APD/GBA (Belgium) - 07/2021: Difference between revisions
From GDPRhub
(→Facts) |
mNo edit summary |
||
| Line 92: | Line 92: | ||
'''Safety of processing and data breach''' | '''Safety of processing and data breach''' | ||
The access of defendant 2 to the e-mail was not related to insufficient technical and organisatorial measures to ensure adequate safety. The DPA is of the opinion that no security measure can be of a nature to completely exclude an e-mail being sent to a non-intended recipient as a result of human error. It cannot therefore be concluded that, by sending the e-mail to the defendant 2, the defendant 1 did not take sufficient measures to protect the personal data of the complainant against security risks, so that no infringement of | The access of defendant 2 to the e-mail was not related to insufficient technical and organisatorial measures to ensure adequate safety. The DPA is of the opinion that no security measure can be of a nature to completely exclude an e-mail being sent to a non-intended recipient as a result of human error. It cannot therefore be concluded that, by sending the e-mail to the defendant 2, the defendant 1 did not take sufficient measures to protect the personal data of the complainant against security risks, so that no infringement of [[Article 32 GDPR|Article 32]] and [[Article 33 GDPR|Article 33]]can be established in this case. | ||
====Complaint to defendant 2==== | ====Complaint to defendant 2==== | ||
Revision as of 19:10, 15 February 2021
| APD/GBA - 07/2021 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1) GDPR Article 6(1) GDPR Article 15(1) GDPR Article 32 GDPR Article 33 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 01.2021 |
| Published: | 01.2021 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 07/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Beslissing ten gronde nr. 07/2021 van 29 januari 2021 (in NL) |
| Initial Contributor: | Enzo Marquet |
The Belgian DPA upholds that intention is not a criterium to assess processing and that mistakenly sending an e-mail may be seen as not constituting a data breach as a human error does not always mean the technical and organisational measures weren't adequate. On top of that, merely receiving an e-mail does not constitute processing.
English Summary
Facts
The defendant 1 allegedly did not grant access to the personal data he holds of the complainant.The defendant 1 had sent an e-mail with 32 attachments concerning the company of complainant to the defendant 2, a former associate of the complainant. The attachments had a lot of personal data about the complainant and no consent was given to send the e-mail.
On top of that, that e-mail was then send to the lawyer of the defendant 2. The lawyer then forwarded that mail to the lawyer of the complainant.
Dispute
Holding
Complaint to defendant 1
Right to defence Defendant 1 stated that his right to defence was violated because in the original complaint, no specific rule of law infractions were included and thus the defendant couldn't adequately prepare.
The DPA reiterates that submitting a complaint should be uncomplicated for the parties whose personal data is being processed. The DPA notes that it is up to each of the parties to provide the necessary evidence for the alleged infringements or for refuting them. The complainant does not have to submit this evidence in the complaint itself. It is up to the DPA to assess which alleged violations it considers sufficiently proven as violations of the GDPR. In doing so, the DPA has considerable policy discretion to determine the scope of the proceedings.The absence of supporting documents for certain allegations cannot be relied upon by the other party as a violation of its right of defence.
Lawful processing Here, the DPA judged the legality of sending the e-mail between defendant 1 and 2. Defendant 1 states that this was a human error and that such a non-intentional, unintended action cannot constitute a breach of the GDPR.
Intention however, is not a criterium for processing under the GDPR, the DPA states. The mere fact that the e-mail was sent constitutes processing. In line with Article 5(1)(b), processing for other purposes than initially stated can only be done if those purposes are compatible with those original purposes.
To asses if this is the case, the reasonable expactations of the data subject play a critical role. The DPA states that the complainant used the services of defendant 1 for its bookkeeping and there was no reasonable expecation that this would be shared with defendant 2. As such, the processing does not have a compatible purpose.
As the defendant 1 stated, the sending was an error, which means there is no legal basis to conduct the processing.
The DPA then assesses whether the defendant 1 could rely on the legal basis of legitimate interest under Article 6(1)(f). It confirms earlier case law of the CJEU in which three requirements have to be fulfilled, cumulatively; legitimate interest pursued by controller, necessity of the processing and fundamental rights and freedoms of the data subject do not override the legitimate interest.
The DPA states that the defendant 1 had a purpose, reaching all parties with all the document and this can be seen as a legitimate interest. However, the processing was not necessary as two e-mails, without mixed attachment, could have achieved the same goal. The third requirment is also not fulfilled as stated earlier, the complainant did not reasonable expect this processing to happen. As such, there is no legitimate interest legal basis possible.
Right to access The DPA states that the complainant provided no proof of not being granted right to access.
Safety of processing and data breach The access of defendant 2 to the e-mail was not related to insufficient technical and organisatorial measures to ensure adequate safety. The DPA is of the opinion that no security measure can be of a nature to completely exclude an e-mail being sent to a non-intended recipient as a result of human error. It cannot therefore be concluded that, by sending the e-mail to the defendant 2, the defendant 1 did not take sufficient measures to protect the personal data of the complainant against security risks, so that no infringement of Article 32 and Article 33can be established in this case.
Complaint to defendant 2
The defendant 2claims that there is no processing on its part as there is no intentional element present and no initiative was taken by him.
The DPA states that just receiving personal data an sich constitutes no processing as defined in Article 4(2). Accessing or forwarding the attachments with personal data however, does constitute processing. Even though the defendant 2 claims not having read the attachment, it was sent to hislawyer. This means the defendant 2 must be seen as a data controller as defined in Article 4(7) because he defined the purposes and means of processing. His statement that the defendant 2 deleted the e-mail with attachment is irrelevant as the processing already took place.
Additionally, the defendant 2 did not deliver evidence that he had asked his lawyer to remove the e-mail with attachments, a responsibility which comes to all data controllers under Article 19 when deleting personal data in line with Article 17.
The defendant 2 reasons that this processing is lawful as article 237 of the Codex Deontology for Lawyers and WP29 169 state that you can provide information to your lawyer to help exercise your rights/legal defense. Interpreting this any other way would prevent the defendant 2 from sending information to his lawyer.
The DPA states that the personal data was sent to the defendant 2 without a lawful basis. The defendant 2 could not utilise this information as he should not have gotten it in the first place.The DPA can only conclude that there is no legal basis as provided for in Article 6(1) that justifies the forwarding of the e-mail by the defendant 2 to his counsel. The defendant 2 also does not invoke any legal basis of Article 6(1)(f) and explicitly confirms in its reply to the statement of defence with regard to the legitimate interest Article 6(1)(f) that it does not even invoke this legal ground.
Of course, the communication with one's counsel is secret, but only on the condition that the information was received in a lawful manner and this was not the case here and a breach of Article 5(1)(a) and Article 6(1).
Further grievances regarding transparency and purpose limitation are not relevant as the processing itself is unlawful.
