APD/GBA (Belgium) - 35/2024: Difference between revisions

From GDPRhub
 
(4 intermediate revisions by 3 users not shown)
Line 81: Line 81:
}}
}}


The DPA held that the publication of a former employee's photo in an online recruitment campaign by the former employer constitutes unlawful processing. As a consequence, the right to be forgotten under [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]] applies.
The DPA held that the publication of a former employee's photo in an online recruitment campaign by the former employer constitutes unlawful processing as it could not be based on consent, contract or legitimate interest.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
X, the former employee, worked at Y until 2021. In August 2023 X noticed that Y published her photo in a recruitment campaign on Y's website and social media. X had never consented to this and was working at a competitor of Y at that time.
The data subject was a former employee of the controller and worked with them until 2021. In August 2023 the data subject noticed that the controller published her photo in a recruitment campaign on the controller's website and social media. The data subject had never consented to this and was working with one of the controller's competitors at that time.


On 31 August 2023 X requested Y to erase all here images on the website and social media and not use them again in the future. Y responded that arrangements were regarding the use of photo's after someone leaves the company. Therefore, Y refused to delete the images, but informed X that new photographs will be made to prevent situations like this.
On 31 August 2023, the data subject requested the controller to erase all her images on the website and social media and not use them again in the future. The controller responded that arrangements were being taken regarding the use of people's photos after their departure from the company. Therefore, the controller refused to delete the images, but informed the data subject that new photographs would be made to prevent situations like this.


On 6 November 2023 X filed a complaint with the DPA.
On 6 November 2023 the data subject filed a complaint with the Belgian DPA ("APD").


=== Holding ===
=== Holding ===
First, the DPA noted that a person's 'name, first name and photograph' are considered personal data under Article 4(1) GDPR and the publishing of such data is considered to be processing under [[Article 4 GDPR#2]].  
Firstly, the DPA noted that a person's name, first name and photograph are considered personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]] and the publishing of such data is considered to be processing under [[Article 4 GDPR#2|Article 4(2) GDPR]].  


Second, the DPA noted that each processing activity should have a legal basis according to [[Article 5 GDPR#1a]] read together with [[Article 6 GDPR#1]]. The DPA examined consent, contract and legitimate interest as possible legal bases.
Secondly, the APD noted that each processing activity should have a legal basis according to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] read together with [[Article 6 GDPR#1|Article 6(1) GDPR]]. The DPA examined consent, contract and legitimate interest as possible legal bases.


Regarding consent. The DPA stressed that consent seemed impossible because there can be no 'free' consent in the context of an employee-employer relationship according to [[Article 6 GDPR#1a]] and [[Article 4 GDPR#11]].
Regarding consent, the DPA stressed that consent seemed impossible because there can be no 'free' consent in the context of an employee-employer relationship according to [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] and [[Article 4 GDPR#11|Article 4(11) GDPR]].


Regarding contract. The DPA stated that to successfully invoke the performance of a contract as a legal base the processing needs to be necessary to perform that contract according to [[Article 6 GDPR#1b]]. Since X's contract had already ended in 2021, Y could no longer invoke this legal base. Additionally, the DPA stated that Y would also not be able to invoke contract as a legal base during the employment contract, since the publishing of X's photo on Y's social media and website did not seem necessary to perform that the employment contract.  
Regarding contract, the APD stated that to successfully invoke the performance of a contract as a legal basis, the processing needs to be necessary to perform that contract according to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. Since the data subject's contract had already ended in 2021, the controller could no longer invoke this legal basis. Additionally, the DPA stated that the controller would also not be able to invoke contract as a legal basis during the employment contract, since the publishing of the data subject's photo on the controller's social media and website did not seem necessary to perform that the employment contract.  


