJEU with regard to the conditions of legitimate interest as a basis of lawfulness.
These requirements are expressed in general terms applicable to all
contexts.
51. In this case, the Litigation Chamber is of the opinion that the processing of the e-mail address of the
complainant can be qualified as necessary for the realization of the interest pursued by the
defendant, if only to allow the reception of messages which are still
addressed to this address and, in response to them, to inform the senders of the departure of the
complainant and of the methods of communication following this departure.
Weighting test
52. The Litigation Chamber recalls that in addition to the two conditions mentioned above, article 6.1.f) of
the GDPR can only be relied on if the interests or fundamental freedoms and rights of
the person concerned do not prevail over the interest pursued by the data
controller or the third party. In other words, the data controller must carry out a
balancing, a weighting between the rights and interests in question, and verify in this context
that the interests (commercial, security of goods, fight against fraud, etc.) that it
pursues do not create an imbalance to the detriment of the rights and interests of the individuals
whose data is processed. If the interests and rights of the latter prevail, article
6.1.f) GDPR cannot be used.
53. Concretely, the data controller must first identify the consequences
of all kinds that its processing may have on the people concerned: on their private
lives but also, more broadly, on all the rights and interests covered by the
protection of personal data. This involves assessing the degree of intrusion of the
processing considered into the individual sphere, measuring its impact on people's private
lives (processing of sensitive data, processing relating to vulnerable
people, profiling, etc.) and on their other fundamental rights (freedom of expression,
freedom of information, freedom of conscience, etc.) as well as the other concrete impacts of
the processing on their situation (monitoring or surveillance of their activities or movements,
exclusion from access to services, etc.). These impacts must be measured in order to
determine, on a case-by-case basis, the extent of the intrusion caused by the processing into people's
lives. The principle of data minimization will also be taken into account.
54. The data controller must then take into account, in the weighting between its
legitimate interest and the rights and interests of the data subjects, the “reasonable
expectations” of the latter. This consideration is essential when it comes to
processing that can be implemented without the prior consent of individuals:
in the absence of a positive and explicit act on their part, legitimate interest requires that
people not be surprised by the manner of implementation or by the
consequences of the processing.
55. Generally speaking, regarding the continued processing of a professional e-mail
address after the departure of an employee or other actor of the company, the Litigation
Chamber is of the opinion, as was recalled by the SI in its investigation report and in
point 33 of this decision, that it is appropriate to set up, as quickly as possible, an automatic
message warning any correspondent of the fact that the person concerned (here the complainant) no longer
exercises his functions within the company and providing the contact details of the
person (or generic email address) to contact in their place, for a
reasonable period (a priori 1 month). The complainant having been dismissed, it is important to clarify
the situation as quickly as possible and not create confusion or expectations that he would no longer be in
a position to satisfy given his departure. Depending on the context and, in particular, the degree of
responsibility exercised by the person concerned (such as a function of managing
director or another key function that he or she is the only one to exercise, as in this case),
a longer period may be allowed, ideally not exceeding 3 months. Even in a pandemic
period, as put forward by the defendant to justify an extension of this deadline,
the Litigation Chamber considers that the extension of this period beyond 3 months (those
3 months already being an extension of the basic period of 1 month, which tends to express the
adequate balance between the interests of the controller and of the person
concerned) is not justified in this case, especially since, as the Litigation
Chamber will note in the following paragraphs, this extension was made without
informing the complainant or communicating the reason for this extension, even
though he was opposed to it. The Litigation Chamber considers that 5 months constitutes, even in
this case, an excessive duration with regard to the rights and freedoms of the complainant,
particularly with regard to the principle of minimization, by which the defendant is bound,
including in its assessment of the use of article 6.1.f) GDPR.
Conclusion
56. In conclusion, the Litigation Chamber can only note that no basis of
lawfulness any longer allowed the defendant to justify the continued processing of the email address
of the complainant. There was therefore a breach of article 6.1 of the GDPR on its part.
