APD/GBA (Belgium) - 71/2024: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=71/2024 |ECLI= |Original_Source_Name_1=GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-nr.-71-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Sour...")
 
mNo edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 63: Line 63:
}}
}}


The DPA issued a warning against a controller for not implementing a proper policy regarding the closure of former employees’ mailboxes and for not responding to an access request regarding said closure in a timely manner.
The DPA issued a warning against a controller for not implementing transparent modalities regarding the closure of former employees’ mailboxes, specifically the retention period of the mailbox. The controller has one month to proceed to the deletion of the email address and mailbox, period which can be extended to three months with the data subject's consent.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject was dismissed from her workplace in August 2022, after which she had to serve a six-week notice period. She was the CEO, Senior Director marketing and managing director . During these six weeks, a dispute arose regarding whether she was still allowed to access her professional mailbox. The access to her mailbox was cut off on 12 September 2022. An access to said mailbox was allegedly given to her superior. However, he was requested not to use the access.  
The senior director of marketing and managing director of a company ('data subject') was dismissed from her workplace in August 2022, after which she had to serve a six-week notice period. During these six weeks, a dispute arose regarding whether she was still allowed to access her professional mailbox. The access to her mailbox was cut off on 12 September 2022. An access to said mailbox was allegedly given to her superior. However, he was requested not to access the mailbox.  


On 15 September 2022, the data subject made an access request and asked that the controller confirm that no one had accessed her mailbox on the basis of IT logs.  
On 15 September 2022, the data subject made an access request and asked that the controller confirm that no one had accessed her mailbox on the basis of IT logs.  
Line 77: Line 77:


=== Holding ===
=== Holding ===
Firstly, the DPA held that in principle, further processing of a mailbox is in principle lawful, as long as some conditions are respected. The DPA illustrates with the following example: the mailbox can remain active for a certain period of time after the dismissal of the data subject as long as it is limited to the automatic sending of standard communications regarding the departure of the data subject, in order to ensure the proper functioning of the company. However, the GBA adds that the other provisions of the GDPR must also be respected.  
Firstly, the DPA held that in principle further processing of a mailbox is lawful, as long as some conditions are respected. The DPA said the mailbox can remain active for a certain period of time after the dismissal of the data subject as long as it is limited to the automatic sending of standard communications regarding the departure of the data subject, in order to ensure the proper functioning of the company. However, the GBA added that the other provisions of the GDPR must also be respected.  


The GBA then established that the controller has one month after which it must delete the data subject’s email address and mailbox, unless other agreements have been made between the controller and former employee in that regard. A longer period may be granted depending on the context and degree of responsibility of the data subject but this extension must be done with the data subject’s consent.
The GBA then established that the controller has one month after which it must delete the data subject’s email address and mailbox, unless other agreements have been made between the controller and former employee in that regard. A longer period may be granted depending on the context and degree of responsibility of the data subject but this extension must be done with the data subject’s consent.


In the present case, the DPA noted that the modalities of this closure were not transparently defined and implemented. For example, it was not clear how long the email continued existing after the data subject’s departure, and who had access to it.  
In the present case, the DPA noted that the modalities of this closure were not transparently defined and implemented. For example, it was not clear how long the email continued existing after the data subject’s departure, and who had access to it. Additionally, the data subject was not informed of the extended transition period implemented by the controller. In the present case, the data subject had a prominent position in the company. Therefore, the GBA held that a transition period of more than one month seemed justified. However, the exact timing of the closure of the mailbox was unclear and appeared to be longer than the recommended periods, as the email account still existed in January 2023. Moreover, doubts were raised about the possible access by others to the data subject’s mailbox.
Additionally, the data subject was not informed of the extended transition period implemented by the controller. In the present case, the data subject had a prominent position in the company. However, the GBA held that a transition period of more than one month seemed justified. However, the exact timing of the closure of the mailbox was unclear and appeared to be longer than the recommended three months, as the email account still existed in January 2023. Moreover, doubts were raison about the possible access by others to the data subject’s mailbox.


