APD/GBA (Belgium) - 71/2024
Revision as of 14:21, 14 May 2024
| APD/GBA - 71/2024 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR; Article 12(3) GDPR; Article 25 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 08.11.2023 |
| Decided: | 06.05.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 71/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | nzm |
The DPA issued a warning against a controller for not implementing a proper policy regarding the closure of former employees’ mailboxes and for not responding to an access request regarding said closure in a timely manner.
English Summary
Facts
The senior director of marketing and managing director of a company ('data subject') was dismissed from her workplace in August 2022, after which she had to serve a six-week notice period. During these six weeks, a dispute arose regarding whether she was still allowed to access her professional mailbox. Her access to the mailbox was cut off on 12 September 2022. Access to said mailbox was allegedly given to her superior, who was, however, requested not to access it.
On 15 September 2022, the data subject made an access request and asked that the controller confirm that no one had accessed her mailbox on the basis of IT logs.
On 25 January 2023, the controller responded by providing a summary of the logs relating to the disputed mailbox. These logs showed that there was no access to this mailbox. However, the data subject claimed that this document was inaccurate or incomplete. She also noted that her professional email account still existed in January 2023, well after her departure from her workplace.
The data subject filed a complaint with the Belgian DPA ('GBA').
Holding
Firstly, the DPA held that in principle further processing of a mailbox is lawful, as long as some conditions are respected. The DPA said the mailbox can remain active for a certain period of time after the dismissal of the data subject as long as it is limited to the automatic sending of standard communications regarding the departure of the data subject, in order to ensure the proper functioning of the company. However, the GBA added that the other provisions of the GDPR must also be respected.
The GBA then established that the controller has one month after which it must delete the data subject’s email address and mailbox, unless other agreements have been made between the controller and former employee in that regard. A longer period may be granted depending on the context and degree of responsibility of the data subject but this extension must be done with the data subject’s consent.
In the present case, the DPA noted that the modalities of this closure were not transparently defined and implemented. For example, it was not clear how long the email account continued to exist after the data subject's departure, and who had access to it. Additionally, the data subject was not informed of the extended transition period implemented by the controller. In the present case, the data subject had a prominent position in the company. Therefore, the GBA held that a transition period of more than one month seemed justified. However, the exact timing of the closure of the mailbox was unclear and appeared to be longer than the recommended three months, as the email account still existed in January 2023. Moreover, doubts were raised about possible access by others to the data subject's mailbox.
Thus, the GBA considered that the controller had not taken technical and organisational measures to ensure compliance with the GDPR. It held that this highlights a lack of transparent arrangements regarding the policy on the closure of former employees' mailboxes, which may violate Articles 5(1)(a) and 25 GDPR. There was also a suspected violation of Articles 6(1) and 5(1)(a) GDPR, as the mailbox was kept open without a legal basis.
Secondly, the DPA discussed the late response to the data subject’s access request. The GBA noted that the data subject made an access request in September 2022, and that it appears from the evidence that the first response she got was dated January 2023. Thus, the controller failed to respond in a timely manner pursuant to Article 12(3) GDPR.
Therefore, the GBA issued a prima facie warning against the controller about the lack of a proper policy concerning the closure of former employees’ mailboxes and for the late response to the access request.
Comment
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely on the basis of the complaint, without a procedure on the merits. The controller could request such a procedure within 30 days after the decision.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dispute Chamber Decision 71/2024 of May 6, 2024
File number: DOS-2023-04299
Relates to: the failure to close the professional email account of a former employee

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter "WOG";
Having regard to the internal rules of procedure, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
The complainant: X, hereinafter "the complainant"
The defendant: Y, hereinafter "the defendant"

Decision 71/2024 — 2/8

I. Facts and procedure

1. The subject of the complaint concerns the defendant's failure to close the complainant's professional email account properly.

2. The complainant, a former employee and managing director of the defendant, was dismissed in August 2022, after which she had to serve a six-week notice period. During these six weeks, disagreement arose about whether the complainant should still have access to her professional mailbox. After all, she still made use of it, as she continued her work for the duration of the notice period. The complainant's access to her mailbox was closed on September 12, 2022. According to the complainant, access to the mailbox was given to her line manager, who was asked not to use that access.

3. On September 15, 2022, the complainant reportedly submitted a request for information about unauthorized access to the professional email account. The request states the following: "I further ask that you please confirm that no one has accessed my mailbox, based on the respective IT logs, [...]." She furthermore requested to receive confirmation by September 21, 2022 at the latest that the professional mailbox had been closed correctly.

