APD/GBA (Belgium) - 07/2021: Difference between revisions
No edit summary |
m (Ar moved page APD/GBA - 07/2021 to APD/GBA (Belgium) - 07/2021) |
||
(3 intermediate revisions by 3 users not shown) | |||
Line 56: | Line 56: | ||
}} | }} | ||
The Belgian DPA | The Belgian DPA (APD/GBA) held that intent is not a criterium to assess processing and that mistakenly sending an e-mail does not necessarily constitute a data breach as a human error does not always mean the technical and organisational measures are not adequate. Finally, the DPA held that merely receiving an e-mail is not processing. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
The defendant 1 allegedly did not grant | The defendant 1 allegedly did not grant access to the personal data he holds of the complainant.The defendant 1 had sent an e-mail with 32 attachments concerning the company of complainant to the defendant 2, a former associate of the complainant. The attachments had a lot of personal data about the complainant and no consent was given to send the e-mail. | ||
On top of that, that e-mail was then send to the lawyer of the defendant 2. The lawyer then forwarded that mail to the lawyer of the complainant. | On top of that, that e-mail was then send to the lawyer of the defendant 2. The lawyer then forwarded that mail to the lawyer of the complainant. | ||
=== Dispute === | ===Dispute=== | ||
===Holding=== | |||
====Complaint to defendant 1==== | |||
'''Right to defence''' | |||
Defendant 1 stated that his right to defence was violated because in the original complaint, no specific rule of law infractions were included and thus the defendant couldn't adequately prepare. | |||
Defendant 1 stated that his right to defence | |||
The DPA reiterates that submitting a complaint should be uncomplicated for the parties whose personal data is being processed. The DPA notes that it is up to each of the parties to provide the necessary evidence for the alleged infringements or for refuting them. The complainant does not have to submit this evidence in the complaint itself. It is up to the DPA to assess which alleged violations it considers sufficiently proven as violations of the GDPR.In doing so, the DPA has considerable policy discretion to determine the scope of the proceedings.The absence of supporting documents for certain allegations cannot be relied upon by the other party as a violation of its right of defence. | The DPA reiterates that submitting a complaint should be uncomplicated for the parties whose personal data is being processed. The DPA notes that it is up to each of the parties to provide the necessary evidence for the alleged infringements or for refuting them. The complainant does not have to submit this evidence in the complaint itself. It is up to the DPA to assess which alleged violations it considers sufficiently proven as violations of the GDPR. In doing so, the DPA has considerable policy discretion to determine the scope of the proceedings.The absence of supporting documents for certain allegations cannot be relied upon by the other party as a violation of its right of defence. | ||
'''Lawful processing''' | '''Lawful processing''' | ||
Here, the DPA judged the legality of sending the e-mail between defendant 1 and 2. Defendant 1 states that this was a human error and that such a non-intentional, unintended action cannot constitute a breach of the GDPR. | |||
To asses if this is the case, the reasonable | Intention however, is not a criterium for processing under the GDPR, the DPA states. The mere fact that the e-mail was sent constitutes processing. In line with [[Article 5 GDPR#1b|Article 5(1)(b)]], processing for other purposes than initially stated can only be done if those purposes are compatible with those original purposes. | ||
To asses if this is the case, the reasonable expectations of the data subject play a critical role. The DPA states that the complainant used the services of defendant 1 for its bookkeeping and there was no reasonable expectation that this would be shared with defendant 2. As such, the processing does not have a compatible purpose. | |||
As the defendant 1 stated, the sending was an error, which means there is no legal basis to conduct the processing. | As the defendant 1 stated, the sending was an error, which means there is no legal basis to conduct the processing. | ||
Line 86: | Line 87: | ||
The DPA then assesses whether the defendant 1 could rely on the legal basis of legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f)]]. It confirms earlier case law of the CJEU in which three requirements have to be fulfilled, cumulatively; legitimate interest pursued by controller, necessity of the processing and fundamental rights and freedoms of the data subject do not override the legitimate interest. | The DPA then assesses whether the defendant 1 could rely on the legal basis of legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f)]]. It confirms earlier case law of the CJEU in which three requirements have to be fulfilled, cumulatively; legitimate interest pursued by controller, necessity of the processing and fundamental rights and freedoms of the data subject do not override the legitimate interest. | ||
The DPA states that the defendant 1 had a purpose, reaching all parties with all the document and this can be seen as a legitimate interest. However, the processing was not necessary as two e-mails, without mixed attachment, could have achieved the same goal. The third | The DPA states that the defendant 1 had a purpose, reaching all parties with all the document and this can be seen as a legitimate interest. However, the processing was not necessary as two e-mails, without mixed attachment, could have achieved the same goal. The third requirement is also not fulfilled as stated earlier, the complainant did not reasonable expect this processing to happen. As such, there is no legitimate interest legal basis possible. | ||
''' | |||
Right to access''' | '''Right to access''' | ||
The DPA states that the complainant provided no proof of not being granted right to access. | The DPA states that the complainant provided no proof of not being granted right to access. | ||
Safety of processing and data breach | '''Safety of processing and data breach''' | ||
The access of defendant 2 to the e-mail was not related to insufficient technical and organisational measures to ensure adequate safety. The DPA is of the opinion that no security measure can be of a nature to completely exclude an e-mail being sent to a non-intended recipient as a result of human error. It cannot therefore be concluded that, by sending the e-mail to the defendant 2, the defendant 1 did not take sufficient measures to protect the personal data of the complainant against security risks, so that no infringement of [[Article 32 GDPR|Article 32]] and [[Article 33 GDPR|Article 33]]can be established in this case. | |||
The defendant 2 | |||
The | ====Complaint to defendant 2==== | ||
The defendant 2claims that there is no processing on its part as there is no intentional element present and no initiative was taken by him. | |||
Additionally, the defendant 2 did not deliver evidence that he had asked his lawyer to remove the e-mail with attachments, a responsibility which comes to all data controllers under [[Article 19 GDPR|Article 19]] when deleting personal data in line with [[Article 17 GDPR|Article 17]] | The DPA states that just receiving personal data ''an sich'' constitutes no processing as defined in [[Article 4 GDPR#2|Article 4(2)]]. Accessing or forwarding the attachments with personal data however, does constitute processing. Even though the defendant 2 claims not having read the attachment, it was sent to his lawyer. This means the defendant 2 must be seen as a data controller as defined in [[Article 4 GDPR#7|Article 4(7)]] because he defined the purposes and means of processing. His statement that the defendant 2 deleted the e-mail with attachment is irrelevant as the processing already took place. | ||
Additionally, the defendant 2 did not deliver evidence that he had asked his lawyer to remove the e-mail with attachments, a responsibility which comes to all data controllers under [[Article 19 GDPR|Article 19]] when deleting personal data in line with [[Article 17 GDPR|Article 17]]. | |||
The defendant 2 reasons that this processing is lawful as article 237 of the Codex Deontology for Lawyers and WP29 169 state that you can provide information to your lawyer to help exercise your rights/legal defense. Interpreting this any other way would prevent the defendant 2 from sending information to his lawyer. | The defendant 2 reasons that this processing is lawful as article 237 of the Codex Deontology for Lawyers and WP29 169 state that you can provide information to your lawyer to help exercise your rights/legal defense. Interpreting this any other way would prevent the defendant 2 from sending information to his lawyer. | ||
