IDPC (Malta) - CDP/COMP/577/2023: Difference between revisions

Latest revision as of 09:37, 7 November 2023

IDPC - CDP/COMP/577/2023

Authority:	IDPC (Malta)
Jurisdiction:	Malta
Relevant Law:	Article 4(1) GDPR Article 77 GDPR
Type:	Complaint
Outcome:	Rejected
Started:
Decided:
Published:
Fine:	n/a
Parties:	n/a
National Case Number/Name:	CDP/COMP/577/2023
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	English
Original Source:	IDPC (in EN)
Initial Contributor:	Sainey Belle

The Maltese DPA rejected a complaint due to a lack of concrete evidence from the data subject.

English Summary

Facts

On the 14th of May 2023 a data subject lodged a complaint with the Maltese DPA. He complained that when terminating his employment, his employer (the controller) accessed his work emails and failed to provide him with a right to clear his mailbox. The data subject highlighted that he had personal documents on the account such as electricity bills.

The controller defended himself against these allegations to the DPA under when given the opportunity under Article 58(1)(a) GDPR. The controller stated that the access to the account had been granted desppite the termination of employment. This access had been granted because the data subject had highlighted the personal documents contained on the account. The controller submitted an email of this grant of access as evidence. The data subject was informed that after he had accessed what he required, the account would be deleted permanently.

The data subject rebutted these claims by only claiming that he was 'suspicious' that the government has already 'snooped' into all his mail.

The controller was given one final chance to rebutt the data subject's arguments. The controller gave evidence that at no point had they accessed the data subject's personal data within his work email. In fact, when they did access it in order to delete it, they noted that everything had already been erased within the account. This fact was confirmed by the data subject himself in an email.

Holding

The DPA dismissed the complaint.

As a preliminary point, the DPA noted that the work email account contained the data subjects personal data, as defined in Article 4(1) GDPR. Consequently, processing operations by the contoller must be GDPR compliant.

As to whether the controller accessed the data subject's work account, the DPA noted that the data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint under Article 77 GDPR. Other than the deletion of the account, it cannot be proved that any other person accessed his email accounts.

The DPA analysed the evidence given by the controller. They noted that the data subject himself admitted that he had been given access to delete information on the account.

On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

@@ Line 61: / Line 61: @@
 }}
-The Maltese DPA rejected a complaint due to a lack of concrete evidence of an infringement of data protection rights
+The Maltese DPA rejected a complaint due to a lack of concrete evidence from the data subject.
 == English Summary ==
 === Facts ===
-The data subject lodged a complaint with the Commissioner, alleging that his employer ( the controller) accessed his work email account and failed to provide him with the option to delete all personal documents in his work email account after terminating his employment.
+On the 14th of May 2023 a data subject lodged a complaint with the Maltese DPA. He complained that when terminating his employment, his employer (the controller) accessed his work emails and failed to provide him with a right to clear his mailbox. The data subject highlighted that he had personal documents on the account such as electricity bills.
-The controller sought to argue that, although the data subject was not permitted to use his work email for his own private purposes, access was granted after the termination of his employment to the work email account in order to delete all personal data present. The work email was later wiped, and this was confirmed by the data subject a few months after.
+The controller defended himself against these allegations to the DPA under when given the opportunity under [[Article 58 GDPR|Article 58(1)(a) GDPR.]] The controller stated that the access to the account had been granted desppite the termination of employment. This access had been granted because the data subject had highlighted the personal documents contained on the account. The controller submitted an email of this grant of access as evidence. The data subject was informed that after he had accessed what he required, the account would be deleted permanently.
-Nevertheless, the data subject was of the opinion that the controller had already snooped into his mailbox.
+The data subject rebutted these claims by only claiming that he was 'suspicious' that the government has already 'snooped' into all his mail.
+The controller was given one final chance to rebutt the data subject's arguments. The controller gave evidence that at no point had they accessed the data subject's personal data within his work email. In fact, when they did access it in order to delete it, they noted that everything had already been erased within the account. This fact was confirmed by the data subject himself in an email.
 === Holding ===
-The Commissioner held that the work email account contained the data subjects personal data, as defined in [[Article 4 GDPR#1|Article 4(1) GDPR]], as it contained their name and surname. Consequently, when the controller processes personal data, such processing operation must comply with the appropriate legal criteria and principles established under the Regulation.
+The DPA dismissed the complaint.
+As a preliminary point, the DPA noted that the work email account contained the data subjects personal data, as defined in [[Article 4 GDPR#1|Article 4(1) GDPR.]] Consequently, processing operations by the contoller must be GDPR compliant.
-In addition, following a termination of an employment relationship, the controller shall provide the data subject the opportunity to keep a copy of any personal emails stored in the mailbox and delete them accordingly.
+As to whether the controller accessed the data subject's work account, the DPA noted that the data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint under [[Article 77 GDPR|Article 77 GDPR.]] Other than the deletion of the account, it cannot be proved that any other person accessed his email accounts.
-The data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. In accordance with [[Article 77 GDPR|Article 77 GDPR]], data subjects are entitled to lodge a complaint with a supervisory authority if they consider that a particular processing relating to them infringes the GDPR. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint. Other than the webmaster hosting the email accounts, it cannot be proved that any other person accessed his email accounts.
+The DPA analysed the evidence given by the controller. They noted that the data subject himself admitted that he had been given access to delete information on the account.
 On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint.