APD/GBA (Belgium) - 35/2024: Difference between revisions
Abel.kaszian (talk | contribs) m (→Comment) |
|||
(4 intermediate revisions by 3 users not shown) | |||
Line 81: | Line 81: | ||
}} | }} | ||
The DPA held that the publication of a former employee's photo in an online recruitment campaign by the former employer constitutes unlawful processing | The DPA held that the publication of a former employee's photo in an online recruitment campaign by the former employer constitutes unlawful processing as it could not be based on consent, contract or legitimate interest. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject was a former employee of the controller and worked with them until 2021. In August 2023 the data subject noticed that the controller published her photo in a recruitment campaign on the controller's website and social media. The data subject had never consented to this and was working with one of the controller's competitors at that time. | |||
On 31 August 2023 | On 31 August 2023, the data subject requested the controller to erase all her images on the website and social media and not use them again in the future. The controller responded that arrangements were being taken regarding the use of people's photos after their departure from the company. Therefore, the controller refused to delete the images, but informed the data subject that new photographs would be made to prevent situations like this. | ||
On 6 November 2023 | On 6 November 2023 the data subject filed a complaint with the Belgian DPA ("APD"). | ||
=== Holding === | === Holding === | ||
Firstly, the DPA noted that a person's name, first name and photograph are considered personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]] and the publishing of such data is considered to be processing under [[Article 4 GDPR#2|Article 4(2) GDPR]]. | |||
Secondly, the APD noted that each processing activity should have a legal basis according to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] read together with [[Article 6 GDPR#1|Article 6(1) GDPR]]. The DPA examined consent, contract and legitimate interest as possible legal bases. | |||
Regarding consent | Regarding consent, the DPA stressed that consent seemed impossible because there can be no 'free' consent in the context of an employee-employer relationship according to [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] and [[Article 4 GDPR#11|Article 4(11) GDPR]]. | ||
Regarding contract | Regarding contract, the APD stated that to successfully invoke the performance of a contract as a legal basis, the processing needs to be necessary to perform that contract according to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. Since the data subject's contract had already ended in 2021, the controller could no longer invoke this legal basis. Additionally, the DPA stated that the controller would also not be able to invoke contract as a legal basis during the employment contract, since the publishing of the data subject's photo on the controller's social media and website did not seem necessary to perform that the employment contract. | ||
Regarding legitimate interest | Regarding legitimate interest, the DPA performed a legitimate interest assessment composed of a purpose test, a necessity test and a balancing test between the consequences for the data subject and the consequences for the controller. Concerning the purpose test, the DPA confirmed that attracting new employees can be considered as a legitimate interest for the controller. Regarding the necessity test, the DPA did not find it necessary to publish images of employees to reach this purpose, especially since the employee in question was no longer working for the controller. Concerning the balancing test, the DPA considered that it may not be within the data subject's reasonable expectations as a former employee that her photograph be published on the data subject's website and social media to recruit new colleagues. Especially, since the data subject was employed by a competitor. The DPA also took into account that the data subject had not been employed by the controller since 2021. The DPA found that that legitimate interest as a legal basis under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] did not apply. | ||
The DPA noted that no other legal bases under [[Article 6 GDPR#1]] | The DPA noted that no other legal bases under [[Article 6 GDPR#1|Article 6(1) GDPR]] seemed to apply and therefore did not need to be examined. The DPA concluded that the publication of the the data subject's photograph constituted unlawful processing. | ||
Thirdly, the DPA confirmed that the data subject has the right to request the erasure of her personal data under [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]]. This Article establishes that the data subject may obtain the erasure of their personal data if such data has been unlawfully processed. The DPA held that there might have been a breach of [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]]. | |||
Finally, [[Article 12 GDPR#3|Article 12(3) GDPR]] indicates that the controller shall provide information on action taken regarding data subject's rights without undue delay. The data subject exercised this right on 31 August 2023 and the controller responded the same day that it refused to erase the photographs since this was covered by the work regulations. The DPA therefore held no infringement regarding [[Article 12 GDPR#3|Article 12(3) GDPR]] as the controller did respond (negatively) to the request. | |||
Therefore, the DPA ordered | Therefore, the DPA ordered the controller to comply with the data subject's erasure request within 30 days of the notification of the decision. | ||
== Comment == | == Comment == | ||
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure on the merits within 30 days after the decision. | ''Comment from the initial contributor'': As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure on the merits within 30 days after the decision. | ||
The DPA seems to | The DPA seems to contradict itself with regards to the applicability of consent as a legal base. On its website, the DPA explicitly states that an employee's consent is required to use his/her photograph taken for the purpose of a security badge, for other purposes. Also, in the past the DPA has on numerous occasions held that as a rule of thumb consent should be used in the context of 'nice to have' photographs and other legal bases can be relied on for 'need to have' photographs. | ||
== Further Resources == | == Further Resources == |
Latest revision as of 10:14, 17 March 2024
APD/GBA - 35/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 4(11) GDPR Article 5(1)(a) GDPR Article 6(1)(b) GDPR Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 17(1)(d) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 06.11.2023 |
Decided: | 20.02.2024 |
Published: | 28.02.2024 |
Fine: | n/a |
Parties: | X Y |
National Case Number/Name: | 35/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Belgian DPA (in NL) |
Initial Contributor: | Matthias Vandamme |
The DPA held that the publication of a former employee's photo in an online recruitment campaign by the former employer constitutes unlawful processing as it could not be based on consent, contract or legitimate interest.
