APD/GBA (Belgium) - 135/2023: Difference between revisions
mNo edit summary |
No edit summary |
||
Line 65: | Line 65: | ||
}} | }} | ||
The Belgian DPA issued a warning in response to violations of Articles 5(1)(b) and 5(1)(c) GDPR, [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] committed by an employer, who had continued to use their employee’s e-mail address for company purposes following the termination of the employment contract. | The Belgian DPA issued a warning in response to violations of [[Article 5 GDPR|Articles 5(1)(b)]] and [[Article 5 GDPR|5(1)(c) GDPR]], [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] committed by an employer, who had continued to use their employee’s e-mail address for company purposes following the termination of the employment contract. | ||
== English Summary == | == English Summary == | ||
Line 79: | Line 79: | ||
=== Holding === | === Holding === | ||
The Belgian DPA found a breach of Articles 5(1)(b) and 5(1)(c) GDPR, [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]]. | The Belgian DPA found a breach of [[Article 5 GDPR|Articles 5(1)(b)]] and [[Article 5 GDPR|5(1)(c) GDPR]], [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]]. | ||
Firstly, the Belgian DPA found that there had been a violation of the principles of data minimisation (Article 5(1)(c) GDPR) and purpose limitation (Article 5(1)(b) GDPR) as the data subject’s e-mail account remained active and in-use following the termination of the employment relationship on 30 April 2023 and following the e-mail of 9 May 2023. The controller, following these two events, continued to access, use and send e-mails to external persons from the data subject’s e-mail address. | Firstly, the Belgian DPA found that there had been a violation of the principles of data minimisation ([[Article 5 GDPR|Article 5(1)(c) GDPR]]) and purpose limitation ([[Article 5 GDPR|Article 5(1)(b) GDPR]]) as the data subject’s e-mail account remained active and in-use following the termination of the employment relationship on 30 April 2023 and following the e-mail of 9 May 2023. The controller, following these two events, continued to access, use and send e-mails to external persons from the data subject’s e-mail address. | ||
Secondly, the Belgian DPA found a breach of [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]]. The DPA found that the controller could not seek to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a legal basis, because the processing continued following the termination of the employment contract. Moreover, neither could the controller rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis. Keeping the mailbox active after the termination would only have been legitimate for the purposes of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], if this was done during the transition period following the end of the employment contract ''“…so far as this is limited to the automatic transmission of standard communications concerning the departure of the employee, with a view to ensuring the proper functioning of the company and the continuity of its services.”'' However, the DPA noted that this could have only been done in a GDPR-compliant manner if the data subject was informed as per the requirements under [[Article 13 GDPR|Article 13 GDPR]]. In the present instance, the data subject was neither informed of the continued use of his e-mail account or the e-mail of 9 May 2023, and the controller continued to use the data subject’s e-mail account beyond the transition period. | Secondly, the Belgian DPA found a breach of [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]]. The DPA found that the controller could not seek to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a legal basis, because the processing continued following the termination of the employment contract. Moreover, neither could the controller rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis. Keeping the mailbox active after the termination would only have been legitimate for the purposes of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], if this was done during the transition period following the end of the employment contract ''“…so far as this is limited to the automatic transmission of standard communications concerning the departure of the employee, with a view to ensuring the proper functioning of the company and the continuity of its services.”'' However, the DPA noted that this could have only been done in a GDPR-compliant manner if the data subject was informed as per the requirements under [[Article 13 GDPR|Article 13 GDPR]]. In the present instance, the data subject was neither informed of the continued use of his e-mail account or the e-mail of 9 May 2023, and the controller continued to use the data subject’s e-mail account beyond the transition period. | ||
In response to the violations of Articles 5(1)(b) and 5(1)(c) GDPR, [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]], the DPA issued a warning. | In response to the violations of [[Article 5 GDPR|Articles 5(1)(b)]] and [[Article 5 GDPR|5(1)(c) GDPR]], [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]], the DPA issued a warning. | ||
== Comment == | == Comment == |
Latest revision as of 11:36, 11 October 2023
APD/GBA - 135/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 6(1) GDPR Article 13(1)(c) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 21.09.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 135/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | APD (in NL) |
Initial Contributor: | n/a |
The Belgian DPA issued a warning in response to violations of Articles 5(1)(b) and 5(1)(c) GDPR, Article 6(1) GDPR and Article 13(1)(c) GDPR committed by an employer, who had continued to use their employee’s e-mail address for company purposes following the termination of the employment contract.