4. The defendant is said to have responded on January 25, 2023. In this response, an overview of the logs related to the disputed mailbox is provided. The defendant claims that these logs show that there has been no access to the complainant's professional email account. Nevertheless, the complainant notes that, in her opinion, the forwarded document appears to be incorrect or incomplete.

5. Furthermore, the complainant notes that her professional email account still existed on 3 January 2023, well after her departure from the defendant.

6. On 25 October 2023, the complainant filed a complaint with the Data Protection Authority against the defendant. On the one hand, she accuses the defendant of not closing her professional mailbox in accordance with data protection law, and on the other hand she accuses the defendant of manipulating the logs it passed on. Moreover, the defendant did not respond in a timely manner to the complainant's access request dated September 21, 2022, to which a full answer was not provided until January 25, 2023.

7. On November 8, 2023, the complaint was declared admissible by the First Line Service [1] on the basis of Articles 58 and 60 of the WOG and, on the basis of Article 62, § 1 of the WOG, transferred to the Disputes Chamber [2].

II. Justification

8. The Disputes Chamber first points out that there are guidelines [3] for managing and closing the professional mail account of former employees in good order. It must be noted that the further processing of a business mailbox is in principle lawful, as long as certain conditions are respected. Thus, in view of the legitimate interest of the defendant in accordance with the conditions of Article 6.1.f) of the GDPR, the mailbox may remain active for a certain period after the dismissal of the complainant, insofar as this is limited to the automatic sending of standard communications regarding the departure of an employee, with a view to guaranteeing the proper functioning of the company and the continuity of its services. This is of course only possible if the other provisions of the GDPR are also respected, in particular Article 13.1.c) GDPR, which means that before the processing activities start, it must be determined which legal basis applies [5], and for which specific purpose, with the obligation for the controller to inform the data subject of this.

9. The controller generally has one month after which the e-mail address and the mailbox of the data subject must be deleted, unless other agreements have been made in this connection between the controller and the former employee [6]. Depending on the context, and in particular the degree of responsibility exercised by the person concerned, a longer period may be granted, ideally no longer than three months. The extension must be done with the consent of the person concerned, or at least after he or she has been informed of the extension. Moreover, an alternative solution must be sought and implemented as quickly as possible, without waiting for the deadline of this extension.

10. In this case, it must be established that the complainant no longer had access to her professional mailbox. From the email traffic between the complainant and the defendant, it appears that the defendant did indeed report this closure of her access to the complainant, who did not agree to the closure of access.

11. However, from the complainant's documents, the Disputes Chamber can prima facie establish that the modalities of this transition period were not laid down and executed transparently. It is therefore not clear how long the mailbox continued to exist after the departure of the complainant, and who had access to it. As stated earlier, the person concerned must at least be informed of an extended transition period. In this case, prima facie, this does not seem to have happened.

12. The Disputes Chamber must investigate whether the mailbox was closed within a reasonable period of time, namely within one month, or within three months if the person concerned had a prominent role within the organization. Given the important position of the complainant within the company, namely as CEO, Senior Director Marketing and managing director, the Disputes Chamber can only state that a transition period of longer than a month seems justified. The exact timing of the final closure of the mailbox is, however, unclear to the Disputes Chamber. It appears to be longer than the recommended three months, as an automatic response was still being sent to emails addressed to this email address in January 2023.

13. It can be deduced from the documents attached to the complaint (in particular appendix 7) that the mailbox was still active and sent automatic responses on January 3, 2023, while the cooperation had already ended in September 2022. The complainant received no information about this extended transition period. As a result, the already extended period of three months has been exceeded.

14. In addition, doubts have been raised about possible access by others to the complainant's mailbox, as evidenced by her email correspondence and a registered letter in which the complainant expresses her concerns.

15. Finally, the Disputes Chamber also wishes to address the defendant's possibly late response to the access request. In the correspondence between the complainant and the defendant, it is also suggested that there may be a violation of Article 12.3 of the GDPR, as the defendant did not respond to the access request in a timely manner. Appendix 14 contains an email from the defendant's counsel dated 25 January 2023 with an attachment entitled "IT log data supporting that there were no other successful logins to X account after September 9, 2022". If this is actually the first response to the complainant's request, which was first submitted in September 2022, then the defendant was clearly late in complying with the requirements of Article 12.3 of the GDPR.

16. In this context, the Disputes Chamber suspects that the defendant has not taken technical and organizational measures to ensure compliance with the GDPR. This emphasizes the lack of transparent agreements, which may conflict with Articles 5.1.a), 13.1.c) and 25 of the GDPR. There is a suspected violation of Article 6.1 in conjunction with Article 5.1.a) of the GDPR, as the mailbox was kept open without a legal basis. Finally, there is a suspected violation of Article 12.3 of the GDPR due to the defendant's late response.

