APD/GBA (Belgium) - 14/2023: Difference between revisions
mNo edit summary |
|||
Line 63: | Line 63: | ||
}} | }} | ||
According to the Belgian DPA, a controller had lawfully informed the rest of the staff that an employee was no longer working for | According to the Belgian DPA, a controller had lawfully informed the rest of the staff that an employee was no longer working for him. However, by precising that the employee had been dismissed with immediate effect, the controller violated [[Article 5 GDPR|Articles 5(1)(c)]] and [[Article 6 GDPR|6(1) GDPR]]. | ||
== English Summary == | == English Summary == |
Revision as of 15:31, 28 February 2023
APD/GBA - 14/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1) GDPR Article 58(2)(c) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 23.07.2021 |
Decided: | 17.02.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 14/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | DPA/GBA (in FR) |
Initial Contributor: | ls |
According to the Belgian DPA, a controller had lawfully informed the rest of the staff that an employee was no longer working for him. However, by precising that the employee had been dismissed with immediate effect, the controller violated Articles 5(1)(c) and 6(1) GDPR.
English Summary
Facts
The controller, a public authority, was the former employer of the data subject. The controller announced on his intranet that the data subject's contract was terminated by the controller, and with immediate effect. This intranet was accessible to 428 people. The data subject therefore lodged a complaint with the Belgian DPA.
Holding
The DPA noted that a distinction should be made between (i) announcing the contract termination to the rest of the staff and (ii) clarifying the reasons of such termination. The DPA examined whether each of the elements relied on a legal basis (Article 5(1)(a) and 6(1) GDPR) and whether the minimisation principle was respected (Article 5(1)(c)).
Regarding the first part of the assessment, (i), the DPA considered that, under Article 6(1)(b), it is appropriate to inform employees of changes in the staff. Making information about employees available to staff facilitates exchanges between colleagues. The DPA therefore considered that the publication of staff changes on the intranet was legitimate under Article 6(1)(b).
The Belgian DPA, however, also analysed the second part of the message sent by the controller, (ii), in which the latter clarified or at least hinted at the reasons that had led to the dismissal. In particular, the controller had not only announced that the data subject was no longer an employee, but had also specified that the dismissal had taken place with 'immediate effect' and at the 'initiative of the controller'. This message carries an implied, underlying and sensitive meaning, which is a probable serious misconduct by the former employee.
The DPA therefore assessed whether this additional information (i.e. processing) was necessary. The authority started its analysis by taking into account Article 6(1)(e), under which the processing carried out in the public interest must be necessary for the performance of that task. The DPA concluded that the second part of the message was not necessary to fulfil a public interest, therefore ruling out Article 6(1)(e) GDPR. The DPA also analysed whether Article 6(1)(b) could be a legal basis. Also in this case, this supplementary information was held to be not necessary.
Overall, the DPA recalled that personal data must be adequate, relevant and limited to what is necessary for the purposes. While it is appropriate to inform staff of changes, there was no need to add other elements about the contract termination. Article 5(1)(c) was therefore also violated.
The DPA concluded that Article 5(1)(a), 5(1)(c) and 6(1) were violated and pursuant Article 58(2)(c) , ordered the controller to withdraw the mention in the intranet that the controller initiated the termination.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/10 Litigation Chamber Decision 14/2023 of February 17, 2023 File number: DOS-2021-05196 Subject: Complaint relating to the publication on the intranet of the dismissal of the complainant by her ex-employer The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “ACL”; Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The complainant: X, hereinafter “the complainant”; hereinafter “the complainant”; . . The defendant: Y, hereinafter: “the defendant”. . Decision 14/2023 – 2/10 I. Facts and procedure 1. On July 23, 2021, the complainant filed a complaint with the Authority for the Protection of data (hereinafter “the DPA”), against his former employer, the defendant 2. On November 30, 2021, the complaint was declared admissible by the Service de Première Ligne on the basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber pursuant to Article 62, § 1 of the LCA. 3. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the rules of order inside the DPA, a copy of the file may be requested by the parties. If one of parties wishes to make use of the possibility of consulting the file, the latter is required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be. II. Motivation 4. The complaint concerns the publication on the intranet of the defendant (the former employer of the complainant), in the section concerning personnel changes, the mention of the plaintiff's immediate breach of contract. This raises the fact that the ad states that the termination of the contract takes place at the initiative of the defendant, and that the dismissal is immediate although this would not be true. The complainant indicates that the mention of the character immediate dismissal (or breach of contract on the part of the defendant) may leave think that the defendant would have terminated her employment contract for serious fault in her chief. 