English Summary
Facts
The complaint concerned the unlawful use of the data subject's former employee e-mail account. The data subject was an employee of the controller until 30 April 2023.
On 9 May 2023, an email was sent without the data subject's knowledge from their former employee e-mail address, informing the controller’s clientele that the data subject was no longer employed with them and of the new contact point.
Following the email of 9 May 2023, the data subject’s work e-mail was still active and its contents were being read. The data subject discovered this and on 8 July 2023, requested the controller to delete their former employee e-mail. The data subject received no response to their request.
On 17 July 2023, the data subject filed a complaint with the Belgian DPA.
Holding
The Belgian DPA found a breach of Articles 5(1)(b) and 5(1)(c) GDPR, Article 6(1) GDPR and Article 13(1)(c) GDPR.
Firstly, the Belgian DPA found that there had been a violation of the principles of data minimisation (Article 5(1)(c) GDPR) and purpose limitation (Article 5(1)(b) GDPR) as the data subject’s e-mail account remained active and in-use following the termination of the employment relationship on 30 April 2023 and following the e-mail of 9 May 2023. The controller, following these two events, continued to access, use and send e-mails to external persons from the data subject’s e-mail address.
Secondly, the Belgian DPA found a breach of Article 6(1) GDPR and Article 13(1)(c) GDPR. The DPA found that the controller could not seek to rely on Article 6(1)(b) GDPR as a legal basis, because the processing continued following the termination of the employment contract. Moreover, neither could the controller rely on Article 6(1)(f) GDPR as a legal basis. Keeping the mailbox active after the termination would only have been legitimate for the purposes of Article 6(1)(f) GDPR, if this was done during the transition period following the end of the employment contract “…so far as this is limited to the automatic transmission of standard communications concerning the departure of the employee, with a view to ensuring the proper functioning of the company and the continuity of its services.” However, the DPA noted that this could have only been done in a GDPR-compliant manner if the data subject was informed as per the requirements under Article 13 GDPR. In the present instance, the data subject was neither informed of the continued use of his e-mail account or the e-mail of 9 May 2023, and the controller continued to use the data subject’s e-mail account beyond the transition period.
In response to the violations of Articles 5(1)(b) and 5(1)(c) GDPR, Article 6(1) GDPR and Article 13(1)(c) GDPR, the DPA issued a warning.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/9 Dispute Chamber Decision 135/2023 of September 21, 2023 File number: DOS-2023-03073 Subject: The alleged unlawful use of the former business employee email account The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”; In view of the internal rules of order, as approved by the House of Representatives Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has made the following decision regarding: Complainant: Mr X, hereinafter “the complainant” The defendant: Y, hereinafter “the defendant” Decision 135/2023 — 2/9 I. Facts and procedure 1. The subject of the complaint concerns the alleged unlawful use of the complainant's former work email account. 2. Complainant was an employee of the defendant until April 30, 2023. On May 9, 2023, an e-mail was sent email sent from the complainant's former work email account (…) to the clientele of the defendant to inform them of the new employment of complainant and to appoint a new contact person in this regard. The email became sent in the capacity of the complainant himself, although he indicates that he has nothing to do with this to have made, nor to have given his consent. 3. On May 17, 2023 and June 26, 2023, the complainant allegedly found that his old mailbox was still always existed and that its contents were read. Reply to emails to this email email address would be answered from another account (no answer will follow from(..) ). 4. On July 8, 2023, the defendant is given notice of default by the complainant. In this notice of default also becomes a request to delete his former business mailbox included. At the time of filing the complaint, the complainant does not have any may receive a response from the defendant. 5. On July 17, 2023, the complainant files a complaint with the Data Protection Authority against the defendant. 6. On July 20, 2023, the complaint will be declared admissible by the First Line Service on the grounds of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG transferred to the Disputes Chamber. II. Justification 7. The elements in this case are divided into two different processes. On the one hand it is there is a failure to delete the complainant's former business mailbox and the alleged access to this by the defendant, on the other hand there is the matter of sending of the email on May 9, 2023 by the defendant on behalf of the complainant, using from his business mailbox. As for failure to delete the mailbox and gain access to it provided by the defendant: 8. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case Decision 135/2023 — 3/9 the Disputes Chamber will proceed to dismiss these aspects of the complaint in accordance with Article 95, § 1, 3° WOG, on the basis of the following justification. 9. If a complaint is dismissed, the Disputes Chamber will make its decision 1 to motivate gradually and: - to issue a technical dismissal if the file does not exist or is insufficient contains elements that could lead to a conviction, or if there is insufficient there is a prospect of a conviction due to a technical obstacle, which prevents her from reaching a decision; - or declare a policy rejection, if despite the presence of elements that could lead to a sanction, the continuation of the investigation dossier does not seem appropriate in the light of the priorities of the Data Protection Authority, as specified and explained in the 2 dismissal policy of the Disputes Chamber. 10. In the event of dismissal on more than one ground, the grounds for dismissal (resp. 3 technical dismissal and policy dismissal) should be treated in order of importance. 11. In the present file, the Disputes Chamber will dismiss this case aspects of the complaint, on the basis of a policy grounds for dismissal. A complaint will not be filed sufficiently supported by documentary evidence, allowing the Dispute Chamber to accept the considers it undesirable to take further action on these aspects of the file and therefore decides not to proceed, inter alia, to a hearing on the merits. 12. The Disputes Chamber establishes that the defendant prima facie has not complied with all the provisions of the Dispute chamber regarding the management of e-mail accounts of former employees seems to have been complied with, although a processing of the business mailbox is in principle lawful. According to the Disputes Chamber, it is to the controller the holder of the mailbox who has terminated his position, at the latest on the day of his actual departure with an automatic message. Decision 133/2021 expressly states inform that “this automatic message warns all subsequent correspondents that the the person concerned no longer performs his position within the company and provides the contact details of the person (or general email address) who should take his place will be contacted during a reasonable period (a priori 1 month).Depending 1st Brussels Court of Appeal, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020, p. 18. 2In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf 3 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the dismissal policy of the Disputes Chamber. 4Cf. decisions 64/2020 and 133/2021. 5Cf. decision 46/2020, legal basis. 29 et seq. and decision 133/2021 para. 56 et seq. Decision 135/2023 — 4/9 of the contexts and in particular the degree of responsibility that the person concerned exercises, a longer period may be permitted, ideally no longer than three months. The extension must be done with the consent of the person concerned or at least after has been informed of the extension.” 13. In summary, it can be said that the controller is a transition period of one month in principle, after which it will receive the e-mail address and the mailbox of the data subject must be deleted, unless mutually agreed upon controller and ex-employee other agreements have been made in this regard 6 bandage . The complainant provides two documents in support of the allegation must demonstrate that in this case the mailbox was not closed in time and even here still had access to laundry by the defendant on May 17, 2023 and June 26, 2023. The Disputes Chamber notes, however, that these documents do not sufficiently assist the Disputes Chamber to decide whether or not there has been a violation of the GDPR. This is because of the next reason; it concerns email traffic in which not all emails are included (complainant seems to have extracts of emails pasted under each card).Can be seen from the emails that the defendant's clients were confused about who they should contact. However, The Disputes Chamber cannot automatically conclude from this that the mailbox still existed and the defendant took note of its contents. Some of the pieces added by the complainant are said to be emails addressed to (…) , after which defendant would have responded from a different email address. However, the Disputes Chamber determines that neither the original email nor the sender(s) of these were provided by the complainant in the documents, resulting in the complete exchange and a concrete indication that a response followed from the defendant to an e-mail that was purely addressed to the complainant's business mailbox is missing. The Disputes Chamber eight These documents are too suggestive and not sufficiently convincing to establish that there is a violation of the GDPR has occurred. 