Comment
This decision was part of a larger one before another court.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/25
s
Litigation chamber
Decision on the merits 07/2021 of 29 January 2021
File number: DOS-2019-06201
Subject: Disclosure of personal information to third parties without permission from
the person concerned
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, chairman and Messrs. Christophe Boeraeve and Jelle Stassijns, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and repealing Directive
95/46 / EC (General Data Protection Regulation), hereinafter GDPR;
In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter
WOG;
Having regard to the rules of internal procedure, as approved by the Chamber of
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
.
.
. Decision on the merits 07/2021 - 2/25
has taken the following decision regarding:
- Mrs. X, hereinafter “the complainant”
- Y1, hereinafter “defendant 1”
- Mr Y2, hereinafter “Respondent 2”
1. Facts and procedure
1. On December 11, 2019, the complainant files a complaint with the Data Protection Authority, hereinafter
GBA, against the defendants.
The subject of the complaint concerns:
- the refusal by respondent 1 to provide the complainant with access to personal data.
- the sending by Mrs. Z, partner at defendant 1, of an e-mail with 32 attachments, in part
concerning the company X bv of which the complainant is a 100% shareholder, making it
information would allow access to the personal activities, finances and personal data of
the complainant, to respondent 2, the complainant's former associate. This information would have been provided
without the consent of the complainant.
In addition, the respective e-mail containing the information concerning X bv, would be sent by
Respondent 2 forwarded to his counsel who would then in turn send the email
forwarded to the complainant's counsel.
2. On 7 January 2020, the complaint will be declared admissible on the basis of articles 58 and 60 of
the WOG, and the complaint on the basis of art. 62, §1 WOG submitted to the Disputes Chamber.
3. On January 29, 2020, the Disputes Chamber will notify the complainant that pursuant to Article
95, § 1, 3 ° WOG, it was decided to dismiss the complaint for reasons of expediency. The
decision states that the complaint does not contain any grievances that have a broad social impact
as well as that with regard to the deontological and professional errors that were made
committed by Ms. Z is a complaint pending with the competent authority and the Dispute Chamber
wish to avoid a possible double investigation.
4. On March 5, 2020, the Disputes Chamber will receive the
notification of a petition from the complainant against the GBA, deposited at the registry of the Court. Decision on the merits 07/2021 - 3/25
5. On April 30, 2020, the registry of the Brussels Court of Appeal will notify the Disputes Chamber of this
the initiation of the case was originally set during the period March-April 2020,
has been canceled and a new initiation date has been set for May 6, 2020.
6. By decision of 6 May 2020, the Marktenhof establishes the conclusion calendar. In it it states
Court also established that the counsel declare that they agree in writing to a written consultation
name, which will take place on August 7, 2020 with delivery of the judgment in public
hearing on 2 September 2020.
7. On September 2, 2020, the Marktenhof will pass judgment.
The judgment contains the following points for attention regarding the assessment of the
subject of the petition:
Annulment of the decision to dismiss the Disputes Chamber for lack of adequate
motivation
Granting by the Court to the measure claimed by the complainant, ie to rule that
the file is ready for treatment on the merits within the meaning of Article 95, §1, 1 ° WOG and the
Order the data protection authority to consider the merits of the file in
the meaning of article 98 WOG.
The Marktenhof not only overturns the decision of the Disputes Chamber of January 28, 2020,
but also orders the Dispute Chamber to decide within five months from the
notification of the judgment to make a new decision on the complaint lodged.
Since the Marktenhof still wishes to assess the claims of the complainant against the
contradiction by the GBA, the Court claims that the GBA should take a position on the
claim as stated by the complainant.
The Court will adjourn the case in order to verify whether the Dispute Chamber is within the stated time limit
period has taken a new decision and in order to allow the complainant to make a claim
to the full jurisdiction of the Marktenhof, the Disputes Chamber was not allowed a new one
have made a decision. The Court refers the case for review in open court of
February 24, 2021, where the Court specifies that it is not for it to make the new decision
to judge on its merits in the context of the present proceedings.
1
The judgment is available on the website of the Data Protection Authority via the following link:
https://www.gegevensbeschermingingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-markthof.pdf Decision on the merits 07/2021 - 4/25
8. Following up on the judgment, the Disputes Chamber will decide on 8 September 2020 on the basis of art. 95,
§1, 1 ° and art. 98 WOG that the file is ready for consideration on the merits.
9. On September 8, 2020, the parties concerned will be notified by registered mail
of the provisions as stated in article 95, §2, as well as of those in art. 98 WOG. Also were
the parties involved on the basis of art. 99 WOG of the deadlines to their
file defenses. The deadline for receipt of the response
of the defendants was recorded on October 20, 2020, before receipt of the
statement of reply of the complainant on 10 November 2020, with the
possibility to submit a statement of reply until December 1, 2020.
10. On October 19, 2020, the Disputes Chamber will receive the statement of defense from the respondent
2. The defenses put forward can be summarized as follows:
With regard to the authority of the GBA, it is argued that the Dispute Chamber is
on the basis of article 100, §1 WOG, the complaint can be dismissed. Furthermore, be
arguments drawn from the judgment of the Marktenhof to demonstrate this in the proceedings
on the merits the Disputes Chamber has power to dismiss. This brings respondent 2
to urge the Disputes Chamber to renew a
decision to dismiss after reviewing the factual elements and the basis of the
complaint to the strategic plan and the internal dismissal guidelines of the GBA.
According to respondent 2, there would be no processing of personal data (Article 2.1 GDPR)
lack of an intentional element on the part of respondent 2 of the personal data
as he was only the recipient of the email and only one
act, namely forwarding the e-mail to his lawyer, after which the
email with attachments has been deleted.
Respondent 2 states that he can neither act as controller nor as processor
are labeled. He states that he only meets the criteria of the GDPR as a recipient
and third, as defined in Article 4 GDPR.
Forwarding the e-mail to his counsel does not constitute an infringement according to respondent 2
on the GDPR. To this end, he refers to Article 237 of the Codex Deontology for Lawyers
and Opinion 1/2010 on the concepts of “controller” and “processor”
2
of the Article 29 Working Party on Data Protection, adopted on 16 February 2010, to
state that a legal subject may provide information to his / her lawyer. Different
Judging, according to respondent 2, would have the effect of prohibiting the
2
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf Decision on the merits 07/2021 - 5/25
passing on information to counsel insofar as that information relates to
personal data. Respondent 2 adds that his counsel is there in turn
was ethically obliged to pass on the information obtained to counsel
of the complainant.
Even if an infringement were established, Respondent 2 considers him
no sanction can be imposed, given the specific circumstances of the case.
