APD/GBA (Belgium) - 72/2021
Revision as of 08:18, 30 June 2021
APD/GBA (Belgium) - 72/2021 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 6(1)(e) GDPR, Article 12(3) GDPR, Article 13(1)(c) GDPR, Article 15(1) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 14.06.2021 |
Published: | 14.06.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 72/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Belgian DPA (in FR) |
Initial Contributor: | n/a |
The Belgian DPA issued a reprimand against a public authority which shared an audit report containing personal data with third parties without a proper legal basis and did not respond to the complainant's access request in due time.
English Summary
Facts
A public administration in charge of supervising organisations that hire persons with disabilities drew up an audit report on the situation of one such organisation after a complaint from the trade union and some members of the staff. The report mentioned some personal data of the director of the organisation (i.e., the salary) and was shared with third parties (trade union representatives, social mediator). The director (the complainant) sent an access request to the administration in charge regarding his personal data in the report. The administration did not respond to the request.
Dispute
Can the administration share the personal data of the report with third parties such as the representatives of the trade union and the social mediator when the procedure does not specifically provide for it?
Holding
The administration did not respect its obligation to inform under Article 12(3), 13(1)(c) and 15(1) GDPR. The sharing of the personal data of the director cannot rely on a proper legal basis such as Article 6(1)(e) since sharing the report with the personal data was not necessary for the performance of the tasks of the administration. In addition, the administration could not rely on Article 6(1)(d) GDPR (vital interests) for communication of the personal data of the director to third parties.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Contentious room
Decision on the merits 72/2021 of June 14, 2021

File No.: DOS-2019-02726

Subject: Complaint against a public authority for transmitting a report to third parties and lack of response within the legal deadline

The Contentious Chamber of the Data Protection Authority (hereinafter APD), made up of Mr. Hielke Hijmans, chairman, and Messrs C. Boeraeve and R. Robert, members.

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of these data, and repealing Directive 95/46/EC (General Regulation on Data Protection), hereinafter GDPR;

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA);

Given the internal regulations of the Data Protection Authority as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the file;

Has taken the following decision regarding:

The complainant: Mr X (hereinafter the complainant), represented by Mr Jean-Yves Gyselinx

Defendant: Agence Y

I. Facts and retroacts of the procedure

1. On May 15, 2019, the complainant lodged with the Data Protection Authority (hereinafter the DPA) a request / complaint form in which he criticizes the communication by the controller of a report dated April 3, 2019 to trade union representatives, due to the fact that it contains personal data about him and in particular his salary. He complains in particular that the union representatives would have transferred the information to many other fellow trade unionists, who allegedly used the information against him in meetings.

2.
The report, dated April 3, 2019 and entitled "Complaint conclusion report" (hereinafter "the audit report" or "the report") comes from the Audit & Control Department, […] of the defendant. The report concerns ASBL Z (hereafter ASBL), an establishment that has a care authorization issued by Y for 95 people with disabilities, day and night reception. The beneficiaries have an intellectual disability or mental health problems, some with significant multiple disabilities. Part of the population presents complex needs.

3. The audit report follows on from three groups of complaints that were filed between December 22, 2018 and February 21, 2019 against the non-profit organization by, respectively, about twenty workers from the non-profit organization, a collective of educators and unions […] and […].

4. The audit examines grievances such as the financial structure of the institution, the lack of supervision, incompetence of management as well as problems in the quality of care for residents. Out of nine grievances mentioned, the report considers that five are founded or generally founded, the four others subject to various assessments. The complainant is informed as being the director of the non-profit organization.

5. This audit report was emailed on April 3, 2019 to the complainant and two union representatives (identified as being respectively the managers and the complainants). The report is also addressed to the social conciliator "in view to support the lines of thought that will be discussed during the meeting of this afternoon in order to try to resolve this dispute" [1].

[1] Email of April 3, 2019.

6. On the same day, the complainant replied to the email indicating that he had observed different errors in the report and wanting to write a right of reply. On May 8, 2019, he sent by e-mail a series of grievances and questions to the defendant concerning elements of the report.
He also complains about the fact that the report contains his salaries that have been sent to union representations. He asks for explanations of what he considers to be the breach of personal data confidentiality. On May 14, 2019, he sent by email a document entitled "Right to reply".

7. On May 15, 2019, the complainant submitted his request form to the Authority.

8. Initially, the Authority, through the frontline service, intervenes with the complainant in a mediation phase during which it invites him to exercise his right of access with the defendant (letter of May 27, 2019).

9. On June 14, 2019, the complainant replied to the APD that he never received a response to his communications of May 8 and 14, 2019. By letter dated July 22, 2019, the APD advises the complainant that the email sent by the complainant on May 8, 2019 does not really constitute a request for access. It invites him to exercise this right with the defendant by asking for the legal basis on which the transfer of data.

10. The complainant made this request to the defendant on July 23, 2019. On August 26, he informed the APD of the lack of response from the defendant. On 10 September 2019, the APD sends a letter to the defendant asking it to respond to the requester and send a copy of this response to the DPA. The defendant confirms receipt of the request on September 18, 2019 and indicates that a response will follow as soon as possible.

11. The Respondent's response is dated September 26, 2019. In it, the defendant apologizes for its late response. It then indicates that the purpose of the data processing was to investigate a complaint lodged against the complainant, in accordance with Article 1369.84 of the Walloon Regulatory Code of Social and Health Action of July 4, 2013 (hereafter: the regulatory code). It refers the complainant to the Privacy Policy which states that the data are transmitted to third parties when required to participate in the investigation of the case.
The defendant also provides elements of contextualization of the situation by evoking an abnormally long social conflict that poses risks to the beneficiaries of the establishment.

12. By email of September 27, 2019, the complainant replied to the letter from the defendant. He challenges the legality of the transmission of his data to unions, given that they are also the authors of the complaint to Y and that the transfer was not based on his consent. He indicates that this transfer allowed unions to use his data for a purpose other than that for which they had been collected. He also raises the overrun of the legal deadline for responding to his access request. He asks the APD to register his complaint and declare it admissible.

13. On October 18, 2019, the Frontline Service of the APD, seeing the last communication from the complainant, notes that the mediation initiated was not successful and seeks the consent of the complainant for the file to be forwarded as a complaint to the Contentious chamber. On November 5, 2019, after obtaining the agreement of the complainant, the Frontline Service declares the complaint admissible on the basis of Articles 58 and 60 of the LCA and transmits it to the Litigation Chamber in accordance with Article 62, § 1 of the LCA.

14. On December 3, 2019, the Litigation Chamber decides that the case can be processed on the merits and informs the parties thereof.
It establishes that the grievor's grievances against Y concern, on the one hand, compliance with the data protection rules of the communication of the report containing personal data concerning him (his salary) to union representatives, including with regard to the information that Y communicates to the data subjects about the processing of their personal data (articles 5 and 6 of the GDPR and articles 12 to 14 of the GDPR), and on the other hand, the compliance of the response given to the complainant by Y, following the exercise by the latter of his right of access (Articles 12 and 15 of the GDPR).

15. On the same day, the Contentious Chamber informs the parties of its decision to deal with the case on the merits and establishes a timetable for the exchange of conclusions.

16. On 12 December 2019, the defendant confirms receipt of the letter from the Contentious Chamber and asks to receive a copy of the documents in the file which it does not yet have. The secretariat of the contentious chamber sends the documents requested the same day.

17. On 24 December 2019, the defendant sends its conclusions to the Contentious Chamber. She first explains that normally, analysis reports, such as the audit report of April 3, 2019, have never been communicated to the complainants. They only receive a letter informing them of the outcome of the investigation. The defendant adds that the case of the non-profit organization is quite special since it was the subject of a major social conflict, including a strike that allegedly lasted seven weeks. According to the defendant, the role of social consultation had therefore become essential to hope to find a solution to the conflict. The report of the defendant was eagerly awaited since it made it possible to objectify the complaints made by the complainants, which included the trade unions. These grievances concerned, among other things, the mode of governance and financial practices.
It is in this context that the report was transmitted to the conciliator and to the union organizations so that it could serve in the conciliation meeting that took place that very afternoon. The defendant considers that it was not possible for her not to treat the subject of the complainant's remuneration in such a context.

18. As to the exercise of the right of access, the defendant acknowledges the late nature of the response, stressing, however, that a response providing the necessary elements was eventually transmitted.

19. Regarding the disclosure of the amount of the complainant's remuneration, the defendant recognizes a clumsiness and a lack of precaution but specifies many elements. It recalls the exceptional nature of the situation and the need to find solutions, which prompted it to carry out a balance of interests, particularly in view of its essential role in this sector. She also explains that she does not consider herself responsible for actions carried out a posteriori by the unions. She also added that her email from April 3, 2019 contained a disclaimer.

