APD/GBA (Belgium) - 71/2024: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=71/2024 |ECLI= |Original_Source_Name_1=GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-nr.-71-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Sour...") |
mNo edit summary |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 63: | Line 63: | ||
}} | }} | ||
The DPA issued a warning against a controller for not implementing | The DPA issued a warning against a controller for not implementing transparent modalities regarding the closure of former employees’ mailboxes, specifically the retention period of the mailbox. The controller has one month to proceed to the deletion of the email address and mailbox, period which can be extended to three months with the data subject's consent. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject was dismissed from her workplace in August 2022, after which she had to serve a six-week notice period | The senior director of marketing and managing director of a company ('data subject') was dismissed from her workplace in August 2022, after which she had to serve a six-week notice period. During these six weeks, a dispute arose regarding whether she was still allowed to access her professional mailbox. The access to her mailbox was cut off on 12 September 2022. An access to said mailbox was allegedly given to her superior. However, he was requested not to access the mailbox. | ||
On 15 September 2022, the data subject made an access request and asked that the controller confirm that no one had accessed her mailbox on the basis of IT logs. | On 15 September 2022, the data subject made an access request and asked that the controller confirm that no one had accessed her mailbox on the basis of IT logs. | ||
Line 77: | Line 77: | ||
=== Holding === | === Holding === | ||
Firstly, the DPA held that in principle | Firstly, the DPA held that in principle further processing of a mailbox is lawful, as long as some conditions are respected. The DPA said the mailbox can remain active for a certain period of time after the dismissal of the data subject as long as it is limited to the automatic sending of standard communications regarding the departure of the data subject, in order to ensure the proper functioning of the company. However, the GBA added that the other provisions of the GDPR must also be respected. | ||
The GBA then established that the controller has one month after which it must delete the data subject’s email address and mailbox, unless other agreements have been made between the controller and former employee in that regard. A longer period may be granted depending on the context and degree of responsibility of the data subject but this extension must be done with the data subject’s consent. | The GBA then established that the controller has one month after which it must delete the data subject’s email address and mailbox, unless other agreements have been made between the controller and former employee in that regard. A longer period may be granted depending on the context and degree of responsibility of the data subject but this extension must be done with the data subject’s consent. | ||
In the present case, the DPA noted that the modalities of this closure were not transparently defined and implemented. For example, it was not clear how long the email continued existing after the data subject’s departure, and who had access to it. | In the present case, the DPA noted that the modalities of this closure were not transparently defined and implemented. For example, it was not clear how long the email continued existing after the data subject’s departure, and who had access to it. Additionally, the data subject was not informed of the extended transition period implemented by the controller. In the present case, the data subject had a prominent position in the company. Therefore, the GBA held that a transition period of more than one month seemed justified. However, the exact timing of the closure of the mailbox was unclear and appeared to be longer than the recommended periods, as the email account still existed in January 2023. Moreover, doubts were raised about the possible access by others to the data subject’s mailbox. | ||
Additionally, the data subject was not informed of the extended transition period implemented by the controller. In the present case, the data subject had a prominent position in the company. | |||
Thus, the GBA considered that the controller had not taken technical and organisational measures to ensure compliance with the GDPR. It held that this highlights a lack of transparent arrangements regarding policy concerning the closure of former employees’ mailboxes, which may violate [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and 25 GDPR. There was also a suspected violation of Articles 6(1) and 5(1)(a) GDPR as the mailbox was kept open without legal basis. | Thus, the GBA considered that the controller had not taken technical and organisational measures to ensure compliance with the GDPR. It held that this highlights a lack of transparent arrangements regarding policy concerning the closure of former employees’ mailboxes, which may violate [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 25 GDPR|25 GDPR]]. There was also a suspected violation of [[Article 6 GDPR#1|Articles 6(1)]] and [[Article 5 GDPR#1a|5(1)(a) GDPR]] as the mailbox was kept open without legal basis. | ||
Secondly, the DPA discussed the late response to the data subject’s access request. The GBA noted that the data subject made an access request in September 2022, and that it appears from the evidence that the first response she got was dated January 2023. Thus, the controller failed to respond in a timely manner pursuant to [[Article 12 GDPR#3|Article 12(3) GDPR]]. | Secondly, the DPA discussed the late response to the data subject’s access request. The GBA noted that the data subject made an access request in September 2022, and that it appears from the evidence that the first response she got was dated January 2023. Thus, the controller failed to respond in a timely manner pursuant to [[Article 12 GDPR#3|Article 12(3) GDPR]]. |
Latest revision as of 11:28, 15 May 2024
APD/GBA - 71/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR Article 12(3) GDPR Article 25 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 08.11.2023 |
Decided: | 06.05.2024 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 71/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | GBA (in NL) |
Initial Contributor: | nzm |
The DPA issued a warning against a controller for not implementing transparent modalities regarding the closure of former employees’ mailboxes, specifically the retention period of the mailbox. The controller has one month to proceed to the deletion of the email address and mailbox, period which can be extended to three months with the data subject's consent.