Regarding legitimate interest. The DPA performed a legitimate interest assessment.  
Regarding legitimate interest, the DPA performed a legitimate interest assessment composed of a purpose test, a necessity test and a balancing test between the consequences for the data subject and the consequences for the controller. Concerning the purpose test, the DPA confirmed that attracting new employees can be considered as a legitimate interest for the controller. Regarding the necessity test, the DPA did not find it necessary to publish images of employees to reach this purpose, especially since the employee in question was no longer working for the controller. Concerning the balancing test, the DPA considered that it may not be within the data subject's reasonable expectations as a former employee that her photograph be published on the data subject's website and social media to recruit new colleagues. Especially, since the data subject was employed by a competitor. The DPA also took into account that the data subject had not been employed by the controller since 2021. The DPA found that that legitimate interest as a legal basis under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] did not apply.
- Purpose test. The DPA confirmed that attracting new employees can be considered as a legitimate interest for Y.
- Necessity test. The DPA did not find it necessary to publish images of employees to reach this purpose. Especially if the employee in question is no longer working for Y.
- Balancing test. The DPA raises that it may not be within X's reasonable expectations as a former employee that her photograph is published on X's website and social media to recruit new colleagues. Especially, since X is now employed by a competitor. The DPA also took into account that X has not been employed by Y since 2021.
Legitimate interest as a legal base under [[Article 6 GDPR#1f]] does not seem to apply.


The DPA noted that no other legal bases under [[Article 6 GDPR#1]] seem to apply and therefore did not need to be examined. The DPA concludes that the publication of the X's photograph constitutes unlawful processing.  
The DPA noted that no other legal bases under [[Article 6 GDPR#1|Article 6(1) GDPR]] seemed to apply and therefore did not need to be examined. The DPA concluded that the publication of the the data subject's photograph constituted unlawful processing.  


Third, the DPA confirmed that X has the right to request the erasure of her personal data under [[Article 17 GDPR#1d]]. X exercised this right on 31 August 2023 and Y responded the same day that it refused to erase the photographs since according to X this was covered by the work regulations. The DPA therefore held no infringement regarding [[Article 12 GDPR#3]] and [[Article 12 GDPR#4]].
Thirdly, the DPA confirmed that the data subject has the right to request the erasure of her personal data under [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]]. This Article establishes that the data subject may obtain the erasure of their personal data if such data has been unlawfully processed. The DPA held that there might have been a breach of [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]].


However, the DPA held that there might have been a breach of [[Article 17 GDPR#1d]].
Finally, [[Article 12 GDPR#3|Article 12(3) GDPR]] indicates that the controller shall provide information on action taken regarding data subject's rights without undue delay. The data subject exercised this right on 31 August 2023 and the controller responded the same day that it refused to erase the photographs since this was covered by the work regulations. The DPA therefore held no infringement regarding [[Article 12 GDPR#3|Article 12(3) GDPR]] as the controller did respond (negatively) to the request.


Therefore, the DPA ordered Y to comply with X's erasure request within 30 days of the notification of the decision.
Therefore, the DPA ordered the controller to comply with the data subject's erasure request within 30 days of the notification of the decision.


== Comment ==
== Comment ==
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure on the merits within 30 days after the decision.
''Comment from the initial contributor'': As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure on the merits within 30 days after the decision.


The DPA seems to contract itself with regards to the applicability of consent as a legal base. On its website, the DPA explicitly states that an employee's consent is required to use his/her photograph taken for the purpose of a security badge, for other purposes. Also, in the past the DPA has on numerous occasions held that as a rule of thumb consent should be used in the context of 'nice to have' photographs and other legal bases can be relied on for 'need to have' photographs.
The DPA seems to contradict itself with regards to the applicability of consent as a legal base. On its website, the DPA explicitly states that an employee's consent is required to use his/her photograph taken for the purpose of a security badge, for other purposes. Also, in the past the DPA has on numerous occasions held that as a rule of thumb consent should be used in the context of 'nice to have' photographs and other legal bases can be relied on for 'need to have' photographs.


== Further Resources ==
== Further Resources ==

Latest revision as of 10:14, 17 March 2024

APD/GBA - 35/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1)(b) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 17(1)(d) GDPR
Type: Complaint
Outcome: Upheld
Started: 06.11.2023
Decided: 20.02.2024
Published: 28.02.2024
Fine: n/a
Parties: X
Y
National Case Number/Name: 35/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Belgian DPA (in NL)
Initial Contributor: Matthias Vandamme

The DPA held that the publication of a former employee's photo in an online recruitment campaign by the former employer constitutes unlawful processing as it could not be based on consent, contract or legitimate interest.

English Summary

Facts

The data subject was a former employee of the controller and worked with them until 2021. In August 2023 the data subject noticed that the controller published her photo in a recruitment campaign on the controller's website and social media. The data subject had never consented to this and was working with one of the controller's competitors at that time.

