APD/GBA (Belgium) - 115/2022: Difference between revisions
Revision as of 12:28, 3 August 2022
APD/GBA - 115/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR, Article 6(1) GDPR, Article 6(4) GDPR, Article 9(2) GDPR, Article 9(4) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 16.03.2020 |
Decided: | 19.07.2022 |
Published: | 26.07.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 115/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) |
Initial Contributor: | Jette |
The Belgian DPA held that discussing a data subject's health related personal data in a staff meeting where she was absent and consequently including the data in the minutes of the meeting was incompatible with the purpose of the original processing (personnel management) and did not have any other legal basis to rely on.
English Summary
Facts
During a meeting where the data subject was not present, the data subject's manager (controller) announced her departure and read out a document issued by the company doctor, stating that she was unfit to work and would leave the company. This statement was also included in the minutes of that meeting.
When the data subject discovered this, she filed a complaint against the controller with the Belgian DPA for unlawfully disclosing health related personal data to third parties. She added that the minutes were then saved on the controller's server, freely accessible to all its staff, including from other departments.
Holding
The DPA noted that the data subject did not dispute the lawfulness of processing of the information that she was unfit to work, but the subsequent communication about her health to her colleagues and other staff members. The DPA noted that it was not able to verify whether the minutes were actually made available on the controller's server. However, if that was the case, this would amount to an additional processing activity and the following findings of the infringement also apply.
The DPA first assessed whether the further processing was compatible with the purpose of the original processing (Article 5(1)(b) GDPR). It found that the purpose of the original processing was personnel management. The DPA held that the data subject could not reasonably expect that the same data would be communicated widely beyond the persons authorised for personnel management, especially considering the sensitive nature of the data. Therefore, the DPA held that the further processing was incompatible with the purpose of the original processing.
As the further processing was incompatible with the purpose of the original processing, the DPA noted that it could only be lawful if it had its own legal basis pursuant to Article 9(2) juncto Article 6(1). However, the DPA found that this was also not present. Therefore, the DPA held that the controller did not have a proper legal basis for processing the data subject's health related data and thereby violated Article 5(1)(b) juncto Article 6(4) and Article 9(2).
The DPA issued a reprimand against the controller. The DPA noted that it was not competent to issue a fine as the controller was a public authority.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber

Decision on the merits 115/2022 of 19 July 2022

File number: DOS-2020-01492

Subject: Complaint relating to the communication of data relating to the health of employees (staff movements – declaration of incapacity) - reprimand

The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman, and Messrs. Jelle Stassijns and Romain Robert, members, taking over the business in this composition;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);

Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to processing of personal data (hereinafter LTD);

Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Made the following decision regarding:

The complainant: X, hereinafter "the complainant".

The Respondent: Y, hereinafter "the Respondent".

I. Facts and procedure

1. On March 16, 2020, the complainant lodged a complaint with the Data Protection Authority (APD) against her immediate superior, Mr Z, director at Y, defendant.

2. Under the terms of her complaint, the complainant denounces the disclosure of personal data about her health by her manager at a department meeting at which she was not present.
In concrete terms, the complainant reports that, when she was contacted by telephone by some of her colleagues who wanted to hear from her, she realized that during the meeting of her department on February 18, 2020 - i.e. the service (....) of Y -, Director Z had announced her departure and read the document issued by Cohezio to the defendant stating her inability to work in the future within the defendant.

3. It appears from the documents in the file that on February 7, 2020, a prevention adviser – occupational physician from Cohezio informed the defendant of the complainant's inability to occupy any position within it. This information was passed on internally by human resources to the general management of the defendant, who informed the director of the service concerned, Mr Z.

4. On April 29, 2020, the APD Front Line Service (SPL) reminded the complainant that the GDPR applies to the processing of personal data, automated in whole or in part, as well as to the non-automated processing of data contained in or intended to appear in a file. If these conditions are not met (for example, specifies the SPL, if it is a question of the voice transmission of personal information that does not come from a database or a file and which is not intended to be saved there), [1] the DPA is not competent. The SPL concludes at this stage that in the event of this complaint, under which the complainant denounces only oral remarks, the complaint will be declared inadmissible and the file closed, unless there is a new element on the part of the complainant.

5. On April 30, 2020, the complainant reported to the SPL that the information given during the meeting mentioned above was recorded in the minutes of this service meeting. She produces these minutes and adds that they are communicated by e-mail to all members of the department (present or absent at the meeting, i.e. 17 people).
It is moreover stored on the defendant's server with free access and thus made accessible to all the members of its personnel, including departments other than that in which the complainant worked.