The DPA states that the personal data was sent to the defendant 2 without a lawful basis. The defendant 2 could not utilise this information as he should not have gotten it in the first place.The DPA can only conclude that there is no legal basis as provided for in [[Article 6 GDPR#1|Article 6(1)]] that justifies the forwarding of the e-mail by the defendant 2 to his counsel. The defendant 2 also does not invoke any legal basis of [[Article 6 GDPR#1f|Article 6(1)(f)]] and explicitly confirms in its reply to the statement of | The DPA states that the personal data was sent to the defendant 2 without a lawful basis. The defendant 2 could not utilise this information as he should not have gotten it in the first place.The DPA can only conclude that there is no legal basis as provided for in [[Article 6 GDPR#1|Article 6(1)]] that justifies the forwarding of the e-mail by the defendant 2 to his counsel. The defendant 2 also does not invoke any legal basis of [[Article 6 GDPR#1f|Article 6(1)(f)]] and explicitly confirms in its reply to the statement of defense with regard to the legitimate interest [[Article 6 GDPR#1f|Article 6(1)(f)]] that it does not even invoke this legal ground. | ||
Of course, the communication with one's counsel is secret, but only on the condition that the information was received in a lawful manner and this was not the case here and a breach of [[Article 5 GDPR#1a|Article 5(1)(a)]] and [[Article 6 GDPR#1|Article 6(1)]]. | Of course, the communication with one's counsel is secret, but only on the condition that the information was received in a lawful manner and this was not the case here and a breach of [[Article 5 GDPR#1a|Article 5(1)(a)]] and [[Article 6 GDPR#1|Article 6(1)]]. | ||
Further grievances regarding transparency and purpose limitation are not relevant as the processing itself is unlawful. | Further grievances regarding transparency and purpose limitation are not relevant as the processing itself is unlawful. | ||
==Comment== | |||
== Comment == | |||
This decision was part of a larger one before another court. | This decision was part of a larger one before another court. | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. | The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. | ||
Latest revision as of 16:51, 12 December 2023
APD/GBA - 07/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1) GDPR Article 6(1) GDPR Article 15(1) GDPR Article 32 GDPR Article 33 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 01.2021 |
Published: | 01.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 07/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Beslissing ten gronde nr. 07/2021 van 29 januari 2021 (in NL) |
Initial Contributor: | Enzo Marquet |
The Belgian DPA (APD/GBA) held that intent is not a criterium to assess processing and that mistakenly sending an e-mail does not necessarily constitute a data breach as a human error does not always mean the technical and organisational measures are not adequate. Finally, the DPA held that merely receiving an e-mail is not processing.
English Summary
Facts
The defendant 1 allegedly did not grant access to the personal data he holds of the complainant.The defendant 1 had sent an e-mail with 32 attachments concerning the company of complainant to the defendant 2, a former associate of the complainant. The attachments had a lot of personal data about the complainant and no consent was given to send the e-mail.
On top of that, that e-mail was then send to the lawyer of the defendant 2. The lawyer then forwarded that mail to the lawyer of the complainant.
Dispute
Holding
Complaint to defendant 1
Right to defence
Defendant 1 stated that his right to defence was violated because in the original complaint, no specific rule of law infractions were included and thus the defendant couldn't adequately prepare.
The DPA reiterates that submitting a complaint should be uncomplicated for the parties whose personal data is being processed. The DPA notes that it is up to each of the parties to provide the necessary evidence for the alleged infringements or for refuting them. The complainant does not have to submit this evidence in the complaint itself. It is up to the DPA to assess which alleged violations it considers sufficiently proven as violations of the GDPR. In doing so, the DPA has considerable policy discretion to determine the scope of the proceedings.The absence of supporting documents for certain allegations cannot be relied upon by the other party as a violation of its right of defence.
Lawful processing
Here, the DPA judged the legality of sending the e-mail between defendant 1 and 2. Defendant 1 states that this was a human error and that such a non-intentional, unintended action cannot constitute a breach of the GDPR.
Intention however, is not a criterium for processing under the GDPR, the DPA states. The mere fact that the e-mail was sent constitutes processing. In line with Article 5(1)(b), processing for other purposes than initially stated can only be done if those purposes are compatible with those original purposes.
To asses if this is the case, the reasonable expectations of the data subject play a critical role. The DPA states that the complainant used the services of defendant 1 for its bookkeeping and there was no reasonable expectation that this would be shared with defendant 2. As such, the processing does not have a compatible purpose.
As the defendant 1 stated, the sending was an error, which means there is no legal basis to conduct the processing.
The DPA then assesses whether the defendant 1 could rely on the legal basis of legitimate interest under Article 6(1)(f). It confirms earlier case law of the CJEU in which three requirements have to be fulfilled, cumulatively; legitimate interest pursued by controller, necessity of the processing and fundamental rights and freedoms of the data subject do not override the legitimate interest.
The DPA states that the defendant 1 had a purpose, reaching all parties with all the document and this can be seen as a legitimate interest. However, the processing was not necessary as two e-mails, without mixed attachment, could have achieved the same goal. The third requirement is also not fulfilled as stated earlier, the complainant did not reasonable expect this processing to happen. As such, there is no legitimate interest legal basis possible.
Right to access
The DPA states that the complainant provided no proof of not being granted right to access.
Safety of processing and data breach
The access of defendant 2 to the e-mail was not related to insufficient technical and organisational measures to ensure adequate safety. The DPA is of the opinion that no security measure can be of a nature to completely exclude an e-mail being sent to a non-intended recipient as a result of human error. It cannot therefore be concluded that, by sending the e-mail to the defendant 2, the defendant 1 did not take sufficient measures to protect the personal data of the complainant against security risks, so that no infringement of Article 32 and Article 33can be established in this case.
Complaint to defendant 2
The defendant 2claims that there is no processing on its part as there is no intentional element present and no initiative was taken by him.
The DPA states that just receiving personal data an sich constitutes no processing as defined in Article 4(2). Accessing or forwarding the attachments with personal data however, does constitute processing. Even though the defendant 2 claims not having read the attachment, it was sent to his lawyer. This means the defendant 2 must be seen as a data controller as defined in Article 4(7) because he defined the purposes and means of processing. His statement that the defendant 2 deleted the e-mail with attachment is irrelevant as the processing already took place.
Additionally, the defendant 2 did not deliver evidence that he had asked his lawyer to remove the e-mail with attachments, a responsibility which comes to all data controllers under Article 19 when deleting personal data in line with Article 17.
The defendant 2 reasons that this processing is lawful as article 237 of the Codex Deontology for Lawyers and WP29 169 state that you can provide information to your lawyer to help exercise your rights/legal defense. Interpreting this any other way would prevent the defendant 2 from sending information to his lawyer.
The DPA states that the personal data was sent to the defendant 2 without a lawful basis. The defendant 2 could not utilise this information as he should not have gotten it in the first place.The DPA can only conclude that there is no legal basis as provided for in Article 6(1) that justifies the forwarding of the e-mail by the defendant 2 to his counsel. The defendant 2 also does not invoke any legal basis of Article 6(1)(f) and explicitly confirms in its reply to the statement of defense with regard to the legitimate interest Article 6(1)(f) that it does not even invoke this legal ground.
Of course, the communication with one's counsel is secret, but only on the condition that the information was received in a lawful manner and this was not the case here and a breach of Article 5(1)(a) and Article 6(1).
Further grievances regarding transparency and purpose limitation are not relevant as the processing itself is unlawful.
