APD/GBA (Belgium) - 97/2024: Difference between revisions
Latest revision as of 07:08, 14 August 2024
APD/GBA - 97/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(b) GDPR, Article 6(1)(f) GDPR, Article 12(4) GDPR, Article 17(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 16.07.2024 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 97/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | APD/GBA (in FR) |
Initial Contributor: | fb |
The DPA reprimanded a controller for unlawfully keeping an employee's email inbox active for an excessive amount of time after the termination of the employment. According to a case-by-case assessment, a period of three months would have been appropriate.
English Summary
Facts
The data subject was employed by the controller with the role of managing 30 residential buildings. In October 2020, the controller dismissed the data subject without notice, believing he made several mistakes during his job.
After the termination of the employment contract, the controller kept the professional email address of the data subject active. It argued that it needed that email inbox to ensure that the tasks the data subject had been taking care of could be smoothly transferred to someone else. Therefore, it argued that it had a legitimate interest under Article 6(1)(f) GDPR in keeping the email inbox active.
On 11 November 2020, the data subject asked the controller to stop using his email inbox and filed an erasure request pursuant to Article 17 GDPR. The controller did not reply to this request.
On 3 December 2020, the data subject filed a complaint with the DPA.
Holding
First of all, the DPA pointed out that the email address of the data subject is personal data according to Article 4(1) GDPR, since it is a piece of information relating to an identified or identifiable natural person.
Secondly, the DPA noted that this address had been created for professional purposes, namely to allow the data subject to send and receive emails relating to his professional activity. According to the DPA, it follows from the principle of purpose limitation set by Article 5(1)(b) GDPR that the controller is obliged to close the inbox after a data subject terminates their job. The DPA added that, before doing this, the controller must activate an automatic reply, informing that the data subject is not working for the controller anymore and indicating another email address which the clients can use.
However, the DPA also noted that, depending on the role of the data subject (for example, if the data subject is the CEO or is the only person that is in charge of doing something in the controller’s organization), a delay up to 3 months can be admissible. In the case at hand, the DPA recalled that the controller had been keeping the email address active for more than that time. Therefore, the DPA found a violation of Article 5(1)(b) GDPR combined with Article 5(1)(c) and 5(1)(e) GDPR.
Thirdly, the DPA focused on the legal basis. The DPA agreed with the controller that, in principle, it can have a legitimate interest under Article 6(1)(f) GDPR to keep the inbox active for a certain time.
The DPA noted that to verify if a controller can use the legal basis provided for by Article 6(1)(f) GDPR, according to the CJEU (see C-13/16, Rīgas satiksme) a 3-step test must be conducted. As for the first step, it held that ensuring the continuity of the services provided by the controller is actually a legitimate interest.
As for the second step, the necessity test, the DPA held that this processing can be regarded as necessary to pursue the interest of the controller.
Finally, as for the third step, the DPA pointed out that, in principle, a short delay can be acceptable and does not imply that the legitimate interest of the controller is overridden by the interests and fundamental rights of the data subject. However, in the case at hand, the controller had kept the inbox open for a long time (more than 5 months). The DPA believed that this time is to be regarded as having an excessive impact on the rights of the data subject, in particular regarding the principle of data minimisation.
Therefore, the DPA held that the controller could not rely on Article 6(1)(f) GDPR as a legal basis and found a violation of Article 6(1) GDPR.
Finally, the DPA found a violation of Article 12(4) GDPR in combination with Article 17(1) GDPR, since the controller neither replied to the data subject nor erased the data.
On these grounds, the DPA issued a reprimand to the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Data Protection Authority Litigation Chamber Decision 97/2024 of July 16, 2024 File number: DOS-2020-05645 Subject: Complaint relating to the failure to delete a professional email address from following a dismissal The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke HIJMANS, president; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and to the free movement of these data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of December 3, 2017 establishing the Data Protection Authority (hereinafter “LCA”); Considering the internal regulations as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 20191; Considering the documents in the file; Has taken the following decision regarding: The complainant: Mr. The defendant: Company Y, hereinafter “the defendant” 1 The new internal regulations of the APD following the modifications made to the LCA by the Law of December 25 2023 amending the law of December 3, 2017 establishing the Data Protection Authority (LCA) entered into force on 01/06/2024. It only applies to complaints, mediation files, requests, inspections and procedures before the Litigation Chamber initiated from this date: https://www.autoriteprotectiondonnees.be/publications/reglement-dordre- inside-the-data-protection-authority.pdf Files initiated as in this case before 06/01/2024 remain subject to the provisions of the internal regulations (https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur.pdf as it existed before this date. Decision on merits 97/2024 — 2/18 I. Facts and procedure 1. 
The subject of the complaint concerns the failure to delete the professional email address name of the plaintiff following his dismissal by the defendant. 2. The defendant is a company active in the field of real estate which operates notably the function of co-ownership trustee. 3. The defendant explains that it dismissed the plaintiff in October 2020, without providing any prior notice. The defendant describes this cessation of the plaintiff's activities as abrupt and conflicting. She, still according to her, intervened without preparing files or passing as a witness for the attention of a successor. 4. The parties disagree on the reasons for this dismissal. The defendant puts evidence of a recovery context and, on this occasion, the discovery of errors professional acts committed by the complainant. The complainant formally denies everything failure on his part. He indicates that at the time of the resumption 7 months before his dismissal, he was on the contrary informed that due to his age and the proximity of his retirement, he was not part of the future of the company and his files would be gradually taken over by colleagues from a sister company of the defendant. As of At this time, the complainant indicates that his work was systematically hampered by contradictory directives he received from the new management. 5. The defendant reports that the plaintiff managed around thirty residences and played a very key role with regard to the legal obligations of the trustee of co-ownership as well as in the operation of the company. Its missions were numerous (financial management of buildings, administrative management of buildings and monitoring the good performance of these buildings), extending regularly over several years. In the exercise of his duties, the complainant was in direct contact with the co-owners buildings he managed. 6. 
The defendant further states that she had no other choice than to keep the email address of the complainant after his dismissal in order to ensure the continuity of the activities of the company, in particular the holding of general meetings of co-owners in charge of the complainant and the postponement of these during the period of the covid -19 virus pandemic in accordance with the legal provisions temporarily applicable at the time2. 7. The defendant in fact emphasizes that the facts took place, in addition to in a context of resumption of its activities, in the midst of a health crisis linked to the covid-19 virus pandemic during which the processing of received e-mails was even more essential (compared to 2 Law of December 20, 2020 establishing various temporary and structural provisions in matters of justice within the framework of the spread of the Covid-19 coronavirus, M.B., December 24, 2020. Decision on merits 97/2024 — 3/18 with other non-electronic means of communication) to ensure the mission of trustee and respond to requests from co-owners. 8. On November 11, 2020, the plaintiff sent a registered letter to the defendant asking to end the use of his email box [X’s professional email address] by based on the substantive decision 64/2020 of September 29, 2020 of the Chamber ODA litigation. 9. On December 3, 2020, the complainant filed a complaint with the APD against the defendant. The complainant having been dismissed at the beginning of October 2020 (point 3), he denounces the fact that as of December 3, 2020, the defendant was still sending emails from his address without informing the senders of his departure from the company. The complainant denounces moreover that in many residences, his name still appeared on the information panels as well as on numerous documents, which damaged its reputation. The complainant was in fact no longer able to carry out his position since he had been dismissed almost two months earlier. 10. 
On December 16, 2020, the complainant confirmed to the SPL that the defendant had refrained from respond to his request of November 11, 2020 (point 8). 11. On January 5, 2021, the complaint was declared admissible by the SPL on the basis of articles 58 and 60 of the LCA and the complaint is transmitted to the Litigation Chamber under article 62, § 1st of the LCA 12. On February 2, 2021, in accordance with article 96, § 1 of LCA, the request of the Chamber Contentious to carry out an investigation is transmitted to the Inspection Service (SI). 13. On June 30, 2021, the investigation by the Inspection Service is closed, the report is attached to the file and this is transmitted by the inspector general to the President of the Litigation Chamber (art. 91, § 1 and § 2 of the LCA). 14. The SI investigation report is based in particular on two technological reports from the 18 March and June 14, 2021 and made the following observations: - Finding 1: the SI concludes that the defendant did not comply with articles 5.1.b (principle of purpose), 5.1.c (principle of minimization) and 5.1.e (principle of limited conservation) of GDPR3 as long as on March 23, 2021, i.e. more than 5 months after dismissal of the complainant, the email address [professional email address of always active / contactable. An auto-reply message is associated with this email address that mentions that the complainant has left the company, that the email address will be deactivated soon and that the email address to be used in the future is the address [generic email address]. 3 The SI refers in particular to decision 64/2020 of the Litigation Chamber. Decision on merits 97/2024 — 4/18 - Finding 2: the IS notes that there was a breach of article 6.1 of the GDPR by the defendant since maintaining the disputed e-mail address for more than 5 months (i.e. from October 2020 - dismissal of the complainant - to March 2021 at least - investigation reports) is excessive. 
No longer any basis for legality - not even interest legitimate within the meaning of Article 6.1. f) which authorizes the continuation of the processing for a period duration of 1 to 3 months depending on the concrete circumstances of the case - did not allow to justify the continued processing of this data throughout this period. - Finding 3: the SI notes that the defendant violated the requirements of articles 12.3, 12.4 and 17.1 of the GDPR by refraining from responding to the letter of November 11, 2020 from complainant under the terms of which he made a request to erase his e-address - professional email (articles 12.3 and 12.4) as well as by not deleting (article 17.1 of the GDPR). - Observation 4: the IS finally notes that the complainant put the APD in a copy of the letter he addressed on June 8, 2021 to the defendant and in which he requests that the latter stops using his private telephone number as a contact number for a telephone alarm center. The IS notes that no action is postulated by the complainant on the part of the APD and that in any event the response time of one month to his erasure request has not expired on the date his report is closed. In accordance with article 64, § 2 of the LCA, the SI does not consider it appropriate to pursue its investigation concerning this last aspect. 15. On July 27, 2021 the Litigation Chamber decides, under Article 95, § 1, 1° and article 98 of the LCA, that the file can be processed on its merits. 16. On this same date, the parties concerned are informed of the provisions such as repeated in article 95.2 as well as article 98 of the ACL. They are also informed, in under section 99 of the LCA, deadlines for transmitting their conclusions. The deadline for the receipt of the conclusions in response from the defendant is set for September 22 2021, that for the complainant's reply conclusions as of October 14, 2021 and that for the conclusions in reply of the defendant as of November 5, 2021. 17. 
On September 13, 2021, the defendant's counsel requested a copy of the file (art. 95, §2, 3° LCA), which is sent to them on September 16, 2021. 18. On this same date, the defendant agrees to receive all communications relating to the case electronically. 19. On September 28, 2021, the Litigation Chamber receives the conclusions in response from the defendant. The defendant having filed summary conclusions, its argument is summarized below (points 21 et seq.). Decision on merits 97/2024 — 5/18 20. On October 13, 2021, the Litigation Chamber receives the conclusions in response to the complainant. The plaintiff refutes any legitimate interest of the defendant in pursuing the processing of his nominative e-mail address as long as it was sufficient for him to communicate to the co-owners, via the generic address of the company, that the trustee had changed and their provide the contact details of the complainant’s successor. The factual circumstances specific reasons invoked by the defendant, in particular to justify the lack of response to its request for erasure within the period (1 month) prescribed by the GDPR, are also dismissed by the complainant. 21. On November 5, 2021, the Litigation Chamber receives the conclusions in response to the defendant. 22. The defendant contests any violation of Article 5.1. b), 5.1. c) and 5.1. e) of the GDPR (observance 1 of the SI) as well as article 6.1 of the GDPR (finding 2 of the SI). She highlights the fact that she has, based on Article 6.1. f) of the GDPR, continued the processing of the email address data of the complainant, leaving the associated email box open, in order to continue his activity and its professional relations with the co-owners concerned following the sudden departure of the complainant, for a period not exceeding what was reasonable taking into account the concrete circumstances of the case. 
These same elements are invoked to explain his lack of response (uncontested) to the complainant within the deadline of articles 12.3 and 12.4 of the GDPR (information 3 of the SI). Finally, as for “observation” 4 of the SI, the defendant indicates that it endeavored to verify that the diversion of emergency calls alarm systems to the complainant's cell phone number had been successfully deleted. II. Motivation II.1. Preliminary remark 23. It appears from the conclusions of the parties that the complaint filed is part of a climate particularly conflictual which finds its source even before the dismissal of the complainant by the defendant. In this regard, the Litigation Chamber wishes to emphasize that it does not enter in its competence to replace the competence of other instances, judicial by example, competent in matters of labor law disputes in particular. II.2. As for compliance with the principles of purpose (article 5.1. b) of the GDPR), minimization (article 5.1. c) of the GDPR) and limited storage (article 5.1. e) of the GDPR) II.2.1. The point of view of the parties and the SI 24. In its investigation report, the SI notes that it has just been mentioned that on the date of March 23, 2021, more than 5 months after the dismissal of the complainant, the email address Decision on merits 97/2024 — 6/18 [X's professional email address] of the latter is still active / contactable. A automatic reply message is associated with this address which mentions that the complainant has left the company (i.e. the defendant), that the e-mail address will soon be disabled and the email address to use in the future is [generic email address]. The SI also notes on June 14, 2021, that the address [email address professional of X] is no longer reachable even if it is probable that it still exists (pages 7 and 9 of the SI report). 25. The complainant shares the SI's findings. 26. 
As has just been mentioned in the statement of facts and procedural retroactive documents, the Defendant contests any violation of Article 5.1. b), 5.1. c) and 5.1. e) GDPR. She put highlighting the fact that it continued processing the data of the complainant’s email address, leaving the associated email box open, in order to continue its activity and its professional relations with the co-owners concerned following the sudden departure of the complainant, in compliance with the principles of finality and minimization during a duration not exceeding what was reasonable. She underlines that if the Litigation Chamber has in the past indicated that this period should, ideally, not exceed 1 to 3 months, it does not has no less, using the term “ideally”, left the possibility of a longer delay than concrete circumstances could justify. The defendant highlights the context of the health crisis linked to the covid-19 virus pandemic, the absence of a transition period and handing over of files linked to the abrupt departure of the complainant, the recent resumption of the company as well as the fact that the complainant was his only full-time employee for a number not negligible number of residences. II.2.2. The point of view of the Litigation Chamber 27. In its capacity as data controller, the defendant is required to respect the data protection principles and must be able to demonstrate that these are respected (principle of responsibility – article 5.2. of the GDPR). Furthermore, it must always in its capacity as data controller, implement all technical measures and organizational measures necessary for this purpose (article 24 of the GDPR). 28. Article 5.1 b) of the GDPR enshrines the principle of finality, i.e. the requirement that the data are collected for specific, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with these purposes. 29. 
It is in the light of the purpose that other principles also enshrined can be applied in article 5 of the GDPR: the principle of minimization - under which only data adequate, relevant and limited to what is necessary with regard to the purpose may be processed (article 5.1 c) of the GDPR) - and the principle of limitation of storage – to under which the data cannot be kept in a form that allows Decision on merits 97/2024 — 7/18 the identification of the persons concerned only for a period not exceeding that necessary in view of the purposes for which they are processed (article 5.1 e) of the GDPR). 30. These principles and the obligations which result from them for the data controller, find an echo in terms of rights for the person concerned since in particular, in application of article 17.1 a) of the GDPR, the data subject has the right to obtain data controller the erasure of data concerning them when these data are not are more necessary in view of the purposes for which they were collected or processed. 31. The complainant’s disputed email address is personal data within the meaning of Article 4.1. of the GDPR. This is in fact information relating to a person identified or identifiable physical person within the meaning of this article. In this case, it relates to the complainant. 32. This address, created for professional purposes in the context of the activities of the defendant, was to allow the plaintiff to receive and send letters electronic in the context of his activities within the defendant. 33. The Litigation Chamber is of the opinion that to comply with the principle of finality (article 5.1. 
b) of the GDPR), combined with the principles of minimization (article 5.1 c) of the GDPR) and limitation of the retention period (article 5.1 e) of the GDPR), it is the responsibility of the person responsible for processing of blocking the electronic messaging of the holders of these having ceased their duties at the latest on the day of their effective departure. This blockage must take place after having informed them beforehand and having inserted an automatic message. This automatic message will notify any subsequent correspondent of the fact that the person concerned no longer exercises his functions within the company and will inform the contact details of the person (or generic email address) to contact in their place, for a reasonable period (a priori 1 month). Depending on the context and, in particular, the degree of responsibility exercised by the person concerned, (such as a function of delegated director or another key function that he or she is the only one to exercise as in this case) a longer period can be accepted, not ideally exceeding 3 month. This extension must be justified and done with the agreement of the person concerned or, at a minimum, after having informed them. An alternative solution must also be researched and implemented as quickly as possible without necessarily waiting the final deadline for this extension. 34. The Litigation Chamber considers that this way of proceeding is to be preferred over automatic forwarding of emails to another email address the company. In the case of an automatic transfer, especially without information to the issuer of the message, there is in fact no control over incoming or “in” emails. Furthermore, in this case, potentially sensitive private information could Decision on merits 97/2024 — 8/18 be disclosed without the knowledge not only of the person concerned but also of the sender of the message. 35. 
Beyond this period (1 to 3 months maximum), the electronic messaging of the data subject will be deleted4. 29. The complainant having been dismissed by the respondent in October 2020, the Chamber Litieuse considers that the processing of this data should have ceased on this date or, at most, taking into account the function exercised by the complainant, within a reasonable time from this date. The Litigation Chamber is of the opinion that this period could have varied from 1 to 3 month upon notification to message senders that this address messaging was no longer active, with no automatic transfer of sent emails. 36. It appears from the documents of this procedure that the address of the complainant remained active at least 5 months after the cessation of his activities within the defendant from which the dismissal decision came with the establishment of an automatic message informing the senders of messages to the complainant's e-mail address that this the latter no longer worked for her and that a new address was to be used from now on. 37. In support of the above, and notwithstanding the quality of the automatic message set up, the Litigation Chamber concludes that article 5.1 b), combined with article 5.1 c) and e) of the GDPR was not respected by the defendant due to the excessive duration of the maintenance of the email address of the complainant. The Litigation Chamber considers that the context of the pandemic and the various circumstances invoked by the defendant cannot justify this period (see also point 55 below). If the management of the files taken over could perhaps not not be fully realized by the plaintiff's successors, the question of maintaining his nominative e-mail address beyond 3 months is separate from this one. II.3. As for compliance with the requirement of a basis of legality (article 6 of the GDPR) II.3.1. The point of view of the SI and the parties 38. 
According to its investigation report, the SI indicates that a professional email address such as that of the complainant can remain active for a certain period of time (observation 1) in order to ensure the proper functioning of the company and the continuity of its services, in support of the legitimate interest of the data controller in compliance with the conditions of article 6.1. f) of the GDPR. Beyond this period, the SI is of the opinion that there is no longer any basis of legality that allows the processing to continue. Therefore, the SI concludes that maintaining the disputed email address for more than 5 months (i.e. from October 2020 (dismissal of the complainant) to March 2021 at a minimum (investigation reports)) is excessive and that no basis of legality any longer justifies the continued processing of this data throughout this period. The SI thus notes that there was a breach of Article 6.1 of the GDPR by the defendant.

[4] In its Recommendation CM/Rec(2015)5 on the processing of personal data in the context of employment, the Committee of Ministers of the Council of Europe states the following in principle 14.5: when an employee leaves their job, the employer should take technical and organizational measures so that the employee's electronic messaging is automatically deactivated. If the content of the messaging had to be retrieved for the smooth running of the organization, the employer should take appropriate measures to recover its contents before the employee's departure and if possible in his presence. The explanatory memorandum of the recommendation further specifies (point 122) that in these situations where the employee leaves the organization, employers must deactivate the former employee's account so that they do not have access to their communications after his departure. If the employer wishes to recover the contents of the employee's account, he must take the necessary measures to do so before the latter's departure and preferably in his presence. This sectoral recommendation, which complements the Convention for the protection of individuals with regard to automated processing of personal data (STE 108), illustrates how the principles of finality, minimization and proportionate retention, enshrined both in this Convention and in the GDPR, must apply.

39. The complainant refutes any legitimate interest of the defendant in continuing the processing of his nominative e-mail address since it was sufficient, according to him, for the latter to communicate to the co-owners, via the generic address of the company, that the trustee had changed and to provide them with the contact details of the complainant's successor. The complainant adds that a lawyer was hired the day after his dismissal, supplementing the staff of the defendant's sister company to which the files he handled were transferred. This sister company included, in addition to administrative staff (…), another manager responsible for gradually taking over his files. Reception and follow-up of customer calls as well as secretarial work were carried out by a part-time secretary. The argument of the defendant that he was the only employee cannot therefore be accepted.

40. The defendant considers that it can rely on its legitimate interest (article 6.1. f) of the GDPR) in continuing its activities to justify the disputed processing beyond a period of 3 months, taking into account the specific circumstances of the case already mentioned. There was therefore, according to the defendant, no violation of Article 6.1. of the GDPR on its part.

II.3.2. The point of view of the Litigation Chamber

41. Article 6.1 of the GDPR requires that any processing be based on a basis of lawfulness.
In other words, the data controller cannot process data without relying on one of the bases of legality listed in article 6.1 of the GDPR, which gives concrete form to the principle of legality stated in article 5.1 a) of the GDPR.

42. The Litigation Chamber has, in accordance with the above developments, noted that the purpose for which the data constituting the email address was processed was extinguished with the cessation of the complainant's activities with the defendant. In pursuit of a legitimate interest in compliance with the conditions of article 6.1 f) of the GDPR, the address may, as indicated by the SI, remain active for a certain period of time in order to ensure the correct operation of the company and the continuity of the defendant's services. Beyond this period, there is no longer any basis of legitimacy for the processing to continue.

43. The Litigation Chamber recalls that in order to be able to rely on the basis of legality of “legitimate interest” in application of article 6.1.f) of the GDPR, the data controller, namely the first respondent in this case, must demonstrate that (a) the interest he pursues via the data processing concerned can be recognized as legitimate (the “purpose test”); (b) the envisaged processing is necessary to achieve this interest (the “necessity test”); and (c) the weighing of this interest against the interests, freedoms and fundamental rights of the persons concerned weighs in its favor or in favor of the third party (the “weighting test”).

44. The Litigation Chamber will verify whether, in this case, these 3 tests are satisfied with regard to the disputed processing.

Finality test

45.
The Litigation Chamber recalls that in order to be qualified as “legitimate”, the interest pursued by the data controller (or the third party, but this is not the case here) must be lawful under the law, determined in a sufficiently clear and precise manner, and existing and current rather than fictitious or hypothetical (finality test).

46. In this case, the Litigation Chamber is of the opinion that the use of the email address of the complainant for a short period of time, intended to ensure the continuity of the company and the contacts with managed co-ownerships while putting in place transition measures, constitutes a legitimate interest on the part of the defendant.

Necessity test

47. Regarding the test of necessity, the Litigation Chamber recalls that the Court of Justice of the European Union (CJEU) ruled, among others in the “TK” judgment, on this condition of necessity of processing,[5] insisting on the strict interpretation of this condition, which is not specific to Article 6.1. f) of the GDPR but common to all the bases of lawfulness listed in article 6.1 of the GDPR with the exception of the consent provided for in article 6.1. a) GDPR.

48. The CJEU also observes that the condition relating to the necessity of the processing must be examined in conjunction with the so-called “data minimization” principle enshrined in Article 6(1)(c) of Directive 95/46, according to which the personal data must be “adequate, relevant and not excessive with regard to the purposes for which they are collected and for which they are processed subsequently”.

49. The CJEU also clarified that if there are realistic and less intrusive alternatives to the processing carried out, this processing is not “necessary”.[6]
In other words, the data controller must ensure that there is no less intrusive means to achieve its objective than to implement the envisaged processing (for example a device not processing personal data, or different processing more protective of the right to privacy and protection of personal data of the person concerned).

[5] As regards the second condition set out in Article 7(f) of Directive 95/46, relating to the need for recourse to a processing of personal data for the realization of the legitimate interest pursued, the Court recalled that the exceptions and restrictions to the principle of protection of personal data must be carried out within the limits of what is strictly necessary (judgment of 4 May 2017, Rīgas satiksme, C-13/16, EU:C:2017:336, paragraph 30 and case law cited).

[6] "This condition requires the referring court to verify that the legitimate interest in the processing of data pursued by the video surveillance at issue in the main proceedings, which consists, in essence, of ensuring the security of property and people and of preventing the occurrence of offenses, cannot reasonably be achieved as effectively by other means less detrimental to the freedoms and fundamental rights of the persons concerned, in particular the rights to respect for privacy and the protection of personal data guaranteed by Articles 7 and 8 of the Charter." Emphasis added by the Litigation Chamber.

50. This case law formulated in relation to Articles 7 and 6 of Directive 95/46/EC remains relevant to this day. Article 6.1 of the GDPR in fact repeats the terms of article 7 of Directive 95/46/EC, the legitimate interest of the data controller being retained (article 7 f) of Directive 95/46/EC and article 6.1. f) of the GDPR), admittedly in slightly different terms. Article 5.1. c) of the GDPR relating to the principle of minimization reinforces the terms of Article 6.1.c) of Directive 95/46/EC to which the CJEU also refers. The context of “video surveillance” of the TK judgment is certainly distinct from that of the disputed processing in this case. However, this does not justify setting aside the principles stated by the CJEU with regard to the conditions of legitimate interest as the basis of lawfulness. These requirements are expressed in general terms applicable to all contexts alike.

51. In this case, the Litigation Chamber is of the opinion that the processing of the e-mail address of the complainant can be qualified as necessary for the realization of the interest pursued by the defendant, if only to allow the reception of messages which are still addressed to this address and, in response to them, to inform the senders of the departure of the complainant and the methods of communication following this departure.

Weight test

52. The Litigation Chamber recalls that in addition to the two conditions mentioned above, article 6.1. f) of the GDPR can only be relied on if the interests or fundamental freedoms and rights of the person concerned do not prevail over the interest pursued by the data controller or the third party. In other words, the data controller must carry out a balancing exercise, a weighing of the rights and interests in question, and verify in this framework that the interests (commercial, security of goods, fight against fraud, etc.) that it pursues do not create an imbalance to the detriment of the rights and interests of individuals whose data is processed. If the interests and rights of the latter prevail, article 6.1. f) GDPR cannot be used.

53. Concretely, the data controller must first identify the consequences of all kinds that its processing may have on the people concerned: on their private lives but also, more broadly, on all the rights and interests covered by the
protection of personal data. This involves assessing the degree of intrusion of the envisaged processing into the individual sphere, measuring its impact on people's private life (processing of sensitive data, processing relating to vulnerable people, profiling, etc.) and on their other fundamental rights (freedom of expression, freedom of information, freedom of conscience, etc.) as well as the other concrete impacts of the processing on their situation (monitoring or surveillance of their activities or movements, exclusion of access to services, etc.). These impacts must be measured in order to determine, on a case-by-case basis, the extent of the intrusion caused by the processing into people's lives. The principle of data minimization will also be taken into account.

54. The data controller must then take into account, in the weighing between its legitimate interest and the rights and interests of the data subjects, the “reasonable expectations” of the latter. This consideration is essential when it comes to processing that can be implemented without the prior consent of individuals: in the absence of a positive and explicit act on their part, legitimate interest requires not surprising people in the implementation methods or in the consequences of the processing.

55. Generally speaking, regarding the continued processing of a professional e-mail address after the departure of an employee or other actor of the company, the Litigation Chamber is of the opinion, as was recalled by the SI in its investigation report and in point 33 of this decision, that it is appropriate to set up an automatic message warning any correspondent that the person concerned (here the complainant) no longer exercises his functions within the company and to provide, as quickly as possible, the contact details of the person (or generic email address) to contact in their place, for a reasonable period (a priori 1 month).
The complainant having been dismissed, it is important to clarify the situation as quickly as possible and not to create confusion or expectations that he would no longer be able to satisfy given his departure. Depending on the context and, in particular, the degree of responsibility exercised by the person concerned (such as a function of delegated director or another key function that he or she is the only one to exercise, as in this case), a longer period may be allowed, ideally not exceeding 3 months. Even during a pandemic period, as put forward by the defendant to justify an extension of this deadline, the Litigation Chamber considers that the extension of this period beyond 3 months (which 3 months already constitute an extension of the basic period of 1 month, which tends to express the adequate balance between the interests of the controller and the person concerned) is not justified in this case, especially since, as the Litigation Chamber will note in the following paragraphs, this extension was done without informing the complainant or communicating the reason for this extension, even though he was opposed to it. The Litigation Chamber considers that 5 months constitute, even in this case, an excessive duration with regard to the rights and freedoms of the complainant, most particularly with regard to the principle of minimization to which the defendant is bound, including in its assessment of the use of article 6.1. f) GDPR.

Conclusion

56. In conclusion, the Litigation Chamber can only note that no basis of lawfulness any longer allowed the defendant to justify the continuation of the processing of the email address of the complainant. There was therefore a breach of article 6.1 of the GDPR on its part.

II.4. As for the follow-up to the complainant's request for erasure (articles 12.3, 12.4 and 17.1 of the GDPR)

II.4.1. The point of view of the SI and the parties

57.
As mentioned above, the SI notes a breach of Article 12.3 and 12.4 of the GDPR on the part of the defendant in that it refrained from responding to the complainant's request for erasure of November 11, 2020; the circumstances invoked by the defendant do not alter this finding.

58. Likewise, the complainant denounces this total lack of response. None of the arguments put forward by the defendant can be accepted. The argument of the hasty cessation of his activities cannot be accepted since it results from a decision which emanates from the defendant itself. The argument based on the resumption of activities by a separate management cannot be accepted either, since this takeover had taken place 7 months before his dismissal. In this regard, the complainant disputes any error committed in the framework of his services. Finally, the complainant emphasizes that the commitments of the new management were made under duress from the APD services while the complaint was pending and not spontaneously.

59. For its part, the defendant does not deny having failed to respond to the complainant's request of 11 November 2020 for deletion of his professional email address [address X's professional email]. In addition to the context of the pandemic and other circumstances already mentioned, the defendant insists on the fact that it did not remain inactive, since it set up an automatic response system for the complainant's email address and then deactivated it. At the same time, it set about replacing all the posters and plates containing the complainant's contact details in the residences which he managed. Finally, it indicates having verified that the diversion of emergency calls to the complainant's private phone was turned off.

II.4.2. The point of view of the Litigation Chamber

60.
The Litigation Chamber notes that the defendant did not comply with article 12.4 of the GDPR, under the terms of which “if the data controller does not respond to the request made by the person concerned, he informs him without delay and at the latest within a period of one month from receipt of the request of the reasons for its inaction and of the possibility of lodging a complaint with a supervisory authority and seeking legal recourse”.

61. Indeed, once it receives a request to exercise the rights of a data subject (here the complainant), the data controller (here the defendant) is always required to respond to the person concerned:

- Either by providing him with information on the measures taken following his request as soon as possible and in any event within one month from the date of receipt of the request, in accordance with the requirements of article 12.3. of the GDPR. If needed, this period may be extended by two months, taking into account the complexity and number of requests. In this case, the data controller nevertheless informs the person concerned of this extension and the reasons for the postponement within a period of one month from receipt of the request.
- Or, as mentioned above, if he considers that he should not follow up on the request made by the person concerned (article 12.4.), he informs him without delay and at the latest within one month from receipt of the request of the reasons for his inaction and of the possibility of lodging a complaint with a supervisory authority and of seeking legal recourse.

62. In other words, the person concerned must never be left without any response, whatever the intention of the data controller as to the action he gives or intends to give to the request to exercise a right addressed to him.

63. In this case it is not disputed that the defendant refrained from responding to the complainant's request for erasure of November 11, 2020.

64.
The circumstances already invoked by the defendant and linked to work overload, the particular context of the pandemic or even the consequences of the hasty departure of the complainant are not likely to eliminate this breach. At most, these circumstances could be taken into account by the Litigation Chamber in the determination of the sanction appropriate to the breach noted.

65. There was therefore a violation of Article 12.4 of the GDPR on the part of the defendant, which, considering itself justified (quod non – see above) in continuing to process the email address of the complainant, and therefore in refusing his request for erasure, should nevertheless have responded and explained the reasons for this refusal, as well as informed him of the possibility of lodging a claim (complaint) with the APD and of seeking legal recourse.

66. Finally, as the Litigation Chamber has already stated above, the principles of finality, minimization and limitation of retention, as well as the obligations arising therefrom for the data controller, find an echo in terms of rights for the individual concerned. If the data controller fails to comply with these obligations spontaneously, taking into account the extinction of the processing purpose (article 5.1. b) and e) of the GDPR), the data subject may obtain erasure by exercising the right recognized in article 17.1 a) of the GDPR. In application of this, he has in fact the right to obtain from the data controller the erasure of data concerning him when these data are no longer necessary for the purposes for which they were collected or processed.

67. Notwithstanding the complainant's request to this effect, the defendant belatedly complied with this request for erasure once the complaint was pending before the APD and in violation of articles 5.1.b) of the GDPR, combined with article 5.1. c) and 5.1. e) GDPR (point 37), as well as Article 6.1 of the GDPR (point 55).

68.
In doing so, the defendant was guilty of a breach of article 17.1 combined with Article 12.4. of the GDPR.

II.5. Additional remarks

69. The Litigation Chamber takes note that the defendant has taken the measures necessary to indicate to the security company that the telephone number of the complainant no longer had to be called in the event of an incident, the latter having left the company. In general, it was up to the defendant to inform those to whom the data of the complainant had been communicated in the exercise of his functions that he no longer exercised them, ideally and if possible proactively, but in any event from the moment the complainant made the request.

70. As a reminder, Article 19 of the GDPR provides in this sense that “the data controller notifies each recipient to whom the personal data has been communicated any rectification or erasure of personal data or any restriction of processing carried out in accordance with Article 16, Article 17(1), and article 18, unless such communication proves impossible or requires disproportionate efforts. The data controller provides the data subject with information on these recipients if the latter requests it”.

71. As for the signs providing the contact details of the complainant displayed in the various buildings which he managed, the Litigation Chamber also takes note that the contact details of the complainant thus displayed, which constitute personal data concerning him within the meaning of article 4.1. of the GDPR, have gradually been erased and replaced by a general contact address.

III. As for corrective measures and sanctions

72.
Under the terms of article 100 LCA, the Litigation Chamber has the power to:

1° close the complaint without further action;
2° order the dismissal of the case;
3° pronounce a suspension of the sentence;
4° propose a transaction;
5° issue warnings or reprimands;
6° order to comply with the requests of the person concerned to exercise his rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or definitive ban on processing;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of the data and the notification of these to the recipients of the data;
11° order the withdrawal of the approval of certification bodies;
12° give fines;
13° issue administrative fines;
14° order the suspension of cross-border data flows to another State or an international body;
15° transmit the file to the office of the King's prosecutor in Brussels, which informs it of the follow-up given to the case;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

73. In its conclusions, the defendant indicates that the new management of the company is, even more than in the past, keen to respect the regulations regarding data protection. It indicates that it has hired a part-time lawyer in this regard since the events denounced. It indicates that it has also put in place an internal policy for the use of IT tools intended for employees and emphasizes that this policy will be an integral part of the new work regulations being implemented on the date of dispatch of its conclusions. As part of the overall reflection aimed at compliance with the GDPR for which the recruited lawyer is responsible, a confidentiality policy intended for employees as well as a confidentiality policy intended for customers have been written.

74. The Litigation Chamber takes note of these steps.

75.
Breaches of Article 5.1 b) of the GDPR – combined with Article 5.1 c) and e) of the GDPR – (point 37), article 6.1 of the GDPR (point 55) as well as article 17.1. combined with article 12.4 of the GDPR (point 68) being proven, the Litigation Chamber decides to issue a reprimand to the defendant for the said breaches.

76. Without calling into question the defendant's assertions regarding the projects already initiated in 2021, the Litigation Chamber nevertheless accompanies this reprimand with a compliance order. Taking into account the time elapsed since the deadline in the timetable for the conclusions in which the defendant reports on its compliance efforts, commitments and projects, it orders the defendant to communicate to it the policy governing the closing of electronic mail in the event of departure of one of its directors, employees and other possible functions within the month of this decision, in accordance with its operative part.

77. The Litigation Chamber is of the opinion that these are appropriate, effective and