IDPC (Malta) - CDP/COMP/577/2023: Difference between revisions

From GDPRhub
(In general a good summary! Please ensure that the facts are specific and in chronological order. If the decision is split into sections, please try and follow this for the Holding. For example, that the DPA considered the access and the deletion as two seperate points. Thank you so much!)
Line 66: Line 66:


=== Facts ===
=== Facts ===
The data subject lodged a complaint with the Commissioner, alleging that his employer (the controller) accessed his work email account and failed to provide him with the option to delete all personal documents contained in such account after terminating his employment.  
On the 14th of May 2023 a data subject lodged a complaint with the Maltese DPA. He complained that when terminating his employment, his employer (the controller) accessed his work emails and failed to provide him with a right to clear his mailbox. The data subject highlighted that he had personal documents on the account such as electricity bills.


The controller sought to argue that, although the data subject was not permitted to use his work email for his own private purposes, access to the account had been granted after the termination, precisely to allow deletion of personal data unrelated to work. The work email was later wiped, and this was confirmed by the data subject a few months after.  
The controller defended himself against these allegations to the DPA under when given the opportunity under [[Article 58 GDPR|Article 58(1)(a) GDPR.]] The controller stated that the access to the account had been granted desppite the termination of employment. This access had been granted because the data subject had highlighted the personal documents contained on the account. The controller submitted an email of this grant of access as evidence. The data subject was informed that after he had accessed what he required, the account would be deleted permanently.


Nevertheless, the data subject was of the opinion that the controller had already snooped into his mailbox.
The data subject rebutted these claims by only claiming that he was 'suspicious' that the government has already 'snooped' into all his mail.
 
The controller was given one final chance to rebutt the data subject's arguments. The controller gave evidence that at no point had they accessed the data subject's personal data within his work email. In fact, when they did access it in order to delete it, they noted that everything had already been erased within the account. This fact was confirmed by the data subject himself in an email.


=== Holding ===
=== Holding ===
The Commissioner held that the work email account contained the data subjects personal data, as defined in [[Article 4 GDPR#1|Article 4(1) GDPR]], as it contained their name and surname. Consequently, when the controller processes personal data, such processing operation must comply with the appropriate legal criteria and principles established under the Regulation.
The Commissioner dismissed the complaint.
 
As a preliminary point, the DPA noted that the work email account contained the data subjects personal data, as defined in [[Article 4 GDPR#1|Article 4(1) GDPR.]] Consequently, processing operations by the contoller must be GDPR compliant.  


In addition, following a termination of an employment relationship, the controller shall provide the data subject the opportunity to keep a copy of any personal emails stored in the mailbox and delete them accordingly.  
As to whether the controller accessed the data subject's work account, the DPA noted that the data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint under [[Article 77 GDPR|Article 77 GDPR.]] Other than the deletion of the account, it cannot be proved that any other person accessed his email accounts.


The data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. In accordance with [[Article 77 GDPR|Article 77 GDPR]], data subjects are entitled to lodge a complaint with a supervisory authority if they consider that a particular processing relating to them infringes the GDPR. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint. Other than the webmaster hosting the email accounts, it cannot be proved that any other person accessed his email accounts.  
The DPA analysed the evidence given by the controller. They noted that the data subject himself admitted that he had been given access to delete information on the account.


On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint.
On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint.

Revision as of 09:36, 7 November 2023

IDPC - CDP/COMP/577/2023
LogoMT.jpg
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 4(1) GDPR
Article 77 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: CDP/COMP/577/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: Sainey Belle

The Maltese DPA rejected a complaint due to a lack of concrete evidence of an infringement of data protection rights

English Summary

Facts

On the 14th of May 2023 a data subject lodged a complaint with the Maltese DPA. He complained that when terminating his employment, his employer (the controller) accessed his work emails and failed to provide him with a right to clear his mailbox. The data subject highlighted that he had personal documents on the account such as electricity bills.

The controller defended himself against these allegations to the DPA under when given the opportunity under Article 58(1)(a) GDPR. The controller stated that the access to the account had been granted desppite the termination of employment. This access had been granted because the data subject had highlighted the personal documents contained on the account. The controller submitted an email of this grant of access as evidence. The data subject was informed that after he had accessed what he required, the account would be deleted permanently.

The data subject rebutted these claims by only claiming that he was 'suspicious' that the government has already 'snooped' into all his mail.

The controller was given one final chance to rebutt the data subject's arguments. The controller gave evidence that at no point had they accessed the data subject's personal data within his work email. In fact, when they did access it in order to delete it, they noted that everything had already been erased within the account. This fact was confirmed by the data subject himself in an email.

Holding

The Commissioner dismissed the complaint.

As a preliminary point, the DPA noted that the work email account contained the data subjects personal data, as defined in Article 4(1) GDPR. Consequently, processing operations by the contoller must be GDPR compliant.

As to whether the controller accessed the data subject's work account, the DPA noted that the data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint under Article 77 GDPR. Other than the deletion of the account, it cannot be proved that any other person accessed his email accounts.

The DPA analysed the evidence given by the controller. They noted that the data subject himself admitted that he had been given access to delete information on the account.

On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.