APD/GBA (Belgium) - 01/2024: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=01/2024 |ECLI= |Original_Source_Name_1=APD/GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-01-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_...") |
m (→Facts) |
||
(One intermediate revision by one other user not shown) | |||
Line 71: | Line 71: | ||
}} | }} | ||
The Belgian DPA | The Belgian DPA found that a controller violated [[Article 5 GDPR#1|Article 5(1) GDPR]] for not timely deleting a former employee's mailbox. The DPA stated that the mailbox must be deactivated on the last work day and the auto-reply within one month or 3 months in some exceptions. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
A data subject worked at the | A data subject worked at the controller for about ten months, until 6 June 2023. During his employment, a Microsoft account was created. | ||
After the employment contract was terminated, the data subject filed an access request with the controller requesting information on which data the controller was still processing but did not receive a response. | |||
The data subject claimed that his professional mailbox was still active because when he had sent an email to this address, he had received a delivery confirmation. Thus, on 24 October 2023, the data subject filed a complaint with the Belgian DPA. | |||
=== Holding === | === Holding === | ||
The DPA held that | The Belgian DPA held that to comply with the purpose limitation principle ([[Article 5 GDPR#1b|Article 5(1)(b) GDPR]]), in combination with the principles of data minimisation ([[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]) and storage limitation ([[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]), the controller should have provided the mailbox of the data subject with an automatic notification no later than his last day and he should have been informed in advance of this. | ||
The DPA stated that this automatic message alerts all subsequent correspondents that the data subject is no longer performing his activities within the controller and should be in place for a reasonable period of time, in principle 1 month. Depending on the context and the degree of responsibility exercised by the employee, a longer period may be allowed, not exceeding 3 months. | |||
In this instance, the DPA confirmed that the period could have been between 1 and 3 months and that it should have been extended only after the data subject gave his consent. Indeed, since the data subject ended his employment on 6 June 2023, the email address should have been closed on 6 July 2023 or 6 September 2023. Meanwhile, the data subject proved that on 13 November 2023, the email was still active. Therefore, the DPA found a violation of [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]], [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] and [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. | |||
In terms of legal basis, the DPA acknowledged that the legal basis for this processing activity could be the legitimate interest of the controller to ensure the proper functioning of the company under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. However, the DPA noted that there was no evidence proving that the controller informed the data subject of the applicable legal basis. Consequently, it can be said that the controller processed the data subject's personal data against his expectations. Thus, the DPA found that there was no legal basis applicable to the processing of the email address after the termination of the contract between the data subject and the controller. Thus, the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]]. | |||
For not closing the professional mailbox | For not closing the professional mailbox on time, the DPA issued a warning to the controller. | ||
Regarding the access request, the DPA held that the controller | Regarding the access request, the DPA held that the controller infringed the right to access of the data subject since there is no proof that the controller ever responded, breaching [[Article 15 GDPR#1|Article 15(1) GDPR]], in conjunction with [[Article 12 GDPR|Article 12(3) and (4) GDPR]]. Hence, the DPA ordered the controller to comply within 30 days after the decision. | ||
== Comment == | == Comment == | ||
''Comment from the original contributor:'' | |||
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller can still demand for a procedure if it does not agree. | As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller can still demand for a procedure if it does not agree. | ||
Latest revision as of 16:10, 19 March 2024
APD/GBA - 01/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 5(1)(b) GDPR Article 6(1)(f) GDPR Article 12 GDPR Article 13(1)(c) GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 24.10.2023 |
Decided: | 05.01.2024 |
Published: | 05.01.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 01/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | APD/GBA (in NL) |
Initial Contributor: | Matthias Vandamme |
The Belgian DPA found that a controller violated Article 5(1) GDPR for not timely deleting a former employee's mailbox. The DPA stated that the mailbox must be deactivated on the last work day and the auto-reply within one month or 3 months in some exceptions.