20. On January 3, 2020, the complainant informs the Litigation Chamber and the respondent that he has given a mandate to Me Gyselinx to represent him. On January 28, 2020, the latter [2] sends his conclusions to the contentious chamber and to the defendant. There, he explains that the report contained not only the salary of the concluding party but also the invoicing of [the company…] (a service provider). He points out that the defendant admitted its own awkwardness. He also argues that this disclosure of the salary caused enormous damage in terms of image and forced the complainant to withdraw and then leave the management of the non-profit organization. On the principles, he stresses that the defendant does not rely on any basis of lawfulness provided for by the GDPR (called grounds for justification by the complainant) and explains why he considers that neither Article 6.1.d) nor Article 6.1.e) is applicable in the present case.

[2] The Contentious Chamber notes that the plaintiff's lawyer refers to the Contentious Chamber as a "court". The Litigation Chamber reminds the parties that it is an organ of an administrative authority and not an institution of the judiciary.

21. On February 10, 2020, the defendant sends its pleadings in reply to the Contentious chamber. Beyond the points already mentioned in its first conclusions, the defendant considers that the complainant minimizes the situation in which the non-profit organization was at the time of the events and underlines the importance of looking into executive compensation as well as other budgetary aspects. It adds that the complainant does not demonstrate anything of the damage that would have been caused to him and that dissemination of the report was supervised and limited to identified stakeholders only.

22. With regard to the basis of legality, the defendant states that it is based on Article 6.1.d) since the disastrous living conditions of the beneficiaries of the establishment are in connection with the notion of vital interest provided for in this article. The defendant also indicates that it is based on Article 6.1.e) as the seriousness of the grievances considerably impacted the quality of life and reception of residents as well as their safety.

23. On July 1, the plaintiff's lawyer wrote to the Litigation Chamber to inquire about the status of the case. The defendant asks a similar question on November 25, 2020. On December 10, 2020, the Litigation Chamber responds to both parties that the file is still being processed and the decision will be communicated when it has been adopted. The contentious chamber regrets the delay it has made to address a response to the parties.

II.
On the grounds for the decision

1) As to the complaints

24. In accordance with the grievances set out by the complainant, as well as the exchanges of conclusions between the parties, the Contentious Chamber considers that several issues need to be analyzed.

25. The first question concerns the legality of the processing of the complainant's personal data (Articles 5 and 6 of the GDPR). The second concerns the further processing of the data which would have been carried out by certain recipients of the audit report. The last question concerns the exercise of the right of access by the complainant and the response provided by the defendant (Articles 12 and 15 of the GDPR).

26. Beyond these questions, in its minutes of December 3, 2019, the Contentious Chamber had considered that the case also concerned the information that the defendant communicates to the persons concerned about the processing of their personal data (Articles 12 to 14 of the GDPR). These grievances having been addressed neither by the complainant nor by the defendant during the concluding discussions, the Litigation Chamber has few elements enabling it to examine that question. It will therefore not be considered by the Contentious Chamber.

2) Regarding the data processing in dispute

27. It appears from the documents in the file that the complainant objects to the fact that the audit report contains some of his personal data. According to the access request of the complainant, this personal data relates to:

- data concerning his salary;
- information concerning the company […] (the fact that the complainant is also the manager of this service provider of the institution as well as the fees and overall billing amount);
- "hasty conclusions" on management.

28. In his conclusions the complainant only refers to the first two elements. The Contentious Chamber therefore considers that the dispute relates to these two different data in the report.

29.
In its pleadings in reply, the defendant objects to the question of data concerning the company […] being addressed, for two reasons. First of all, she considers that this is a legal person whose data is therefore not covered by the definition of personal data in Article 4.1 of the GDPR. Then she feels that this item was never brought to her attention before the complainant's conclusions.

30. The data concerning the company [...] appear in the audit report under the "financial package" grievance. It is stated in particular that "The designation of Mr. X coincided with the arrival of a new subcontractor of which he is none other than the manager." This sentence is followed by several others which describe the tasks of this company within the non-profit organization as well as elements relating to invoicing. Insofar as the quoted sentence refers directly to the complainant, who is an identified natural person, and to the fact that he is the manager of this company, the Litigation Chamber considers that this is indeed personal data within the meaning of Article 4.1 of GDPR. On the other hand, the amounts of fees and global annual invoicing cannot be understood as personal data since they do not refer to an identified or identifiable natural person. The Litigation Chamber also points out that this information was already in the access request of 23 July 2019. The respondent cannot therefore argue that it was unaware that this was data that was the subject of the dispute.