Comment
This decision was part of a larger one before another court.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/25 s Litigation chamber Decision on the merits 07/2021 of 29 January 2021 File number: DOS-2019-06201 Subject: Disclosure of personal information to third parties without permission from the person concerned The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman and Messrs. Christophe Boeraeve and Jelle Stassijns, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation), hereinafter GDPR; In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG; Having regard to the rules of internal procedure, as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; . . . Decision on the merits 07/2021 - 2/25 has taken the following decision regarding: - Mrs. X, hereinafter “the complainant” - Y1, hereinafter “defendant 1” - Mr Y2, hereinafter “Respondent 2” 1. Facts and procedure 1. On December 11, 2019, the complainant files a complaint with the Data Protection Authority, hereinafter GBA, against the defendants. The subject of the complaint concerns: - the refusal by respondent 1 to provide the complainant with access to personal data. - the sending by Mrs. Z, partner at defendant 1, of an e-mail with 32 attachments, in part concerning the company X bv of which the complainant is a 100% shareholder, making it information would allow access to the personal activities, finances and personal data of the complainant, to respondent 2, the complainant's former associate. This information would have been provided without the consent of the complainant. In addition, the respective e-mail containing the information concerning X bv, would be sent by Respondent 2 forwarded to his counsel who would then in turn send the email forwarded to the complainant's counsel. 2. On 7 January 2020, the complaint will be declared admissible on the basis of articles 58 and 60 of the WOG, and the complaint on the basis of art. 62, §1 WOG submitted to the Disputes Chamber. 3. On January 29, 2020, the Disputes Chamber will notify the complainant that pursuant to Article 95, § 1, 3 ° WOG, it was decided to dismiss the complaint for reasons of expediency. The decision states that the complaint does not contain any grievances that have a broad social impact as well as that with regard to the deontological and professional errors that were made committed by Ms. Z is a complaint pending with the competent authority and the Dispute Chamber wish to avoid a possible double investigation. 4. On March 5, 2020, the Disputes Chamber will receive the notification of a petition from the complainant against the GBA, deposited at the registry of the Court. Decision on the merits 07/2021 - 3/25 5. On April 30, 2020, the registry of the Brussels Court of Appeal will notify the Disputes Chamber of this the initiation of the case was originally set during the period March-April 2020, has been canceled and a new initiation date has been set for May 6, 2020. 6. By decision of 6 May 2020, the Marktenhof establishes the conclusion calendar. In it it states Court also established that the counsel declare that they agree in writing to a written consultation name, which will take place on August 7, 2020 with delivery of the judgment in public hearing on 2 September 2020. 7. On September 2, 2020, the Marktenhof will pass judgment. The judgment contains the following points for attention regarding the assessment of the subject of the petition: Annulment of the decision to dismiss the Disputes Chamber for lack of adequate motivation Granting by the Court to the measure claimed by the complainant, ie to rule that the file is ready for treatment on the merits within the meaning of Article 95, §1, 1 ° WOG and the Order the data protection authority to consider the merits of the file in the meaning of article 98 WOG. The Marktenhof not only overturns the decision of the Disputes Chamber of January 28, 2020, but also orders the Dispute Chamber to decide within five months from the notification of the judgment to make a new decision on the complaint lodged. Since the Marktenhof still wishes to assess the claims of the complainant against the contradiction by the GBA, the Court claims that the GBA should take a position on the claim as stated by the complainant. The Court will adjourn the case in order to verify whether the Dispute Chamber is within the stated time limit period has taken a new decision and in order to allow the complainant to make a claim to the full jurisdiction of the Marktenhof, the Disputes Chamber was not allowed a new one have made a decision. The Court refers the case for review in open court of February 24, 2021, where the Court specifies that it is not for it to make the new decision to judge on its merits in the context of the present proceedings. 1 The judgment is available on the website of the Data Protection Authority via the following link: https://www.gegevensbeschermingingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-markthof.pdf Decision on the merits 07/2021 - 4/25 8. Following up on the judgment, the Disputes Chamber will decide on 8 September 2020 on the basis of art. 95, §1, 1 ° and art. 98 WOG that the file is ready for consideration on the merits. 9. On September 8, 2020, the parties concerned will be notified by registered mail of the provisions as stated in article 95, §2, as well as of those in art. 98 WOG. Also were the parties involved on the basis of art. 99 WOG of the deadlines to their file defenses. The deadline for receipt of the response of the defendants was recorded on October 20, 2020, before receipt of the statement of reply of the complainant on 10 November 2020, with the possibility to submit a statement of reply until December 1, 2020. 10. On October 19, 2020, the Disputes Chamber will receive the statement of defense from the respondent 2. The defenses put forward can be summarized as follows: With regard to the authority of the GBA, it is argued that the Dispute Chamber is on the basis of article 100, §1 WOG, the complaint can be dismissed. Furthermore, be arguments drawn from the judgment of the Marktenhof to demonstrate this in the proceedings on the merits the Disputes Chamber has power to dismiss. This brings respondent 2 to urge the Disputes Chamber to renew a decision to dismiss after reviewing the factual elements and the basis of the complaint to the strategic plan and the internal dismissal guidelines of the GBA. According to respondent 2, there would be no processing of personal data (Article 2.1 GDPR) lack of an intentional element on the part of respondent 2 of the personal data as he was only the recipient of the email and only one act, namely forwarding the e-mail to his lawyer, after which the email with attachments has been deleted. Respondent 2 states that he can neither act as controller nor as processor are labeled. He states that he only meets the criteria of the GDPR as a recipient and third, as defined in Article 4 GDPR. Forwarding the e-mail to his counsel does not constitute an infringement according to respondent 2 on the GDPR. To this end, he refers to Article 237 of the Codex Deontology for Lawyers and Opinion 1/2010 on the concepts of “controller” and “processor” 2 of the Article 29 Working Party on Data Protection, adopted on 16 February 2010, to state that a legal subject may provide information to his / her lawyer. Different Judging, according to respondent 2, would have the effect of prohibiting the 2 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf Decision on the merits 07/2021 - 5/25 passing on information to counsel insofar as that information relates to personal data. Respondent 2 adds that his counsel is there in turn was ethically obliged to pass on the information obtained to counsel of the complainant. Even if an infringement were established, Respondent 2 considers him no sanction can be imposed, given the specific circumstances of the case. Specific with regard to the possibility of imposing an administrative one fine, respondent 2 indicates for each of the criteria stated in Article 83.2 GDPR to what extent these apply or not and this leads him to the conclusion that he no fine can be imposed. 11. On October 20, 2020, the Disputes Chamber will receive the statement of defense from the respondent 1. The defenses put forward can be summarized as follows: With regard to the competence of the GBA, this is also raised in the context of a proceedings on the merits the Dispute Chamber can proceed to dismissal, which was confirmed by the judgment of the Marktenhof dated September 2, 2020. The sending of the e-mail with respondent 2 as one of the addressees concerns a one-time human mistake in which certain data unintentionally entered into one only e-mails were sent to defendant 2. Respondent 1 claims to have acted in good faith by immediately taking the necessary action to obtain the removal of the email from Respondent 2. The rights of defense are alleged to have been violated because the complaint contains no legal rules to be mentioned. Respondent 1 points out that it has always complied with its privacy obligations. Respondent 1 is of the opinion that no infringement has been committed and cannot be sanctioned imposed. 