[1] The Litigation Chamber here draws the reader's attention to its decision 143/2021 of December 22, 2021, under the terms of which it insisted on the fact that "in order to achieve the intended purpose - to recruit only candidates who have been vaccinated - the response to the verification of the vaccination status which is carried out orally during the application interview necessarily involves a processing of personal data. It is hardly conceivable that no processing takes place, especially given the size of the hospital network which employs thousands of collaborators". In other words, the Litigation Chamber specifies that personal data communicated orally must be protected by the GDPR when they are (necessarily) required to appear in a file, for example recorded in a file or in meeting minutes as in this case.

6. The minutes of the meeting produced by the complainant mention in particular the following, as far as she is concerned: her absence for several weeks, the fact that she was the subject of a report by Cohezio, the fact that she was declared unfit for work within the defendant by Cohezio and the fact that she will no longer work with the defendant. For the rest, the part of the minutes concerning the complainant relates the announcement of her departure and mentions that colleagues have wondered about the allocation of her office, about their personal effects and about the future recruitment of a replacement for the position which she occupied.

7. On September 30, 2020, after further examination, the complaint was declared admissible by the SPL on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the Litigation Chamber under Article 62, § 1 of the LCA.

8.
On October 13, 2020, the Litigation Chamber decides, pursuant to Article 95, § 1, 1° and article 98 of the LCA, that the case can be dealt with on the merits.

9. On the same date, the parties concerned are informed by registered letter of the provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their conclusions, i.e. November 25, 2020 and January 8, 2021 respectively for the submissions in response and reply of the defendant on the one hand and December 17, 2020 for the submissions in response of the complainant on the other hand.

10. A copy of the file (art. 95, §2, 3° LCA) is sent to the parties by means of this same letter of October 13, 2020.

11. By return email of October 13, 2020, the defendant agrees to receive all case-related communications electronically.

12. This e-mail, sent directly to the Litigation Chamber by the director Z implicated by the complainant, further states the following:

Mr. Z indicates that with regard to the complaint against him, he wishes to bring to the attention of the Litigation Chamber that in the context of the service meeting mentioned, he informed the entire team of the movements in personnel matters.
Aware of the delicate nature of the situation of the complainant and in order to avoid any discussion or rumor about her departure from the management and, more broadly, from the defendant, he reports that it seemed to him relevant to use the same terms as those used by the General Secretariat (General Management) of the Respondent.

He specifies that he was never in possession of the medical diagnosis of the complainant and that it is on the basis of a note between the Human Resources Department and the General Management of the defendant, and in particular of the terminology used in Article 410 of the Civil Service Code (unsuitability), that he informed the co-workers in his management.

He adds that his intention was to remain as factual as possible in order to avoid any form of interpretation of the situation and that in no case did he intend to harm the complainant or disseminate confidential information concerning her. On the contrary, he continues, he wished to be able to ensure maximum serenity within his team.

On October 28, 2020, Mr Z will send the same message to the Litigation Chamber, these messages serving as “conclusions” for the defendant (see below points 22 et seq.).

13. On December 15, 2020, the Litigation Chamber received the conclusions in reply of the complainant. The complainant highlights that it is not disputed that Mr. Z read the document sent by Cohezio mentioning her inability to perform her duties during the service meeting on the one hand, and that he also validated, as the internal procedure requires, the provision of the minutes of the meeting on the server of the defendant on the other hand. The complainant further adds that her manager could have announced her departure to her colleagues without mentioning the reason for this departure, or could have asked her for her possible consent to the communication of this sensitive data.

14.
The Litigation Division did not receive any submissions in reply from the defendant and none of the parties requested a hearing within the meaning of Article 93 of the LCA and Article 51 of the Internal Regulations (RoI) of the APD, as they had been invited to do if they so wished via the aforementioned letter of October 13, 2020 from the Litigation Chamber.

II. Motivation

As for the identification of the data processing in question

15. As the SPL recalled in its letter of April 29, 2020 to the complainant (point 4), the GDPR - the correct application of which the DPA is responsible for ensuring - applies “to the processing of personal data, automated in whole or in part, as well as to the non-automated processing of personal data called upon to appear in a file" (article 2.1 of the GDPR).