5. The Litigation Chamber considers that its analysis of the announcement on the intranet must be split in two, and relate on the one hand to the very announcement of the breach of contract between the defendant and the plaintiff (i.e. his departure), and on the other hand on the mention of the party to the initiative on which the termination of the contract takes place as well as the immediacy of the termination. The Litigation Chamber examines below whether each of these elements respects the principle of legality (article 5.1.a and 6.1 GDPR) as well as the principle of minimization (article 5.1.c GDPR). II.1. Basis of lawfulness of processing (Article 5.1.a and 6.1 GDPR) 6. The Litigation Chamber examines below article 6.1.e and 6.1.b GDPR as potential basis of lawfulness for the disputed processing on the part of the defendant. 1 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has been declared admissible. 2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following of this complaint, the file was forwarded to him. Decision 14/2023 – 3/10 II.1.1. Regarding the application of Article 6.1.e) GDPR 7. Insofar as the defendant is a public authority, the Litigation Chamber analysis below whether the defendant can rely on Article 6.1.e) GDPR to found the disputed treatment. 8. The Belgian legislator has not applied paragraph 2 of article 6 GDPR, which allows the possibility of providing "more specific provisions to adapt the application of the rules of this Regulation with regard to processing for the purpose of complying with the paragraph 1, points (c) and (e), determining more precisely the specific requirements 3 applicable to the processing (…)”. The Litigation Chamber recalls that Article 6.1.e) GDPR implies that the person responsible for the processing is able to demonstrate that: a) the processing is for the performance of a task carried out in the public interest or for the exercise of the public authority; And b) the processing is necessary for the performance of the task or the exercise of authority mentioned above. 9. The Litigation Division begins by examining whether the necessary character is satisfied of the treatment. 10. Paragraph 3 of Article 6 GDPR stipulates that the purposes of the processing carried out on the basis of the exercise of public authority "are necessary for the performance of a mission of interest public or subject to the exercise of official authority vested in the person responsible for the treatment ". 11. Also, in its Huber judgment, the Court of Justice of the European Union (CJEU), expressed itself on this condition of necessity. It thus indicates: 12. “(…) having regard to the objective of ensuring an equivalent level of protection in all Member States, the concept of necessity as it results from Article 7(e) of the Directive 95/46, which aims to precisely delimit one of the cases in which the processing of personal data is lawful, cannot have variable content depending on the Member States. Therefore, it is an autonomous concept of law community which must be interpreted in such a way as to respond fully to the subject of this Directive as defined in Article 1(1) thereof” 13. In his conclusions, the Advocate General explains in this regard that “the concept of necessity has a long history community place and it is well established as an integral part of the proportionality test. It means that the authority which adopts a measure which carries interference with a fundamental right in order to achieve a justified objective must demonstrate that this measure is the least restrictive to achieve this objective. Furthermore, if the 3Article 6.2 GDPR 4 CJEU, Heinz Huber v. Bundesrepublik Deutschland, 16 December 2008, C 524/06, para. 52 Decision 14/2023 – 4/10 processingofpersonaldatamaymayinfringefundamentallaw respect for privacy, article 8 of the European Convention for the Protection of Rights Rights and Fundamental Freedoms (ECHR), which guarantees respect for privacy and family, also becomes relevant. As the Court stated in the Österreichischer judgment Rundfunk and others, if a national measure is incompatible with Article 8 of the ECHR, this measure cannot meet the requirement of Article 7(e) of the Directive. Article 8, paragraph 2 of the ECHR provides that an interference with private life may be justified if it pursues one of the objectives listed therein and “in a democratic society, is necessary” for one of these purposes. The European Court of Human Rights has ruled that the notion of “necessity” implies that a “pressing social need” is involved”. 5 14. This case law formulated with regard to Article 7(e) of Directive 95/46/EC remains relevant today even though Directive 95/46 has been repealed, since this condition of necessity is maintained under the terms of Article 6.1 b) to f) of the GDPR. Section 6.1 of the GDPR indeed takes up the terms of article 7 of directive 95/46/EC of which it is the equivalent. It also applies to all the bases of lawfulness of article 6.1 GDPR which retain this condition of necessity. 15. The Court of Justice has also clarified that if there are realistic and less intrusive, treatment is not “necessary”.6 16. The Article 29 Group also referred to the case law of the Court Court of Human Rights (ECHR) to identify the requirement of necessity and concludes 7 that the adjective "necessary" does not have the same flexibility as the term: "admissible", "normal “, “helpful”, “reasonable” or “advisable”. 17. It is necessary to examine the necessity of the publication in the intranet of the rupture of the plaintiff's contract, with mention of the party at whose initiative it was terminated to the contract as well as the immediacy of the termination. 18. In the present case, the examination of the extract from the intranet in which the Respondent's personnel changes submitted by Complainant indicates that in each case, in addition to the date of entry into service or end of service of the members of the personnel concerned, the party at whose initiative the contract is terminated is also specified. It is therefore standard procedure for the defendant. 