12. On November 10, 2020, the Disputes Chamber will receive the statement of reply from the complainant. The complainant argues that respondent 1 would have committed the following violations: - Violation of the right of access (Article 15 GDPR) - Violation of the legal basis requirement (Article 6.1 GDPR); the legality- transparency- and the principle of fairness (art. 5.1 a) GDPR); the purpose limitation principle (Article 5.1 b) GDPR) and the principle of minimum data processing (Article 5.1 c) GDPR) and this in each case as to it still retained by defendant 1 today, as to forwarding by e-mail to defendant 2 - Violation of the integrity and confidentiality principle (Article 5.1 f) GDPR and 32 GDPR) and of the obligation to report a data breach (Article 33 GDPR) Decision on the substance 07/2021 - 6/25 As regards respondent 2, the complainant alleges the following violations: - Respondent 2 is jointly controller for the violations defendant 1 - Violation of the legal basis requirement (Article 6.1 GDPR), the legality and transparency principle (Article 5.1 a) GDPR), as well as the purpose limitation principle (Article 5.1 b) GDPR) 13. On November 28, 2020, the Disputes Chamber will receive the statement of reply from the respondent 2. The statement of reply fully reproduces the statement of opinion submitted on 19 October 2020 answer. The defendant adds the following points: According to respondent 2, the complaint should be declared inadmissible because the the complainant maintains in the reply that "the use by respondent 2 of the e-mail against the complainant "is the problem and not so much" the forwarding by respondent 2 of that e-mail to his counsel ", as formulated in the complaint. Thus the complaint would not meet the requirement of Article 60, paragraph 2 of the WOG, which includes a complaint admissible if it contains a statement of the facts and the necessary indications for the identification of the processing to which it relates. This requirement would are not satisfied. Regarding the complainant's statement in the reply that respondent 1 only the Instructions from Respondent 2 follows by which Respondent 2 would determine the object and means determining the processing within the meaning of Article 4.7) GDPR, with reference to a oral statement by respondent 1 that respondent 2 would have ordered her to not to deliver any document to the complainant without informing Respondent 2 thereof Respondent 2 responds that no evidence is provided for this, so that in Contrary to what the complainant maintains, respondent 1 and respondent 2 are not as joint controllers can be labeled. With regard to the complainant's statement in the reply regarding the legitimate interest as the legal basis for the processing, respondent 2 states that these legal basis is not put forward by him. The complainant's request to impose a penalty is inadmissible, at least unfounded, because without object, since the e-mail and attachments on first request already were deleted. 14. On December 1, 2020, the Disputes Chamber will receive the statement of reply from the respondent 1, which fully repeats and adds to the elements of its statement of defense that the extension of the complainant's arguments through its statement of defense leads to this that the rights of defense of respondent 1 have been violated. Also disputed Decision on the merits 07/2021 - 7/25 defendant 1, in fact and in law, any fact that is not expressly acknowledged in his statement of reply. 2. Legal basis Principles regarding processing of personal data Article 5.1 GDPR 1. Personal data must: a) processed in a manner that is lawful, proper and with regard to the data subject is transparent ('lawfulness, fairness and transparency'); (b) collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes; the further processing for archiving in the public interest, scientific or historical research or statistical purposes is not considered incompatible in accordance with Article 89 (1) considered with the original purposes ('purpose limitation'); (c) adequate, relevant and limited to what is necessary for the purposes for which they are processed ('data minimization'); […] f) by taking appropriate technical or organizational measures in such a way processed to ensure adequate security, including protection are against unauthorized or unlawful processing and against accidental loss, destruction or damage (“integrity and confidentiality”). Lawfulness of the processing Article 6.1. AVG 1. The processing is only lawful if and insofar as at least one of the following conditions are met: a) the data subject has consented to the processing of his personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract with which the data subject party, or to take measures at the request of the data subject prior to the conclusion of an agreement take; Decision on the merits 07/2021 - 8/25 c) the processing is necessary to comply with a legal obligation on the controller rests; d) the processing is necessary for the vital interests of the data subject or of another protect a natural person; e) processing is necessary for the performance of a task carried out in the public interest or for a task in the exercise of official authority vested in the controller commissioned; f) the processing is necessary for the representation of the legitimate interests of the controller or of a third party, except when the interests or fundamental rights and the fundamental freedoms of the data subject requiring the protection of personal data, outweigh those interests, especially if the data subject is a child. The first paragraph, point f) does not apply to processing by public authorities in the exercise of their duties. Right of access Article 15.1 GDPR 1. The data subject has the right to obtain information from the controller about whether or not to process personal data concerning him and, where that is the case, to obtain access to those personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be , in particular recipients in third countries or international organizations; d) if possible, the period during which the personal data are expected to be obtained stored, or if that is not possible, the criteria for determining that period; e) that the data subject has the right to request that the controller do so personal data are rectified or erased, or that concerning the processing of him personal data is limited, as well as the right to object to that processing; f) that the data subject has the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, all available information about the source of that data; h) the existence of automated decision-making, including those referred to in Article 22 (1) and (4), intended profiling, and, at least in those cases, useful information about the underlying logic, as well as the importance and the expected consequences of that processing for the data subject. Decision on the merits 07/2021 - 9/25 3. Justification A. Procedure 15. This case is the follow-up to the judgment of the Marktenhof dated September 2, 2020 in a case against the Data Protection Authority (GBA), following the appeal lodged by the complainant against the decision of the Disputes Chamber on the basis of Article 95, § 1, 3 ° WOG, his complaint to dismiss. 16. At present, the defendants in the proceedings on the merits which will be brought before the Disputes Chamber the Disputes Chamber can still proceed to dismiss the complaint and that this would be appropriate in the present file, after checking against the strategic plan and the internal dismissal guidelines of the Disputes Chamber. 17. However, the complainant believes that he can state in this regard that the Disputes Chamber does not have the possibility of termination, and this deduces from the relevant judgment of the Marktenhof stating that the measure claimed by the complainant to decide that file is ready for treatment on the merits within the meaning of Article 95, 1 ° WOG and the dossier on the merits to be treated within the meaning of article 98 et seq. of the WOG. is granted by the Marktenhof. 18. The Disputes Chamber wishes to provide clarity on this point, without prejudging on the assessment of the facts underlying the complaint and any infringements on the GDPR that could result from it. The Disputes Chamber refers to this Article 100 WOG 3, in which its decision-making power is determined in the context of a 3 Art. 100. § 1. The disputes chamber has the power to: 1 ° to dismiss a complaint; 2 ° order the non-prosecution; 3 ° order the suspension of the judgment; 4 ° propose a settlement; 5 ° to formulate warnings and reprimands; 6 ° order that the requests of the data subject to exercise his rights be complied with; 7 ° order that the person concerned is informed of the safety problem; 8 ° order that the processing be temporarily or permanently frozen, restricted or prohibited; 9 ° order that the processing is brought into conformity; 10 ° the rectification, limitation or deletion of data and the notification thereof to the recipients of the to order data; 11 ° order the withdrawal of the accreditation of certification bodies; 12 ° to impose penalties; 13 ° impose administrative fines; Decision on the merits 07/2021 - 10/25 procedure on the merits. This provision expressly provides that, in addition to many other measures, the Disputes Chamber also has the option to file a complaint in the proceedings on the merits to be dismissed (Article 100, §1, 1 ° WOG). The Disputes Chamber emphasizes that it is free to to dismiss complaints also at this stage for technical or policy reasons, in accordance with the conditions in the case law of the Marktenhof. 4 19. After this, the Disputes Chamber will investigate whether or not there has been any infringement of the GDPR and assess which sanction, if any, should be considered appropriate. 