On 31 August 2023, the data subject requested the controller to erase all her images on the website and social media and not use them again in the future. The controller responded that arrangements were being taken regarding the use of people's photos after their departure from the company. Therefore, the controller refused to delete the images, but informed the data subject that new photographs would be made to prevent situations like this.

On 6 November 2023 the data subject filed a complaint with the Belgian DPA ("APD").

Holding

Firstly, the DPA noted that a person's name, first name and photograph are considered personal data under Article 4(1) GDPR and the publishing of such data is considered to be processing under Article 4(2) GDPR.

Secondly, the APD noted that each processing activity should have a legal basis according to Article 5(1)(a) GDPR read together with Article 6(1) GDPR. The DPA examined consent, contract and legitimate interest as possible legal bases.

Regarding consent, the DPA stressed that consent seemed impossible because there can be no 'free' consent in the context of an employee-employer relationship according to Article 6(1)(a) GDPR and Article 4(11) GDPR.

Regarding contract, the APD stated that to successfully invoke the performance of a contract as a legal basis, the processing needs to be necessary to perform that contract according to Article 6(1)(b) GDPR. Since the data subject's contract had already ended in 2021, the controller could no longer invoke this legal basis. Additionally, the DPA stated that the controller would also not be able to invoke contract as a legal basis during the employment contract, since the publishing of the data subject's photo on the controller's social media and website did not seem necessary to perform that the employment contract.

Regarding legitimate interest, the DPA performed a legitimate interest assessment composed of a purpose test, a necessity test and a balancing test between the consequences for the data subject and the consequences for the controller. Concerning the purpose test, the DPA confirmed that attracting new employees can be considered as a legitimate interest for the controller. Regarding the necessity test, the DPA did not find it necessary to publish images of employees to reach this purpose, especially since the employee in question was no longer working for the controller. Concerning the balancing test, the DPA considered that it may not be within the data subject's reasonable expectations as a former employee that her photograph be published on the data subject's website and social media to recruit new colleagues. Especially, since the data subject was employed by a competitor. The DPA also took into account that the data subject had not been employed by the controller since 2021. The DPA found that that legitimate interest as a legal basis under Article 6(1)(f) GDPR did not apply.

The DPA noted that no other legal bases under Article 6(1) GDPR seemed to apply and therefore did not need to be examined. The DPA concluded that the publication of the the data subject's photograph constituted unlawful processing.

Thirdly, the DPA confirmed that the data subject has the right to request the erasure of her personal data under Article 17(1)(d) GDPR. This Article establishes that the data subject may obtain the erasure of their personal data if such data has been unlawfully processed. The DPA held that there might have been a breach of Article 17(1)(d) GDPR.

Finally, Article 12(3) GDPR indicates that the controller shall provide information on action taken regarding data subject's rights without undue delay. The data subject exercised this right on 31 August 2023 and the controller responded the same day that it refused to erase the photographs since this was covered by the work regulations. The DPA therefore held no infringement regarding Article 12(3) GDPR as the controller did respond (negatively) to the request.

Therefore, the DPA ordered the controller to comply with the data subject's erasure request within 30 days of the notification of the decision.

Comment

Comment from the initial contributor: As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure on the merits within 30 days after the decision.

The DPA seems to contradict itself with regards to the applicability of consent as a legal base. On its website, the DPA explicitly states that an employee's consent is required to use his/her photograph taken for the purpose of a security badge, for other purposes. Also, in the past the DPA has on numerous occasions held that as a rule of thumb consent should be used in the context of 'nice to have' photographs and other legal bases can be relied on for 'need to have' photographs.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/8



                                                                          Dispute Chamber


                                                Decision35/2024 of February 20, 2024


File number: DOS-2023-04528


Subject: Failure to comply with a request for data erasure



The Disputes Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereinafter “WOG”;

In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Considering the documents in the file;


Has made the following decision regarding:


Complainant: X, hereinafter “the complainant”;



The defendant: Y, hereinafter “the defendant”. Decision 35/2024 — 2/8



I. Facts and procedure


 1. The complainant worked as an employee of the defendant until 2021. In August 2023

       the complainant found that a photo of her was published on the website of the
       defendant in a campaign to recruit new colleagues. The complainant points out that she

       never gave permission for this. The complainant is currently employed by a

       colleague at the defendant where she was confronted about this by colleagues. Consequently

       the complainant wrote to the defendant on August 31, 2023 with the request for the

       delete photos on social media accounts and no more images in the future

       publish on which she or her name appears. The defendant answers

       the same day that a regulation for the use of photo material after termination of employment was introduced

       elaborated, as a result of which he claims to be in order. The defendant also states that this is the case

       worked on new photo material to avoid such situations in the future. The

       Defendant states that he had already requested that no more names be mentioned, but that

       he has not yet been able to verify whether this has happened.