II.4. As for the follow-up to the complainant's request for erasure (articles 12.3, 12.4 and 17.1 of the GDPR)
II.4.1. The point of view of the SI and the parties
57. As mentioned above, the SI notes a breach of Article 12.3 and 12.4
of the GDPR on the part of the defendant in that it refrained from responding to the
complainant's request for erasure of November 11, 2020; the circumstances invoked by
the defendant do not alter this finding.
58. Likewise, the complainant denounces this total lack of response. None of the
arguments put forward by the defendant can be accepted. The argument of
the hasty cessation of his activities cannot be accepted since it is a decision
which emanates from the defendant itself. The argument based on the resumption of activities by a
separate management cannot be accepted either since this takeover had taken place 7
months before his dismissal. In this regard, the complainant disputes any error committed in
the course of his services. Finally, the complainant emphasizes that the commitments of the new
management were made under pressure from the APD services while the complaint was
pending and not spontaneously.
59. For its part, the defendant does not deny having failed to respond to the complainant's request
of 11 November 2020 for deletion of his professional email address [X's professional
email address]. In addition to the context of the pandemic and other circumstances already
mentioned, the defendant insists on the fact that it did not remain inactive, since it set
up an automatic response system for the complainant's email address and
then deactivated it. At the same time, it set about replacing all the posters and
plates containing the complainant's contact details in the residences which he
managed. Finally, it indicates having verified that the diversion of emergency calls to the
complainant's private phone was turned off.
II.4.2. The point of view of the Litigation Chamber
60. The Litigation Chamber notes that the defendant did not comply with article 12.4 of the
GDPR, under the terms of which “if the data controller does not act on the request
made by the person concerned, it informs that person without delay and at the latest within a
period of one month from receipt of the request of the reasons for its inaction and of the
possibility of lodging a complaint with a supervisory authority and of seeking a
judicial remedy”.
61. Indeed, once it receives a request to exercise the rights of a data subject
(here the complainant), the data controller (here the defendant) is always required to
respond to the person concerned:
- Either by providing him with information on the measures taken following his request
as soon as possible and in any event within one month from the date of
receipt of the request, in accordance with the requirements of article 12.3 of the GDPR. If necessary,
this period may be extended by two months, taking into account the complexity and number of
requests. In this case, the data controller nevertheless informs the
person concerned of this extension and of the reasons for the postponement within a period of one
month from receipt of the request.
- Or, as mentioned above, if it considers that it should not act on the request
made by the person concerned (article 12.4), by informing him without delay and at the
latest within one month from receipt of the request of the reasons for
its inaction and of the possibility of lodging a complaint with a supervisory
authority and of seeking a judicial remedy.
62. In other words, the person concerned must never be left without any response,
whatever the intention of the data controller as to the action it takes or intends
to take on the request to exercise a right addressed to it.
63. In this case it is not disputed that the defendant refrained from responding to the
request for erasure from the complainant of November 11, 2020.
64. The circumstances already invoked by the defendant and linked to work overload, the
particular context of the pandemic or even the consequences of the hasty departure of the
complainant are not such as to eliminate this breach. At most, these circumstances
could be taken into account by the Litigation Chamber in the determination
of the sanction appropriate to the breach noted.
65. There was therefore a violation of Article 12.4 of the GDPR on the part of the defendant, which,
considering itself justified (quod non – see above) in continuing to process the email address of the
complainant, and therefore in refusing his request for erasure, should nevertheless have
responded and explained the reasons for this refusal, as well as informed him of the possibility of lodging
a complaint with the APD and of seeking a judicial remedy.
66. Finally, as the Litigation Chamber has already stated above, the principles of purpose limitation,
minimization and storage limitation, as well as the obligations arising therefrom
for the data controller, find an echo in terms of rights for the individual
concerned. If the data controller fails to comply with these obligations of
its own accord once the processing purpose has lapsed (article 5.1.b) and
e) of the GDPR), the data subject may obtain erasure by exercising the right
recognized in article 17.1.a) of the GDPR. Under that provision, the data subject has the right
to obtain from the data controller the erasure of data concerning him when these
data are no longer necessary for the purposes for which they were
collected or processed.
