APD/GBA (Belgium) - 93/2024
From GDPRhub
| APD/GBA - 93/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 15 GDPR Article 17(3)(e) GDPR |
| Type: | Complaint |
| Outcome: | Other Outcome |
| Started: | |
| Decided: | 17.06.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 93/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | APD/GBA (Belgium) (in FR) |
| Initial Contributor: | wp |
The DPA decided to close the case referring to unlawful processing of a business e-mail address data, since the case encompassed a broader dispute.
English Summary
Facts
A data subject entered into contract with a company. Under the terms of the contract, the company created a dedicated business e-mail address for data subject. Due to a conflict that arisen between the data subject and the company, the parties decide to end business relations.
One of disputed issues was data subject’s e-mail address. The data subject expected the company to properly close their e-mail address and inform interested parties about the cessation of collaboration and new contact data. Allegedly, the company (data controller) did not shut down the e-mail address once the collaboration was over. The e-mail address remained active. According to the data subject, the controller accessed the e-mail inbox, as well as read the incoming messages.
The data subject decided to exercise his rights of access, as well as restriction of processing and deletion of data. The controller responded to the access request. Yet, by invoking the confidentiality of the data at hand, provided the data subject with data partially unreadable (data referring to third-parties). Regarding the right to deletion and right to restriction of processing, the controller rejected the request, claiming, in general, that the data may be necessary for possible legal actions.
In response, the data subject lodged a complaint with the Belgian DPA (ADP/GBA).
Holding
The DPA decided to close the case. They emphasised the subject matter of complaint referred to a broader dispute that to be examined by a competent court. Because of that, the alleged violations of the GDPR, and the case before the DPA, were only ancillary to the main dispute going beyond the provisions of the GDPR.
Nevertheless, the DPA referred to the merits of the case. The DPA did not contest the fact the controller, in response to the access request under Article 15 GDPR, disclosed the unreadable data, since in that way the controller prevented from infringing the right of third-parties data. The alleged violation of Article 17 GDPR were also dubious, because Article 17(3)(e) GDPR mentioned by the controller, did not require the weighting the rights and freedoms of data subject, as indicated in the complaint.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/10 Litigation Chamber Decision 93/2024 of 17 June 2024 File number: DOS-2023-02477 Subject: Complaint regarding the late closure, access to a nominative professional email address and its use after the end of the collaboration contract, as well as the lack of an appropriate response to requests to exercise rights, in particular access, limitation and deletion of personal data The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke HIJMANS, President, sitting alone; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (hereinafter "GDPR"); Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, (hereinafter "LCA"); Having regard to the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, (hereinafter "LTD"); Having regard to the Rules of Procedure as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Journal on 15 January 2019; Having regard to the documents in the file; Has taken the following decision concerning: The complainant: X, represented by Maître Christophe D ELMARCELLE, hereinafter “the complainant”; The defendant: Y, represented by Maître Vincent D ECKERS, hereinafter “the defendant”. Decision 93/2024 — 2/10 I. Facts and procedure 1. The complaint concerns the complainant’s professional email address and the exercise of the rights conferred on the complainant by the GDPR. 2. On 30 June 2022, the defendant entered into a service provision contract with the complainant’s company, also including the creation of a nominative professional email address for the complainant. 3. Following the termination of the collaboration, which occurred in the second half of 2022 in a litigious context marked by threats according to the complainant, numerous disagreements arose between the complainant and the defendant: • The defendant allegedly failed to close the complainant's professional personal email address (hereinafter referred to as the "disputed address"), thus causing confusion and sending errors for senders. In addition, it allegedly continued to access this disputed address and read incoming emails without informing the complainant. The latter alleges that the defendant maintained this access in order to offer its own services to email recipients. ; • In addition, problems arose regarding the payment of the services provided by the complainant to the defendant. ; • Questions were also raised regarding copyright in the documents provided by the complainant and intellectual property. ; • Finally, disputes arose regarding the terms of termination of the service provision contract between the complainant and the defendant. 