31. The Litigation Division also considers that the disputed treatments relate on the one hand to the collection and integration of the aforementioned personal data in the audit report and on the other hand to the transmission of this audit report to union representatives.
Even if this is not part of the grievances put forward by the complainant, the Contentious Chamber notes that the second processing (transmission of the report) concerns not only the union representatives but also the social conciliator. The contentious division's analysis will therefore focus on these two treatments.

3) As to the lawfulness of the processing (article 6 of the GDPR)

Article 6
Lawfulness of processing

1. Processing is only lawful if, and insofar as, at least one of the following conditions is met:

a) the data subject has consented to the processing of their personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is a party or the execution of pre-contractual measures taken at the request of the latter;
c) the processing is necessary for compliance with a legal obligation to which the controller is subject;
d) the processing is necessary to protect the vital interests of the data subject or another natural person;
e) the processing is necessary for the performance of a task of public interest or falling within the exercise of public authority vested in the controller;
f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail, especially when the data subject is a child.

Point f) of the first subparagraph does not apply to processing carried out by public authorities in the performance of their missions.

2.
Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for the purpose of complying with paragraph 1, points c) and e), by determining more precisely the specific requirements applicable to the processing as well as other measures to ensure lawful and fair processing, including in other special processing situations as provided for in chapter IX.

3. The basis for the processing referred to in paragraph 1 (c) and (e) shall be defined by:

(a) Union law; or
b) the law of the Member State to which the controller is subject.

The purposes of the processing are defined in this legal basis or, with regard to the processing referred to in point (e) of paragraph 1, are necessary for the performance of a task of public interest or subject to the exercise of public authority vested in the controller. This legal basis may contain specific provisions to adapt the application of the rules of this regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data that are the subject of treatment; the people concerned; the entities to which the personal data can be communicated and the purposes for which they can be; limitation of purposes; retention periods; and processing operations and procedures, including measures to ensure lawful and fair processing, such as those provided for in other special processing situations as provided for in Chapter IX. Union law or Member State law meets an objective of public interest and is proportionate to the legitimate objective pursued. […] "

32. During the exercise of the right of access by the complainant, he requested from the defendant the legal basis for the processing of such data.
In its response to the right of access dated September 26, 2019, the defendant explained that the purpose of processing "aimed at investigating a complaint lodged against you, in accordance with Article 1369/84 of the Walloon Regulatory Code for Social Action and Health of 4 July 2013."

33. In the exchange of conclusions, it appeared that the defendant is claiming Articles 6.1.d) and 6.1.e) of the GDPR as the bases of lawfulness of the processing (called grounds for justification by both the complainant and the defendant). The complainant has meanwhile had the opportunity to challenge the applicability of these bases of legality.

34. It follows from recital 46 that "the processing of personal data based on the vital interest of another natural person should in principle take place only when the processing clearly cannot be based on any other legal basis." [3]

35. The Contentious Chamber will therefore examine the legal basis of Article 6.1.e) in the first place. It will only consider that of Article 6.1.d) if Article 6.1.e) is found to be inapplicable in this case.

36. The defendant argues that the complaints raised against the non-profit organization and their impact on the quality of life and the reception of the residents justified its intervention. The complainant considers that the processing of the complainant's personal data was in no way useful for the execution of the mission.

[3] "The processing of personal data should also be considered lawful when it is necessary to protect an essential interest in the life of the data subject or that of another natural person. Treatment of personal data based on the vital interest of another natural person should in principle only take place when the processing clearly cannot be based on another legal basis.
Certain types of treatment may be justified both by important reasons of public interest and by the vital interests of the data subject, for example when the treatment is necessary for humanitarian purposes, including to monitor epidemics and their spread, or in humanitarian emergencies, including natural and man-made disasters."

37. The defendant is a regional public authority responsible for [matters in the social and health sector]. As such, it notably issued a payment authorization for the benefit of the non-profit organization. In the context of the litigation at examination, the defendant investigated a complaint lodged against the defendant, which led to the conclusion of the audit report. It is therefore established that the defendant exercises public authority, in the sense that it is the government institution in charge of large areas of social action at regional level and that, for example, as such, it issues authorizations and investigates complaints. The defending party puts forward this argument to justify that the treatment can be based on article 6.1.e) of the GDPR.

38. As already explained in its decision 55/2021 [4], the Contentious Chamber must however check that the conditions provided for in Article 6.1.e) are met in the present case. Under Article 6.3.b) and recital 45 of the GDPR, processing based on Article 6.1.e) must meet two conditions:

- The data controller must be responsible for carrying out a mission of public interest or relating to the exercise of public authority under a legal basis, whether under European Union law or under the law of the Member State;
- The processing must be necessary for the performance of the mission of public interest or the exercise of public authority.