67. Notwithstanding the complainant's request to this effect, the defendant only belatedly complied with
this request for erasure, once the complaint was pending before the APD, and in violation of
articles 5.1.b) of the GDPR, combined with article 5.1.c) and 5.1.e) GDPR (point 37), as well as
Article 6.1 of the GDPR (point 55).
68. In doing so, the defendant was guilty of a breach of article 17.1
combined with Article 12.4. of the GDPR.
II.5. Additional remarks
69. The Litigation Chamber takes note that the defendant has taken the measures
necessary to indicate to the security company that the telephone number of the complainant
no longer had to be called in the event of an incident, the latter having left the company. More
generally, it was up to the defendant to inform those to whom the data of the
complainant had been communicated in the exercise of his functions that he
no longer exercised them, ideally and if possible proactively, but in any
event from the moment the complainant made the request.
70. As a reminder, Article 19 of the GDPR provides in this sense that “the data controller
notifies each recipient to whom the personal data has been
communicated of any rectification or erasure of personal data or
any restriction of processing carried out in accordance with Article 16, Article 17(1)
and Article 18, unless such communication proves impossible or requires
disproportionate efforts. The data controller provides the data subject with
information on these recipients if the latter requests it.”
71. As for the signs providing the contact details of the complainant displayed in the
various buildings which he managed, the Litigation Chamber
also notes that the contact details of the complainant thus displayed - which
constitute personal data concerning him within the meaning of article 4.1 of the
GDPR - have gradually been erased and replaced by a general contact
address.
III. As for corrective measures and sanctions
72. Under the terms of article 100 LCA, the Litigation Chamber has the power to:
1° close the complaint without further action;
2° order the dismissal of the case;
3° pronounce a suspension of the sentence;
4° propose a transaction;
5° issue warnings or reprimands;
6° order compliance with the requests of the person concerned to exercise their rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or definitive ban on processing;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of the data and the notification of
these to the recipients of the data;
11° order the withdrawal of the approval of certification bodies;
12° impose penalty payments;
13° issue administrative fines;
14° order the suspension of cross-border data flows to another State or a
international body;
15° transmit the file to the office of the Crown Prosecutor in Brussels, which informs it of the
follow-up given to the case;
16° decide on a case-by-case basis to publish its decisions on the website of the Data
Protection Authority.
73. In its conclusions, the defendant indicates that the new management of the company is,
even more than in the past, keen to respect data protection
regulations. It indicates that it has hired a part-time lawyer in this regard since the events
complained of. It indicates that it has also put in place an internal policy for the use of
IT tools intended for employees and emphasizes that this policy will form an
integral part of the new work regulations being implemented on the date its conclusions
were sent. As part of the overall reflection aimed at compliance with
the GDPR, for which the recruited lawyer is responsible, a confidentiality policy
intended for employees as well as a confidentiality policy intended for customers have been
drafted.
74. The Litigation Chamber takes note of these steps.
75. Breaches of Article 5.1 b) of the GDPR – combined with Article 5.1 c) and e) of the GDPR –
(point 37), article 6.1 of the GDPR (point 55) as well as article 17.1. combined with article 12.4
of the GDPR (point 68) being proven, the Litigation Chamber decides to issue a
reprimand to the defendant for the said breaches.
76. Without calling into question the defendant's assertions regarding the projects initiated as early as
2021, the Litigation Chamber nevertheless accompanies this reprimand with a compliance
order. Taking into account the time elapsed since the deadline in the
timetable for conclusions, in which the defendant described its compliance
efforts and its commitments and projects, it orders the defendant to communicate to it
the policy governing the closure of electronic mailboxes in the event of
departure of one of its directors, employees or persons in other possible functions, within one
month of this decision, in accordance with its operative part.
77. The Litigation Chamber is of the opinion that these are appropriate, effective and