 2. On November 6, 2023, the complainant will submit a complaint to the Data Protection Authority

       against the defendant.


 3. On February 6, 2024, the First Line Service informs the complainant that it has received a version of the complaint

       without signature, nor the requested additional information, i.e.

       has received supporting documents.

 4. On February 6, 2024, the complainant submits the complaint with signature and the requested information

       supporting documents, namely the correspondence between her and the defendant and

       screenshots of the photos in question on the defendant's website as well as on the

       profile of the defendant on LinkedIn, Facebook and Instagram.

 5. On February 13, 2024, the complaint will be declared admissible by the First Line Service on

       on the basis of articles 58 and 60 of the WOG and the complaint is filed on the basis of article 62, § 1

       of the WOG transferred to the Disputes Chamber. 2


 6. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations

       order of the GBA, the parties can request a copy of the file. If one

       both parties wish to make use of the opportunity to consult and

       copying the file, he or she must contact the secretariat of the

       Disputes Chamber, preferably via litigationchamber@apd-gba.be.






1In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible
declared.
2In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to
has been transferred to her as a result of this complaint. Decision 35/2024 — 3/8


II. Justification


 7. It is up to the Disputes Chamber to assess prima facie whether the complainant has opted out

       can successfully invoke the right to erasure of data under Article 17 GDPR and/or

       where appropriate, the defendant has given appropriate response to this request.

 8. The Disputes Chamber points out that the contact details of a natural person, such as

       name, first name and photo are personal data within the meaning of Article 4.1 of the GDPR. This is

       information relating to an identified or identifiable natural person
       person (the "data subject"), in this case the complainant, who can be contacted directly

       identified based on this information. The publication of such data on the

       website and social media accounts constitutes processing within the meaning of Article 4.2 GDPR. The

       Dispute Chamber reminds that any processing must comply with the basic principles

       of data protection as set out in article 5.1 GDPR, such as the legality of

       the processing (Article 5.1.a) GDPR). The Disputes Chamber notes that the name of the complainant
       is not mentioned in the supporting documents submitted by the complainant.


 9. In accordance with Article 5.1.a) j° Article 6.1 of the GDPR, any processing of

       personal data have a legal basis. Article 6.1 of the GDPR stipulates that the
       processing must take place on the basis of one of the following legal bases: de

       the person concerned has given permission for the processing of his personal data

       for one or more specific purposes (Article 6.1.a) GDPR - consent); the processing

       is necessary for the execution of an agreement to which the data subject is a party or

       for the implementation of pre-contractual measures at the request of the data subject
       taken (Article 6.1.b) GDPR - execution of the agreement); the processing is

       necessary to comply with a legal obligation to which the

       controller is subject (Article 6.1.c) GDPR - legal obligation);

       the processing is necessary for the vital interests of the data subject or of another person

       protect natural person (Article 6.1.d) GDPR - vital interest); the processing is
       necessary for the performance of a task of general interest or a task in the

       in the exercise of official authority vested in the controller

       is assigned (Article 6.1.e) GDPR - task of public interest) or the processing is

       necessary for the representation of the legitimate interests of the

       controller or of a third party, except where the interests or

       fundamental rights and freedoms of the data subject which are intended to protect
       personal data outweigh those interests, especially when the

       the data subject is a child (Article 6.1.f) GDPR - legitimate interest).


 10. The Disputes Chamber will then assess whether the processing of the personal data
       is based on one of the above legal bases. Decision 35/2024 — 4/8


11. Based on the defendant's email dated. The Disputes Chamber will determine August 31, 2023

     that the defendant points out that the publication of images on the website and on social media

     media accounts of the defendant is regulated by the employment regulations, that part
     forms part of the employment contract.