4. These disagreements led the defendant to threaten the complainant with criminal proceedings against him and to possibly claim damages from the complainant. For his part, the complainant put the defendant on formal notice and reserved the right to bring the matter before a competent court. 5. According to the complainant, the defendant also violated the fundamental principles of the GDPR by failing to comply with the principles of purpose, minimization and limitation of data retention. Despite its alleged specialisation in data protection and the certification of its managers, the defendant allegedly failed to take the necessary measures to block the complainant’s email, insert an automatic message informing correspondents of the cessation of activity, and provide new contact details. 6. In January 2023, the complainant allegedly exercised his data protection rights, including the right to access, limit and erase his personal data. Decision 93/2024 — 3/10 However, the defendant allegedly responded unsatisfactorily by contesting the right of access and the disclosure of personal data, invoking confidentiality clauses and claiming that disclosure would be prejudicial to its own rights. 7. Furthermore, the defendant allegedly challenged the complainant's right to erasure of his personal data based on the possibility of legal action, without concretely assessing the legitimate interest pursued and without providing a precise justification for the restriction of processing. The complainant contests this justification, claiming that it does not prevent a disproportionate impact on his rights and freedoms. 8. Finally, the defendant allegedly also challenged the restriction of processing of the complainant's personal data based on the possibility of legal action, without adequately assessing the legitimate interest pursued. 9. On 2 June 2023, the complainant filed a complaint with the Data Protection Authority. 10. On 30 June 2023, the Frontline Service of the Data Protection Authority declared the complaint admissible on the basis of Articles 58 and 60 of the LCA, and forwarded it to the Litigation Chamber in accordance with Article 62, § 1 of the LCA. II. Grounds 11. Pursuant to Article 4, § 1 of the LCA, the DPA is responsible for monitoring the data protection principles contained in the GDPR and other laws containing provisions relating to the protection of the processing of personal data. 12. Pursuant to Article 33, § 1 of the LCA, the Litigation Chamber is the administrative litigation body of the DPA. It is seized of complaints that the SPL transmits to it in application of Article 62, § 1 of the LCA, i.e. admissible complaints. In accordance with Article 60, paragraph 2 of the LCA, complaints are admissible if they are written in one of the national languages, contain a statement of the facts and the information necessary to identify the processing of personal data to which they relate and which fall within the jurisdiction of the APD. 13. On the basis of the facts described in the complaint file as summarised above, and on the basis of the powers assigned to it by the legislator under Article er 95, § 1 of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; in this case, the Litigation Chamber decides to proceed with the dismissal of the complaint, in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below. Decision 93/2024 — 4/10 14. In matters of dismissal, the Litigation Chamber is required to justify its 1 decision by stage and to: - pronounce a dismissal of technical action if the file does not contain or not enough elements likely to lead to a sanction or if it contains a technical obstacle preventing it from rendering a decision; - or pronounce a dismissal of opportunity, if despite the presence of elements likely to lead to a sanction, the continuation of the examination of the file does not seem appropriate to it taking into account the priorities of the Data Protection Authority as specified and illustrated in the Dismissal Policy of the Litigation Chamber. 2 15. In the event of a dismissal based on several grounds for dismissal, the latter (respectively, dismissal on technical grounds and dismissal on expediency grounds) must be treated in order of importance. 3 16. In this case, the Litigation Chamber decides to dismiss the complaint on grounds of expediency. The decision of the Litigation Chamber is based more specifically on a reason why it considers that it is inappropriate to pursue the case, and consequently decides not to proceed, among other things, with an examination of the case on the merits. 