14. Due to this lack of supporting evidence, the Disputes Chamber is forced to the complaint, with regard to the current existence of the former business mailbox 6 In its recommendation CM/Rec (2015)5 on the processing of personal data in the context of the employment relationship, the Committee of Minister of the Council of Europe in principle 14.5 the following: when an employee his or her job leaves, the employer must take technical and organizational measures to ensure that the email from the employee is automatically deactivated. If the contents of the email must be requested for good functioning of the organization, the employer must take appropriate measures to retrieve the contents of the email before the employee's departure and, if possible, in his presence. The explanation accompanying the recommendation states further (para 122) that in these situations where the employee leaves the organization, the employer retains the account of the former employee must deactivate so that there is no longer access to the former employee's communications after his departure. If the employer wishes to recover the contents of the employee's account, the employer must take the necessary steps to take steps before the employee's departure, preferably in his presence. This sectoral recommendation that and completes the Convention for the Protection of Individuals with regard to Automated Processing personal data (STE108), illustrates how the principles regarding purpose limitation, minimal data processing proportionate retention, which are confirmed in both this Treaty and the GDPR, should be applied. Decision 135/2023 — 5/9 to dismiss, although she recommends that, if this has not yet happened in the meantime, still to be adjusted. With regard to the email dated May 9, 2023 that was sent on behalf of the complainant: 15. The documents in this file show that the complainant's former business email address was still active within the defendant's organization on May 9, 2023, while the cooperation had already ended on April 30, 2023 and the complainant had no information received information about the further use of his mailbox and email address. Although the indicative period of one month after termination of the complainant's activities at the moment sending of the e-mail in question had not yet expired, which could possibly be the case it is stated that the principle of storage limitation has been complied with (the contrary is stated). in any case not proven), the Disputes Chamber must nevertheless determine that both purpose limitation principle as the principle of data minimization was by no means established respected because the defendant was able to gain access after the complainant's departure to the complainant's mailbox, has also used it and to the messages were sent to external parties using the complainant's email address persons. 16. This leads the Disputes Chamber to suspect that the defendant has committed an infringement committed under Article 5.1.b) and Article 5.1.c) GDPR. 17. Furthermore, the Disputes Chamber must determine that there is no legal basis for this processing was. It is true that the mailbox can, in view of the legitimate interest of defendant in accordance with the terms of Article 6.1.f) of the GDPR, remain active in this regard for a certain period after the complainant's resignation this is limited to the automatic sending of standard communications regarding the departure of the employee, with a view to ensuring the proper functioning of the company and the continuity of its services. This is of course only possible provided the other provisions of the GDPR regarding the legal basis are also respected, in particular article 13.1.c) GDPR, from which it follows that before starting the processing activities, it must be determined which legal basis applies, and in connection with which specific purpose, with the obligation for the controller to inform the complainant thereof. 18. It does not appear prima facie from the file that the defendant informed the complainant processed on the legal basis and on the basis of his consent. Consequently, it has The defendant processes the complainant's personal data against his expectations. In this In this connection, reference must also be made to the judgment of the Court of Cassation dated 20 May 2019, which stipulates that no one may intentionally learn of its existence 7In this context, reference can also be made to a judgment of the Court of Cassation. Decision 135/2023 — 6/9 of information of any kind that is sent electronically and that is not personal intended for him, if permission has not been obtained from everyone other persons directly or indirectly involved. 19. Finally, reference should also be made to the legal basis contained in Article 6.1.b) GDPR, on the basis of which processing can take place if it is necessary for the execution of an agreement. In this case, this cannot be relied on either, as the complainant had already terminated his contractual employment relationship with the respondent on April 30, 2023. 20. Based on the above analysis, the Dispute Chamber assumes that the defendant has committed an infringement of the provisions of the GDPR, which justifies that in this case a decision is made on the basis of Article 95, §1, 4° of the WOG, more specifically to formulate a warning with regard to from the defendant with regard to the email dated May 9, 2023 that was sent from name of the complainant. The documents submitted do not in any way show that the defendant op systematically and purposefully processes personal data of data subjects without appropriate legal basis and without informing the data subjects. Accordingly, the Disputes Chamber does not need to impose other sanctions defendant. The Disputes Chamber determines that the defendant has violated the articles 5.1.a), b) and c), and Articles 6.1 GDPR in conjunction with Article 13.1.c) GDPR. 21. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant 9 complaint, in the context of the “procedure prior to the decision on the merits” and none decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG. The Disputes Chamber has thus decided on the basis of Article 58.2.a) GDPR and Article 95, §1, 4° of the WOG, to formulate a warning regarding the defendant, for what concerns the unlawful processing of personal data that took place in the in the context of broadcasting the email dated May 9, 2023 that was sent on behalf of the complainant. 22. The purpose of this decision is to inform the defendant of the fact that this has committed an infringement of the provisions of the GDPR and has the opportunity to do so still agree to comply with the aforementioned provisions. 23. However, if the defendant does not agree with the content of this prima facie statement decision and is of the opinion that it can apply factual and/or legal arguments that could lead to a different decision, this can be done via the e-mail address 8See judgment HvC, S.17.0089.F, 20 May 2019, ECLI:BE:CASS:2019:ARR.20190520.5. 9Section 3, Subsection 2 of the WOG (Articles 94 to 97). Decision 135/2023 — 7/9 litigationchamber@apd-gba.be send a request to hear the merits of the case to the Disputes Chamber within thirty days after notification of the decision. The implementation of this decision will be carried out if necessary suspended for the aforementioned period. 24. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures referred to in Article 100 of the 10 WOG . III. Publication and communication of the decision 25. Considering the importance of transparency with regard to decision-making Dispute Chamber, this decision will be published on the website of the Data Protection Authority. On the other hand, it is not necessary that the identification details of the parties are disclosed directly. 26. In accordance with its deposit policy, the Disputes Chamber will issue the decision to the defendant to transfer . After all, the Disputes Chamber has decided to dismiss its decisions ex officio to the defendants. However, the Dispute Chamber decided not to do so such a notification when the complainant has requested anonymity in this regard of the defendant and the notification of the decision to the defendant, even if 10Article 100, §1 WOG: “The Disputes Chamber has the authority to: 1° to dismiss a complaint; 2° to order the dismissal of prosecution; 3° order the suspension of the ruling; 4° to propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° to order that the person concerned is informed of the security problem. 8° order that processing be temporarily or permanently frozen, restricted or prohibited; 9° to order that the processing be brought into compliance; 10° the rectification, restriction or deletion of data and its notification to the recipients of the data recommend data; 11° order the withdrawal of the recognition of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° the suspension of cross-border data flows to another State or an international institution command; 15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the outcome that is given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. 11Cf. Title 5 – Will the dismissal of my complaint be published? Will the other party be informed of this? of the dismissal policy of the Disputes Chamber. Decision 135/2023 — 8/9 it is pseudonymised, nevertheless makes it possible to contact the complainant (re)identify . However, this is not the case in the present case. FOR THESE REASONS , the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - the current complaint to the extent to which it relates to the removal of the mailbox on the basis of Article 95, § 1, 3° of the WOG. - issue a warning to the controller as regards the lack of the principles of purpose limitation and minimum data processing, as stated in articles 5.1.b) and c) GDPR, and a to issue a warning regarding the lack of legal basis, such as stated in articles 6.1 and 5.1.a) in conjunction with article 13.1.c) GDPR. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notice, an appeal against this decision will be filed with the Market Court (court of appeal Brussels), with the Data Protection Authority as defendant. Such an appeal can be lodged by means of an inter partes petition 13 must contain information listed in Article 1034ter of the Judicial Code. It an objection petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code). 12 Ibid. 13The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and brief summary of the grounds of the claim; 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer. 14 The petition with its attachment will be sent by registered letter in as many copies as there are parties involved. deposited with the clerk of the court or at the registry. Decision 135/2023 — 9/9 To enable the complainant to consider other possible remedies, the Disputes Chamber will refer the complainant to the explanation in its dismissal policy. 15 (get). Hielke H IJMANS Chairman of the Disputes Chamber 15Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.