[2] Art. 410. § 1. Subject to Article 412 and by way of derogation from Article 405, a staff member shall be granted leave without time limits: 1° when his illness is caused by an accident at work, by an accident occurring on the way to work or by an occupational disease; 2° when the agent has been removed from his post following a decision of the occupational physician noting his inaptitude to occupy a post (referred to in article 2 of the royal decree of 28 May 2003 relating to the surveillance of workers' health – AGW of 18 October 2012, art. 31) and no replacement work could be assigned to him. (…) Version in force of 1 January 2020.

16. It is not disputed that the comments made orally by Director Z during the service meeting and their recording in the minutes of this meeting constitute personal data relating to the complainant. Article 4.1 of the GDPR indeed defines personal data as being “any information relating to an identified or identifiable natural person”.
The information that the complainant (cited by name – see point 6) had been absent for several weeks, had been the subject of a Cohezio report, had been declared unfit for work and would no longer work with the defendant in the future is indeed information which makes it possible to identify her, in this case directly.

17. The Litigation Chamber further notes that the information that the complainant has been declared unfit for work by the well-being and prevention at work service also constitutes data relating to the complainant's health within the meaning of article 4.15 of the GDPR.

18. The Litigation Chamber recalls in this regard that the GDPR has opted for a broad definition of health data. Article 4.15 of the GDPR thus defines data relating to health as "personal data relating to the physical health or mental health of a natural person, including the provision of health care services, which reveal information about that person's state of health". Recital 35 of the GDPR, which sheds light on this definition, confirms the choice of a broad and not restrictive concept. The information that the complainant was declared unfit for work by professionals whose mission is specifically to assess the capacity of workers to perform their job certainly does not reveal the physical or mental pathology from which the complainant suffers. Such a service is indeed not authorized to reveal any medical diagnosis or any other consideration of a medical nature, since the mere information that the employee is unable or no longer able to exercise his functions is sufficient for the purpose pursued, namely to allow the employer to derive the

[3] It is the Litigation Chamber which underlines.

[4] Recital (35): Personal data relating to health should include all data relating to the state of health of a data subject which reveal information about the past, present or future physical or mental state of health of the person concerned.
(Footnote 4, continued) This includes information about the natural person collected during the registration of this natural person in order to benefit from health care services or during the provision of these services within the meaning of Directive 2011/24/EU of the European Parliament and of the Council for the benefit of this natural person; a specific number, symbol or element assigned to a natural person to identify him in a unique way for health purposes; information obtained during the testing or examination of a part of the body or a bodily substance, including from genetic data and biological samples; and any information regarding, for example, illness, disability, risk of illness, medical history, clinical treatment or the physiological or biomedical condition of the data subject, regardless of its source, whether for example from a doctor or other health professional, a hospital, a medical device or an in vitro diagnostic test.

consequences in terms of the rights of the employee, possible departure/reclassification, staff movements etc. This incapacity information nonetheless reveals information relating to the complainant's state of health and must therefore be considered as personal data relating to her health within the meaning of Article 4.15 of the GDPR.

19. Along the same lines, the other information recorded in the minutes (such as identified in point 15) relating to the long absence of the complainant and the fact that she is the subject of a report by Cohezio also constitutes, and for the same reasons, health data.

20. The material scope of the GDPR further requires that there be “processing” of personal data within the meaning of Article 4.2 of the GDPR, this processing being defined as “any operation or set of operations, whether or not performed using automated processes, and applied to personal data or sets of data, such as the collection, recording (…), communication by transmission, dissemination or any other form of provision, (…)”.

21.
In this case, the Litigation Chamber therefore considers that the recording in writing of the aforementioned information relating to the complainant (point 15) - including in particular her incapacity -, in the minutes of the meeting (which was communicated to the Litigation Chamber as part) is a processing of personal data within the meaning of Article 4.2 of the GDPR subject to its application in execution of its article 2.

22. The availability of the minutes of the service meeting is not challenged by Mr Z in the writings he sent to the Litigation Chamber (point 12). However, the Litigation Chamber was not able to verify materially that these meeting minutes have indeed been made available to the staff of the defendant through mail and on its server. If such should be the case, this provision of the complainant's personal data is additional processing which is added to the recording of these data in the minutes drawn up and saved electronically, and the following findings of violation also apply to it.

Regarding the identification of the data controller

23. The Litigation Chamber notes that under the terms of the complaint form filed, the complainant directs her complaint directly against her supervisor, Mr. Z. It nevertheless mentions his status as director within the Respondent.