20. Contrary to what the complainant claims, the Marktenhof in its judgment of 2 September 2020 does not include any restrictions regarding the possible sanctions to be taken by the Disputes Chamber and the option to proceed with dismissal is therefore retained. It judgment explicitly states that the Disputes Chamber is free to make a new decision 5 and that this can indeed be a dismissal decision. After all, the judgment states that if the new decision would again be a dismissal decision, care must be taken that this new decision is properly justified. B. Investigation of the complaint as formulated with regard to the defendant 1 a. Subject of the complaint and rights of defense 21. Respondent 1 accuses the complainant of extending the complaint in the reply. Because the complainant did not include this argumentation in the original complaint, but only in the conclusion, respondent 1 is of the opinion that his rights of defense have been violated. Respondent 1 14 ° the suspension of cross-border data flows to another State or an international institution to command; 15 ° transfer the file to the public prosecutor's office in Brussels, who informs it of the consequences that is given to the file; 16 ° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. § 2. If, after application of § 1, 15 °, the public prosecutor refrains from instituting criminal proceedings, an amicable propose a settlement or mediation in criminal matters referred to in Article 216ter of the Code of Criminal Procedure, or if the Public Prosecution Service has not taken a decision within a period of six months from the day upon receipt of the file, the Data Protection Authority decides whether the administrative procedure should be resume. 4 Judgment of the Marktenhof dated 2 September 2020, 9.4. 5 The judgment of the Marktenhof dated September 2, 2020 states in 9.11. “Is the dismissal decision - as in this case - not sound motivated, it will be destroyed. In that case, the Disputes Chamber is free to make a new decision and if that would again be a dismissal decision, to ensure that this new decision is properly substantiated this time is. ” Decision on the merits 07/2021 - 11/25 adds that in the complaint no legal rules are invoked, affecting his rights of defense would also have been violated. 22. The Disputes Chamber establishes that the complaint becomes as it is with regard to respondent 1 formulated, contains two elements: - the refusal by respondent 1 to allow the complainant access to personal information data - the sending by respondent 1 of an e-mail with 32 attachments concerning the complainant through which this information would allow access to personal activities, finances and personal data of the complainant, to respondent 2, the complainant's former associate. This information would be provided without the consent of the complainant. 23. The Disputes Chamber is of the opinion that the complainant's statement of reply is both of these repeats elements and the complainant does exactly what defendant 1 puts forward in his conclusion of answer in which he states that the complainant should further explain her complaint, stating of the invoked legal rules, in order to give respondent 1 the opportunity to act to be able to conclude in an appropriate manner. 24. Although Respondent 1 thus had the opportunity to respond to this in his Opinion of reply and to fully exercise his rights of defense, respondent 1 limits himself to it to state only that the legal and factual discourse contained in the statement of defense of the the complainant has been disputed and this should be clear in both fact and in law and the complainant on which it attempts to substantiate its claims. 25. The Disputes Chamber emphasizes that impartial and fair treatment of the entire trajectory must be assured. The rights of defense of defendant 1 are not violated, because he has been given the opportunity to fully present his argument by means of its claims, at least by means of its statement of reply. 26. With regard to the defense against the complainant, namely that it must be clear provide information about the evidence on which its allegations are based, the Dispute Chamber points out reiterate that filing a complaint for those affected whose personal data 6 processed should be straightforward. More specifically, the Dispute Chamber notes that it is up to each of the parties to make the alleged violations or rebuttal to provide the necessary evidence of this. The complainant does not have to submit this proof in the complaint itself 6 See more in detail Decision on the merits 05/2021 of 22 January 2021, 11. Decision on the merits 07/2021 - 12/25 lay. It is up to the Dispute Chamber to assess the alleged violations deemed sufficiently proven to be considered as an infringement of the GDPR. The Dispute Chamber has considerable discretion in determining the scope of the procedure. 7 The lack of supporting documents for certain assertions cannot be made by the counterparty invoked as a violation of its rights of defense. b. Lawfulness of the processing 27. The complainant argues that any legal basis for the processing of the personal data of the complainant by defendant 1 completely lacks both as far as it is still under itself keeping the complainant's accounts, as well as for the processing of personal data consists of forwarding the e-mail with attachments to defendant 2. 28. First of all, the Dispute Chamber points out that as far as it is concerned, it is still retained of the complainant's accounts, based on the elements available to it, it cannot assess the extent to which the documents relating to the complainant's accounts hold them are still required by respondent 1 in the context of the existing dispute between respondent 1 and respondent 2. The Disputes Chamber will only examine below to what extent the forwarding the e-mail with attachments to respondent 2 can be considered lawful. 29. Respondent 1 admits that the email was indeed addressed to Respondent 2 as one of the recipients, but that this was the result of a one-time human error involving personal data concerning the complainant was unintentionally sent to respondent 2. He light admits that at the root of this mistake is the fact that e-mails were sent for many years sent to both the complainant and respondent 2 in the context of the notary association between both. He specifies that the e-mail that is the subject of the complaint has both attachments relating to the notary's association, as appendices relating to the personal partnership of the complainant. Respondent 1 argues that such unintentional, no intentional act, cannot give rise to an infringement of the GDPR. 30. The Disputes Chamber draws attention to the presence or absence of an intention does not constitute a criterion for the processing of personal data within the meaning of Article 4.2) GDPR. 8 7 See, inter alia, Decision on the merits 05/2021 of 22 January 2021, 10-13. 8 Art. 4. GDPR For the purposes of this Regulation: […] Decision on the merits 07/2021 - 13/25 Even if respondent 1 did not intend to send the email to respondent 2, the mere fact that the e-mail was actually sent to defendant 2 is sufficient for this shipping as processing. 31. The sending by Respondent 1 to Respondent 2, of an email containing 32 attachments regarding the complainant through which this information would give access to personal activities, finances and personal data of the complainant, constitutes a processing of which the lawfulness must be be checked. 32. In accordance with article 5.1. b) GDPR may allow the processing of personal data for other purposes other than those for which the personal data were initially collected permitted if the processing is compatible with the purposes for which the personal data initially collected. Taking into account the criteria included in article 6.4. AVG and Recital 50 of the GDPR must thus be ascertained whether the further processing, in this case the forwarding the email with attachments to respondent 2, whether or not it is compatible with the initial processing consisting of keeping the accounts of the complainant's company by respondent 1. The reasonable expectations of the involved an important role. The Disputes Chamber reaches the decision that the complainant should appeal has performed on the services of defendant 1 solely for the purposes of accounting its company and it could not reasonably be expected that respondent 1 would accept that share data with respondent 2. 33. This leads to the finding that there is no compatible further processing, so that a separate legal basis is required for the communication of the personal data of the complainant to respondent 2 could be considered lawful. 34. Processing of personal data, including incompatible further processing as in the present case, is only lawful if there is a legal basis for this. For incompatible further processing operations, it is necessary to fall back on article 6.1. AVG and 2) 'processing' means an operation or a set of operations relating to personal data or a set of personal data, whether or not carried out by automated processes, such as collecting, recording, organizing, structure, save, update or change, retrieve, consult, use, provide by means of transmission, disseminate or otherwise make available, align or combine, shield, erase or destroy data; 9 Recital 50 GDPR: […] To determine whether a purpose of further processing is compatible with the purpose for which the personal data were initially collected, the controller must, after he has complied with all rules on lawfulness of the original processing, including taking into account: a possible link between those purposes and the purposes of the intended further processing; the framework in which the data was collected; in particular, the reasonable expectations of data subjects based on their relationship with the controller regarding its further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and appropriate safeguards for both the original and the intended further ones processing. Decision on the merits 07/2021 - 14/25 10 recital 50 GDPR. Recital 50 of the GDPR states that this is a separate legal basis required for the processing of personal data for other purposes that are incompatible with the purposes for which the personal data was initially collected. That separate legal grounds on the basis of which a processing, including incompatible further processing, which can be considered lawful, are provided in article 6.1. AVG. 35. To this end, the Disputes Chamber examines the extent to which the legal grounds as determined in Article 6.1. GDPR can be invoked by defendant 1 in order to further process the justify personal data relating to the complainant. 