English Summary
Facts
A data subject worked at the controller for about ten months, until 6 June 2023. During his employment, a Microsoft account was created.
After the employment contract was terminated, the data subject filed an access request with the controller requesting information on which data the controller was still processing but did not receive a response.
The data subject claimed that his professional mailbox was still active because when he had sent an email to this address, he had received a delivery confirmation. Thus, on 24 October 2023, the data subject filed a complaint with the Belgian DPA.
Holding
The Belgian DPA held that to comply with the purpose limitation principle (Article 5(1)(b) GDPR), in combination with the principles of data minimisation (Article 5(1)(c) GDPR) and storage limitation (Article 5(1)(e) GDPR), the controller should have provided the mailbox of the data subject with an automatic notification no later than his last day and he should have been informed in advance of this.
The DPA stated that this automatic message alerts all subsequent correspondents that the data subject is no longer performing his activities within the controller and should be in place for a reasonable period of time, in principle 1 month. Depending on the context and the degree of responsibility exercised by the employee, a longer period may be allowed, not exceeding 3 months.
In this instance, the DPA confirmed that the period could have been between 1 and 3 months and that it should have been extended only after the data subject gave his consent. Indeed, since the data subject ended his employment on 6 June 2023, the email address should have been closed on 6 July 2023 or 6 September 2023. Meanwhile, the data subject proved that on 13 November 2023, the email was still active. Therefore, the DPA found a violation of Article 5(1)(b) GDPR, Article 5(1)(c) GDPR and Article 5(1)(e) GDPR.
In terms of legal basis, the DPA acknowledged that the legal basis for this processing activity could be the legitimate interest of the controller to ensure the proper functioning of the company under Article 6(1)(f) GDPR. However, the DPA noted that there was no evidence proving that the controller informed the data subject of the applicable legal basis. Consequently, it can be said that the controller processed the data subject's personal data against his expectations. Thus, the DPA found that there was no legal basis applicable to the processing of the email address after the termination of the contract between the data subject and the controller. Thus, the controller violated Article 6(1) GDPR.
For not closing the professional mailbox on time, the DPA issued a warning to the controller.
Regarding the access request, the DPA held that the controller infringed the right to access of the data subject since there is no proof that the controller ever responded, breaching Article 15(1) GDPR, in conjunction with Article 12(3) and (4) GDPR. Hence, the DPA ordered the controller to comply within 30 days after the decision.
Comment
Comment from the original contributor:
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller can still demand for a procedure if it does not agree.
Regarding the mailbox it is interesting to note that the DPA has confirmed it stance since many years (see for example decision 64/2020 of the Belgian DPA). Controllers would do best to prepare for this situation in advance and include clear procedures (e.g., in an IT-policy).
In the legal doctrine the maximum period of three months is often disputed. It is generally held that, depending on the circumstances, a longer period could be justifiable. For example, someone who often came into contact with clients and worked for many years with the controller.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/11 Dispute Chamber Decision 01/2024 of January 5, 2024 File number: DOS-2023-04440 Subject: Failure to close a professional mailbox and insufficient follow-up to the exercise of the right of access The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”; In view of the internal rules of order, as approved by the House of Representatives Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has made the following decision regarding: Complainant: X, hereinafter “the complainant”; The defendant: Y, with registered office in [...], hereinafter “the defendant”. Decision 01/2024 – 2/11 I. Facts and procedure 1. The subject of the complaint concerns the failure to comply with a request inspection and failure to close the professional mailbox in time after departure employee. 2. The complainant explains the facts as follows. From August 1, 2022 to June 6, 2023, the company had of the complainant entered into a contract with the defendant. The complainant states that he is in the performance of that contract has been employed by the defendant. In this context there was created a Microsoft account for him. According to the complainant, certain of the rights from the account had already been withdrawn from the defendant before his departure, but would it e-mail address [...] with mailbox still exist. The complainant states that he has addressed a letter to the defendant asking which of his personal data are still being processed, but would not have received an answer. The complainant also states that after the departure of an ex-colleague, emails were still sent in the name of this ex-employee. 