24. The Litigation Chamber has already had the opportunity to point out [5] that it is often complex for the complainant to correctly identify the data controller with regard to the processing that he denounces, these notions being legally defined in articles 4.7 of the GDPR and probably difficult to understand for a person not versed in the matter.

25. The Litigation Chamber recalls here that a data controller is defined as “the natural or legal person or any other entity which alone or jointly with others, determines the purposes and means of the processing of personal data” (article 4.7 of the GDPR).
It is an autonomous concept, specific to the data protection regulations, the assessment of which must be made starting from the criteria it sets out: the determination of the purposes of the data processing concerned as well as that of the latter's means.

26. In its Guidelines 07/2020, the European Data Protection Board (EDPB) states that if the data controller may, under the terms of the aforementioned definition of Article 4.7 of the GDPR, of course be a natural person, in practice it is usually the organization itself, not a person within it (such as the general manager, an employee or a member of the board of directors), who acts as a controller within the meaning of the GDPR. Indeed, even though he certainly has a certain autonomy in the exercise of his functions, it is in this case not Director Z as such who determines the purposes and means of processing but the organization in which he works. Unless he exceeds his functions - which has not been demonstrated in this case - he is not the controller. The Litigation Chamber therefore considers that it is the defendant, and not one of its directors, who is the data controller, since it is up to the defendant to determine the purposes and means of the processing carried out within it.

27. Accordingly, the Litigation Division sent the invitation to conclude on April 8, 2020 both to the complainant and to the defendant as data controller.

Regarding the compliance of the processing with the GDPR

28. Any processing of personal data must be based on one of the bases of lawfulness provided for in Article 6.1 of the GDPR. Regarding the processing of special categories of data such as data relating to health as in the present case (points 16-17), the lawfulness condition referred to in Article 6.1 of the GDPR only applies if Article 9.2 of the GDPR provides a specific derogation from the general prohibition on processing the special categories of Article 9.1. In other words, when data within the meaning of Article 9
[5] See for example decisions 81/2020 and 76/2021 of the Litigation Chamber.

[6] European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on July 7, 2021 (version after public consultation), available here: https://edpb.europa.eu/system/files/2022-02/eppb_guidelines_202007_controllerprocessor_final_fr.pdf

of the GDPR are processed, their processing must find a basis in article 9.2 of the GDPR read in conjunction with Article 6.1 of the GDPR.

29. Since the defendant processed data relating to the complainant's health, the processing of such data should, as just mentioned, find a basis in Article 9.2 of the GDPR, read in conjunction with Article 6.1 of the GDPR.

30. In the present case, the complainant does not dispute the lawfulness of the processing by the defendant of the information that, at the end of the Cohezio report, she was declared unfit for work. The Litigation Chamber recalls that in addition to the fact that the lawfulness of the processing must be based on a combined reading of Articles 6.1 and 9.2 of the GDPR, article 9 of the LTD also applies in this case when data relating to health are processed. [7] The national legislator has provided that, in execution of Article 9.4 of the GDPR, the controller takes the following additional measures, in particular when processing health data:

1° the categories of persons having access to the personal data are designated by the controller or, where applicable, by the processor, with a precise description of their function in relation to the processing of the data concerned.
This requirement translates the “need to know” principle according to which only persons for whom the processing of this data is necessary for the performance of their duties are authorized to do so;

2° the list of the categories of persons thus designated is made available to the competent supervisory authority by the controller or, where applicable, by the processor;

3° it ensures that the designated persons are bound by a legal or statutory obligation, or by an equivalent contractual provision, to respect the confidentiality of the data concerned.

31. What is disputed by the complainant is the subsequent communication of information relating to her health to colleagues in her department as well as to all the staff of the defendant by making the minutes of the meeting available on the server.

32. As it has already had occasion to specify in other decisions, the Litigation Chamber recalls here that the processing of personal data carried out for purposes other than those for which the personal data was collected initially can be authorized in accordance with article 5.1.b) of the GDPR only if it is compatible with the purposes for which the personal data were originally collected. [9]

[7] Article 9.4: Member States may maintain or introduce additional conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

[8] See for example decision 80/2022 of the Litigation Chamber and the references cited.

33. In view of the criteria set out in Article 6.4 of the GDPR and in recital 50, it is appropriate to verify whether the subsequent processing – in this case the communication of said information to other staff to inform them about staff movements - is or is not compatible with the purpose of the initial processing.