12. Article 6.1.b) GDPR provides a legal basis for the processing of

     personal data if the “processing [is] necessary for the execution of a

     agreement to which the data subject is a party, or at the request of the data subject before the
     conclusion of an agreement to take measures'. A successful appeal to this one

     legal basis therefore requires that the processing is necessary for that specific purpose

     to execute the agreement with the data subject. Since the

     employment contract between the parties was terminated in 2021, according to the

     Disputes Chamber established on the basis of the complaint, is a successful appeal to Article 6.1.b) GDPR
     primafacie is no longer possible in the absence of an agreement. Moreover, primafacie also appears

     the necessity requirement is not met as the publication of a photo on the

     website or on social media to attract new colleagues, not necessarily to

     to execute the employment contract. This therefore suggests that it was not successful

     an appeal to Article 6.1.b) GDPR is possible in the present case.

13. Article 6.1.f) GDPR stipulates that the processing is lawful if “the processing[…]

     necessary for the pursuit of the legitimate interests of the

     controller or of a third party, except when fundamental

     freedoms of the data subject that require the protection of personal data are more stringent
     weigh those interests, in particular when the person concerned is a child”. The case law of

     the Court of Justice of the European Union requires that an appeal to Article 6.1.f) of the GDPR

     meets three cumulative conditions. The controller must:

     show that:

     a. the interests he pursues with the processing can be justified

     recognized ('the target test');

     b. the intended processing is necessary for the realization of these interests ('de

     necessity test'); and


     c. the weighing of these interests against fundamental interests, freedoms and
     fundamental rights of the data subjects in favor of the controller or

     of a third party ('the assessment test').


14. With regard to the first condition, the Disputes Chamber acknowledges that attracting
     new employees constitutes a legitimate interest on the part of the defendant

     so that the first condition, the target test, appears to be met. As for the

     second condition, the Disputes Chamber notes that the publication of a photo of a Decision 35/2024 - 5/8


       employee, a fortiori a former employee, does not seem necessary for this purpose

       reaches. The Disputes Chamber refers to the strict interpretation of the

       necessity requirement by the Court of Justice. Also the third condition, the

       assessment, prima facie, does not seem to be satisfied. According to consideration 47 GDPR, it must exist

       of a legitimate interest are carefully assessed. When determining whether the

       legitimate interest outweighs the interest or fundamental rights and
       freedoms of the data subject must be taken into account, among other things

       reasonable expectations based on his relationship with the controller.

       The Disputes Chamber notes that it may not fall within reasonable expectations

       of the complainant as a former employee that her photo is published on the website for new reasons

       to recruit colleagues, and certainly not if she herself works for a competitor. Hereby

       the Disputes Chamber takes into account the fact that the complainant no longer works at the

       defendant since 2021. A successful appeal to Article 6.1.f) GDPR seems prima facie
       ruled out.


 15. The Dispute Chamber then reminds that consent can only become valid

       invoked if, in accordance with the definition in Article 4.11 GDPR, it is free, specific,

       is informed and unambiguous. The Disputes Chamber emphasizes that this is not possible
       are of free consent in the context of an employee-employer relationship

       prima facie no successful appeal to Article 6.1.a) GDPR appears possible.


 16. Finally, the Disputes Chamber notes that the other legal grounds from Article 6.1 GDPR do not apply

       seem to apply to the present case.

 17. The above makes the Dispute Chamber suspect that the publication of the photo of the

       complainant constitutes unlawful processing.

 18. The right to erasure under Article 17.1.d) GDPR expressly recognizes the right

       of data subjects to obtain the erasure of data without delay

       controller if the personal data has been processed unlawfully.


 19. In accordance with Article 12.3 GDPR, the controller shall provide the
       person concerned without delay and in any case within one month of receipt of the request

       pursuant to Articles 15 to 22 GDPR information about the outcome of the request

       is given. Depending on the complexity of the requests and the number of requests

       that period may be extended by a further two months if necessary. The

       the controller shall inform the data subject within one month of receipt of the

       request of such extension.