English Summary
Facts
The data subject was a former employee of the controller and worked with them until 2021. In August 2023 the data subject noticed that the controller published her photo in a recruitment campaign on the controller's website and social media. The data subject had never consented to this and was working with one of the controller's competitors at that time.
On 31 August 2023, the data subject requested the controller to erase all her images on the website and social media and not use them again in the future. The controller responded that arrangements were being taken regarding the use of people's photos after their departure from the company. Therefore, the controller refused to delete the images, but informed the data subject that new photographs would be made to prevent situations like this.
On 6 November 2023 the data subject filed a complaint with the Belgian DPA ("APD").
Holding
Firstly, the DPA noted that a person's name, first name and photograph are considered personal data under Article 4(1) GDPR and the publishing of such data is considered to be processing under Article 4(2) GDPR.
Secondly, the APD noted that each processing activity should have a legal basis according to Article 5(1)(a) GDPR read together with Article 6(1) GDPR. The DPA examined consent, contract and legitimate interest as possible legal bases.
Regarding consent, the DPA stressed that consent seemed impossible because there can be no 'free' consent in the context of an employee-employer relationship according to Article 6(1)(a) GDPR and Article 4(11) GDPR.
Regarding contract, the APD stated that to successfully invoke the performance of a contract as a legal basis, the processing needs to be necessary to perform that contract according to Article 6(1)(b) GDPR. Since the data subject's contract had already ended in 2021, the controller could no longer invoke this legal basis. Additionally, the DPA stated that the controller would also not be able to invoke contract as a legal basis during the employment contract, since the publishing of the data subject's photo on the controller's social media and website did not seem necessary to perform that the employment contract.
Regarding legitimate interest, the DPA performed a legitimate interest assessment composed of a purpose test, a necessity test and a balancing test between the consequences for the data subject and the consequences for the controller. Concerning the purpose test, the DPA confirmed that attracting new employees can be considered as a legitimate interest for the controller. Regarding the necessity test, the DPA did not find it necessary to publish images of employees to reach this purpose, especially since the employee in question was no longer working for the controller. Concerning the balancing test, the DPA considered that it may not be within the data subject's reasonable expectations as a former employee that her photograph be published on the data subject's website and social media to recruit new colleagues. Especially, since the data subject was employed by a competitor. The DPA also took into account that the data subject had not been employed by the controller since 2021. The DPA found that that legitimate interest as a legal basis under Article 6(1)(f) GDPR did not apply.
The DPA noted that no other legal bases under Article 6(1) GDPR seemed to apply and therefore did not need to be examined. The DPA concluded that the publication of the the data subject's photograph constituted unlawful processing.
Thirdly, the DPA confirmed that the data subject has the right to request the erasure of her personal data under Article 17(1)(d) GDPR. This Article establishes that the data subject may obtain the erasure of their personal data if such data has been unlawfully processed. The DPA held that there might have been a breach of Article 17(1)(d) GDPR.