34.
In this case, the Litigation Division notes that this subsequent communication pursues an objective distinct from the primary purpose, which was to receive information and to process it at the level of human resources departments for personnel management purposes (end of the employment relationship, granting of rights, possible redeployment/mobility, etc.). In this respect, only certain persons are, in the exercise of their specific function, authorized to receive this information, particularly given its sensitivity and its impact for the data subject and the principle of data minimization (proportionality - article 5.1.c) of the GDPR).

35. The Litigation Division concludes in this case that this subsequent communication is not compatible with the original purpose. This communication does not meet the reasonable expectations of the person concerned. Given the specific legal framework to which the processing of information processed by Cohezio (personal data relating to health) is subject (limitation of recipients, lack of precise diagnosis), the person concerned – here the complainant – cannot reasonably expect that these same data are, on the contrary, communicated widely beyond the only persons having a functional need to know them. The sensitivity of the data also conflicts with a broadly conceived compatibility.

36. It follows that there is no question of compatible further processing, so that a separate legal basis was required for said communication to be qualified as lawful. [10]

37. Processing of personal data, including incompatible further processing as in the present case, is in fact lawful only if it is based on its own basis of lawfulness. Recital 50 of the GDPR [11] is explicit in this regard. These legal bases

[9] Recital 50 of the GDPR: [...]
(Footnote 9, continued) In order to establish whether the purposes of further processing are compatible with those for which the personal data was initially collected, the controller, after having complied with all requirements relating to the lawfulness of the initial processing, should take into account, inter alia: any link between these purposes and the purposes of the intended further processing; the context in which the personal data was collected, in particular the reasonable expectations of the persons concerned, according to their relationship with the controller, as to the subsequent use of said data; the nature of the personal data; the consequences for data subjects of the intended further processing; and the existence of appropriate safeguards both as part of the initial processing and as part of the planned subsequent processing.

[10] In the same direction, see the substantive decision 03/2021 of January 13, 2021 of the Litigation Chamber, point 14: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-03-2021.pdf.

[11] Recital 50 of the GDPR: The processing of personal data for purposes other than those for which the personal data was originally collected should only be allowed if compatible

distinct are those defined in article 6.1 of the GDPR and, where applicable, when it comes to data relating to health as in the present case, in Article 9.2 of the GDPR read in conjunction with its article 6.1.

38. The Respondent itself does not cite any basis of lawfulness and the Litigation Chamber could confine itself to this finding. The Litigation Chamber is however of the opinion that the communication of the complainant's (health) data cannot in this case be based on any basis of lawfulness of its own.

39. The Litigation Division certainly does not question the will or the legitimacy of the defendant to inform its employees of staff movements. In this
In this meaning, the Litigation Chamber has already stated in its decision 63/2021, that it is appropriate, within the framework of personnel policy, to inform employees of such movements. However, to comply with the principle of data minimization (proportionality) of the data, it is sufficient that this communication remains limited to the factual communication of the fact that the person concerned, such as the complainant here, is no longer in service. 40. Regarding the assumptions of Article 9.2. read in conjunction with Article 6.1. of the GDPR, the Litigation Chamber finds that - said communication to other members of staff and its recording in a minutes of the meeting are not based on the consent of the complainant, although on the contrary (article 9.2. a) of the GDPR) and this, even assuming that it can constitute a valid basis of lawfulness in the context of the professional relationship which binds it to the defendant, quod non; - said communication to other members of staff and its recording in a minutes of the meeting cannot be considered necessary for the purposes of the execution of the obligations and the exercise of the rights specific to the person in charge of the treatment or the complainant in matters of labor law, social security and social protection (article 9.2. b) of the GDPR); - this communication to other staff members and its recording in a meeting minutes are not necessary to safeguard vital interests of the complainant (article 9.2. c) of the GDPR); - communication and recording in meeting minutes are not carried out by a foundation, an association or any other non-profit organization lucrative and pursuing a political, philosophical, religious or union purpose, in the context of their legitimate activities (article 9.2. d) of the GDPR); with the purposes for which the personal data was originally collected. In this case, none separate legal basis from that which allowed the collection of personal data will be required. 
[...], Decision on the merits 115/2022 - 11 /13 - the communication and recording in the minutes of the meeting do not relate on personal data which would obviously have been made public by the complainant (Article 9.2. e) of the GDPR); - communication and recording in the meeting minutes are not necessary for the establishment, exercise or defense of legal claims or whenever courts act within the framework of their judicial function (article 9.2. f) of the GDPR); - communication and recording in the meeting minutes are not necessary for reasons of important public interest (Article 9.2. g) of the GDPR); - communication to other staff members and recording in the meeting minutes are not necessary for the purposes of preventive medicine or occupational medicine, the assessment of the worker's ability to work, medical diagnoses, health or social care, or management health care or social protection systems and services on the basis of Union law, the law of a Member State or under a contract concluded with a healthcare professional (article 9.2. h) of the GDPR); - this communication and the recording in the minutes of the meeting are not necessary for reasons of public interest in the field of public health, such as that protection against serious cross-border threats to health, or for the purpose of ensuring high standards of quality and safety in healthcare and medicines or medical devices (Article 9.2. i) of the GDPR); - communication and recording in the meeting minutes are not necessary for archival purposes in the public interest, for research purposes scientific or historical or for statistical purposes (Article 9.2. j) of the GDPR). 41. In the absence of a basis of lawfulness legitimizing the processing complained of (subsequent incompatible) of the complainant's data, the Litigation Chamber concludes that the defendant has violates Articles 5.1.b) juncto 6.4 and 9.2. read in conjunction with Article 6.1. of the GDPR. 
The complainant's data were indeed the subject of further processing incompatible with the specified, lawful and legitimate purposes for which they were initially collected, without it being possible to rely on a basis of lawfulness of its own.