36. Respondent 1 himself does not mention any legal basis which would allow him to transfer proceed to the data processing that is the subject of the complaint, being the forwarding of the e-mail to Respondent 2. In addition, Respondent 1 expressly admits that this forwarding was a mistake and it was by no means the intention to send the email as well respondent 2. Respondent 1 therefore does not argue that such forwarding was allowed take place and therefore does not try to justify it by relying on any legal basis. 37. On the basis of the factual elements present in the file, the Disputes Chamber proceeds ex officio whether a legal ground can be invoked, if any, that respondent 1 would allow over to proceed until the e-mail is sent to the defendant. 2. The Disputes Chamber will investigate this whether the sending of the e-mail containing the complainant's personal data can be based on any legitimate interest on the part of respondent 1 (Article 6.1. f) GDPR). 38. The other legal grounds included in Article 6.1. points a), b), c), d) and e) GDPR are in present case not applicable. 39. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European Union (hereinafter “the Court”) three cumulative conditions must be fulfilled for a controller can validly invoke this ground of lawfulness, “te know, in the first place, the promotion of a legitimate interest of the controller or of the third party (ies) to whom the data are provided, in the second, the necessity of the processing of personal data for the purpose of 10 Recital 50 GDPR: The processing of personal data for purposes other than those for which the personal data initially collected should only be allowed if the processing is compatible with the purposes for which the personal data was initially collected. In such case, no separate legal basis other than that on grounds for which the collection of personal data was permitted. […] Decision on the merits 07/2021 - 15/25 the legitimate interest, and, thirdly, the condition that the fundamental rights and freedoms of the person concerned with data protection do not prevail ”(judgment “Rigas”). 40. In order to be able to rely on the ground of lawfulness of the "Legitimate interest", in other words, must be indicated by the controller show that: the interests pursued by this processing can be justified be recognized (the “target test”); the intended processing is necessary for the realization of these interests (the “necessity test”); and the balancing of these interests against the interests, fundamental freedoms and fundamental rights of data subjects weighs in favor of the controller (the “balancing test”). 41. With regard to the first condition (the so-called “target test”), the Disputes Chamber of consider that the purpose of reaching all parties involved at the same time by sending a single email with attachments to all parties involved interests, must be considered as performed for a legitimate interest. The interest that respondent 1 pursued as controller may be similar Recital 47 GDPR can be considered justified in itself. Consequently, it is satisfied the first condition contained in Article 6.1, f) GDPR. 42. In order to fulfill the second condition, it must be demonstrated that the processing necessary for the achievement of the objectives pursued. This means more stipulates that the question should be asked whether the same result can be achieved by other means are achieved without processing of personal data or without unnecessarily invasive processing for the data subjects. 43. Based on the purpose, being to reach all parties involved by means of sending a single e-mail with attachments affecting all parties involved serves the The litigation chamber found that the email contained both attachments pertaining to the notary association between the complainant and respondent 2 as well as annexes relating to the personal partnership of the complainant. In order to avoid mixing of both types of attachments avoid, Respondent 1 could have simply sent an email to the complainant and respondent 2 with the appendices relating to the notary association between the complainant and defendant 2 and a separate email addressed only to the complainant with the attachments provided related to her personal partnership. The second condition is thus not Decision on the substance 07/2021 - 16/25 met because the principle of minimum data processing (Article 5.1. c) GDPR) was not complied. 44. In order to verify whether the third condition of Article 6.1, f) GDPR - the so-called “Balancing test” between the interests of the controller, on the one hand, and the fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled, should reasonable, in accordance with Recital 47 GDPR expectations of the data subject. More specifically, it should be evaluated whether “data subject at the time and in the context of the collection of the personal data is reasonably permitted expect processing to take place for that purpose ”. 45. This is also emphasized by the Court in its judgment “TK t / Asociaţia de Proprietari bloc M5A- ScaraA ”of December 11, 2019, in which it states: “Also relevant to this assessment are the reasonable expectations of the data subject that are or her personal data will not be processed when, in the circumstances of the case, the data subject cannot reasonably further process the data expect". 46. With regard to this third condition, the Disputes Chamber can only establish that the complainant is on could not expect a single moment to share the attachments pertaining to her personal partnership with defendant 2. 47. The Disputes Chamber is of the opinion that all of the elements set out demonstrate that Respondent 1 cannot rely on any legal basis proving the legality of the data processing as set up by him. Moreover, respondent 1 disputes the facts and states that in the relevant e-mail that is the subject of the complaint the Respondent 2's email address was placed in the “CC” field, although not intentionally happened. By doing so, he indicates that he has infringed the processing of the personal data of the complainant. The Disputes Chamber thus decides that the infringement of Article 5.1 b) in conjunction with Article 6.4. AVG, on article 5.1 a) in conjunction with article 6.1. AVG and on article 5.1 c) GDPR has been proven. 48. The complainant also submits that respondent 1 applies the principles of transparency (Article 5.1 a) GDPR, Articles 12 and 13 GDPR) and propriety (Article 5.1 a) GDPR). In that regard 11 See in the same sentence: Decision on the merits 03/2021 of 13 January 2021 Decision on the merits 07/2021 - 17/25 the Disputes Chamber is of the opinion that in view of the fact that the forwarding was an error and it was by no means the intention to also send the e-mail to defendant 2, defendant 2 had not foreseen that such forwarding would occur. This stems from the very nature of a mistake. In the absence of any intention to send the email to Respondent 2, Respondent 1 also failed to comply with the principles of transparency and fairness that require that certain communications prior to the forwarding by defendant 1 to defendant 2 should have happened. However, the breach of these principles does not affect in any way the sanction imposed by this decision, in view of the fact that an error was the basis lay of data processing. 49. Taking into account the fact that respondent 1 claims that the necessary steps were taken immediately to from defendant 2 to obtain the removal of the e-mail and became counsel for the complainant informed of the confirmation of this removal by Respondent 2, proving that Respondent 1 acted in good faith, as well as the fact that the infringement was only for a first time, the Disputes Chamber is of the opinion that it is appropriate to refer to respondent 1 to formulate a reprimand. In view of these circumstances, the Disputes Chamber sees from imposing an administrative fine. c. Right of access 50. The complainant argues that respondent 1 refuses to allow inspection and to provide a copy of the complete accounts of its sole proprietorship. Respondent 1 asserts in this regard does not specifically state any position in his conclusions, but merely indicates that he does not have any fact is expressly recognized in his claims, is disputed by him. 51. The Disputes Chamber finds that the complainant does not provide any document proving the refusal respondent 1 to allow access to its complete accounts sole proprietorship appears. Consequently, the Disputes Chamber cannot proceed with the determination of any infringement by respondent 1 of the complainant's right of access (Article 15 GDPR). d. Security of processing and data breach 52. The complainant argues that respondent 1, in application of Article 33 GDPR, meets the Data protection authority should have reported that forwarding the personal data of the complainant to respondent 2, an infringement related to personal data. Decision on the merits 07/2021 - 18/25 53. The Disputes Chamber explains that Article 33 GDPR relates to violations regarding the security of personal data as described in Article 32 GDPR. Recital 83 GDPR 12 determines that the controller has appropriate technical and organizational take measures to limit data security risks. 