Specific with regard to the possibility of imposing an administrative one
fine, respondent 2 indicates for each of the criteria stated in Article 83.2 GDPR
to what extent these apply or not and this leads him to the conclusion that he
no fine can be imposed.
11. On October 20, 2020, the Disputes Chamber will receive the statement of defense from the respondent
1. The defenses put forward can be summarized as follows:
With regard to the competence of the GBA, this is also raised in the context of a
proceedings on the merits the Dispute Chamber can proceed to dismissal, which was
confirmed by the judgment of the Marktenhof dated September 2, 2020.
The sending of the e-mail with respondent 2 as one of the addressees concerns a
one-time human mistake in which certain data unintentionally entered into one
only e-mails were sent to defendant 2.
Respondent 1 claims to have acted in good faith by immediately taking the necessary action
to obtain the removal of the email from Respondent 2.
The rights of defense are alleged to have been violated because the complaint contains no legal rules
to be mentioned.
Respondent 1 points out that it has always complied with its privacy obligations.
Respondent 1 is of the opinion that no infringement has been committed and cannot be sanctioned
imposed.
12. On November 10, 2020, the Disputes Chamber will receive the statement of reply from the complainant.
The complainant argues that respondent 1 would have committed the following violations:
- Violation of the right of access (Article 15 GDPR)
- Violation of the legal basis requirement (Article 6.1 GDPR); the legality- transparency-
and the principle of fairness (art. 5.1 a) GDPR); the purpose limitation principle (Article 5.1 b) GDPR) and
the principle of minimum data processing (Article 5.1 c) GDPR) and this in each case
as to it still retained by defendant 1 today, as to
forwarding by e-mail to defendant 2
- Violation of the integrity and confidentiality principle (Article 5.1 f) GDPR and 32 GDPR)
and of the obligation to report a data breach (Article 33 GDPR) Decision on the substance 07/2021 - 6/25
As regards respondent 2, the complainant alleges the following violations:
- Respondent 2 is jointly controller for the violations
defendant 1
- Violation of the legal basis requirement (Article 6.1 GDPR), the legality and
transparency principle (Article 5.1 a) GDPR), as well as the purpose limitation principle (Article 5.1 b) GDPR)
13. On November 28, 2020, the Disputes Chamber will receive the statement of reply from the respondent
2. The statement of reply fully reproduces the statement of opinion submitted on 19 October 2020
answer. The defendant adds the following points:
According to respondent 2, the complaint should be declared inadmissible because the
the complainant maintains in the reply that "the use by respondent 2 of the e-mail
against the complainant "is the problem and not so much" the forwarding by respondent 2 of
that e-mail to his counsel ", as formulated in the complaint. Thus the complaint would not
meet the requirement of Article 60, paragraph 2 of the WOG, which includes a complaint
admissible if it contains a statement of the facts and the necessary indications
for the identification of the processing to which it relates. This requirement would
are not satisfied.
Regarding the complainant's statement in the reply that respondent 1 only the
Instructions from Respondent 2 follows by which Respondent 2 would determine the object and means
determining the processing within the meaning of Article 4.7) GDPR, with reference to a
oral statement by respondent 1 that respondent 2 would have ordered her to
not to deliver any document to the complainant without informing Respondent 2 thereof
Respondent 2 responds that no evidence is provided for this, so that in
Contrary to what the complainant maintains, respondent 1 and respondent 2 are not as joint
controllers can be labeled.
With regard to the complainant's statement in the reply regarding the
legitimate interest as the legal basis for the processing, respondent 2 states that these
legal basis is not put forward by him.
The complainant's request to impose a penalty is inadmissible, at least
unfounded, because without object, since the e-mail and attachments on first request already
were deleted.
14. On December 1, 2020, the Disputes Chamber will receive the statement of reply from the respondent
1, which fully repeats and adds to the elements of its statement of defense
that the extension of the complainant's arguments through its statement of defense leads to this
that the rights of defense of respondent 1 have been violated. Also disputed Decision on the merits 07/2021 - 7/25
defendant 1, in fact and in law, any fact that is not expressly acknowledged in his
statement of reply.
2. Legal basis
Principles regarding processing of personal data
Article 5.1 GDPR
1. Personal data must:
a) processed in a manner that is lawful, proper and with regard to the data subject
is transparent ('lawfulness, fairness and transparency');
(b) collected for specified, explicit and legitimate purposes and
may not be further processed in a way incompatible with those purposes; the
further processing for archiving in the public interest, scientific or historical
research or statistical purposes is not considered incompatible in accordance with Article 89 (1)
considered with the original purposes ('purpose limitation');
(c) adequate, relevant and limited to what is necessary for the purposes for which
they are processed ('data minimization');
[…]
f) by taking appropriate technical or organizational measures in such a way
processed to ensure adequate security, including protection
are against unauthorized or unlawful processing and against accidental loss, destruction or
damage (“integrity and confidentiality”).
Lawfulness of the processing
Article 6.1. AVG
1. The processing is only lawful if and insofar as at least one of the following
conditions are met:
a) the data subject has consented to the processing of his personal data for
one or more specific purposes;
b) the processing is necessary for the performance of a contract with which the data subject
party, or to take measures at the request of the data subject prior to the conclusion of an agreement
take; Decision on the merits 07/2021 - 8/25
c) the processing is necessary to comply with a legal obligation on the
controller rests;
d) the processing is necessary for the vital interests of the data subject or of another
protect a natural person;
e) processing is necessary for the performance of a task carried out in the public interest or for a task
in the exercise of official authority vested in the controller
commissioned;
f) the processing is necessary for the representation of the legitimate interests of the
controller or of a third party, except when the interests or fundamental rights and
the fundamental freedoms of the data subject requiring the protection of personal data,
outweigh those interests, especially if the data subject is a child. The first paragraph,
point f) does not apply to processing by public authorities in the exercise of
their duties.
Right of access
Article 15.1 GDPR
1. The data subject has the right to obtain information from the controller about
whether or not to process personal data concerning him and, where that is the case, to
obtain access to those personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be
, in particular recipients in third countries or international organizations;
d) if possible, the period during which the personal data are expected to be obtained
stored, or if that is not possible, the criteria for determining that period;
e) that the data subject has the right to request that the controller do so
personal data are rectified or erased, or that concerning the processing of him
personal data is limited, as well as the right to object to that processing;
f) that the data subject has the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, all available
information about the source of that data;
h) the existence of automated decision-making, including those referred to in Article 22 (1) and (4),
intended profiling, and, at least in those cases, useful information about the underlying logic,
as well as the importance and the expected consequences of that processing for the data subject. Decision on the merits 07/2021 - 9/25
3. Justification
A. Procedure
15. This case is the follow-up to the judgment of the Marktenhof dated September 2, 2020 in a case
against the Data Protection Authority (GBA), following the appeal lodged by the complainant
against the decision of the Disputes Chamber on the basis of Article 95, § 1, 3 ° WOG, his complaint
to dismiss.