A legal basis

39. It appears from the documents in the file that the defendant's audit report was drawn up based on article 1369/84 of the Regulatory Code. This article is written as follows: "Article 1369/84.
Any complaint relating to taking charge in a service can be formulated in writing to the Agency. The Agency shall inform the organizing authority, taking into account the needs of the examination of this request. The Agency carries out this examination upon receipt of the complaint and formulates its conclusions within a maximum period of six months. The Agency informs the complainant, the management, the manager of the service and the authorities responsible for the placement and / or funding, of the follow-up to this complaint."

[4] Decision on the merits 55/2021 of 22 April 2021 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-55-2021.pdf)

40. The Contentious Chamber therefore considers that this article establishes a legal basis which frames the exercise of the public authority of the defendant for the contentious treatments, being extended that the general framework for the exercise of public authority Complainant is much larger. For the contentious Chamber, it therefore appears that the exercise of public authority has a legal basis in national law. The Contentious Chamber will therefore examine whether this legal basis does fulfil the requirements of the GDPR.

Processing necessary for the exercise of public authority

41. In order for the processing to be lawful on the basis of Article 6.1.e), the purposes of the processing must therefore be necessary for the exercise of public authority. As it has already developed in its decision on the merits 38/2021, the necessity test is essential.

42.
In its Huber judgment, the Court of Justice of the European Union (CJEU) has, in view of this necessary condition, specified that "with regard to the objective of ensuring an equivalent level of protection in all Member States, the concept of necessity as it results from Article 7 (e) of Directive 95/46, which aims to precisely delimit one of the hypotheses in which the processing of personal data is lawful, cannot have a variable content depending on the function of the Member States. Therefore, it is an autonomous concept of Community law which must be interpreted in such a way as to fully respond to the objective of this Directive as defined in Article 1 (1) thereof". [7]

43. According to his conclusions in this case [8], the Advocate General makes it clear in this regard that "the concept of necessity has a long history in Community law and it is well established as an integral part of the proportionality test. It means that the authority which adopts a measure which undermines a fundamental right in order to achieve a justified objective must demonstrate that this is the least restrictive measure to achieve this objective.

[5] Decision on the merits 38/2021 of 23 March 2021 (https://www.autoriteprotectiondonnees.be/publications/decision-quant- deep-n-38-2021.pdf)

[6] Member States provide that the processing of personal data may only be carried out if: (...) e) it is necessary for the performance of a mission of public interest or falling within the exercise of public authority vested in the controller or the third party to whom the data are communicated.

[7] CJUE, December 16, 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, para. 52.

[8] Opinion of Advocate General Poiares Maduro presented on April 3, 2008 in the context of the proceedings before the CJU having resulted in the judgment cited in footnote 15 above (C-524/06).
Moreover, if the processing of personal data may be liable to infringe the fundamental right to respect for private life, Article 8 of the European Convention for the safeguard of human rights and fundamental freedoms (ECHR), which guarantees respect for private and family life, also becomes relevant. As the court has stated in the Österreichischer Rundfunk and others judgment, if a national measure is incompatible with Article 8 of the ECHR, this measure cannot satisfy the requirement of Article 7 (e) of the directive. Article 8, paragraph 2, of the ECHR provides that an interference with privacy may be justified if it targets one of the objectives listed therein and "in a democratic society, is necessary" to one of those goals. The European Court of Human Rights has ruled that the concept of "necessity" implies that a "pressing social need" is involved".

44. The Article 29 Group also referred to the case law of the European Court of Human Rights (Eur. D.H. Court) to identify the requirement of necessity and concludes that the adjective "necessary" thus does not have the flexibility of terms such as "admissible", "normal", "useful", "reasonable" or "expedient". [10]

45. In its Michael Schwarz v. Stadt Bochum judgment, the Court of Justice of the European Union considers that, concerning "the examination of the necessity of such processing, the legislator is in particular required to verify whether measures less infringing the rights recognized by Articles 7 and 8 of the Charter are conceivable while contributing effectively to the goals of the Union regulation in question". [11]

46. Following this precedent, it is therefore up to the Contentious Chamber to determine if the processing was necessary for the exercise of public authority.
As it has established beforehand (see point 31), the Contentious Chamber is concerned with two processing operations: the processing of the complainant's personal data for the drafting of the audit report, and the sending of the audit report to different parties, including union representatives and the social conciliator.