 20. The Disputes Chamber determines, based on the e-mail conversation attached to the complaint,

       that the complainant has exercised her right to erasure in accordance with Article 17.1 GDPR


3
 CJEU Judgment of 4 May 2017, Rīgas Satiksme, C-13/16 ECLI:EU:C:2017:336, para. 30. Decision 35/2024 — 6/8


     August 31, 2023. Pursuant to Article 12.3 GDPR, the controller must, in

     in this case the defendant, without delay and no later than one month after receipt of the request

     to respond to the request for data erasure. This period may possibly be extended

     may be extended for another two months, given the complexity of the request. The complainer
     This extension must be submitted within one month of the request for data deletion

     to be informed. If the defendant decides not to comply with the

     request of the complainant, it must do so within one month of receipt of the request

     communicate to the data subject, in accordance with Article 12.4 GDPR.

21. The Disputes Chamber determines that the complainant will have an answer on August 31, 2023

     may receive about the consequences that the defendant has of the data erasure

     is given. The defendant states that her name had already been deleted and that the photo was

     published on the basis of the employment regulations. Prima facie, the defendant has

     responded in a timely manner to the complainant's request for data erasure.

22. The above analysis suggests to the Disputes Chamber that this should be done

     concluded that the defendant may have violated Article 17.1.d) of the GDPR

     was committed, which justifies taking one in this case

     decision on the basis of Article 95, § 1, 5° of the WOG, more specifically

23. This decision is a prima facie decision taken by the Disputes Chamber

     in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant,

     in the context of the “procedure prior to the decision on the merits” and none

     decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.

24. The Disputes Chamber has thus decided, on the basis of Article 58.2.c GDPR and Article 95, §

     1, 5° WOG, to order the defendant to comply with the data subject's request

     to exercise its rights, in particular the right to erasure ("right to

     oblivion”) as provided for in Article 17 GDPR.

25. The purpose of this decision is to inform the defendant of the fact that this

     has committed an infringement of the provisions of the GDPR and has the opportunity to do so

     still agree to comply with the aforementioned provisions.

26. If the defendant does not agree with the content of this primafacie case

     decision and is of the opinion that it can apply factual and/or legal arguments

     that could lead to a different decision, this can be done via the e-mail address

     litigationchamber@apd-gba.be send a request to hear the merits of the case
     to the Disputes Chamber within 30 days after notification of this

     decision. The implementation of this decision will, if necessary, continue for a period of time

     suspended for the aforementioned period. Decision 35/2024 — 7/8


 27. In the event of a continuation of the merits of the case, the

      Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG

      invite them to submit their defenses as well as any documents they consider useful in the case
      file to add. If necessary, the present decision will be permanently suspended.


 28. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits

      of the case may lead to the imposition of the measures stated in Article 100 of the WOG.


III. Publication of the decision


    29. Considering the importance of transparency with regard to decision-making

       Dispute Chamber, this decision will be published on the website of the

       Data Protection Authority. However, it is not necessary that the

       identification details of the parties are disclosed directly.



    FOR THESE REASONS   ,

    the Disputes Chamber of the Data Protection Authority decides, with reservations

    from the submission of a request by the defendant for a hearing on the merits

    in accordance with Article 98 et seq. of the WOG, to:

       - on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG the

           to order the defendant to comply with the complainant's request

           to exercise rights, in particular the right to erasure (Article 17.1

           GDPR), and to erase the personal data of the data subject
           website and social media accounts, within 30 days

           count from the notification of this decision;


       - order the defendant to contact the Data Protection Authority (Dispute Chamber)

           by e-mail within the same period of the consequences
           this decision will be given via the email address litigationchamber@apd-gba.be;

           and


       - in the absence of timely implementation of the above by the defendant,
           to consider the merits of the case ex officio in accordance with Articles 98 et seq.

           of the WOG.



Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notice, an appeal against this decision will be filed with the Market Court (court of

appeal Brussels), with the Data Protection Authority as defendant. Decision 35/2024 — 8/8


Such an appeal can be lodged by means of an inter partes petition

                                                                                                        4
must contain statements listed in Article 1034ter of the Judicial Code. It

an objection petition must be submitted to the registry of the Market Court
                                                                       5
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit

IT system of Justice (Article 32ter of the Judicial Code).









   (ge). Hielke H IJMANS

   Chairman of the Disputes Chamber















































4The petition states, under penalty of nullity:

 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     company number;
 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
     summoned;
 4° the subject matter and brief summary of the grounds of the claim;

 5° the judge before whom the claim is brought;
 6° the signature of the applicant or his lawyer.
5The petition with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.