16. At present, the defendants in the proceedings on the merits which will be brought before the Disputes Chamber
the Disputes Chamber can still proceed to dismiss the complaint
and that this would be appropriate in the present file, after checking against the strategic plan
and the internal dismissal guidelines of the Disputes Chamber.
17. However, the complainant believes that he can state in this regard that the Disputes Chamber does not have the
possibility of termination, and this deduces from the relevant judgment of the Marktenhof
stating that the measure claimed by the complainant to decide that file
is ready for treatment on the merits within the meaning of Article 95, 1 ° WOG and the dossier on the merits
to be treated within the meaning of article 98 et seq. of the WOG. is granted by the Marktenhof.
18. The Disputes Chamber wishes to provide clarity on this point, without prejudging
on the assessment of the facts underlying the complaint and any infringements
on the GDPR that could result from it. The Disputes Chamber refers to this
Article 100 WOG 3, in which its decision-making power is determined in the context of a
3 Art. 100. § 1. The disputes chamber has the power to:
1 ° to dismiss a complaint;
2 ° order the non-prosecution;
3 ° order the suspension of the judgment;
4 ° propose a settlement;
5 ° to formulate warnings and reprimands;
6 ° order that the requests of the data subject to exercise his rights be complied with;
7 ° order that the person concerned is informed of the safety problem;
8 ° order that the processing be temporarily or permanently frozen, restricted or prohibited;
9 ° order that the processing is brought into conformity;
10 ° the rectification, limitation or deletion of data and the notification thereof to the recipients of the
to order data;
11 ° order the withdrawal of the accreditation of certification bodies;
12 ° to impose penalties;
13 ° impose administrative fines; Decision on the merits 07/2021 - 10/25
procedure on the merits. This provision expressly provides that, in addition to many other measures,
the Disputes Chamber also has the option to file a complaint in the proceedings on the merits
to be dismissed (Article 100, §1, 1 ° WOG). The Disputes Chamber emphasizes that it is free to
to dismiss complaints also at this stage for technical or policy reasons,
in accordance with the conditions in the case law of the Marktenhof. 4
19. After this, the Disputes Chamber will investigate whether or not there has been any infringement of the
GDPR and assess which sanction, if any, should be considered appropriate.
20. Contrary to what the complainant claims, the Marktenhof in its judgment of 2 September
2020 does not include any restrictions regarding the possible sanctions to be taken by the
Disputes Chamber and the option to proceed with dismissal is therefore retained. It
judgment explicitly states that the Disputes Chamber is free to make a new decision
5
and that this can indeed be a dismissal decision. After all, the judgment states that if the
new decision would again be a dismissal decision, care must be taken that this
new decision is properly justified.
B. Investigation of the complaint as formulated with regard to the defendant 1
a. Subject of the complaint and rights of defense
21. Respondent 1 accuses the complainant of extending the complaint in the reply.
Because the complainant did not include this argumentation in the original complaint, but only in the
conclusion, respondent 1 is of the opinion that his rights of defense have been violated. Respondent 1
14 ° the suspension of cross-border data flows to another State or an international institution
to command;
15 ° transfer the file to the public prosecutor's office in Brussels, who informs it of the consequences
that is given to the file;
16 ° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
§ 2. If, after application of § 1, 15 °, the public prosecutor refrains from instituting criminal proceedings, an amicable
propose a settlement or mediation in criminal matters referred to in Article 216ter of the Code of Criminal Procedure, or
if the Public Prosecution Service has not taken a decision within a period of six months from the day
upon receipt of the file, the Data Protection Authority decides whether the administrative procedure should be
resume.
4 Judgment of the Marktenhof dated 2 September 2020, 9.4.
5
The judgment of the Marktenhof dated September 2, 2020 states in 9.11. “Is the dismissal decision - as in this case - not sound
motivated, it will be destroyed. In that case, the Disputes Chamber is free to make a new decision and
if that would again be a dismissal decision, to ensure that this new decision is properly substantiated this time
is. ” Decision on the merits 07/2021 - 11/25
adds that in the complaint no legal rules are invoked, affecting his rights
of defense would also have been violated.
22. The Disputes Chamber establishes that the complaint becomes as it is with regard to respondent 1
formulated, contains two elements:
- the refusal by respondent 1 to allow the complainant access to personal
information data
- the sending by respondent 1 of an e-mail with 32 attachments concerning the complainant through which
this information would allow access to personal activities, finances and personal data
of the complainant, to respondent 2, the complainant's former associate. This information would be
provided without the consent of the complainant.
23. The Disputes Chamber is of the opinion that the complainant's statement of reply is both of these
repeats elements and the complainant does exactly what defendant 1 puts forward in his conclusion of
answer in which he states that the complainant should further explain her complaint, stating
of the invoked legal rules, in order to give respondent 1 the opportunity to act
to be able to conclude in an appropriate manner.
24. Although Respondent 1 thus had the opportunity to respond to this in his Opinion of
reply and to fully exercise his rights of defense, respondent 1 limits himself to it
to state only that the legal and factual discourse contained in the statement of defense of the
the complainant has been disputed and this should be clear in both fact and in law and the complainant
on which it attempts to substantiate its claims.
25. The Disputes Chamber emphasizes that impartial and fair treatment of the entire
trajectory must be assured. The rights of defense of defendant 1 are not
violated, because he has been given the opportunity to fully present his argument
by means of its claims, at least by means of its statement of reply.
26. With regard to the defense against the complainant, namely that it must be clear
provide information about the evidence on which its allegations are based, the Dispute Chamber points out
reiterate that filing a complaint for those affected whose personal data
6
processed should be straightforward. More specifically, the Dispute Chamber notes
that it is up to each of the parties to make the alleged violations or rebuttal
to provide the necessary evidence of this. The complainant does not have to submit this proof in the complaint itself
6 See more in detail Decision on the merits 05/2021 of 22 January 2021, 11. Decision on the merits 07/2021 - 12/25
lay. It is up to the Dispute Chamber to assess the alleged violations
deemed sufficiently proven to be considered as an infringement of the GDPR. The Dispute Chamber has
considerable discretion in determining the scope of the procedure. 7 The
lack of supporting documents for certain assertions cannot be made by the counterparty
invoked as a violation of its rights of defense.
b. Lawfulness of the processing
27. The complainant argues that any legal basis for the processing of the personal data of the
complainant by defendant 1 completely lacks both as far as it is still under itself
keeping the complainant's accounts, as well as for the processing of personal data
consists of forwarding the e-mail with attachments to defendant 2.