[9] "Article 29" working group on data protection, "Opinion 06/2014 on the concept of legitimate interest pursued by the data controller within the meaning of Article 7 of Directive 95/46/EC", adopted on April 9, 2014.
[10] ECtHR, March 25, 1983, Silver et al. v. United Kingdom, para. 97.
[11] CJEU, 17 October 2013, Michael Schwarz v. Stadt Bochum, C-291/12, para. 46.

47. With regard to the processing of the complainant's personal data for the drafting of the report, the Litigation Chamber notes that it concerns only the complainant's salary as director of the non-profit organization and his position as manager of a subcontractor (see points 27 and 28). These data were discussed in the report during the analysis of the grievance entitled "financial package", which is found under the title A "Management".

48. For the Contentious Chamber, there is no doubt that the director's salary and his position as manager of a subcontractor are information that it is necessary to examine during an audit relating, among other things, to the management and financial arrangements of an institution. Therefore, the processing of these data is necessary for the exercise of the defendant's public authority, which consists of dealing with complaints received against the non-profit organization.

49.
The second processing operation subject to the examination of the Contentious Chamber consists of sending the audit report to various parties, including union representatives from the non-profit organization, who were among the people who lodged a complaint with the defendant, as well as the social conciliator. This is the processing that is mainly contested by the complainant in the present case. The complainant considers that this processing was in no way necessary for the mission of the defendant.

50. The defendant considers that this dispatch was entirely justified in view of the specific circumstances of the non-profit organization and the ongoing labor dispute. The transfer of the report to union representatives and to the conciliator was intended to promote consultation and find a solution to the dispute (see point 17).

51. For this processing also, the Litigation Chamber must examine whether it was necessary for the exercise of the public authority of the defendant. The criterion of "necessity", as already specified (see point 41 et seq.), restricts the controller's margin of assessment, since it does not authorize the controller to carry out processing that would only be useful or desirable.

52. It appears from the conclusions of the defendant that the purpose of this processing was to allow the use of the report during the social conciliation meeting so that the latter can objectify the situation. The aim was therefore to promote the resolution of the ongoing social conflict.

53. The Respondent justifies the processing in question by the exceptional situation in which the non-profit organization found itself, due to an unusually long social conflict. The Litigation Chamber notes that the extent of the social conflict is underlined in the conclusions of the audit report.
It also appears from the conclusions of the defendant that "the analysis and conclusions that the agency would bring to the complaint filed by union organizations in a common front became essential since they would give a neutral look at the alleged facts" and that "the conclusions of the agency were eagerly awaited in order to conduct a final attempt at conciliation". The purpose of this precise processing was therefore to facilitate the social conciliation in progress.

54. It is also clear from the defendant's explanations that this processing did not correspond to an ordinary exercise of its public authority, since the defendant stresses that "the case of the complainant's institution is quite specific and fortunately exceptional".

55. The Litigation Chamber recalls that the legal basis for the exercise of authority of the defendant limits it to the reception and processing of complaints. It does not appear from this legal basis that support for social conciliation or social conflict resolution is part of the exercise of the defendant's public authority. It follows that the processing at issue, consisting in transferring the audit report to union representatives and the social conciliator, cannot be considered necessary for the exercise of the public authority of the defendant.

56. Even if the respondent justifies the processing by its willingness to support the process of social conciliation in progress, the Litigation Chamber notes all the same that the legal basis provides that the defendant "informs the complainant, the management, the manager of the service and the authorities responsible for the placement and/or financing, of the follow-up reserved for this complaint", which could have been used by the defendant to justify sending the audit report to union representatives in particular, since they were also complainants.
However, it is necessary to note that according to the defendant's own conclusions, "the reports of analysis are never communicated to the complainants". So it seems that this provision only obliges the defendant to inform certain categories of persons "of the follow-up to the complaint" and in no way binds the defendant to transfer the report in question. It follows that the processing in question cannot be justified by this information obligation provided for in the legal basis either, and that it is therefore not necessary for the exercise of public authority by the Respondent.

57. On the basis of the above elements, the Contentious Chamber considers that the defendant cannot rely on Article 6.1.e) as the legal basis for the processing consisting of sending the report to different recipients, since it was not necessary for the exercise of public authority.

58. The defendant has also indicated that it relies on Article 6.1.d) as a basis for lawfulness of the processing, which would imply that the processing is necessary for safeguarding the vital interests of the data subject or of another natural person. The Contentious Chamber recalls in this regard that this basis of lawfulness refers to processing that is clearly and directly necessary to preserve the health of an affected person [12]. Processing intended to help resolve a labor dispute cannot therefore rely on this basis of lawfulness.