17. The Disputes Chamber is of the opinion that, on the basis of the above analysis, it must be concluded that the defendant committed a suspected violation of the provisions of the GDPR, which justifies taking a warning decision in this case pursuant to Article 95, § 1, 4° of the WOG, in particular for the lack of a solid policy regarding the closing of a business mailbox of a former employee.

18. The Disputes Chamber hereby establishes that the defendant has since closed the email account properly. The Disputes Chamber therefore does not consider it necessary to impose any other corrective measures.

19. The accuracy of the logs forwarded by the defendant is also disputed. According to the complainant, these may be incorrect or even manipulated, while the defendant denies this. However, since the inaccuracy of the logs is not supported by concrete evidence, and the Disputes Chamber does not have sufficient information to establish prima facie that this constitutes a violation, it will refrain from ruling on this issue.

20. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the "procedure prior to the decision on the merits" [7], and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG. The Disputes Chamber has thus decided, on the basis of Article 58.2.a) GDPR and Article 95, § 1, 4° of the WOG, to warn the defendant about the late closing of the mailbox.

21. The purpose of this decision is to inform the defendant of the fact that it may have committed an infringement of the provisions of the GDPR, and to give it the opportunity to still comply with the aforementioned provisions.

22. If the defendant does not agree with the content of this prima facie decision and is of the opinion that it can put forward factual and/or legal arguments that could lead to a new decision, it can submit a request for reconsideration to the Disputes Chamber in accordance with the procedure established in Articles 98 in conjunction with 99 of the WOG, known as a "treatment on the merits". This request must be sent to the email address litigationchamber@apd-gba.be within a period of 30 days after notification of this prima facie decision. If applicable, implementation of this decision is suspended for the above-mentioned period.

23. In the event of a continuation on the merits of the case, the Disputes Chamber will invite the parties, on the basis of Articles 98, 2° and 3° in conjunction with Article 99 of the WOG, to submit their defenses and any documents they consider useful to be added to the file. If necessary, the present decision will be suspended.

24. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures referred to in Article 100 of the WOG [8].

[...] in accordance with Article 1034quinquies of the Dutch Civil Code [10], or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Dutch Civil Code).

Hielke HIJMANS
Chairman of the Disputes Chamber

Footnotes
[1] In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint has been declared admissible.
[2] In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file has been transferred to it as a result of this complaint.
[3] Cf. decisions 64/2020 and 133/2021 of the Disputes Chamber.
[4] Cf. decision 46/2020 of the Disputes Chamber, para. 29, and decision 133/2021 of the Disputes Chamber, para. 56 et seq.
[5] In this regard, see Guidelines 05/2020 on consent under Regulation 2016/679 (paras. 121-123); https://edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf
[6] In its Recommendation CM/Rec(2015)5 on the processing of personal data in the context of employment, the Committee of Ministers of the Council of Europe states the following in principle 14.5: when an employee leaves his or her job, the employer must take technical and organizational measures to ensure that the employee's email is automatically deactivated. If the contents of the email must be retrieved for the good functioning of the organization, the employer must take appropriate measures to retrieve those contents before the employee's departure and, if possible, in his or her presence. The explanatory memorandum to the recommendation further states (para. 122) that in situations where the employee leaves the organization, the employer must deactivate the former employee's account so that there is no longer access to the former employee's communications after his or her departure. If the employer wishes to recover the contents of the employee's account, the employer must take the necessary steps before the employee's departure, preferably in his or her presence. This sectoral recommendation, which supplements the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108), illustrates how the principles of purpose limitation, data minimisation and proportionate retention, which are confirmed in both this Convention and the GDPR, should be applied.
[7] Section 3, Subsection 2 of the WOG (Articles 94 to 97).
[8] Article 100, § 1. The Disputes Chamber has the authority to:
1° dismiss a complaint;
2° order the dismissal of prosecution;
3° order the suspension of the ruling;
4° propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his or her rights be complied with;
7° order that the person concerned be informed of the security problem;
8° order that processing be temporarily or permanently frozen, restricted or prohibited;
9° order that the processing be brought into compliance;
10° order the rectification, restriction or deletion of data and its notification to the recipients of the data;
11° order the withdrawal of the recognition of certification bodies;
12° impose penalty payments;
13° impose administrative fines;
14° order the suspension of cross-border data flows to another State or an international institution;
15° transfer the file to the public prosecutor's office in Brussels, which will inform it of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
[10] The petition with its attachment must be deposited with the clerk of the court or at the registry by registered letter, in as many copies as there are parties involved.