Thus, the GBA considered that the controller had not taken technical and organisational measures to ensure compliance with the GDPR. It held that this highlights a lack of transparent arrangements regarding policy concerning the closure of former employees’ mailboxes, which may violate [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and 25 GDPR. There was also a suspected violation of Articles 6(1) and 5(1)(a) GDPR as the mailbox was kept open without legal basis.
Thus, the GBA considered that the controller had not taken technical and organisational measures to ensure compliance with the GDPR. It held that this highlights a lack of transparent arrangements regarding policy concerning the closure of former employees’ mailboxes, which may violate [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 25 GDPR|25 GDPR]]. There was also a suspected violation of [[Article 6 GDPR#1|Articles 6(1)]] and [[Article 5 GDPR#1a|5(1)(a) GDPR]] as the mailbox was kept open without legal basis.


Secondly, the DPA discussed the late response to the data subject’s access request. The GBA noted that the data subject made an access request in September 2022, and that it appears from the evidence that the first response she got was dated January 2023. Thus, the controller failed to respond in a timely manner pursuant to [[Article 12 GDPR#3|Article 12(3) GDPR]].
Secondly, the DPA discussed the late response to the data subject’s access request. The GBA noted that the data subject made an access request in September 2022, and that it appears from the evidence that the first response she got was dated January 2023. Thus, the controller failed to respond in a timely manner pursuant to [[Article 12 GDPR#3|Article 12(3) GDPR]].

Latest revision as of 11:28, 15 May 2024

APD/GBA - 71/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 12(3) GDPR
Article 25 GDPR
Type: Complaint
Outcome: Upheld
Started: 08.11.2023
Decided: 06.05.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 71/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: nzm

The DPA issued a warning against a controller for not implementing transparent modalities regarding the closure of former employees’ mailboxes, specifically the retention period of the mailbox. The controller has one month to proceed to the deletion of the email address and mailbox, period which can be extended to three months with the data subject's consent.

English Summary

Facts

The senior director of marketing and managing director of a company ('data subject') was dismissed from her workplace in August 2022, after which she had to serve a six-week notice period. During these six weeks, a dispute arose regarding whether she was still allowed to access her professional mailbox. The access to her mailbox was cut off on 12 September 2022. An access to said mailbox was allegedly given to her superior. However, he was requested not to access the mailbox.

On 15 September 2022, the data subject made an access request and asked that the controller confirm that no one had accessed her mailbox on the basis of IT logs.

On 25 January 2023, the controller responded by providing a summary of the logs relating to the disputed mailbox. These logs showed that there was no access to this mailbox. However, the data subject claimed that this document was inaccurate or incomplete. She also noted that her professional email account still existed in January 2023, well after her departure from her workplace.

The data subject filed a complaint with the Belgian DPA ('GBA').

Holding

Firstly, the DPA held that in principle further processing of a mailbox is lawful, as long as some conditions are respected. The DPA said the mailbox can remain active for a certain period of time after the dismissal of the data subject as long as it is limited to the automatic sending of standard communications regarding the departure of the data subject, in order to ensure the proper functioning of the company. However, the GBA added that the other provisions of the GDPR must also be respected.

The GBA then established that the controller has one month after which it must delete the data subject’s email address and mailbox, unless other agreements have been made between the controller and former employee in that regard. A longer period may be granted depending on the context and degree of responsibility of the data subject but this extension must be done with the data subject’s consent.

In the present case, the DPA noted that the modalities of this closure were not transparently defined and implemented. For example, it was not clear how long the email continued existing after the data subject’s departure, and who had access to it. Additionally, the data subject was not informed of the extended transition period implemented by the controller. In the present case, the data subject had a prominent position in the company. Therefore, the GBA held that a transition period of more than one month seemed justified. However, the exact timing of the closure of the mailbox was unclear and appeared to be longer than the recommended periods, as the email account still existed in January 2023. Moreover, doubts were raised about the possible access by others to the data subject’s mailbox.

Thus, the GBA considered that the controller had not taken technical and organisational measures to ensure compliance with the GDPR. It held that this highlights a lack of transparent arrangements regarding policy concerning the closure of former employees’ mailboxes, which may violate Article 5(1)(a) GDPR and 25 GDPR. There was also a suspected violation of Articles 6(1) and 5(1)(a) GDPR as the mailbox was kept open without legal basis.

Secondly, the DPA discussed the late response to the data subject’s access request. The GBA noted that the data subject made an access request in September 2022, and that it appears from the evidence that the first response she got was dated January 2023. Thus, the controller failed to respond in a timely manner pursuant to Article 12(3) GDPR.

Therefore, the GBA issued a prima facie warning against the controller about the lack of a proper policy concerning the closure of former employees’ mailboxes and for the late response to the access request.

Comment

As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure within 30 days after the decision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/8



                                                                          Dispute Chamber


                                                      Decision 71/2024 of May 6, 2024


File number: DOS-2023-04299


Relates to: the failure to close the professional email account of a former employee

Close



The Disputes Chamber of the Data Protection Authority, composed of Mr

Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and regarding the free movement of such data and to the revocation of

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;


In view of the internal rules of order, as approved by the House of Representatives

Representatives on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Considering the documents in the file;


Has made the following decision regarding:


Defendant: X, hereinafter “the complainant”



The defendant: Y, hereinafter “the defendant” Decision 71/2024 — 2/8


I. Facts and procedure


 1. The subject of the complaint concerns the defendant's failure to act professionally

       to close the complainant's email account.

 2. The complainant, former employee and managing director of the defendant,

       was dismissed in August 2022, after which she had to give six weeks' notice

       performance. During these six weeks, disagreement arose about the question whether the complainant

       still got access to her professional mailbox. After all, she still made use of this,
       as she continued her work for the duration of the notice period. The

       the complainant's access to her mailbox was closed on September 12, 2022. There would

       according to the complainant, access to the mailbox was given to the in-line manager. It

       was asked not to use the access.

 3. On September 15, 2022, the complainant reportedly submitted a request for information

       the unauthorized access to the professional email account. The request is already following

       stated: “I further ask that you please confirm that no one has access

       has accessed my mailbox, based on the respective IT logs,[…].” She requests

       furthermore, to receive confirmation by September 21, 2022 at the latest that the
       professional mailbox was closed correctly.


 4. The defendant is said to have responded on January 25, 2023. In this response a

       provides an overview of the logs related to the disputed mailbox. The defendant
       claims that these logs show that there has been no access to the professional email

       email account of the complainant. Nevertheless, the complainant notes that it was forwarded

       document appears to be incorrect or incomplete in its opinion.

 5. Furthermore, the complainant notes that her professional email account still existed on 3

       January 2023, well after her departure from the defendant.


 6. On 25 October 2023, the complainant filed a complaint with the Data Protection Authority
       against the defendant. On the one hand, the defendant does not blame her professional mailbox

       in accordance with data protection law, and on the other hand accuses

       she accused the defendant of manipulating the logs she passed on. Moreover

       The defendant did not respond in a timely manner to the complainant's request for inspection

       dated September 21, 2022 and to which a full answer will not be provided until January 25, 2023

       came. Decision 71/2024 — 3/8



  7. On November 8, 2023, the complaint will be declared admissible by the First Line Service
                                                                1
        on the basis of articles 58 and 60 of the WOG and the complaint is filed on the basis of article 62, § 1
                                                                       2
        of the WOG transferred to the Disputes Chamber.



II. Justification



  8. The Disputes Chamber first points out that there are guidelines for professional
                                                                                                               3
        manage and close the mail account of former employees in good order. Thereby

        it must be said that the further processing of a business mailbox is in principle

        is lawful, as long as certain conditions are respected. So can the mailbox, with it

        in view of the legitimate interest of the defendant in accordance with the

        conditions of Article 6.1.f) of the GDPR, for a certain period after dismissal


        of the complainant will still remain active insofar as this is limited to automatic transmission

        of standard communication regarding the departure of an employee, with a view to

        guaranteeing the proper functioning of the company and its continuity

        services. This is of course only possible if the other provisions of the GDPR are also complied with

        are respected, in particular article 13.1.c) GDPR, which means that before it starts

        is related to the processing activities, it must be determined which legal basis is applicable

                                                                                5
        applies, and in connection with which specific purpose, with the obligation for the

        controller to inform the data subject of this.


  9. The controller generally has one month after which the e-mail address

        and the mailbox of the data subject must be deleted, unless mutually agreed upon

        controller and former employee other agreements have been made in

        this connection. 6






1In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible
declared.
2
 In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to
has been transferred to her as a result of this complaint.
3
 Cf. decisions 64/2020 and 133/2021 of the Disputes Chamber.
4Cf. decision 46/2020 of the Disputes Chamber, para. 29 and decision 133/2021 of the Disputes Chamber, para. 56 et seq.
5
 In this regard, see Guidelines 05/2020 on consent in accordance with Regulation 2016/679 (edition nos. 121-123);
https://edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf
6
 In its recommendation CM/Rec (2015)5 on the processing of personal data in the context of the employment relationship,
the Committee of Ministers of the Council of Europe in principle 14.5 the following: when an employee leaves his or her job
leaves, the employer must take technical and organizational measures to ensure that the email from the
employee is automatically deactivated. If the contents of the email must be retrieved for good
functioning of the organization, the employer must take appropriate measures to retrieve the contents of the email
before the employee's departure and, if possible, in his presence. The explanation accompanying the recommendation states further
(para. 122) that in these situations where the employee leaves the organization, the employer retains the account of the former

employee must deactivate so that there is no longer access to the former employee's communications after his
departure. If the employer wishes to recover the contents of the employee's account, the employer must take the necessary steps
to take steps before the employee's departure, preferably in his presence. This sectoral recommendation that
and completes the Convention for the Protection of Individuals with regard to Automated Processing
personal data (STE 108), illustrates how the principles of purpose limitation, minimum data processing
proportionate retention, which are confirmed in both this Treaty and the GDPR, should be applied. Decision 71/2024 — 4/8


      Depending on the context and in particular the degree of responsibility that the

      exercised by the person concerned, a longer period may be granted, ideally no longer

      than three months. The extension must be done with the consent of the person concerned

      or at least after it has been informed of the extension. Moreover, it should be like this
      an alternative solution must be sought and implemented as quickly as possible without

      deadline for this extension must be awaited.


10. In this case, it must be established that the complainant has not received any

      no longer had access to her professional mailbox. From the email traffic between the complainant
      and the defendant appeared to have indeed reported this closure of her access to the complainant

      did not agree to the closure of access.


11. However, from the complainant's documents, the Disputes Chamber can prima facie establish that

      the modalities of this transition period were not laid down transparently and
      executed. It is therefore not clear how long the mailbox continued to exist after the departure of

      the complainant and who gets access to this. As stated earlier, the person concerned must be awake

      least be informed of an extended transition period. In this case, it seems

      prima facie this is not the case.

12. The Disputes Chamber must investigate whether the mailbox is within a reasonable period of time

      concluded, namely within one month, or within three months if the person concerned has a

      had a prominent role within the organization. Given the important position of the complainant

      within the company – namely as CEO, Senior Director Marketing and managing director

      – the Disputes Chamber has no choice but to state that a transition period of longer than
      a month seems justified. The exact timing of the final closing of the

      However, the mailbox is unclear to the Disputes Chamber. This appears to be longer than the recommended three

      to be months, as an automatic response is still being sent to

      emails addressed to this email address in January 2023.

13. It can be deduced from the documents attached to the complaint (in particular appendix 7) that the

      mailbox was still active and sent automatic responses on January 3, 2023, while the

      cooperation already ended in September 2022. The complainant has no information

      received over this extended transition period. As a result, the original is already

      extended period of three months has been exceeded.

14. In addition, doubts have been raised about possible access by others to the mailbox of the

      complainant, as evidenced by her email correspondence and a registered letter in which

      the complainant expresses her concerns.

15. Finally, the Disputes Chamber also wishes to address the defendant's possible late response

      to discuss the request for access. In the correspondence between the complainant and the

      It is also suggested to the defendant that there may be a violation of Decision 71/2024 - 5/8


       Article 12.3 of the GDPR, as the defendant did not respond to it in a timely manner

       access request. Appendix 14 contains an email from the defendant's counsel dated 25

       January 2023 with an attachment entitled “IT log data supporting that there were no other

       successful logins to X account after September 9, 2022”. If this is actually the first

       response to the complainant's request, which was made for the first time in September 2022

       submitted, then the defendant is perfectly late to comply with the requirements of Article

       12.3 of the GDPR.

 16. In this context, the Disputes Chamber suspects that the defendant has no technical and

       has taken organizational measures to ensure compliance with the GDPR.

       This emphasizes the lack of transparent agreements, which may be in conflict with

       Articles 5.1.a), 13.1.c) and 25 of the GDPR. There is a suspected violation of Article

       6.1 j° Article 5.1.a) of the GDPR as the mailbox became without legal basis
       kept open. Finally, there is a suspected violation of Article 12.3 of the GDPR

       due to the defendant's late response.


 17. The Disputes Chamber is of the opinion that on the basis of the above analysis

       concluded that the defendant committed a suspected violation of the provisions of the

       GDPR was committed, which justifies taking action in this case
       to warn a decision pursuant to Article 95, § 1, 4° of the WOG, in particular

       for the lack of a solid policy regarding closing a business mailbox

       from a former employee.


 18. The Disputes Chamber hereby establishes that the defendant has used the email account since then

       closed properly. The Disputes Chamber therefore does not consider it necessary to do anything

       impose other corrective measures.

 19. The accuracy of the logs forwarded by the defendant is also disputed. According to the

       complainant, these may be incorrect or even manipulated, while the defendant denies this.

       However, since the inaccuracy of the logs is not supported by concrete

       evidence and the Disputes Chamber does not have sufficient information to establish prima facie

       to conclude that this constitutes a violation, it will refrain from making a statement
       this issue.


 20. This decision is a prima facie decision taken by the Disputes Chamber

       in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant,
                                                                                       7
       in the context of the “procedure prior to the decision on the merits” and none

       decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.






7Section 3, Subsection 2 of the WOG (Articles 94 to 97). Decision 71/2024 — 6/8


       The Disputes Chamber has thus decided, on the basis of Article 58.2.a) GDPR and

       Article 95, § 1, 4° of the WOG, to warn the defendant about late closing

       of the mailbox.


 21. The purpose of this decision is to inform the defendant of the fact that this

       may have committed an infringement of the provisions of the GDPR and this in the

       the opportunity to still comply with the aforementioned provisions.

 22. If the defendant does not agree with the content of this prima facie case


       decision and is of the opinion that it can put forward factual and/or legal arguments that

       could lead to a new decision, it can request a reconsideration

       submit to the Disputes Chamber in accordance with the procedure established in Articles 98 in conjunction

       99 of the WOG, known as a “treatment on the merits”. This request must be

       sent to the email address litigationchamber@apd-gba.be within a period of 30

       days after notification of this primafacie decision. If applicable, implementation will take place

       of this decision is suspended for the above-mentioned period.

 23. In the event of a continuation of the merits of the case, the

       Disputes Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 of the

       invite WOG to submit their defenses and any documents they consider useful


       to be added to the file. If necessary, the present decision will become final

       suspended.

 24. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits

       of the case may lead to the imposition of the measures referred to in Article 100 of the

       WOG . 8









8Article 100. § 1. The Disputes Chamber has the authority to:
 1° to dismiss a complaint;
 2° to order the dismissal of prosecution;
 3° order the suspension of the ruling;

 4° to propose a settlement;
 5° formulate warnings and reprimands;
 6° order that the data subject's requests to exercise his rights be complied with;
 7° to order that the person concerned is informed of the security problem;
 8° order that processing be temporarily or permanently frozen, restricted or prohibited;
 9° to order that the processing be brought into compliance;
 10°the rectification, limitation or deletion of data and its notification to the recipients of the data
     recommend data;
 11° order the withdrawal of the recognition of certification bodies;
 12° to impose penalty payments;
 13° to impose administrative fines;
 14° the suspension of cross-border data flows to another State or an international institution

     command;
 15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the
     follow-up given to the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the
     Data Protection Authority. Decision 71/2024 — 8/8


                                                              10
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit information system

of the Ministry of Justice (Article 32ter of the Dutch Civil Code).







(get). Hielke H IJMANS

Chairman of the Disputes Chamber





































































10The petition with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.