28. First of all, the Dispute Chamber points out that as far as it is concerned, it is still retained
of the complainant's accounts, based on the elements available to it, it cannot
assess the extent to which the documents relating to the complainant's accounts hold them
are still required by respondent 1 in the context of the existing dispute between
respondent 1 and respondent 2. The Disputes Chamber will only examine below to what extent the
forwarding the e-mail with attachments to respondent 2 can be considered lawful.
29. Respondent 1 admits that the email was indeed addressed to Respondent 2 as one of the
recipients, but that this was the result of a one-time human error involving
personal data concerning the complainant was unintentionally sent to respondent 2. He light
admits that at the root of this mistake is the fact that e-mails were sent for many years
sent to both the complainant and respondent 2 in the context of the notary association between
both. He specifies that the e-mail that is the subject of the complaint has both attachments
relating to the notary's association, as appendices relating to the
personal partnership of the complainant. Respondent 1 argues that such unintentional, no
intentional act, cannot give rise to an infringement of the GDPR.
30. The Disputes Chamber draws attention to the presence or absence of an intention
does not constitute a criterion for the processing of personal data within the meaning of Article 4.2) GDPR. 8
7 See, inter alia, Decision on the merits 05/2021 of 22 January 2021, 10-13.
8 Art. 4. GDPR
For the purposes of this Regulation:
[…] Decision on the merits 07/2021 - 13/25
Even if respondent 1 did not intend to send the email to respondent 2,
the mere fact that the e-mail was actually sent to defendant 2 is sufficient for this
shipping as processing.
31. The sending by Respondent 1 to Respondent 2, of an email containing 32 attachments regarding
the complainant through which this information would give access to personal activities, finances and
personal data of the complainant, constitutes a processing of which the lawfulness must be
be checked.
32. In accordance with article 5.1. b) GDPR may allow the processing of personal data for other
purposes other than those for which the personal data were initially collected
permitted if the processing is compatible with the purposes for which the personal data
initially collected. Taking into account the criteria included in article 6.4. AVG and
Recital 50 of the GDPR must thus be ascertained whether the further processing, in this case the
forwarding the email with attachments to respondent 2, whether or not it is compatible with the initial
processing consisting of keeping the accounts of the complainant's company
by respondent 1. The reasonable expectations of the
involved an important role. The Disputes Chamber reaches the decision that the complainant should appeal
has performed on the services of defendant 1 solely for the purposes of accounting
its company and it could not reasonably be expected that respondent 1 would accept that
share data with respondent 2.
33. This leads to the finding that there is no compatible further processing, so that
a separate legal basis is required for the communication of the personal data of the
complainant to respondent 2 could be considered lawful.
34. Processing of personal data, including incompatible further processing
as in the present case, is only lawful if there is a legal basis for this.
For incompatible further processing operations, it is necessary to fall back on article 6.1. AVG and
2) 'processing' means an operation or a set of operations relating to personal data or a set of
personal data, whether or not carried out by automated processes, such as collecting, recording, organizing,
structure, save, update or change, retrieve, consult, use, provide by means of transmission,
disseminate or otherwise make available, align or combine, shield, erase or destroy
data;
9 Recital 50 GDPR: […] To determine whether a purpose of further processing is compatible with the purpose for which the
personal data were initially collected, the controller must, after he has complied with all rules on
lawfulness of the original processing, including taking into account: a possible link
between those purposes and the purposes of the intended further processing; the framework in which the data was collected;
in particular, the reasonable expectations of data subjects based on their relationship with the controller
regarding its further use; the nature of the personal data; the consequences of the intended further
processing for data subjects; and appropriate safeguards for both the original and the intended further ones
processing. Decision on the merits 07/2021 - 14/25
10
recital 50 GDPR. Recital 50 of the GDPR states that this is a separate legal basis
required for the processing of personal data for other purposes that are incompatible
with the purposes for which the personal data was initially collected. That
separate legal grounds on the basis of which a processing, including
incompatible further processing, which can be considered lawful, are provided in
article 6.1. AVG.
35. To this end, the Disputes Chamber examines the extent to which the legal grounds as determined in Article 6.1.
GDPR can be invoked by defendant 1 in order to further process the
justify personal data relating to the complainant.
36. Respondent 1 himself does not mention any legal basis which would allow him to transfer
proceed to the data processing that is the subject of the complaint, being the forwarding
of the e-mail to Respondent 2. In addition, Respondent 1 expressly admits that this
forwarding was a mistake and it was by no means the intention to send the email as well
respondent 2. Respondent 1 therefore does not argue that such forwarding was allowed
take place and therefore does not try to justify it by relying on any
legal basis.
37. On the basis of the factual elements present in the file, the Disputes Chamber proceeds ex officio
whether a legal ground can be invoked, if any, that respondent 1 would allow over
to proceed until the e-mail is sent to the defendant. 2. The Disputes Chamber will investigate this
whether the sending of the e-mail containing the complainant's personal data can be based on
any legitimate interest on the part of respondent 1 (Article 6.1. f) GDPR).
38. The other legal grounds included in Article 6.1. points a), b), c), d) and e) GDPR are in
present case not applicable.
39. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European
Union (hereinafter “the Court”) three cumulative conditions must be fulfilled for a
controller can validly invoke this ground of lawfulness, “te
know, in the first place, the promotion of a legitimate interest of the
controller or of the third party (ies) to whom the data are provided, in the
second, the necessity of the processing of personal data for the purpose of
10 Recital 50 GDPR: The processing of personal data for purposes other than those for which the personal data
initially collected should only be allowed if the processing is compatible with the purposes for which
the personal data was initially collected. In such case, no separate legal basis other than that on
grounds for which the collection of personal data was permitted. […] Decision on the merits 07/2021 - 15/25
the legitimate interest, and, thirdly, the condition that the fundamental rights
and freedoms of the person concerned with data protection do not prevail ”(judgment
“Rigas”).
40. In order to be able to rely on the ground of lawfulness of the
"Legitimate interest", in other words, must be indicated by the controller
show that:
the interests pursued by this processing can be justified
be recognized (the “target test”);
the intended processing is necessary for the realization of these interests
(the “necessity test”); and
the balancing of these interests against the interests, fundamental
freedoms and fundamental rights of data subjects weighs in favor of the
controller (the “balancing test”).
41. With regard to the first condition (the so-called “target test”), the Disputes Chamber of
consider that the purpose of reaching all parties involved at the same time
by sending a single email with attachments to all parties involved
interests, must be considered as performed for a legitimate interest.
The interest that respondent 1 pursued as controller may be similar
Recital 47 GDPR can be considered justified in itself. Consequently, it is satisfied
the first condition contained in Article 6.1, f) GDPR.
42. In order to fulfill the second condition, it must be demonstrated that the processing
necessary for the achievement of the objectives pursued. This means more
stipulates that the question should be asked whether the same result can be achieved by other means
are achieved without processing of personal data or without unnecessarily invasive
processing for the data subjects.