[12] See footnote 11 above.

[13] Article 5.1.b) of the GDPR.

Regarding corrective measures and sanctions

42. Under Article 100 LCA, the Litigation Chamber has the power to:

1° dismiss the complaint without follow-up;
2° order the dismissal;
3° order a suspension of the pronouncement;
4° propose a transaction;
5° issue warnings or reprimands;
6° order compliance with the data subject's requests to exercise his or her rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of processing;
9° order the processing to be brought into conformity;
10° order the rectification, the restriction or the erasure of the data and the notification of these to the recipients of the data;
11° order the withdrawal of accreditation from certification bodies;
12° issue periodic penalty payments;
13° impose administrative fines;
14° order the suspension of cross-border data flows to another State or an international body;
15° forward the file to the public prosecutor's office in Brussels, which informs it of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

43. It is important to contextualize the breaches for which the defendant is responsible with a view to identifying the most appropriate corrective measures and sanctions.

44. In view of the breach of Articles 5.1.b) juncto 6.4 and 9.2, read in conjunction with Article 6.1, of the GDPR noted in point 41, the Litigation Chamber is of the opinion that the appropriate corrective measure is to issue a reprimand to the defendant.
As the defendant is a public authority within the meaning of Article 221, § 2, of the LTD, the Litigation Chamber is not competent to impose any fine on it. The Litigation Chamber also invites the defendant to raise awareness among its staff so that similar situations do not occur in the future.

45. In addition, the Litigation Chamber also notes that, on the basis of the breaches found in this decision, it is for the defendant to take, in its capacity as data controller, the measures necessary to restrict or even eliminate henceforth the dissemination to third parties of the information relating to the health of the complainant, as identified in points 17 and 19. In line with what it states in point 39 above, only the information covered by the certificate issued by Cohezio relating to the absence and the reason for the absence (unfitness) is concerned here; the statement, reformulated if necessary, that the complainant will no longer be in service with the defendant may stand.

III. Publication of the decision

45. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the website of the Data Protection Authority (APD). However, it is not necessary for this purpose that the identification data of the parties be directly mentioned.

FOR THESE REASONS,

the Litigation Chamber of the Data Protection Authority decides, after deliberation:

- Pursuant to Article 100, § 1, 5° of the LCA, to issue a reprimand to the defendant.

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, with the Court of Markets (Brussels Court of Appeal), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in Article 1034ter of the Judicial Code.
The interlocutory request must be filed with the registry of the Court of Markets in accordance with Article 1034quinquies of the Judicial Code [15], or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).

(Signed) Hielke HIJMANS
President of the Litigation Chamber

[14] The application contains, on pain of nullity: 1° an indication of the day, month and year; 2° the surname, first name and domicile of the applicant, as well as, where applicable, his capacity and his national register number or business number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the subject matter and a summary of the grounds of the application; 5° an indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer.

[15] The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by registered letter to the court clerk or filed with the court registry.