APD/GBA (Belgium) - 145/2023: Difference between revisions

From GDPRhub
(overall good, well done! Just remember to use past tense when writing and to include the dates in the facts :))
Line 61: Line 61:
}}
}}


The APD/GBA reprimands a college after unlawfully communicating by email to (former) students and staff about the dismissal of one of its teachers following a physical incident.
The Belgian DPA found that a college's communication of the reasons for dismissal of one of its former teachers to their colleagues and students was in violation of [[Article 6 GDPR|Article 6(1)(f) GDPR]], as including the reason for dismissal in the communication did not meet the necessity test under [[Article 6 GDPR|Article 6(1)(f) GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A college dismissed one of its teachers after a physical incident with a student. A dispute allegedly arose after the student tried to secretly check his/her marks on the lecturer's computer screen. In the aftermath of this dispute, the lecturer allegedly became physically aggressive towards the student. However, the lecturer believes that this was a misunderstanding. He allegedly made a waving gesture to the student and accidentally hit him/her.  
A college (the controller) dismissed one of its teachers after a student had alleged that  they had committed a physical assault against them. Following an internal investigation, the lecturer was dismissed for urgent cause.


Following an internal investigation, the lecturer was dismissed for urgent cause. The college's management decided to inform its staff and the lecturer's students. As the mailboxes of former students are not closed until the following academic year, a number of former students also received the notice. In total, at least 195 (former) students received the notice.
The college's management decided to inform its staff and the lecturer's students of the dismissal via three emails sent emails on 21 and 22 March 2019. As the mailboxes of former students are not closed until the following academic year, a number of former students also received the emails. In total, at least 195 students received the emails.


The notice of dismissal was worded as follows
The emails stated the following:<blockquote>'''This [dismissal] follows physical aggression towards one of the students [...] a thorough investigation has shown that this incident makes any further functioning of [complainant's name] as an employee of [controller] impossible''<nowiki/>'.</blockquote>The emails led the lecturer to lodge a complaint with the Belgian DPA on 17 January 2020.
 
"This follows physical aggression towards one of the students [...] a thorough investigation has shown that this incident makes any further functioning of [complainant's name] as an employee of [respondent] impossible". (non-official translation)
 
This ultimately led the lecturer to lodge a complaint with the APD/GBA.


=== Holding ===
=== Holding ===
The APD/GBA ruled that the communication was unlawful and reprimanded the college. In its decision, the APD/GBA distinguished between communications to current professors and students, on the one hand, and communications to former students, on the other. In both cases, it applied the three-step test required to invoke legitimate interest:
The Belgian DPA held that the emails were unlawful and reprimanded the college. The controller (the college) had relied on [[Article 6 GDPR|Article&nbsp;6(1)(f)&nbsp;GDPR]] as a lawful ground for processing. The Belgian DPA held that for the purposes of [[Article 6 GDPR|Article&nbsp;6(1)(f)&nbsp;GDPR]], the controller had no legitimate interest to send the emails, and thus the processing was unlawful.  


1. '''Purpose test.''' First, the APD/GBA confirmed that the mere fact that the lecturer has been dismissed for cause is sufficient to establish that there is an immediate and legitimate need to communicate this to students and colleagues.
In reaching its conclusion, the Belgian DPA applied the following three-step test to determine legitimate interest, as outlined by the CJEU in Case C-13/16<ref>Case C-13/16, ''Rīgas satiksme'', para 28.                              </ref>:


2. '''Necessity test.''' For the former students, the AP/GBA argued that the communication was not necessary and found a breach. In doing so, the GBA also confirmed the need to keep student accounts and associated mailboxes up to date. This is particularly so as these are used for communication on such matters.  
'''1. Purpose test:''' First, the Belgian DPA confirmed that the mere fact that the lecturer has been dismissed for cause is sufficient to establish that there is an immediate and legitimate need to communicate this to students and colleagues.


In relation to current students and colleagues, the APD/GBA found that there was no need to communicate the reason for dismissal, which was 'physical aggression'. It considered that there was no current need for the college to do so. The APD/GBA explicitly states that fear of backbiting or mistrust is not sufficient. However, the GBA does not rule out that there may be situations where it is necessary to state the reason for dismissal.  
'''2. Necessity test:''' In relation to sending the email to former students, the Belgian DPA argued that the communication was not necessary and found a breach of [[Article 6 GDPR|Article&nbsp;6(1)(f)&nbsp;GDPR]]. In relation to current students and colleagues, the Belgian DPA found that there was no need to communicate the reason for dismissal, which was 'physical aggression'. It considered that there was no current need for the college to do so. The Belgian DPA did acknowledge that there may be situations where it is necessary to state the reason for dismissal. However, in this instance, it was not necessary.