Finally, Article 12(3) GDPR indicates that the controller shall provide information on action taken regarding data subject's rights without undue delay. The data subject exercised this right on 31 August 2023 and the controller responded the same day that it refused to erase the photographs since this was covered by the work regulations. The DPA therefore held no infringement regarding Article 12(3) GDPR as the controller did respond (negatively) to the request.
Therefore, the DPA ordered the controller to comply with the data subject's erasure request within 30 days of the notification of the decision.
Comment
Comment from the initial contributor: As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure on the merits within 30 days after the decision.
The DPA seems to contradict itself with regards to the applicability of consent as a legal base. On its website, the DPA explicitly states that an employee's consent is required to use his/her photograph taken for the purpose of a security badge, for other purposes. Also, in the past the DPA has on numerous occasions held that as a rule of thumb consent should be used in the context of 'nice to have' photographs and other legal bases can be relied on for 'need to have' photographs.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/8 Dispute Chamber Decision35/2024 of February 20, 2024 File number: DOS-2023-04528 Subject: Failure to comply with a request for data erasure The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”; In view of the internal rules of order, as approved by the House of Representatives Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has made the following decision regarding: Complainant: X, hereinafter “the complainant”; The defendant: Y, hereinafter “the defendant”. Decision 35/2024 — 2/8 I. Facts and procedure 1. The complainant worked as an employee of the defendant until 2021. In August 2023 the complainant found that a photo of her was published on the website of the defendant in a campaign to recruit new colleagues. The complainant points out that she never gave permission for this. The complainant is currently employed by a colleague at the defendant where she was confronted about this by colleagues. Consequently the complainant wrote to the defendant on August 31, 2023 with the request for the delete photos on social media accounts and no more images in the future publish on which she or her name appears. The defendant answers the same day that a regulation for the use of photo material after termination of employment was introduced elaborated, as a result of which he claims to be in order. The defendant also states that this is the case worked on new photo material to avoid such situations in the future. The Defendant states that he had already requested that no more names be mentioned, but that he has not yet been able to verify whether this has happened. 2. On November 6, 2023, the complainant will submit a complaint to the Data Protection Authority against the defendant. 3. On February 6, 2024, the First Line Service informs the complainant that it has received a version of the complaint without signature, nor the requested additional information, i.e. has received supporting documents. 4. On February 6, 2024, the complainant submits the complaint with signature and the requested information supporting documents, namely the correspondence between her and the defendant and screenshots of the photos in question on the defendant's website as well as on the profile of the defendant on LinkedIn, Facebook and Instagram. 5. On February 13, 2024, the complaint will be declared admissible by the First Line Service on on the basis of articles 58 and 60 of the WOG and the complaint is filed on the basis of article 62, § 1 of the WOG transferred to the Disputes Chamber. 2 6. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations order of the GBA, the parties can request a copy of the file. If one both parties wish to make use of the opportunity to consult and copying the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be. 1In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible declared. 2In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to has been transferred to her as a result of this complaint. Decision 35/2024 — 3/8 II. Justification 7. It is up to the Disputes Chamber to assess prima facie whether the complainant has opted out can successfully invoke the right to erasure of data under Article 17 GDPR and/or where appropriate, the defendant has given appropriate response to this request. 8. The Disputes Chamber points out that the contact details of a natural person, such as name, first name and photo are personal data within the meaning of Article 4.1 of the GDPR. This is information relating to an identified or identifiable natural person person (the "data subject"), in this case the complainant, who can be contacted directly identified based on this information. The publication of such data on the website and social media accounts constitutes processing within the meaning of Article 4.2 GDPR. The Dispute Chamber reminds that any processing must comply with the basic principles of data protection as set out in article 5.1 GDPR, such as the legality of the processing (Article 5.1.a) GDPR). The Disputes Chamber notes that the name of the complainant is not mentioned in the supporting documents submitted by the complainant. 