17. The Litigation Chamber notes that the complainant complains of a late closure but also of access to his personal email address and its use after the termination of the collaboration contract. In addition, it notes the complaints that the defendant has not provided an appropriate response to the complainant's requests to exercise the rights of access, limitation and deletion of personal data. 18. Firstly, the Litigation Chamber notes that the complaint is incidental to a broader dispute that needs to be debated before the judicial and administrative courts and tribunals or another competent authority; and decides to dismiss the complaint without further action on grounds of expediency (criterion B.3). 4 19. The Litigation Chamber notes that the termination of the collaboration entered into by the defendant under a service provision contract with the complainant, 1Court of Markets (Brussels Court of Appeal), 2 September 2020, judgment 2020/AR/329, p. 18. 2 APD, “Policy for the classification without further action of the Litigation Chamber”, 18 June 2021, available at https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf 3 APD, “Policy for the classification without further action of the Litigation Chamber: 3. – In which cases is my complaint likely to be classified without further action by the Litigation Chamber?”, 18 June 2021, available at https://www.autoriteprotectiondonnees.be/publications/politique-de- classement-sans-suite-de-la-chambre-contentieuse.pdf. 4APD, “PolitiquedeclassementsanssuitedelaChambreContentieuse:3.2Critèresdeclassementsanssuited’opportunité –B.3– Votre complainte est ancillary à un broader dispute qui necessiter être débatté avant la cours et administratifs ou une autreautorité competente”, 18 June 2021, available at https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la- chambre-contentieuse.pdf. Decision 93/2024 — 5/10 intervenes in a litigious context where the latter alleges threats from the defendant. 20. By examining the documents in the file, it appears that the dispute between the parties goes beyond the only issues related to the alleged violations of the GDPR. It also encompasses conflicts concerning the payment of the complainant for the services provided, the conditions for terminating the contract, as well as copyright issues. This diversity of conflicts demonstrates that the complaint submitted to the DPA is incidental to a broader dispute. In addition, the Litigation Chamber underlines that this conflictual context seems to be confirmed through the exchanges between the parties, as well as their nature. Whether it is the requests for data formulated with a view to bringing legal actions or the defendant's response aimed at protecting itself from possible legal proceedings, these elements indicate, or even confirm, the existence of a broader and complex dispute that goes beyond the simple questions of alleged violations of the GDPR (see points 3, 4, 7, 8 and 19), which the parties are trying to resolve. 21. Therefore, given that the complaint is part of a broader context of breach of the service contract between the complainant and the respondent, encompassing issues that go beyond the alleged violations of the GDPR, such as disputes over the payment of the complainant for the services provided, the terms of termination of the contract or copyright issues, the Litigation Chamber considers that its intervention is, in this case, not strictly necessary. It would be more appropriate to submit the complaint to a competent court or appropriate authority, which will be able to examine in depth all the elements of the main dispute, including access to the professional mailbox, thus ensuring that the complaint is properly handled with a view to taking the best possible decision. 22. Secondly, and without prejudice to the foregoing, the Disputes Chamber questions the possible existence of ongoing or closed judicial or administrative proceedings dealing with the same grievances as those raised in this 5 complaint; and decides to dismiss the complaint on grounds of expediency (criterion B.2). 23. The elements of the complaint file, in particular the allegations of threats, the possibility of legal action, the disagreements over payment for services, the termination of the contract and the copyright issues, reveal the complexity and scale of the dispute between the parties. This dispute goes far beyond the simple issues of alleged violations of the GDPR. This complexity suggests that it could currently be examined by the Courts and Tribunals, or other competent authorities; or at least that it will be in the future. 5 APD, “Policy for classification without further action of the Contentious Chamber: 3.2.2 – Efficiency criteria - B.2 There is a judicial procedure or https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf, available on Decision 93/2024 — 6/10 24. In addition, other elements of the file, such as the defendant’s mentions of the “criminal setbacks” that the complainant could encounter, the formal notice of payment under penalty of legal action, or the complainant’s intention to bring the case [relating to non-payment for his services, the email address, the conditions for termination of the collaboration or questions related to copyright] before the competent courts, suggest that the dispute could also be currently being examined or that it could be the subject of judicial or administrative proceedings in the future. 