3. '''Balancing test.''' Finally, the APD/GBA argues that the balancing test has not been respected. Indeed, the college claimed in its communication that the decision to dismiss had been taken only after a "thorough investigation". However, it subsequently emerged that this was not the case. Furthermore, the college failed to mention in its communication that the lecturer could still appeal to the internal appeals body.
'''3. Balancing test.''' Finally, the Belgian DPA found that the balancing test was not respected. The Belgian DPA concluded that the college had failed to adequately consider the data subject's fundamental rights and freedoms when sending the emails. The DPA found that the controller in the emails ''<nowiki/>'did not provide enough objectively substantiated elements''<nowiki/>' and while the college claimed in its communication that the decision to dismiss had been taken only after a '''thorough investigation''<nowiki/>', this was insufficient for the purposes of the balancing test. As a result, the DPA found that the rights and freedoms of the data subject were excessively infringed.


Consequently, a breach of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] was found.
Consequently, a breach of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] was found, as a result the Belgian DPA reprimanded the college.  


== Comment ==
== Comment ==

Revision as of 09:27, 14 November 2023

APD/GBA - DOS-2020-00200
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 6(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started: 17.01.2020
Decided: 26.10.2023
Published: 27.10.2023
Fine: n/a
Parties: n/a
National Case Number/Name: DOS-2020-00200
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: Matthias Vandamme

The Belgian DPA found that a college's communication of the reasons for dismissal of one of its former teachers to their colleagues and students was in violation of Article 6(1)(f) GDPR, as including the reason for dismissal in the communication did not meet the necessity test under Article 6(1)(f) GDPR.

English Summary

Facts

A college (the controller) dismissed one of its teachers after a student had alleged that they had committed a physical assault against them. Following an internal investigation, the lecturer was dismissed for urgent cause.

The college's management decided to inform its staff and the lecturer's students of the dismissal via three emails sent emails on 21 and 22 March 2019. As the mailboxes of former students are not closed until the following academic year, a number of former students also received the emails. In total, at least 195 students received the emails.

The emails stated the following:

'This [dismissal] follows physical aggression towards one of the students [...] a thorough investigation has shown that this incident makes any further functioning of [complainant's name] as an employee of [controller] impossible'.

The emails led the lecturer to lodge a complaint with the Belgian DPA on 17 January 2020.

Holding

The Belgian DPA held that the emails were unlawful and reprimanded the college. The controller (the college) had relied on Article 6(1)(f) GDPR as a lawful ground for processing. The Belgian DPA held that for the purposes of Article 6(1)(f) GDPR, the controller had no legitimate interest to send the emails, and thus the processing was unlawful.

In reaching its conclusion, the Belgian DPA applied the following three-step test to determine legitimate interest, as outlined by the CJEU in Case C-13/16[1]:

1. Purpose test: First, the Belgian DPA confirmed that the mere fact that the lecturer has been dismissed for cause is sufficient to establish that there is an immediate and legitimate need to communicate this to students and colleagues.

2. Necessity test: In relation to sending the email to former students, the Belgian DPA argued that the communication was not necessary and found a breach of Article 6(1)(f) GDPR. In relation to current students and colleagues, the Belgian DPA found that there was no need to communicate the reason for dismissal, which was 'physical aggression'. It considered that there was no current need for the college to do so. The Belgian DPA did acknowledge that there may be situations where it is necessary to state the reason for dismissal. However, in this instance, it was not necessary.

'3. Balancing test. Finally, the Belgian DPA found that the balancing test was not respected. The Belgian DPA concluded that the college had failed to adequately consider the data subject's fundamental rights and freedoms when sending the emails. The DPA found that the controller in the emails 'did not provide enough objectively substantiated elements' and while the college claimed in its communication that the decision to dismiss had been taken only after a thorough investigation', this was insufficient for the purposes of the balancing test. As a result, the DPA found that the rights and freedoms of the data subject were excessively infringed.

Consequently, a breach of Article 6(1)(f) GDPR was found, as a result the Belgian DPA reprimanded the college.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


  1. Case C-13/16, Rīgas satiksme, para 28.