Additional remarks concerning the transmission of the report

59. If the defendant considered that its intervention in the conciliation was absolutely indispensable, it would have been quite open to it to transmit to the unions and the social conciliator a version of the report with the personal data redacted, or the simple observation that the salary level "is somewhat higher than the maximum scale of scale 29 (director > 60) of the C.P. […]" [13].
At the very least, the defendant could have ensured that the principle of data minimization (Article 5.1.c) of the GDPR) was respected when submitting the report. An approach of this type was moreover mentioned by the defendant itself in its conclusions, since it indicates, for example, that it would have been "wiser not to mention precisely the amount of the salary".

[12] "Article 29" working group on data protection, "Opinion 06/2014 on the concept of legitimate interest pursued by the data controller within the meaning of Article 7 of Directive 95/46/EC", adopted on April 9, 2014, p. 20.
[13] Audit report of April 3, 2019, p. 5.

4) As regards the further processing of the complainant's personal data by the union

60. In his request for information of May 15, 2019, as well as in subsequent letters, the complainant indicates that the union members to whom the report was sent forwarded this same document to colleagues, who finally sent it to the staff of the non-profit organization. The complainant believes that this caused him "an extremely complex situation" during the joint committee that took place shortly after the report was sent. The complainant also indicates that he suffered damage resulting from this further processing of these data (see point 20).

61. The defendant maintains in its submissions that it can neither control nor, a fortiori, be responsible for the actions of the unions, and does not condone them. It draws attention to the disclaimer in the email (see point 19). In its pleadings in reply, it considers that the complainant in no way demonstrates his damage, nor its possible link with the transmission of the report.

62. On the basis of the elements described above, the Contentious Chamber arrives at several conclusions. First of all, it finds that the complainant provides no proof of this further processing by the unions.
Indeed, he repeatedly indicates that the unions would have forwarded the report to their colleagues, who would in turn have transferred it (see point 1). This account, however, is not supported by any element of the file, apart from the complainant's statements.

63. Moreover, even if this subsequent processing is proved, the Litigation Chamber notes that the complainant does not link it to any specific violation of the GDPR. However, the Contentious Chamber considers, at first glance and in the absence of contrary elements brought by the complainant, that the defendant does not seem able to be considered responsible for the subsequent processing carried out by one or more of the report recipients.

64. Indeed, the Court of Justice has confirmed that, for the identification of the controller, a factual assessment is needed of the natural person(s) or legal person(s) who determine "the purpose" and "the means" of the processing, the concept being defined broadly with a view to protecting the persons concerned [14]. The Court also held that a natural person who, for reasons relating to that person, exerts an influence on the processing of personal data and thus participates in determining the purpose and means of this processing can be considered a controller [15]. In this case, it is the union delegates who received the audit report who would have passed it on to other colleagues. They themselves determined the purposes and means of this new processing. It is therefore they who would have become data controllers within the meaning of Article 4.7) of the GDPR.

[14] CJEU judgment of May 13, 2014, Google Spain and Google, C-131/12, ECLI:EU:C:2014:317, para. 34; CJEU judgment of June 5, 2018, Wirtschaftsakademie Schleswig-Holstein, C-210/16, ECLI:EU:C:2018:388, para. 28.
[15] CJEU judgment of 10 July 2018, Jehovan todistajat, C-25/17, ECLI:EU:C:2018:551, para. 65.

65.
The Contentious Chamber cannot therefore examine possible infringements on the part of the defendant with regard to this further processing. additional elements. First, even if the email sending the audit report does contain a confidentiality clause specifically providing for this prohibition of transfer to third parties, this in no way frees the data controller from a possible liability. Then, respect for the principle of data minimization (see paragraph 59) could have limited the risks relating to the personal data of the complainant.

5) Regarding the response to the exercise of the right of access by the complainant

66. According to Article 15.1 of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are processed. When this is the case, the person concerned has the right to obtain access to such personal data as well as to a series of information listed in Article 15.1 a)-h), such as the purpose of processing the data, the possible recipients of the data, as well as information relating to the existence of his or her rights, including the right to request rectification or erasure of the data or the right to file a complaint with the DPA.

67. The Contentious Chamber recalls, as it had already established in its decision 15/2021 [16], that the right of access is one of the essential requirements of the right to data protection, since it constitutes the "front door" which allows the exercise of other rights that the GDPR confers on the data subject.

68. Although not expressly listed in Article 15.1, the basis of lawfulness undeniably constitutes information that the data subject can request from the controller, being specifically included in Article 13.1.c) as information to be provided to the data subject at the time of collection of his or her data.