43. Based on the purpose, being to reach all parties involved by means of
sending a single e-mail with attachments affecting all parties involved serves the
The litigation chamber found that the email contained both attachments pertaining to the
notary association between the complainant and respondent 2 as well as annexes relating to the
personal partnership of the complainant. In order to avoid mixing of both types of attachments
avoid, Respondent 1 could have simply sent an email to the complainant and
respondent 2 with the appendices relating to the notary association between the complainant and
defendant 2 and a separate email addressed only to the complainant with the attachments provided
related to her personal partnership. The second condition is thus not Decision on the substance 07/2021 - 16/25
met because the principle of minimum data processing (Article 5.1. c) GDPR) was not
complied.
44. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called
“Balancing test” between the interests of the controller, on the one hand, and the
fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should
reasonable, in accordance with Recital 47 GDPR
expectations of the data subject. More specifically, it should be evaluated whether “data subject
at the time and in the context of the collection of the personal data is reasonably permitted
expect processing to take place for that purpose ”.
45. This is also emphasized by the Court in its judgment “TK t / Asociaţia de Proprietari bloc M5A-
ScaraA ”of December 11, 2019, in which it states:
“Also relevant to this assessment are the reasonable expectations of the data subject that are or
her personal data will not be processed when, in the circumstances of
the case, the data subject cannot reasonably further process the data
expect".
46. With regard to this third condition, the Disputes Chamber can only establish that the complainant is on
could not expect a single moment to share the attachments pertaining to her
personal partnership with defendant 2.
47. The Disputes Chamber is of the opinion that all of the elements set out demonstrate that
Respondent 1 cannot rely on any legal basis proving the legality of
the data processing as set up by him. Moreover, respondent 1 disputes the
facts and states that in the relevant e-mail that is the subject of the complaint the
Respondent 2's email address was placed in the “CC” field, although not intentionally
happened. By doing so, he indicates that he has infringed the processing of the
personal data of the complainant. The Disputes Chamber thus decides that the infringement of Article
5.1 b) in conjunction with Article 6.4. AVG, on article 5.1 a) in conjunction with article 6.1. AVG and on article
5.1 c) GDPR has been proven.
48. The complainant also submits that respondent 1 applies the principles of transparency (Article 5.1 a) GDPR,
Articles 12 and 13 GDPR) and propriety (Article 5.1 a) GDPR). In that regard
11
See in the same sentence: Decision on the merits 03/2021 of 13 January 2021 Decision on the merits 07/2021 - 17/25
the Disputes Chamber is of the opinion that in view of the fact that the forwarding was an error
and it was by no means the intention to also send the e-mail to defendant 2, defendant 2
had not foreseen that such forwarding would occur. This stems from the very nature of
a mistake. In the absence of any intention to send the email to Respondent 2,
Respondent 1 also failed to comply with the principles of transparency and fairness that require
that certain communications prior to the forwarding by defendant 1 to defendant
2 should have happened. However, the breach of these principles does not affect in any way
the sanction imposed by this decision, in view of the fact that an error was the basis
lay of data processing.
49. Taking into account the fact that respondent 1 claims that the necessary steps were taken immediately to
from defendant 2 to obtain the removal of the e-mail and became counsel for the complainant
informed of the confirmation of this removal by Respondent 2, proving that
Respondent 1 acted in good faith, as well as the fact that the infringement was only for a first
time, the Disputes Chamber is of the opinion that it is appropriate to refer to
respondent 1 to formulate a reprimand. In view of these circumstances, the Disputes Chamber sees
from imposing an administrative fine.
c. Right of access
50. The complainant argues that respondent 1 refuses to allow inspection and to provide a copy
of the complete accounts of its sole proprietorship. Respondent 1 asserts in this regard
does not specifically state any position in his conclusions, but merely indicates that he does not have any fact
is expressly recognized in his claims, is disputed by him.
51. The Disputes Chamber finds that the complainant does not provide any document proving the refusal
respondent 1 to allow access to its complete accounts
sole proprietorship appears. Consequently, the Disputes Chamber cannot proceed with the determination
of any infringement by respondent 1 of the complainant's right of access (Article 15 GDPR).
d. Security of processing and data breach
52. The complainant argues that respondent 1, in application of Article 33 GDPR, meets the
Data protection authority should have reported that forwarding the
personal data of the complainant to respondent 2, an infringement related to
personal data. Decision on the merits 07/2021 - 18/25
53. The Disputes Chamber explains that Article 33 GDPR relates to violations regarding the
security of personal data as described in Article 32 GDPR. Recital 83 GDPR 12
determines that the controller has appropriate technical and organizational
take measures to limit data security risks.
54. The Disputes Chamber finds that the access that respondent 2 has been given to the
personal data of the complainant is not related to insufficient technical and
organizational measures that defendant 1 would have taken to protect the personal data
of the complainant against security risks. The email was addressed by respondent 1
to both the complainant and respondent 2. The fact that the e-mail has reached respondent 2 cannot
associated with a security problem for the personal data that
are processed by defendant 1. The Disputes Chamber is of the opinion that none
security measure may be to completely rule out the possibility that human error causes a
e-mail is sent to an unintended recipient. It cannot be decided thus
that defendant 1 by sending the email to defendant 2 insufficient action
would have taken to protect the complainant's personal data from
security risks, so that no violation of Articles 32 and 33 GDPR can be established.
C. Investigation of the complaint as formulated with regard to the defendant 2
a. Processing and controller
55. Respondent 2 disputes that there would be any processing of personal data on his part
ground, within the meaning of Article 2.1. AVG. He argues that since he is merely in his capacity
of the recipient of the e-mail in question, there can be no processing at all
lack of any initiative on his part. Respondent 2 is of the opinion that a
processing involves an intentional element to be able to use personal data.