9. In accordance with Article 5.1.a) j° Article 6.1 of the GDPR, any processing of personal data have a legal basis. Article 6.1 of the GDPR stipulates that the processing must take place on the basis of one of the following legal bases: de the person concerned has given permission for the processing of his personal data for one or more specific purposes (Article 6.1.a) GDPR - consent); the processing is necessary for the execution of an agreement to which the data subject is a party or for the implementation of pre-contractual measures at the request of the data subject taken (Article 6.1.b) GDPR - execution of the agreement); the processing is necessary to comply with a legal obligation to which the controller is subject (Article 6.1.c) GDPR - legal obligation); the processing is necessary for the vital interests of the data subject or of another person protect natural person (Article 6.1.d) GDPR - vital interest); the processing is necessary for the performance of a task of general interest or a task in the in the exercise of official authority vested in the controller is assigned (Article 6.1.e) GDPR - task of public interest) or the processing is necessary for the representation of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject which are intended to protect personal data outweigh those interests, especially when the the data subject is a child (Article 6.1.f) GDPR - legitimate interest). 10. The Disputes Chamber will then assess whether the processing of the personal data is based on one of the above legal bases. Decision 35/2024 — 4/8 11. Based on the defendant's email dated. The Disputes Chamber will determine August 31, 2023 that the defendant points out that the publication of images on the website and on social media media accounts of the defendant is regulated by the employment regulations, that part forms part of the employment contract. 12. Article 6.1.b) GDPR provides a legal basis for the processing of personal data if the “processing [is] necessary for the execution of a agreement to which the data subject is a party, or at the request of the data subject before the conclusion of an agreement to take measures'. A successful appeal to this one legal basis therefore requires that the processing is necessary for that specific purpose to execute the agreement with the data subject. Since the employment contract between the parties was terminated in 2021, according to the Disputes Chamber established on the basis of the complaint, is a successful appeal to Article 6.1.b) GDPR primafacie is no longer possible in the absence of an agreement. Moreover, primafacie also appears the necessity requirement is not met as the publication of a photo on the website or on social media to attract new colleagues, not necessarily to to execute the employment contract. This therefore suggests that it was not successful an appeal to Article 6.1.b) GDPR is possible in the present case. 13. Article 6.1.f) GDPR stipulates that the processing is lawful if “the processing[…] necessary for the pursuit of the legitimate interests of the controller or of a third party, except when fundamental freedoms of the data subject that require the protection of personal data are more stringent weigh those interests, in particular when the person concerned is a child”. The case law of the Court of Justice of the European Union requires that an appeal to Article 6.1.f) of the GDPR meets three cumulative conditions. The controller must: show that: a. the interests he pursues with the processing can be justified recognized ('the target test'); b. the intended processing is necessary for the realization of these interests ('de necessity test'); and c. the weighing of these interests against fundamental interests, freedoms and fundamental rights of the data subjects in favor of the controller or of a third party ('the assessment test'). 14. With regard to the first condition, the Disputes Chamber acknowledges that attracting new employees constitutes a legitimate interest on the part of the defendant so that the first condition, the target test, appears to be met. As for the second condition, the Disputes Chamber notes that the publication of a photo of a Decision 35/2024 - 5/8 employee, a fortiori a former employee, does not seem necessary for this purpose reaches. The Disputes Chamber refers to the strict interpretation of the necessity requirement by the Court of Justice. Also the third condition, the assessment, prima facie, does not seem to be satisfied. According to consideration 47 GDPR, it must exist of a legitimate interest are carefully assessed. When determining whether the legitimate interest outweighs the interest or fundamental rights and freedoms of the data subject must be taken into account, among other things reasonable expectations based on his relationship with the controller. The Disputes Chamber notes that it may not fall within reasonable expectations of the complainant as a former employee that her photo is published on the website for new reasons to recruit colleagues, and certainly not if she herself works for a competitor. Hereby the Disputes Chamber takes into account the fact that the complainant no longer works at the defendant since 2021. A successful appeal to Article 6.1.f) GDPR seems prima facie ruled out. 15. The Dispute Chamber then reminds that consent can only become valid invoked if, in accordance with the definition in Article 4.11 GDPR, it is free, specific, is informed and unambiguous. The Disputes Chamber emphasizes that this is not possible are of free consent in the context of an employee-employer relationship prima facie no successful appeal to Article 6.1.a) GDPR appears possible. 16. Finally, the Disputes Chamber notes that the other legal grounds from Article 6.1 GDPR do not apply seem to apply to the present case. 17. The above makes the Dispute Chamber suspect that the publication of the photo of the complainant constitutes unlawful processing. 18. The right to erasure under Article 17.1.d) GDPR expressly recognizes the right of data subjects to obtain the erasure of data without delay controller if the personal data has been processed unlawfully. 