[16] Decision on the merits 15/2021 of 9 February 2021 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-15-2021.pdf).
69. As it has already explained in its decision 41/2020 [17], the Litigation Chamber recalls that Article 12 of the GDPR, relating to the methods by which data subjects exercise their rights, provides in particular that the controller must facilitate the exercise of their rights by the person concerned (Article 12.2 of the GDPR) and provide them with information on the measures taken following their request as soon as possible and at the latest within one month from the request (Article 12.3 of the GDPR). According to this same article, the time can be extended for an additional month, at the request of the data controller.

70. Although he did not mention it in his conclusions, the complainant criticized the defendant on several occasions for the late nature of its response to his access request, exercised on the basis of Article 15.1 of the GDPR (see point 12). It appears from the documents in the file that the respondent's response was sent more than two months after the request (see points 10 and 11).

71. In the present case, the defendant did not make use of this possibility to extend the response time. In its submissions the defendant acknowledged that it did not meet this deadline, as it indicated that it "cannot question the complainant's claim as to the late deadline in which the response was communicated", even if it underlines that a response was ultimately provided. On the basis of these elements, the Litigation Chamber finds a violation of Article 15.1 of the GDPR read in conjunction with Articles 12.3 and 13.1.c).

6) Regarding corrective measures and sanctions

72.
Under Article 100 LCA, the Litigation Chamber has the power to:
1° dismiss the complaint;
2° order the dismissal;
3° pronounce a suspension of the pronouncement;
4° propose a transaction;
5° issue warnings or reprimands;
6° order compliance with the requests of the person concerned to exercise these rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or definitive prohibition of processing;
9° order that the processing be brought into conformity;
10° order the rectification, restriction or erasure of data and the notification of these to the data recipients;
11° order the withdrawal of accreditation of certification bodies;
12° impose periodic penalty payments;
13° issue administrative fines;
14° order the suspension of transborder data flows to another State or an international body;
15° transmit the file to the public prosecutor's office in Brussels, which informs it of the follow-up given to the case;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

[17] Decision on the merits 41/2020 of 29 July 2020 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-41-2020.pdf), §16.

73. The Litigation Chamber emphasizes that under Article 221.2° of the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, it cannot impose a fine on the defendant, since it is a public authority within the meaning of Article 5.1° of the same law.

74. The Contentious Chamber found that the defendant had violated Article 15.1 of the GDPR read in conjunction with Articles 12.3 and 13.1.c) by not responding to the access request of the complainant within the legal time limit. This point has also been explicitly recognized by the defendant.

75.
The Chamber also found that the Respondent had violated Article 6.1.e) of the GDPR by carrying out processing consisting of sending the audit report to union representatives and the social conciliator, while this processing was not necessary for the exercise of public authority.

76. In conclusion of the above, and in view of all the circumstances of the case, the Contentious Chamber considers that the reprimand (that is, the call to order referred to in Article 58.2.b) of the GDPR) is in this case the effective, proportionate and dissuasive sanction [18] which is binding on the defendant.

77. It recalls that in its capacity as controller, the defendant is required to respect the principles of data protection and must be able to demonstrate that these are respected. It must also implement all the measures necessary for this purpose (principle of accountability - Articles 5.2 and 24 of the GDPR). The Contentious Chamber therefore invites the defendant to ensure that the process put in place to handle requests for the exercise of rights under the GDPR ensures a response within the legally stipulated deadlines.

[18] As it has already had the opportunity to specify in several decisions, the Contentious Chamber recalls here that the warning sanctions a breach that is likely to occur: see Article 58.2.a) of the GDPR in this regard.

7) Publication of the decision

78. In view of the importance of transparency with regard to the decision-making process and the decisions of the Litigation Chamber, this decision will be published on the website of the Data Protection Authority, with the direct identification data of the parties and persons named, whether natural or legal persons, deleted.

FOR THESE REASONS, THE LITIGATION CHAMBER
- Issue a reprimand against the defendant on the basis of Article 100.1, 5° LCA, for violation of Article 15.1 of the GDPR read in conjunction with Articles 12.3 and 13.1.c) and for violation of Article 6.1.e) of the GDPR.
- Dismiss the complaint as to the other aspects without further action on the basis of Article 100.1, 1° LCA.

Under Article 108 § 1 LCA, this decision may be appealed to the Market Court (Brussels Court of Appeal) within 30 days of notification, with the Data Protection Authority as respondent.

(Sé). Hielke Hijmans
President of the Litigation Chamber

[19] Decision on the merits 41/2020 of 29 July 2020 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-41-2020.pdf), §16.