54. The Disputes Chamber finds that the access that respondent 2 has been given to the personal data of the complainant is not related to insufficient technical and organizational measures that defendant 1 would have taken to protect the personal data of the complainant against security risks. The email was addressed by respondent 1 to both the complainant and respondent 2. The fact that the e-mail has reached respondent 2 cannot associated with a security problem for the personal data that are processed by defendant 1. The Disputes Chamber is of the opinion that none security measure may be to completely rule out the possibility that human error causes a e-mail is sent to an unintended recipient. It cannot be decided thus that defendant 1 by sending the email to defendant 2 insufficient action would have taken to protect the complainant's personal data from security risks, so that no violation of Articles 32 and 33 GDPR can be established. C. Investigation of the complaint as formulated with regard to the defendant 2 a. Processing and controller 55. Respondent 2 disputes that there would be any processing of personal data on his part ground, within the meaning of Article 2.1. AVG. He argues that since he is merely in his capacity of the recipient of the e-mail in question, there can be no processing at all lack of any initiative on his part. Respondent 2 is of the opinion that a processing involves an intentional element to be able to use personal data. 12 Recital 83 GDPR: In order to ensure security and to prevent the processing from infringing this Regulation, the controller or processor should assess the risks inherent in the processing and take measures, such as encryption, to limit those risks. Those measures should be at an appropriate level of safeguard security, including confidentiality, taking into account the state of the art and the implementation costs set against the risks and the nature of the personal data to be protected. When assessing the data security risks, attention should be paid to risks arising from personal data processing, such as the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the data transmitted, stored or otherwise processed, whether accidentally or unlawfully, which in particular leads to physical, material or immaterial damage. Decision on the merits 07/2021 - 19/25 56. With regard to the notion of "processing", the Disputes Chamber notes that this concept is defined in Article 4.2) GDPR, and clearly delineated. Just receiving personal data does not constitute processing within the meaning of Article 4.2) GDPR. On the other hand, must consult it, as well as forward the e-mail with the corresponding attachments contain personal data, indeed as processing within the meaning of the GDPR considered. Although respondent 2 argues that he has not taken note of the annexes to the e-mail in question and therefore no consultation took place, he admits that he received the e-mail to his counsel, thus making it unmistakably established that the defendant 2 has provided personal data by means of forwarding within the meaning of Article 4.2) GDPR and must defendant 2 on this aspect, consisting of forwarding the email with attachments containing personal data about the complainant, if controller 14 within the meaning of Article 4. 7) GDPR, because he has the determines the purpose and means of this transmission. He simply cannot be himself label as recipient 15 of the email within the meaning of Article 4.9) GDPR, since defendant 2 has not limited himself to receiving the e-mail, but because he has it in turn forwarded, he has himself as to that forwarding to controller. By that act he received the after all, personal data used for its own purpose 16. Given its capacity as controller with regard to the transfer, respondent 2 cannot, and this contrary to what he argues, be considered third 17 within the meaning of Article 4.10) 13 Art. 4. GDPR For the purposes of this Regulation: […] 2) 'processing' means an operation or a set of operations relating to personal data or a set of personal data, whether or not carried out by automated processes, such as collecting, recording, organizing, structure, save, update or change, retrieve, consult, use, provide by means of transmission, disseminate or otherwise make available, align or combine, shield, erase or destroy data; 14 Art. 4. GDPR For the purposes of this Regulation: […] 7) 'controller' means a natural or legal person, public authority, agency or other body that determines, alone or together with others, the purpose and means of the processing of personal data; where the purposes and means of such processing become in Union or Member State law determined, it may determine who the controller is or according to which criteria he becomes designated; 15 Art. 4. GDPR For the purposes of this Regulation: […] 9) 'recipient' means any natural or legal person, public authority, agency or other body, whether or not a third party to whom / to whom the personal data are provided. […] 16 Guidelines of the European Data Protection Board 07/2020 on the concepts of controller and processor in the GDPR (p. 29): “A third party recipient shall be considered a controller for any processing that it carries out for its own purpose (s) after it receives the data. ” 17 1 Art. 4. GDPR Decision on the substance 07/2021 - 20/25 AVG. His statement that he deleted the e-mail with attachments after the forwarding does this no detriment. 57. For the sake of completeness, the Disputes Chamber notes that respondent 2 does not provide proof that his counsel has also proceeded to delete the e-mail with attachments, as Article 19 GDPR implies an obligation for the controller to inform each recipient to whom personal data have been provided, of any erasure of personal data in accordance with Article 17 GDPR, unless this proves impossible or requires a disproportionate effort. On this basis, Respondent 2 should also have had to delete the email in question requests regarding his counsel in his capacity as recipient of the by defendant 2 forwarded email. 58. The Disputes Chamber also adds that with regard to the plaintiff's assertion that defendant 2 is jointly controller with respondent 1, it considers that none piece of the file demonstrates this assertion. After all, the complainant bases this allegation solely on an oral statement allegedly made by respondent 1 at the last meeting which the complainant had with defendant 1. It would then have been declared that defendant 2 to defendant 1 had instructed not to deliver any document to the complainant without his notification was informed. There is no evidence whatsoever for this one-sided allegation of the complainant so that there is no reason for the Disputes Chamber to assume that both defendants acted as joint controllers. b. Admissibility of the complaint 59. Although defendant 2 denies that there would be any data processing on his behalf it appears from the above that based on the factual elements, the Dispute Chamber has determined that Respondent 2, as controller for the forwarding of the e-mail mail to his counsel should be considered. 60. The complainant argues in the reply that the forwarding of the e-mail by respondent 2 is processing to his counsel for which respondent 2 de is the controller and states that it is not accused that respondent 2 has the data of For the purposes of this Regulation: […] 10) 'third party' means any natural or legal person, public authority, agency or other body other than the data subject, nor the controller, nor the processor, nor any person under the direct authority of the controller or processor are authorized to process the personal data; Decision on the merits 07/2021 - 21/25 the complainant has forwarded it to his lawyer, but that respondent 2 has forwarded that information to him in violation of the GDPR, then used as a document in the dispute against the complainant. 61. The latter, being that "it is not accused that respondent 2 has the complainant's data forwarded to his attorney, but that defendant 2 violates that information sent to him with the GDPR, then used as a document in the dispute against the complainant "is by respondent 2 seized to argue that the complaint should be declared inadmissible. 62. As the complainant maintains in the reply that "the use by respondent 2 of the email against the complainant "is the problem and not merely" the forwarding by itself. " Respondent 2 of that e-mail to his counsel ", as formulated in the complaint," believes Respondent 2 to be able to argue that the complainant in the reply is suddenly a completely new one claim / violation. In that view, the complaint would not meet the requirement of Article 60 (2) WOG which states that a complaint is admissible when it is an explanation of the facts, as well as the necessary indications for identifying the processing on which they relates. Because the violation of the GDPR alleged in the complaint is fundamental would be different from those set out in the complainant's reply, it would meet this requirement have not been met. 63. The Disputes Chamber notes that the complainant already referred to in the initial complaint document 7, which was attached to the complaint as an appendix. That piece is exactly an email from the counsel for the complainant, which is addressed to the complainant himself in order to inform the latter of the to notify that the email forwarded by defendant 2 to his counsel concerning personal data of the complainant "as a document" is communicated by defense counsel 2 to the complainant's counsel. The complainant repeats this fact with reference to the same document in the reply. The problem that the e-mail is used "as piece" in a pending proceedings between the complainant and respondent 2 are thus not new like respondent 2 tries to make it appear. The Disputes Chamber therefore decided that Article 60, paragraph 2, became WOG respected, the admissibility of the complaint has not been affected and the rights of defense are respected. 