3. On October 16, 2023, the defendant will be given notice of default by the complainant. In this notice of default, a request for inspection will be included. The complainant currently has have not yet received a response from the defendant after filing the complaint. 4. On October 24, 2023, the complainant will submit a complaint to the Data Protection Authority against the defendants. 5. On November 13, 2023, the complainant allegedly notes that his old professional mailbox still existed. After all, the complainant himself sent an email to the old mailbox and received a delivery confirmation. The complainant forwards this confirmation to the First line service. On December 19, 2023, the complainant confirms that he has not yet received an answer received from the defendant upon his request for access. On January 3, 2024 The complainant submits a new delivery note to the Dispute Chamber on the basis of which The complainant states that the mailbox in question had not yet been closed on that date. 6. On November 17, 2023, the complaint will be declared admissible by the First Line Service on 1 on the basis of Articles 58 and 60 of the WOG and the complaint is filed on the basis of Article 62, 2 § 1 of the WOG transferred to the Disputes Chamber. II. Justification 7. The elements in this case are divided into two different processes. On the one hand it is there is an alleged failure to clean the complainant's former business mailbox removal, on the other hand there is insufficient follow-up to the exercising the right of inspection of the complainant. The allegations regarding the sending of 1 In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible. declared. 2In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to has been transferred to her as a result of this complaint. Decision 01/2024 – 3/11 emails in the name of a former employee are not part of this decision as the complainant, on the one hand, does not provide evidence and, on the other, the alleged dispute processing does not concern his personal data and he has no power of attorney to do so submits. II.1. As for the failure to delete the mailbox 8. The Disputes Chamber was taken by the complaint that the professional had not been concluded e-mail address in the name of the complainant and the respondent concerned after the termination of the contractual relationship. Purpose limitation principle as referred to in Article 5.1.b) GDPR in combination with the non- compliance with articles 5.1.c) (data minimization) and 5.1.e), GDPR (storage limitation) 9. Any processing of personal data must be in line with the principles such as included in article 5.1 GDPR. Article 5.1.b) of the GDPR reinforces it purpose limitation principle, being the requirement that the data be collected for specific, expressly described and legitimate purposes and no further are processed in a manner that is incompatible with those purposes. Also the principle of minimum data processing – under which only data is allowed processed that are adequate, relevant and limited to what is necessary with regard to the purpose (Article 5.1.c.) of the GDPR) – and the principle of limited retention period - under which the data may not be retained in any form which allows those involved to be identified and no longer allowed to be identified kept as necessary in relation to the purposes for which they are processed (Article 5.1.e) of the GDPR) apply to the processing of personal data. 10. These principles and the resulting obligations for the controller also apply to the rights of the data subject, as the data subject is in accordance with Article 17.1. a) AVG has the right to obtain from the controller to request the deletion of data concerning him obtain if this data is no longer necessary for the purposes for which they were collected or processed. 11. The email address that is the subject of the complaint and the information constitutes a personal data within the meaning of Article 4.1) of the GDPR, as it relates to information about an identified or identifiable natural person. This email address and the associated mailbox, which is used for professional purposes in the context of the activities of the defendant were created were intended to enable the complainant to receive and send emails in the context of its activities for the defendant. 