English Summary
Facts
The senior director of marketing and managing director of a company ('data subject') was dismissed from her workplace in August 2022, after which she had to serve a six-week notice period. During these six weeks, a dispute arose regarding whether she was still allowed to access her professional mailbox. The access to her mailbox was cut off on 12 September 2022. An access to said mailbox was allegedly given to her superior. However, he was requested not to access the mailbox.
On 15 September 2022, the data subject made an access request and asked that the controller confirm that no one had accessed her mailbox on the basis of IT logs.
On 25 January 2023, the controller responded by providing a summary of the logs relating to the disputed mailbox. These logs showed that there was no access to this mailbox. However, the data subject claimed that this document was inaccurate or incomplete. She also noted that her professional email account still existed in January 2023, well after her departure from her workplace.
The data subject filed a complaint with the Belgian DPA ('GBA').
Holding
Firstly, the DPA held that in principle further processing of a mailbox is lawful, as long as some conditions are respected. The DPA said the mailbox can remain active for a certain period of time after the dismissal of the data subject as long as it is limited to the automatic sending of standard communications regarding the departure of the data subject, in order to ensure the proper functioning of the company. However, the GBA added that the other provisions of the GDPR must also be respected.
The GBA then established that the controller has one month after which it must delete the data subject’s email address and mailbox, unless other agreements have been made between the controller and former employee in that regard. A longer period may be granted depending on the context and degree of responsibility of the data subject but this extension must be done with the data subject’s consent.
In the present case, the DPA noted that the modalities of this closure were not transparently defined and implemented. For example, it was not clear how long the email continued existing after the data subject’s departure, and who had access to it. Additionally, the data subject was not informed of the extended transition period implemented by the controller. In the present case, the data subject had a prominent position in the company. Therefore, the GBA held that a transition period of more than one month seemed justified. However, the exact timing of the closure of the mailbox was unclear and appeared to be longer than the recommended periods, as the email account still existed in January 2023. Moreover, doubts were raised about the possible access by others to the data subject’s mailbox.
Thus, the GBA considered that the controller had not taken technical and organisational measures to ensure compliance with the GDPR. It held that this highlights a lack of transparent arrangements regarding policy concerning the closure of former employees’ mailboxes, which may violate Article 5(1)(a) GDPR and 25 GDPR. There was also a suspected violation of Articles 6(1) and 5(1)(a) GDPR as the mailbox was kept open without legal basis.
Secondly, the DPA discussed the late response to the data subject’s access request. The GBA noted that the data subject made an access request in September 2022, and that it appears from the evidence that the first response she got was dated January 2023. Thus, the controller failed to respond in a timely manner pursuant to Article 12(3) GDPR.
Therefore, the GBA issued a prima facie warning against the controller about the lack of a proper policy concerning the closure of former employees’ mailboxes and for the late response to the access request.
Comment
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure within 30 days after the decision.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/8 Dispute Chamber Decision 71/2024 of May 6, 2024 File number: DOS-2023-04299 Relates to: the failure to close the professional email account of a former employee Close The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”; In view of the internal rules of order, as approved by the House of Representatives Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Has made the following decision regarding: Defendant: X, hereinafter “the complainant” The defendant: Y, hereinafter “the defendant” Decision 71/2024 — 2/8 I. Facts and procedure 1. The subject of the complaint concerns the defendant's failure to act professionally to close the complainant's email account. 2. The complainant, former employee and managing director of the defendant, was dismissed in August 2022, after which she had to give six weeks' notice performance. During these six weeks, disagreement arose about the question whether the complainant still got access to her professional mailbox. After all, she still made use of this, as she continued her work for the duration of the notice period. The the complainant's access to her mailbox was closed on September 12, 2022. There would according to the complainant, access to the mailbox was given to the in-line manager. It was asked not to use the access. 3. On September 15, 2022, the complainant reportedly submitted a request for information the unauthorized access to the professional email account. The request is already following stated: “I further ask that you please confirm that no one has access has accessed my mailbox, based on the respective IT logs,[…].” She requests furthermore, to receive confirmation by September 21, 2022 at the latest that the professional mailbox was closed correctly. 4. The defendant is said to have responded on January 25, 2023. In this response a provides an overview of the logs related to the disputed mailbox. The defendant claims that these logs show that there has been no access to the professional email email account of the complainant. Nevertheless, the complainant notes that it was forwarded document appears to be incorrect or incomplete in its opinion. 