19. In accordance with Article 12.3 GDPR, the controller shall provide the person concerned without delay and in any case within one month of receipt of the request pursuant to Articles 15 to 22 GDPR information about the outcome of the request is given. Depending on the complexity of the requests and the number of requests that period may be extended by a further two months if necessary. The the controller shall inform the data subject within one month of receipt of the request of such extension. 20. The Disputes Chamber determines, based on the e-mail conversation attached to the complaint, that the complainant has exercised her right to erasure in accordance with Article 17.1 GDPR 3 CJEU Judgment of 4 May 2017, Rīgas Satiksme, C-13/16 ECLI:EU:C:2017:336, para. 30. Decision 35/2024 — 6/8 August 31, 2023. Pursuant to Article 12.3 GDPR, the controller must, in in this case the defendant, without delay and no later than one month after receipt of the request to respond to the request for data erasure. This period may possibly be extended may be extended for another two months, given the complexity of the request. The complainer This extension must be submitted within one month of the request for data deletion to be informed. If the defendant decides not to comply with the request of the complainant, it must do so within one month of receipt of the request communicate to the data subject, in accordance with Article 12.4 GDPR. 21. The Disputes Chamber determines that the complainant will have an answer on August 31, 2023 may receive about the consequences that the defendant has of the data erasure is given. The defendant states that her name had already been deleted and that the photo was published on the basis of the employment regulations. Prima facie, the defendant has responded in a timely manner to the complainant's request for data erasure. 22. The above analysis suggests to the Disputes Chamber that this should be done concluded that the defendant may have violated Article 17.1.d) of the GDPR was committed, which justifies taking one in this case decision on the basis of Article 95, § 1, 5° of the WOG, more specifically 23. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits” and none decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG. 24. The Disputes Chamber has thus decided, on the basis of Article 58.2.c GDPR and Article 95, § 1, 5° WOG, to order the defendant to comply with the data subject's request to exercise its rights, in particular the right to erasure ("right to oblivion”) as provided for in Article 17 GDPR. 25. The purpose of this decision is to inform the defendant of the fact that this has committed an infringement of the provisions of the GDPR and has the opportunity to do so still agree to comply with the aforementioned provisions. 26. If the defendant does not agree with the content of this primafacie case decision and is of the opinion that it can apply factual and/or legal arguments that could lead to a different decision, this can be done via the e-mail address litigationchamber@apd-gba.be send a request to hear the merits of the case to the Disputes Chamber within 30 days after notification of this decision. The implementation of this decision will, if necessary, continue for a period of time suspended for the aforementioned period. Decision 35/2024 — 7/8 27. In the event of a continuation of the merits of the case, the Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG invite them to submit their defenses as well as any documents they consider useful in the case file to add. If necessary, the present decision will be permanently suspended. 28. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures stated in Article 100 of the WOG. III. Publication of the decision 29. Considering the importance of transparency with regard to decision-making Dispute Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary that the identification details of the parties are disclosed directly. FOR THESE REASONS , the Disputes Chamber of the Data Protection Authority decides, with reservations from the submission of a request by the defendant for a hearing on the merits in accordance with Article 98 et seq. of the WOG, to: - on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG the to order the defendant to comply with the complainant's request to exercise rights, in particular the right to erasure (Article 17.1 GDPR), and to erase the personal data of the data subject website and social media accounts, within 30 days count from the notification of this decision; - order the defendant to contact the Data Protection Authority (Dispute Chamber) by e-mail within the same period of the consequences this decision will be given via the email address litigationchamber@apd-gba.be; and - in the absence of timely implementation of the above by the defendant, to consider the merits of the case ex officio in accordance with Articles 98 et seq. of the WOG. Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notice, an appeal against this decision will be filed with the Market Court (court of appeal Brussels), with the Data Protection Authority as defendant. Decision 35/2024 — 8/8 Such an appeal can be lodged by means of an inter partes petition 4 must contain statements listed in Article 1034ter of the Judicial Code. It an objection petition must be submitted to the registry of the Market Court 5 in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code). (ge). Hielke H IJMANS Chairman of the Disputes Chamber 4The petition states, under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number; 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned; 4° the subject matter and brief summary of the grounds of the claim; 5° the judge before whom the claim is brought; 6° the signature of the applicant or his lawyer. 5The petition with its attachment will be sent by registered letter in as many copies as there are parties involved deposited with the clerk of the court or at the registry.