12. The Disputes Chamber is of the opinion that in order to comply with the purpose limitation principle (Article 5.1.b) GDPR), in combination with the principles of minimum data processing Decision 01/2024 — 4/11 (Article 5.1.c) GDPR) and storage limitation (Article 5.1.e) GDPR), to the controller is the holder of the mailbox that fulfills his function or has ceased activities, and must be provided with a certificate no later than on the day of his actual departure automatic message. The holder must be notified in advance of this. This automatic message warns all subsequent correspondents that the data subject are no longer carries out activities within the company and provides the contact details of the person (or general email address) who should be contacted instead and this for a reasonable period (a priori 1 month). Depending on the contexts in particular the degree of responsibility that the person concerned exercises may be a longer period be allowed, ideally no longer than three months. The extension must happen with the consent of the person concerned or at least after the extension has been terminated has been notified. Moreover, an alternative solution must be found as soon as possible be searched for and entered without the deadline for this extension having to expire are awaited. However, this does not alter the fact that after the termination of his function that the person concerned can still have access to for a certain period mailbox if there is an agreement between him and the controller. 3 This gives the employee the opportunity to: for example, to complete the current files.4 13. The Disputes Chamber establishes that prima facie the defendant has not complied with all the provisions of the Dispute chamber regarding the management of e-mail accounts of former employees 5 seems to have been complied with, although a processing of the business mailbox is in principle 6 legitimate . Since the activities of the complainant for the defendant were terminated on June 6, 2023, the Disputes Chamber is of the opinion that the processing of his personal data based on the relevant email address and mailbox within a should have been terminated within a reasonable period and the complainant should have been notified informed.The Disputes Chamber is of the opinion that this period could have varied from 1 to 3 months where, as mentioned, the senders of messages to the 3In its recommendation CM/Rec (2015)5 on the processing of personal data in the context of the employment relationship, it states the Committee of Minister of the Council of Europe in principle 14.5 the following: when an employee his or her job leaves, the employer must take technical and organizational measures to ensure that the email from the employee is automatically deactivated. If the contents of the email must be requested for good functioning of the organization, the employer must take appropriate measures to retrieve the contents of the email before the employee's departure and, if possible, in his presence. The explanation accompanying the recommendation states further (para. 122) that in these situations where the employee leaves the organization, the employer retains the account of the former employee must deactivate so that there is no longer access to the former employee's communications after his departure. If the employer wishes to recover the contents of the employee's account, the employer must take the necessary steps to take steps before the employee's departure, preferably in his presence. This sectoral recommendation that and completes the Convention for the Protection of Individuals with regard to Automated Processing personal data (STE108), illustrates how the principles regarding purpose limitation, minimal data processing proportionate retention, which are confirmed in both this Treaty and the GDPR, should be applied. 4Cf. decisions 64/2020 and 133/2021. 5Cf. decisions 64/2020 and 133/2021. 6Cf. decision 64/2020, legal basis. 29 et seq. and decision 133/2021 para. 56 et seq. Decision 01/2024 - 5/11 relevant email address were automatically informed that the data subject was no longer active within the company, and therefore without the intervention of any third party person. Possibly (if so agreed between both parties) and in general such a period could also cause a departing employee still has temporary access to the information in the mailbox of his former partner client. 14. The complainant indicates that the agreement between his acting defendant has expired since June 6, 2023. This means, given the above, that the email address would must be closed on July 6, 2023, or no later than September 6, 2023. The complainant argues that this is not the case. In support of this claim, the claimant sends a piece This should demonstrate that the mailbox was not closed in time. This concerns: a delivery note dated. November 13, 2023 that an email was successfully delivered to the disputed email address. This leads the Disputes Chamber to suspect that the defendant has committed an infringement of Article 5.1.b), Article 5.1.c) and Article 5.1.e). From the pieces it does not appear that the complainant had not received any information regarding the further use of his mailbox and his e-mail address, nor that there was anything between the parties in this regard agreed. 