5. Furthermore, the complainant notes that her professional email account still existed on 3 January 2023, well after her departure from the defendant. 6. On 25 October 2023, the complainant filed a complaint with the Data Protection Authority against the defendant. On the one hand, the defendant does not blame her professional mailbox in accordance with data protection law, and on the other hand accuses she accused the defendant of manipulating the logs she passed on. Moreover The defendant did not respond in a timely manner to the complainant's request for inspection dated September 21, 2022 and to which a full answer will not be provided until January 25, 2023 came. Decision 71/2024 — 3/8 7. On November 8, 2023, the complaint will be declared admissible by the First Line Service 1 on the basis of articles 58 and 60 of the WOG and the complaint is filed on the basis of article 62, § 1 2 of the WOG transferred to the Disputes Chamber. II. Justification 8. The Disputes Chamber first points out that there are guidelines for professional 3 manage and close the mail account of former employees in good order. Thereby it must be said that the further processing of a business mailbox is in principle is lawful, as long as certain conditions are respected. So can the mailbox, with it in view of the legitimate interest of the defendant in accordance with the conditions of Article 6.1.f) of the GDPR, for a certain period after dismissal of the complainant will still remain active insofar as this is limited to automatic transmission of standard communication regarding the departure of an employee, with a view to guaranteeing the proper functioning of the company and its continuity services. This is of course only possible if the other provisions of the GDPR are also complied with are respected, in particular article 13.1.c) GDPR, which means that before it starts is related to the processing activities, it must be determined which legal basis is applicable 5 applies, and in connection with which specific purpose, with the obligation for the controller to inform the data subject of this. 9. The controller generally has one month after which the e-mail address and the mailbox of the data subject must be deleted, unless mutually agreed upon controller and former employee other agreements have been made in this connection. 6 1In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible declared. 2 In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to has been transferred to her as a result of this complaint. 3 Cf. decisions 64/2020 and 133/2021 of the Disputes Chamber. 4Cf. decision 46/2020 of the Disputes Chamber, para. 29 and decision 133/2021 of the Disputes Chamber, para. 56 et seq. 5 In this regard, see Guidelines 05/2020 on consent in accordance with Regulation 2016/679 (edition nos. 121-123); https://edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf 6 In its recommendation CM/Rec (2015)5 on the processing of personal data in the context of the employment relationship, the Committee of Ministers of the Council of Europe in principle 14.5 the following: when an employee leaves his or her job leaves, the employer must take technical and organizational measures to ensure that the email from the employee is automatically deactivated. If the contents of the email must be retrieved for good functioning of the organization, the employer must take appropriate measures to retrieve the contents of the email before the employee's departure and, if possible, in his presence. The explanation accompanying the recommendation states further (para. 122) that in these situations where the employee leaves the organization, the employer retains the account of the former employee must deactivate so that there is no longer access to the former employee's communications after his departure. If the employer wishes to recover the contents of the employee's account, the employer must take the necessary steps to take steps before the employee's departure, preferably in his presence. This sectoral recommendation that and completes the Convention for the Protection of Individuals with regard to Automated Processing personal data (STE 108), illustrates how the principles of purpose limitation, minimum data processing proportionate retention, which are confirmed in both this Treaty and the GDPR, should be applied. Decision 71/2024 — 4/8 Depending on the context and in particular the degree of responsibility that the exercised by the person concerned, a longer period may be granted, ideally no longer than three months. The extension must be done with the consent of the person concerned or at least after it has been informed of the extension. Moreover, it should be like this an alternative solution must be sought and implemented as quickly as possible without deadline for this extension must be awaited. 10. In this case, it must be established that the complainant has not received any no longer had access to her professional mailbox. From the email traffic between the complainant and the defendant appeared to have indeed reported this closure of her access to the complainant did not agree to the closure of access. 11. However, from the complainant's documents, the Disputes Chamber can prima facie establish that the modalities of this transition period were not laid down transparently and executed. It is therefore not clear how long the mailbox continued to exist after the departure of the complainant and who gets access to this. As stated earlier, the person concerned must be awake least be informed of an extended transition period. In this case, it seems prima facie this is not the case. 12. The Disputes Chamber must investigate whether the mailbox is within a reasonable period of time concluded, namely within one month, or within three months if the person concerned has a had a prominent role within the organization. Given the important position of the complainant within the company – namely as CEO, Senior Director Marketing and managing director – the Disputes Chamber has no choice but to state that a transition period of longer than a month seems justified. The exact timing of the final closing of the However, the mailbox is unclear to the Disputes Chamber. This appears to be longer than the recommended three to be months, as an automatic response is still being sent to emails addressed to this email address in January 2023. 13. It can be deduced from the documents attached to the complaint (in particular appendix 7) that the mailbox was still active and sent automatic responses on January 3, 2023, while the cooperation already ended in September 2022. The complainant has no information received over this extended transition period. As a result, the original is already extended period of three months has been exceeded. 14. In addition, doubts have been raised about possible access by others to the mailbox of the complainant, as evidenced by her email correspondence and a registered letter in which the complainant expresses her concerns. 15. Finally, the Disputes Chamber also wishes to address the defendant's possible late response to discuss the request for access. In the correspondence between the complainant and the It is also suggested to the defendant that there may be a violation of Decision 71/2024 - 5/8 Article 12.3 of the GDPR, as the defendant did not respond to it in a timely manner access request. Appendix 14 contains an email from the defendant's counsel dated 25 January 2023 with an attachment entitled “IT log data supporting that there were no other successful logins to X account after September 9, 2022”. If this is actually the first response to the complainant's request, which was made for the first time in September 2022 submitted, then the defendant is perfectly late to comply with the requirements of Article 12.3 of the GDPR. 16. In this context, the Disputes Chamber suspects that the defendant has no technical and has taken organizational measures to ensure compliance with the GDPR. This emphasizes the lack of transparent agreements, which may be in conflict with Articles 5.1.a), 13.1.c) and 25 of the GDPR. There is a suspected violation of Article 6.1 j° Article 5.1.a) of the GDPR as the mailbox became without legal basis kept open. Finally, there is a suspected violation of Article 12.3 of the GDPR due to the defendant's late response. 17. The Disputes Chamber is of the opinion that on the basis of the above analysis concluded that the defendant committed a suspected violation of the provisions of the GDPR was committed, which justifies taking action in this case to warn a decision pursuant to Article 95, § 1, 4° of the WOG, in particular for the lack of a solid policy regarding closing a business mailbox from a former employee. 18. The Disputes Chamber hereby establishes that the defendant has used the email account since then closed properly. The Disputes Chamber therefore does not consider it necessary to do anything impose other corrective measures. 19. The accuracy of the logs forwarded by the defendant is also disputed. According to the complainant, these may be incorrect or even manipulated, while the defendant denies this. However, since the inaccuracy of the logs is not supported by concrete evidence and the Disputes Chamber does not have sufficient information to establish prima facie to conclude that this constitutes a violation, it will refrain from making a statement this issue. 20. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, 7 in the context of the “procedure prior to the decision on the merits” and none decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG. 7Section 3, Subsection 2 of the WOG (Articles 94 to 97). Decision 71/2024 — 6/8 The Disputes Chamber has thus decided, on the basis of Article 58.2.a) GDPR and Article 95, § 1, 4° of the WOG, to warn the defendant about late closing of the mailbox. 21. The purpose of this decision is to inform the defendant of the fact that this may have committed an infringement of the provisions of the GDPR and this in the the opportunity to still comply with the aforementioned provisions. 22. If the defendant does not agree with the content of this prima facie case decision and is of the opinion that it can put forward factual and/or legal arguments that could lead to a new decision, it can request a reconsideration submit to the Disputes Chamber in accordance with the procedure established in Articles 98 in conjunction 99 of the WOG, known as a “treatment on the merits”. This request must be sent to the email address litigationchamber@apd-gba.be within a period of 30 days after notification of this primafacie decision. If applicable, implementation will take place of this decision is suspended for the above-mentioned period. 23. In the event of a continuation of the merits of the case, the Disputes Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 of the invite WOG to submit their defenses and any documents they consider useful to be added to the file. If necessary, the present decision will become final suspended. 24. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures referred to in Article 100 of the WOG . 8 8Article 100. § 1. The Disputes Chamber has the authority to: 1° to dismiss a complaint; 2° to order the dismissal of prosecution; 3° order the suspension of the ruling; 4° to propose a settlement; 5° formulate warnings and reprimands; 6° order that the data subject's requests to exercise his rights be complied with; 7° to order that the person concerned is informed of the security problem; 8° order that processing be temporarily or permanently frozen, restricted or prohibited; 9° to order that the processing be brought into compliance; 10°the rectification, limitation or deletion of data and its notification to the recipients of the data recommend data; 11° order the withdrawal of the recognition of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° the suspension of cross-border data flows to another State or an international institution command; 15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 71/2024 — 8/8 10 in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Dutch Civil Code). (get). Hielke H IJMANS Chairman of the Disputes Chamber 10The petition with its attachment will be sent by registered letter in as many copies as there are parties involved deposited with the clerk of the court or at the registry.