25. The Litigation Chamber recalls that it assesses the efficiency of its intervention and the means necessary to deal with the complaint in depth. In this case, without minimising the importance of the incident reported, a thorough investigation would require considerable means to gather additional evidence, question the parties involved and assess the circumstances surrounding the allegations. 26. Thirdly, and without prejudice to the foregoing, the Litigation Chamber considers that a thorough examination of the complaint would not be proportionate, taking into account, for example, the means necessary to examine it, the chances of success of the complaint, or the volume of complaints received on the same topic; and decides to dismiss the complaint on grounds of expediency (criterion B.7). 6 27. In this case, it is clear that the complainant and the respondent are engaged in a complex conflict involving various requests and claims regarding the processing of personal data. The complainant claims several rights, including the right of access, erasure and restriction of processing, while the respondent puts forward arguments to justify its actions in accordance with the GDPR. 28. Regarding the right of access, the complainant argues that certain information is omitted, which restricts its ability to fully exercise this right. The respondent justifies this omission by invoking the need to protect its professional secrets and prevent violations of the rights of others. In response, it allegedly provided as much personal data as possible while preserving the confidentiality of third parties, including by rendering third-party data illegible. 6APD, “PolitiquedeclassementsanssuitedelaChambreContentieuse:3.2.2 –Criteriaforefficiency-B.7Athoroughexaminationofyourcomplaintwouldnotbeproportionatetakinginto,forexample,theresourcesnecessarytoexamineit,theprobabilitiesofsuccessofthecomplaint,ortakingintoaccountthevolumeofcomplaintsreceivedonthesametheme”,18June2021,availableathttps://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf; A classification without follow-up on grounds of expediency does not, however, mean that theContemptible Chamber legally finds that no violation has taken place, but that the resourcesnecessarytosupportthecomplaintarepotentiallyexcessive. ; APD, “Policy for filing without follow-up of the Contentious Chamber”, 18 June 2021, available at https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans- suite-de-la-chambre-contentieuse.pdf 7In addition to providing a secure USB stick containing a copy of the complainant’s data, the defendant also transmitted a detailed table including the different categories of personal data, the purposes of the processing, the recipients, the retention period, information on the exercise of the complainant’s rights in accordance with the GDPR, as well as information on the existence of automated decision-making. Decision 93/2024 — 7/10 8 29. The complainant refers to a previous decision of the Contentious Chamber concerning the non-disclosure of personal data to protect the rights of third parties to contest the defendant’s arguments. This previous decision establishes that rendering third-party personal data illegible before the data subject exercises his right of access satisfies the requirement of not infringing their rights. In the present case, the defendant gave the complainant a copy of the data, while rendering any third-party data illegible. 30. Regarding the right to erasure and restriction of processing, the complainant criticises the defendant for not having adequately responded to his requests. He alleges a failure to balance the fundamental rights and freedoms of the data subject with the legitimate interest of the defendant. He adds that the defendant’s refusal to fully comply with his requests, by invoking the establishment, exercise or defence of his rights in court, is “purely rhetorical and not precise”. Furthermore, the complainant claims that the defendant has no legitimate interest, citing the decision on the merits 46/2022 of the Contentious Chamber. In addition to the fact that Article 17.3 e) of the GDPR does not require balancing the fundamental rights and freedoms of the data subject and the legitimate interest of the defendant, and that the cited decision concerns the legal basis and the legitimate interest of an employer to recover files that have been deleted by an employee (these are therefore not the same facts), the defendant has, in this case, indicated in its response that some of the applicant's personal data would be deleted. As for the limitation of processing, the defendant maintains that it limits the processing of the complainant's personal data to simple retention and states that any other processing would require the complainant's consent. 