15. This leads the Disputes Chamber to suspect that the defendant has committed an infringement committed under Article 5.1 b, Article 5.1.c) and Article 5.1 e) GDPR. Lawfulness of the processing 16. Article 6 of the GDPR requires that all processing must be based on a legal basis. This means that the controller may not start or, as in this case, continue with data processing without relying on one of the legality criteria listed in Article 6.1 GDPR, which is the embodiment of the principle of lawfulness as referred to in Article 5.1 a) GDPR. 7Article 6.1 GDPR The processing is only lawful if and to the extent that at least one of the conditions below is met: a) the data subject has given consent to the processing of his personal data for one or more specific purposes purposes; b) the processing is necessary for the performance of a contract to which the data subject is party, or upon request of the to take measures before concluding a contract; c) the processing is necessary for compliance with a legal obligation to which the controller is subject; d) the processing is necessary to protect the vital interests of the data subject or of another natural person to protect; e) the processing is necessary for the performance of a task carried out in the public interest or in connection with the exercise of the public authority assigned to the controller; f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or from one third party, except where the interests or fundamental rights and freedoms of the data subject are such protection of personal data outweigh those interests, in particular when the data subject is a child. Point (f) of the first paragraph shall not apply to processing by public authorities in the exercise of their tasks. Decision 01/2024 – 6/11 17. It is true that the mailbox can, in view of the defendant's legitimate interest accordance with the terms of Article 6.1.f) of the GDPR, for a period of one certain period after the termination of the agreement between the data subject and the defendant, will continue to be active insofar as this is limited to automatic transmission of standard communication regarding the employee's departure, with a view to guaranteeing the proper functioning of the company and its continuity services. This is of course only possible provided that the other provisions of the GDPR regarding the legal basis must also be respected, in particular Article 13.1.c) GDPR, from which follows that it must be determined before starting processing activities which legal basis applies, and in relation to which specific purpose, with the obligation for the controller to inform the complainant thereof The file does not prima facie show that the defendant was aware of the complainant of the applicable legal basis. Consequently, it can be said that the The defendant has processed the complainant's personal data against his expectations in. 18. For cases where the data subject and the controller are in mutual agreement agree that the person concerned will remain for a period of one year after his departure may have access to his mailbox for a certain period of time – for example to allow the data subject to to provide an opportunity to complete ongoing files - permission may be granted (Article 6.1 a) GDPR) are a valid legal basis for continuing to use the mailbox after termination of cooperation. Based on the documents accompanying the complaint, the Disputes Chamber cannot determine whether such an arrangement had been agreed between the complainant and the defendant. 19. Finally, reference should also be made to the legal basis contained in Article 6.1.b) GDPR, on the basis of which processing can take place if it is necessary for the execution of an agreement. Incaseyoucannotfallbackonhere, as the complainant had already terminated his contractual relationship with the defendant on 6 June 2023. 20. Consequently, the Disputes Chamber must determine that there is no prima facie legal basis is the processing of the email address after the termination of the agreement with the complainant can justify in the manner used by the defendant. This brings the Disputes Chamber to suspect that the defendant has violated Article 5.1.a in conjunction with 6.1 GDPR has committed. 21. Based on the above analyses, the Disputes Chamber assumes that the defendant infringes the provisions of the GDPR, and in particular Articles 5.1.b), c) and e) GDPR on the one hand and Article 5.1.a) j° Article 6.1 GDPR on the other hand, which 8 In this regard, see Guidelines 05/2020 on consent in accordance with Regulation 2016/679 (edition nos. 121-123); https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_nl.pdf. Decision 01/2024 — 7/11 justifies that in this case a decision is taken on the basis of Article 95, §1, 4° of the WOG, more specifically a warning for the future formulate against the defendant with regard to the failure to conclude the professional mailbox after the complainant's departure. 22. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant complaint, in the context of the “procedure prior to the decision on the merits” and not 9 decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG. The Disputes Chamber has thus decided, on the basis of Article 58.2.a) GDPR and Article 95, §1, 4° of the WOG, to formulate a warning regarding the defendant, for what concerns the failure to close the complainant's professional mailbox in a timely manner after termination of employment. 