12 Recital 83 GDPR: In order to ensure security and to prevent the processing from infringing this
Regulation, the controller or processor should assess the risks inherent in the processing and
take measures, such as encryption, to limit those risks. Those measures should be at an appropriate level of
safeguard security, including confidentiality, taking into account the state of the art and the
implementation costs set against the risks and the nature of the personal data to be protected. When assessing the
data security risks, attention should be paid to risks arising from personal data processing,
such as the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the
data transmitted, stored or otherwise processed, whether accidentally or unlawfully, which in particular leads to
physical, material or immaterial damage. Decision on the merits 07/2021 - 19/25
56. With regard to the notion of "processing", the Disputes Chamber notes that this concept is defined
in Article 4.2) GDPR, and clearly delineated. Just receiving
personal data does not constitute processing within the meaning of Article 4.2) GDPR. On the other hand,
must consult it, as well as forward the e-mail with the corresponding attachments
contain personal data, indeed as processing within the meaning of the GDPR
considered. Although respondent 2 argues that he has not taken note of the annexes to
the e-mail in question and therefore no consultation took place, he admits that he received the e-mail
to his counsel, thus making it unmistakably established that the defendant
2 has provided personal data by means of forwarding within the meaning of Article 4.2) GDPR
and must defendant 2 on this aspect, consisting of forwarding the email
with attachments containing personal data about the complainant, if
controller 14 within the meaning of Article 4. 7) GDPR, because he has the
determines the purpose and means of this transmission. He simply cannot be himself
label as recipient 15 of the email within the meaning of Article 4.9) GDPR, since defendant 2
has not limited himself to receiving the e-mail, but because he has it in turn
forwarded, he has himself as to that forwarding to
controller. By that act he received the
after all, personal data used for its own purpose 16. Given its capacity as
controller with regard to the transfer, respondent 2 cannot, and this
contrary to what he argues, be considered third 17 within the meaning of Article 4.10)
13 Art. 4. GDPR
For the purposes of this Regulation:
[…]
2) 'processing' means an operation or a set of operations relating to personal data or a set of
personal data, whether or not carried out by automated processes, such as collecting, recording, organizing,
structure, save, update or change, retrieve, consult, use, provide by means of transmission,
disseminate or otherwise make available, align or combine, shield, erase or destroy
data;
14 Art. 4. GDPR
For the purposes of this Regulation:
[…]
7) 'controller' means a natural or legal person, public authority, agency or other
body that determines, alone or together with others, the purpose and means of the processing of personal data;
where the purposes and means of such processing become in Union or Member State law
determined, it may determine who the controller is or according to which criteria he becomes
designated;
15 Art. 4. GDPR
For the purposes of this Regulation:
[…]
9) 'recipient' means any natural or legal person, public authority, agency or other body, whether or not
a third party to whom / to whom the personal data are provided. […]
16 Guidelines of the European Data Protection Board 07/2020 on the concepts of controller and processor in the GDPR (p. 29):
“A third party recipient shall be considered a controller for any processing that it carries out for its own purpose (s) after it
receives the data. ”
17 1 Art. 4. GDPR Decision on the substance 07/2021 - 20/25
AVG. His statement that he deleted the e-mail with attachments after the forwarding does this
no detriment.
57. For the sake of completeness, the Disputes Chamber notes that respondent 2 does not provide proof that his
counsel has also proceeded to delete the e-mail with attachments, as Article 19
GDPR implies an obligation for the controller to inform each recipient to whom
personal data have been provided, of any erasure of personal data
in accordance with Article 17 GDPR, unless this proves impossible or requires a disproportionate effort.
On this basis, Respondent 2 should also have had to delete the email in question
requests regarding his counsel in his capacity as recipient of the by
defendant 2 forwarded email.
58. The Disputes Chamber also adds that with regard to the plaintiff's assertion that defendant
2 is jointly controller with respondent 1, it considers that none
piece of the file demonstrates this assertion. After all, the complainant bases this allegation solely on
an oral statement allegedly made by respondent 1 at the last meeting
which the complainant had with defendant 1. It would then have been declared that defendant 2 to defendant
1 had instructed not to deliver any document to the complainant without his notification
was informed. There is no evidence whatsoever for this one-sided allegation of the complainant
so that there is no reason for the Disputes Chamber to assume that both
defendants acted as joint controllers.
b. Admissibility of the complaint
59. Although defendant 2 denies that there would be any data processing on his behalf
it appears from the above that based on the factual elements, the Dispute Chamber has
determined that Respondent 2, as controller for the forwarding of the e-mail
mail to his counsel should be considered.
60. The complainant argues in the reply that the forwarding of the e-mail by
respondent 2 is processing to his counsel for which respondent 2 de
is the controller and states that it is not accused that respondent 2 has the data of
For the purposes of this Regulation:
[…]
10) 'third party' means any natural or legal person, public authority, agency or other body other than the
data subject, nor the controller, nor the processor, nor any person under the direct authority of the
controller or processor are authorized to process the personal data; Decision on the merits 07/2021 - 21/25
the complainant has forwarded it to his lawyer, but that respondent 2 has forwarded that information to him
in violation of the GDPR, then used as a document in the dispute against the complainant.
61. The latter, being that "it is not accused that respondent 2 has the complainant's data
forwarded to his attorney, but that defendant 2 violates that information sent to him
with the GDPR, then used as a document in the dispute against the complainant "is by respondent 2
seized to argue that the complaint should be declared inadmissible.
62. As the complainant maintains in the reply that "the use by respondent 2 of
the email against the complainant "is the problem and not merely" the forwarding by itself. "
Respondent 2 of that e-mail to his counsel ", as formulated in the complaint," believes
Respondent 2 to be able to argue that the complainant in the reply is suddenly a completely new one
claim / violation. In that view, the complaint would not meet the requirement of Article
60 (2) WOG which states that a complaint is admissible when it is an explanation
of the facts, as well as the necessary indications for identifying the processing on which they
relates. Because the violation of the GDPR alleged in the complaint is fundamental
would be different from those set out in the complainant's reply, it would meet this
requirement have not been met.
63. The Disputes Chamber notes that the complainant already referred to in the initial complaint
document 7, which was attached to the complaint as an appendix. That piece is exactly an email from the
counsel for the complainant, which is addressed to the complainant himself in order to inform the latter of the
to notify that the email forwarded by defendant 2 to his counsel concerning
personal data of the complainant "as a document" is communicated by defense counsel
2 to the complainant's counsel. The complainant repeats this fact with reference to the same document
in the reply. The problem that the e-mail is used "as piece" in a
pending proceedings between the complainant and respondent 2 are thus not new like respondent 2
tries to make it appear. The Disputes Chamber therefore decided that Article 60, paragraph 2, became WOG
respected, the admissibility of the complaint has not been affected and the rights of defense
are respected. 18
c. Lawfulness of the processing
64. Respondent 2 argues that the only act he has committed is the forwarding of the e-mail
to his counsel and that this was done lawfully on the basis of a specific legal basis that
18
See also the statements in point 26 regarding respondent 1. Decision on the merits 07/2021 - 22/25
lawyers to receive information from their clients. To this end, he refers to Article 237
of the Codex Deontology for Lawyers and Advice 1/2010 on the concepts “for the
controller ”and“ processor ”of the Article 29 Data Protection Working Party,
19
approved on February 16, 2010, to state that any legal information is allowed
deliver to his / her lawyer. To judge otherwise would, according to respondent 2, have the effect
that there would be a prohibition on passing on information to counsel insofar as that
information relates to personal data.
65. The complainant responds by stating that defendant 2, wrongly, argues that it would
are allowed to transfer personal data obtained in violation of the GDPR from a counterparty to a
lawyer to use in this way against the opposing party. This is according to the
complainant completely violates the GDPR. The complainant states that respondent 2 uses her personal data
email has been forwarded to his attorney and has been used in the dispute against her without it
to be able to rely on one of the legal grounds specified in Article 6.1 GDPR.