31. In these circumstances, the Litigation Chamber considers that it would be excessive to mobilise the resources of the Inspection Service to support the evidence concerning the requests for access, erasure and restriction of processing. This conclusion is motivated by the complexity and scale of the broader conflict, where the intervention of the Litigation Chamber is not strictly necessary. It would be more judicious to call upon other competent courts or appropriate authorities to examine exhaustively all aspects of the main dispute, including access to the professional mailbox. This would ensure that the complaint is properly handled and would promote the most informed decision-making possible. 32. Finally, and without prejudice to the foregoing, the Litigation Chamber notes that on the one hand, the complaint does not provide the necessary details or the required evidence 8 Decision on the merits No. 15/2021 of the Litigation Chamber of the APD of 9 February 2021, available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-15-2021.pdf; 9 Decision on the merits No. 46/2022 of the Litigation Chamber of the APD of 1 April 2022, available on https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-46-2022.pdf Decision 93/2024 — 8/10 allowing the existence of a manifest violation of the GDPR to be assessed; on the other hand, it does not appear to have a high societal and/or personal impact; consequently, the Litigation Chamber decides to dismiss the complaint on grounds of expediency 10 (criterion B.5). 33. On the one hand, the Litigation Chamber notes that the grievances raised by the complainant do not meet the criteria of high general or personal impact, as defined by 11 the APD in its note on the policy of dismissal of 18 June 2021. 34. On the other hand, if the criteria of high general or personal impact do not apply, the Litigation Chamber balances the personal impact of the circumstances of the complaint for the complainant's fundamental rights and freedoms, and the efficiency of its intervention, to decide whether it considers it appropriate to deal with the complaint in depth. 35. In this case, the Litigation Chamber notes that it does not have, as mentioned above in this decision, sufficient evidence that would allow it to verify whether the complainant's allegations constitute a manifest violation of the GDPR and data protection laws. 36. The Disputes Chamber recalls that it assesses the efficiency of its intervention and the means necessary to deal with the complaint in depth. In this case, without minimising the importance of the incident reported, and as already mentioned above, a thorough investigation would require considerable resources to gather additional evidence, question the parties involved and assess the circumstances surrounding the allegations. It should be noted that the complaint is part of a broader conflict context, including the breakdown of a contractual collaboration between the complainant and the defendant, the allegations of threats made by the complainant, the prospect of legal action initiated by the latter, as well as disputes related to payment and copyright issues (see above). It is precisely because of these main considerations that the efficiency of its intervention is, in this case, not demonstrated and that the means to be implemented to support the complaint are potentially excessive, which leads the Litigation Chamber not to uphold the complainant's grievances and to decide to 12 dismiss the complaint on grounds of expediency. 1APD, "Dismissal policy of the Litigation Chamber: 3.2 Dismissal criteria for expediency - B.5 - Your complaint is not sufficiently detailed or is not supported by evidence that would allow the Litigation Chamber to rule on whether or not there is a violation of the GDPR AND your complaint does not have a high societal and/or personal impact. », 18 June 2021, available 11r https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre-contentieuse.pdf. APD, « Policy for classification without follow-up of the Contentious Chamber: 3. – In which cases is my complaint likely to be classified without follow-up by the Contentious Chamber? », 18 June 2021, available at https://www.autoriteprotectiondonnees.be/publications/politique-de- 12assement sans-suite-de-la-chambre-contentieuse.pdf. A classification without follow-up on grounds of expediency does not mean that the Contentious Chamber legally finds that no violation has taken place, but that the resources needed to support the complaint are potentially excessive. ;APD, “Politiquedeclassement sans suite de la Chambre Contentieuse”, 18 June 2021, available at https://www.autoriteprotectiondonnees.be/publications/politique-de- classement-sans-suite-de-la-chambre-contentieuse.pdf Decision 93/2024 — 10/10 To allow the complainant to consider any other possible course of action, the Chamber Contentieuse refers the complainant to the explanations provided in its policy on classification without further action. 17 (sé). Hielke HIJMANS President of the Chamber Contentieuse 17APD, “Policy on classification without further action of the Chamber Contentieuse: 4. – What can I do if my complaint is classified without further action? », June 18, 2021, available at https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-la-chambre- contentieuse.pdf.