18 c. Lawfulness of the processing 64. Respondent 2 argues that the only act he has committed is the forwarding of the e-mail to his counsel and that this was done lawfully on the basis of a specific legal basis that 18 See also the statements in point 26 regarding respondent 1. Decision on the merits 07/2021 - 22/25 lawyers to receive information from their clients. To this end, he refers to Article 237 of the Codex Deontology for Lawyers and Advice 1/2010 on the concepts “for the controller ”and“ processor ”of the Article 29 Data Protection Working Party, 19 approved on February 16, 2010, to state that any legal information is allowed deliver to his / her lawyer. To judge otherwise would, according to respondent 2, have the effect that there would be a prohibition on passing on information to counsel insofar as that information relates to personal data. 65. The complainant responds by stating that defendant 2, wrongly, argues that it would are allowed to transfer personal data obtained in violation of the GDPR from a counterparty to a lawyer to use in this way against the opposing party. This is according to the complainant completely violates the GDPR. The complainant states that respondent 2 uses her personal data email has been forwarded to his attorney and has been used in the dispute against her without it to be able to rely on one of the legal grounds specified in Article 6.1 GDPR. 66. The Disputes Chamber finds that respondent 2 ignores the fact that he is in possession came from the e-mail at the hands of defendant 1 who forwarded it to him without it that there was some legal basis for this (see above). Forwarding by defendant 1 Respondent 2 was thus affected by a lack of legality. It's clear that defendant 2 - in his capacity as recipient - obtained them unlawfully personal data, in turn - this time in the capacity of controller - by forwarding it to his lawyer to send this email with subsequently use the complainant's personal data as a document in pending proceedings. 67. After all, a processing of personal data is only lawful if a legal basis exists. The Disputes Chamber can only establish that there are none legal basis as defined in article 6.1. GDPR the forwarding of the email by the defendant 2 to his counsel. Respondent 2 also does not rely on any legal basis article 6.1. AVG and explicitly confirms in its reply statement with regard to the legitimate interest (Article 6.1. f) GDPR) that he does not even invoke this legal basis. Respondent 2 relies only on Article 237 of the Codex Deontology for Lawyers confirming that the client's confidential communications to his attorney take place, which are covered by professional secrecy. The Disputes Chamber recognizes, of course the principle that a client must be able to make confidential statements to his lawyer, but this is only possible, insofar as it concerns personal data, on the condition that it 19 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf Decision on the merits 07/2021 - 23/25 personal data is processed in a manner that is lawful with regard to the data subject is (Article 5.1 a) GDPR and Article 6.1. GDPR). However, in the present case it appears that the forwarding to defense counsel for defendant 2, with disregard of the principle of legality in the absence of any legal basis as provided in Article 6.1. AVG. 68. The Disputes Chamber is of the opinion that the entirety of the elements set out demonstrates that Respondent 2 cannot rely on any legal basis proving the legality of the data processing as set up by him. The Disputes Chamber thus concludes the violation of article 5.1. a) GDPR and Article 6.1. AVG has been proven. 69. In addition to the breach of the principle of lawfulness, the complainant also submits that the transparency principle (Article 5.1. a), Article 12 and Article 14 GDPR) and the purpose limitation principle (Article 5.1. b) GDPR) would have been violated by respondent 2. 70. With regard to the purpose limitation principle, the Disputes Chamber draws attention to the fact that this principle requires personal data for specified, explicitly defined and justified 20 purposes are "collected". Of any collection for an expressly defined and legitimate purpose of the complainant's personal data by respondent 2 no way. He has merely received the email with personal data without this at all legal basis could be supported. Because he forwarded that data to appropriated his counsel, also without any legal basis, to use as a document defendant 2 assumes the capacity of controller, which in principle means that he to respect all applicable provisions of the GDPR, including the purpose limitation principle and the transparency principle. 71. Both principles could not be applied simply because the processing by defendant 2 is fundamentally affected by a lack of legal basis, so that the Disputes Chamber not in breach of the principle of transparency (Article 5.1. A), Article 12 and Article 14 GDPR) and the purpose limitation principle (Article 5.1. B) GDPR). Because the forwarding is unlawful by respondent 1 to respondent 2 ab initio, any processing by respondent 2 also unlawful for any own purpose. As for the transparency principle adds the Disputes Chamber that even if defendant 2 had the principle of transparency 20 Article 5.1. Personal data must: […] (b) collected for specified, explicit and legitimate purposes and may not be subsequently further processed in a manner incompatible with those purposes; further processing for archiving purposes the public interest, scientific or historical research or statistical purposes becomes in accordance with Article 89 (1) 1, not considered incompatible with the original purposes (“purpose limitation”); Decision on the merits 07/2021 - 24/25 endeavor to respect, the forwarding to his attorney and the use that is made of it made nonetheless remains unlawful. 72. Taking into account that Respondent 2 states that the email with attachments will be sent immediately first request was cleared, as well as that the infringement was committed only for the first time the Disputes Chamber is of the opinion that it is appropriate to order the defendant 2 to do so definitively prohibit the processing of the e-mail in question with attachments (art. 100, §1, 8 ° WOG), as well as to order the notification of this definitive prohibition to his counsel (Article 100, §1, 10 ° WOG) both for the processing of the e-mail with attachments that have already taken place and for these in the future. 73. In determining these sanctions, the Disputes Chamber also takes into account that the complaint is part of a broader conflict between the parties that is the subject of a arbitration procedure regarding financial matters and the refusal to hand over accounting and other documents in the context of the liquidation of the partnership in which the notary activity was exercised by the complainant and defendant 2, of which the Disputes Chamber notes that it is not the task of the Data Protection Authority to intervene with regard to aspects that do not relate to the processing of personal data. The Disputes Chamber therefore decides that, in the concrete factual circumstances of this case, the sanctions imposed are sufficient. Considering this In circumstances, the Disputes Chamber will refrain from imposing an administrative fine. D. No decision to dismiss 74. Although the Disputes Chamber in the context of the proceedings prior to the decision ten on the merits has proceeded to dismiss the complaint, is in the proceedings on the basis of the full statement of the factual elements in the claims of each of the parties, found that there have been breaches of fundamental principles of processing of personal data. As a result, the Disputes Chamber is of the opinion that a decision on the merits seeking to dismiss the complaint cannot be reconciled with the infringements established, but that, on the contrary, it is necessary to proceed to the following sanctions. E. Publication of the decision 75. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the GBA website. However, it is Decision on the merits 07/2021 - 25/25 does not need to be directly identifying the parties announced. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: with regard to the defendant 1, on the grounds of Article 100, §1, 5 ° WOG, a formulate a reprimand as a result of the infringement of article 5.1 b) in conjunction with article 6.4. AVG, op Article 5.1 a) in conjunction with Article 6.1. GDPR and Article 5.1 c) GDPR. with regard to respondent 2 as a result of the infringement of Article 5.1. a) GDPR and Article 6.1. GDPR: - on the basis of Article 100, §1, 8 ° WOG, to order the processing of the e-mail in question permanently ban with attachments; - on the basis of Article 100, §1, 10 ° WOG, to order notification of this final prohibition to his counsel both for the processing of the e-mail with attachments already occurred as well as for future processing. On the basis of article 108, §1 WOG, an appeal can be lodged against this decision within a period of thirty days from the notification at the Marktenhof, with the Data protection authority as defendant. Hielke Hijmans Chairman of the Disputes Chamber