66. The Disputes Chamber finds that respondent 2 ignores the fact that he is in possession
came from the e-mail at the hands of defendant 1 who forwarded it to him without it
that there was some legal basis for this (see above). Forwarding by defendant 1
Respondent 2 was thus affected by a lack of legality. It's clear that
defendant 2 - in his capacity as recipient - obtained them unlawfully
personal data, in turn - this time in the capacity of
controller - by forwarding it to his lawyer to send this email with
subsequently use the complainant's personal data as a document in pending proceedings.
67. After all, a processing of personal data is only lawful if a
legal basis exists. The Disputes Chamber can only establish that there are none
legal basis as defined in article 6.1. GDPR the forwarding of the email by the defendant 2
to his counsel. Respondent 2 also does not rely on any legal basis
article 6.1. AVG and explicitly confirms in its reply statement with regard to the
legitimate interest (Article 6.1. f) GDPR) that he does not even invoke this legal basis.
Respondent 2 relies only on Article 237 of the Codex Deontology for Lawyers
confirming that the client's confidential communications to his attorney
take place, which are covered by professional secrecy. The Disputes Chamber recognizes, of course
the principle that a client must be able to make confidential statements to his lawyer,
but this is only possible, insofar as it concerns personal data, on the condition that it
19
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf Decision on the merits 07/2021 - 23/25
personal data is processed in a manner that is lawful with regard to the data subject
is (Article 5.1 a) GDPR and Article 6.1. GDPR). However, in the present case it appears that the forwarding
to defense counsel for defendant 2, with disregard of the principle of legality
in the absence of any legal basis as provided in Article 6.1. AVG.
68. The Disputes Chamber is of the opinion that the entirety of the elements set out demonstrates that
Respondent 2 cannot rely on any legal basis proving the legality of
the data processing as set up by him. The Disputes Chamber thus concludes
the violation of article 5.1. a) GDPR and Article 6.1. AVG has been proven.
69. In addition to the breach of the principle of lawfulness, the complainant also submits that the
transparency principle (Article 5.1. a), Article 12 and Article 14 GDPR) and the purpose limitation principle
(Article 5.1. b) GDPR) would have been violated by respondent 2.
70. With regard to the purpose limitation principle, the Disputes Chamber draws attention to the fact that this principle
requires personal data for specified, explicitly defined and justified
20
purposes are "collected". Of any collection for an expressly defined and
legitimate purpose of the complainant's personal data by respondent 2
no way. He has merely received the email with personal data without this at all
legal basis could be supported. Because he forwarded that data to
appropriated his counsel, also without any legal basis, to use as a document
defendant 2 assumes the capacity of controller, which in principle means that he
to respect all applicable provisions of the GDPR, including the
purpose limitation principle and the transparency principle.
71. Both principles could not be applied simply because the processing by
defendant 2 is fundamentally affected by a lack of legal basis, so that the
Disputes Chamber not in breach of the principle of transparency (Article 5.1. A), Article 12 and Article 14
GDPR) and the purpose limitation principle (Article 5.1. B) GDPR). Because the forwarding
is unlawful by respondent 1 to respondent 2 ab initio, any processing by respondent
2 also unlawful for any own purpose. As for the transparency principle
adds the Disputes Chamber that even if defendant 2 had the principle of transparency
20 Article 5.1. Personal data must:
[…]
(b) collected for specified, explicit and legitimate purposes and may not be subsequently
further processed in a manner incompatible with those purposes; further processing for archiving purposes
the public interest, scientific or historical research or statistical purposes becomes in accordance with Article 89 (1)
1, not considered incompatible with the original purposes (“purpose limitation”); Decision on the merits 07/2021 - 24/25
endeavor to respect, the forwarding to his attorney and the use that is made of it
made nonetheless remains unlawful.
72. Taking into account that Respondent 2 states that the email with attachments will be sent immediately
first request was cleared, as well as that the infringement was committed only for the first time
the Disputes Chamber is of the opinion that it is appropriate to order the defendant 2 to do so
definitively prohibit the processing of the e-mail in question with attachments (art. 100, §1, 8 °
WOG), as well as to order the notification of this definitive prohibition to his counsel (Article 100,
§1, 10 ° WOG) both for the processing of the e-mail with attachments that have already taken place and
for these in the future.
73. In determining these sanctions, the Disputes Chamber also takes into account that the complaint
is part of a broader conflict between the parties that is the subject of a
arbitration procedure regarding financial matters and the refusal to hand over
accounting and other documents in the context of the liquidation of the partnership
in which the notary activity was exercised by the complainant and defendant 2, of which the
Disputes Chamber notes that it is not the task of the Data Protection Authority
to intervene with regard to aspects that do not relate to the
processing of personal data. The Disputes Chamber therefore decides that, in the concrete
factual circumstances of this case, the sanctions imposed are sufficient. Considering this
In circumstances, the Disputes Chamber will refrain from imposing an administrative fine.
D. No decision to dismiss
74. Although the Disputes Chamber in the context of the proceedings prior to the decision ten
on the merits has proceeded to dismiss the complaint, is in the proceedings on the basis of
the full statement of the factual elements in the claims of each of the parties,
found that there have been breaches of fundamental principles of processing
of personal data. As a result, the Disputes Chamber is of the opinion that a decision on the merits
seeking to dismiss the complaint cannot be reconciled with the
infringements established, but that, on the contrary, it is necessary to proceed to the following
sanctions.
E. Publication of the decision
75. Considering the importance of transparency with regard to the decision-making of the
Disputes Chamber, this decision will be published on the GBA website. However, it is Decision on the merits 07/2021 - 25/25
does not need to be directly identifying the parties
announced.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
with regard to the defendant 1, on the grounds of Article 100, §1, 5 ° WOG, a
formulate a reprimand as a result of the infringement of article 5.1 b) in conjunction with article 6.4. AVG, op
Article 5.1 a) in conjunction with Article 6.1. GDPR and Article 5.1 c) GDPR.
with regard to respondent 2 as a result of the infringement of Article 5.1. a) GDPR and Article 6.1.
GDPR:
- on the basis of Article 100, §1, 8 ° WOG, to order the processing of the e-mail in question
permanently ban with attachments;
- on the basis of Article 100, §1, 10 ° WOG, to order notification of this final
prohibition to his counsel both for the processing of the e-mail with attachments already
occurred as well as for future processing.
On the basis of article 108, §1 WOG, an appeal can be lodged against this decision within
a period of thirty days from the notification at the Marktenhof, with the
Data protection authority as defendant.
Hielke Hijmans
Chairman of the Disputes Chamber