23. However, if the defendant does not agree with the content of this prima facie statement decisions are of the opinion that they can apply factual and/or legal arguments that could lead to a different decision, this can be done via the e-mail address litigationchamber@apd-gba.beeenrequesttohandlethesubstancesofthecase to the Disputes Chamber within thirty days after notification of the decision. The implementation of this decision will be carried out if necessary suspended for the aforementioned period. 24. Finally, for the sake of completeness, the Disputes Chamber points out that a substantive hearing of the case may lead to the imposition of the measures referred to in Article 100 of the 10 WOG. 9 Section 3, Subsection 2 of the WOG (Articles 94 to 97). 10Article 100, §1 WOG: “The Disputes Chamber has the authority to: 1° to dismiss a complaint; 2° to order the dismissal of prosecution; 3° order the suspension of the ruling; 4° to propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° to order that the person concerned is informed of the security problem. 8° order that processing be temporarily or permanently frozen, restricted or prohibited; 9° to order that the processing be brought into compliance; 10° the rectification, restriction or deletion of data and its notification to the recipients of the data recommend data; 11° order the withdrawal of the recognition of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° the suspension of cross-border data flows to another State or an international institution command; 15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the outcome that is given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Decision 01/2024 - 8/11 II.2. With regard to the insufficient enforcement of the right of access 25. To begin with, the Dispute Chamber recalls that the right of access is one of the most important requirements of the right to data protection. It is the “gateway” that allows the exercise of other rights granted by the GDPR to the data subject, such as the right to rectification, the right to erasure and the 11 right to restriction of processing. 26. Pursuant to Article 12.1 of the GDPR, the controller must provide appropriate take measures to respond to requests from data subjects exercising their rights wish to exercise pursuant to Articles 15 to 22 and Article 34 of the GDPR. Pursuant to Article 12.3 GDPR, the controller must, as soon as possible and in in any case within one month of the request (this period may be possible under certain circumstances). conditions are extended by two months). As the data controller decides not to respond to a request from the data subject, the controller the data subject within one month of receipt of it request, provide an answer stating the reasons for the decision (Article 12.4 GDPR). 27. According to Article 15.1 of the GDPR, the data subject has the right to obtain from the to obtain a decision from the controller as to whether or not to process it regarding personal data. If the latter is the case, the person concerned has it right to inspect those personal data and information referred to in Article 15.1.a)–h) of the GDPR is stated, such as the purpose of the processing of the data and the possible recipients of the data, as well as information about it existence of his rights, including the right to rectification or erasure of his data or to file a complaint with the GBA. The purpose of the right of access is the to enable the data subject to understand how his data are processed and what the consequences are as well as the accuracy of the processed data control without having to justify his intention.12 28. Based on the documents in the file, the Disputes Chamber determines that the complainant was on 16 exercised his right of inspection in October 2023, but the documents do not show that the complainant should receive an answer from the defendant. Consequently, the Dispute Chamber also stated that the defendant may have acted contrary to Article 12.3 and 12.4 of the GDPR, as well as Article 15.1 of the GDPR. Data Protection Authority. 11 See, among others. CJEU, January 12, 2023, ÖsterreichischePost AG, C-154/21, ECLI:EU:C:2023:3, edge no. 38;CJEU, July 17, 2014, YS etal., C-141/12 and C-372/12, EU:C:2014:2081, edge no. 44, and CJEU, 20 December 2017; Nowak, C-434/16,EU:C:2017:994, edge no. 57. See also decision 15/2021 of February 9, 2021, edge no. 141, and decision 41/2020 of July 29, 2020, edge no. 47, to be consulted on the GBA website. 1EDPB — Guidelines 01/2022 on data subject rights – Right of access (v2.0, March 28, 2023), edge no. 13, can be consulted via https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf. Decision 01/2024 — 9/11 29. The Disputes Chamber is of the opinion that an analysis should be carried out on the basis of the above concluded that the controller may have committed an infringement of the provisions of the GDPR was committed, which justifies this in this case proceeded to make a decision on the basis of Article 95, §1, 5° WOG, more stipulates that the controller should be ordered to take action where appropriate indicate the exercise by the complainant of his right of access (Article 15.1 GDPR) and this in particularly in view of the document that the complainant has provided which shows that the complainant has indeed exercised his right of access, but the controller prima facie did not comply with that." 30. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits” 13 and none decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG. 31. The Disputes Chamber has thus decided on the basis of Article 58.2.c) GDPR and Article 95, § 1, 5° of the WOG, ordering the defendant to comply with the request of the data subject to exercise his rights, in particular the right of access such as determined in Article 15 GDPR. 32. The purpose of this decision is to inform the defendant of the fact that it has committed an infringement of the provisions of the GDPR and this is possible to still comply with the aforementioned provisions. 33. However, if the defendant does not agree with the contents of this fine facie decision and is of the opinion that it may allow factual and/or legal arguments funds that could lead to a different decision can be made via the e-mail address litigationchamber@apd-gba.beeenrequesttohandlethesubstancesofthecase to the Disputes Chamber and this within the period of 30 days after notification of this decision. The implementation of this decision will be carried out if necessary suspended for the aforementioned period. 34. In the event of a continuation of the merits of the case, the Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite them to submit their defenses as well as any documents they deem useful file to add. If necessary, the present decision will be permanently suspended. 35. Finally, for the sake of completeness, the Disputes Chamber points out that a substantive hearing 14 of the case may lead to the imposition of the measures stated in Article 100 of the WOG. 13Section 3, Subsection 2 of the WOG (Articles 94 to 97). 14Article 100. § 1. The Disputes Chamber has the authority to: 1° to dismiss a complaint; 2° to order the dismissal of prosecution; 3° order the suspension of the ruling; 4° to propose a settlement; 5° formulate warnings and reprimands; Decision 01/2024 – 10/11 III. Publication of the decision 36. Considering the importance of transparency with regard to decision-making Dispute Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary that the identification details of the parties are disclosed directly. FOR THESE REASONS , the Disputes Chamber of the Data Protection Authority decides, with reservations from the submission of a request by the defendant for a hearing on the merits in accordance with Article 98 et seq. of the WOG, to: - on the basis of Article 58.2.a) of the GDPR and Article 95, § 1, 4° of the WOG the to warn the defendant in the future that failure to conclude a contract in a timely manner mailbox of an employee after termination of service employment a constitutes an infringement of Article 5.1.b), c) and e) GDPR and Article 5.1.a) j° Article 6.1 GDPR; - on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG the order the defendant to comply with the data subject's request to exercise its rights, in particular the right of access (Article 15.1 GDPR), and this within a period of 30 days from the notification of this decision; - order the defendant to contact the Data Protection Authority (Dispute Chamber) by e-mail within the same period of the consequences this decision will be given via the email address litigationchamber@apd-gba.be; and - in the absence of timely implementation of the above by the defendant, to consider the merits of the case ex officio in accordance with Articles 98 et seq. of the WOG. 6° order that the data subject's requests to exercise his rights be complied with; 7° to order that the person concerned is informed of the security problem; 8° order that processing be temporarily or permanently frozen, restricted or prohibited; 9° to order that the processing be brought into compliance; 10°the rectification, limitation or deletion of data and its notification to the recipients of the data recommend data; 11° order the withdrawal of the recognition of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° the suspension of cross-border data flows to another State or an international institution command; 15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 01/2024 – 11/11 Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notice, an appeal against this decision will be filed with the Market Court (court of appeal Brussels), with the Data Protection Authority as defendant. Such an appeal can be lodged by means of an inter partes petition must contain information listed in Article 1034ter of the Judicial Code. It 15 an objection petition must be submitted to the registry of the Market Court 16 in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code). (transl.) Hielke H IJMANS Chairman of the Disputes Chamber 15The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and brief summary of the grounds of the claim; 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer. 16The application with its attachment will be sent by registered letter in as many copies as there are parties involved deposited with the clerk of the court or at the registry.