19. In order to assess the necessary nature for the achievement of the public interest mission pursued speak to the person responsible for processing, it should be examined whether the same result can be obtained by other means, without processing personal data or without processing 5 Conclusions of the Advocate General P. Maduro of April 3, 2008 in the CJEU case, Heinz Huberv.BundesrepublikDeutschland, 16 December 2008, C 524/06 6CJEU, Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen, 9 November 2010, joined cases C‑92/09 and C‑93/09 7Article 29 Group, Opinion 06/2014 of April 9, 2014 on the notion of legitimate interest pursued by the data controller data processing within the meaning of Article 7 of Directive 95/46/EC, WP 217 8ECHR, 25 March 1983, Silver and others v. UK, para97 Decision 14/2023 – 5/10 unnecessarily burdensome or intrusive for data subjects. Bedroom Litigation considers that it is not necessary to indicate the party at the initiative of which the contract is terminated in order to inform staff of employee changes. There simple mention of the breach of contract with an employee as well as the effective date are sufficient for this purpose. 20. The Litigation Chamber notes that this is also personal data sensitive, since the fact that the contract is terminated at the initiative of the employer, and a fortiori with immediate effect, implies with a high probability of serious misconduct on the part of 9 the employee. It also notes that the defendant employs 428 employees scattered throughout offices around the world, and concludes that a relatively large number of people have access to this information. 21. In light of the above considerations, the Litigation Chamber concludes that it is not meets the criterion of necessity in the context of the mission of public interest. 22. Insofar as the criterion of necessity of the processing provided for by article 6.1.e GDPR, the Litigation Chamber does not analyze further whether article 6.1.eRGPD is a basis of legality on the part of the defendant. 23. Consequently, the Litigation Chamber concludes that Article 6.1.e) GDPR cannot constitute a basis of lawfulness for the publication in the defendant's intranet of the breach of plaintiff's employment contract, with the mention of the fact that the termination took place at the initiative of the defendant, and that it has immediate effect. II.1.2. Regarding the application of Article 6.1.b) GDPR 24. The Litigation Chamber examines below whether Article 6.1.b GDPR can constitute a basis of lawfulness on the part of the defendant for the disputed processing. 25. The Litigation Chamber notes that the publication of the changes in the members of the staff (departures and arrivals) on its intranet by the defendant falls within the framework of the termination of the employee's employment relationship and this. In this meaning, the Litigation Chamber has already stated in its decision 63/2021, that it is appropriate, within the framework of personnel policy, to inform employees of such movements. LaChambre Litigation considers that, since this processing is part of the framework of the end of the employment relationship, it can be considered as part of the execution of the 10 employment contract . The Article 29 Working Party indicated as to the situations where the 9https://be.linkedin.com/company/Y 10 See in this respect recital 155 GDPR: “The law of the Member States or collective agreements, including "corporate agreements" may provide specific rules relating to the processing of personal data of employeesintheframeworkofemploymentrelationships,particularlytheconditionsunderwhichthepersonaldata in the context of employment relationships may be processed on the basis of the employee's consent, for the purposes of recruitment, the performance of the employment contract, including compliance with the obligations set by law or by agreements collective rights, management, planning and organization of work, equality and diversity in the workplace, Decision 14/2023 – 6/10 treatment is necessary for the performance of a contract to which the data subject is a party: “There is an obvious link here between the assessment of the necessity and the respect of the principle purpose limitation. It is important to determine the exact purpose of the contract, that is to say, its substance and its fundamental objective, because this is what will make it possible to check whether the data processing is necessary for the performance of the contract. In certain borderline situations, one may be led to question oneself or to gather more specific additional elements, in order to determine whether the processing is necessary for the performance of the contract. Thus, building a database of contact for internal use containing names, business addresses, phone numbers telephone number and e-mail addresses of all employees of a company, intended to facilitate the exchange of information between colleagues, can in certain cases be considered necessary for the performance of a contract under Article 7(b) (…)” 26. It can therefore be considered that the processing consisting of the announcement on the intranet of the defendant of changes in staff members can therefore rely on article 6.1.b) of the GDPR, and must be considered legitimate on the part of the defendant. 27. The Litigation Chamber concludes in this respect that there was no breach of the principle of legality (article 5.1.a and 6.1 GDPR) for this part of the announcement only (announcement of changes in staff members, without mention of the party at the initiative of a breach of contract or any immediate effect of the breach). 28. Conversely, the mention of the party initiating the termination of the employment contract, as well as the mention of the immediate nature of the rupture do not in any case respect the criterion of necessity of processing based on Article 6.1.b GDPR. The Litigation Chamber considers effect that no link can be established between the mention of the party at the initiative of the rupture of the employment contract, as well as between the mention of the immediate nature of such a termination, and the substance of the employment contract between the plaintiff and the defendant. She returns for more details as to the necessary character in points 9 to 16 above. 29. As indicated above (point 20), this is also personal data sensitive, since the fact that the contract is terminated at the initiative of the employer, and a fortiori with immediate effect, implies with a high probability of serious misconduct on the part of 13 the employee. It also recalls that the defendant employs 428 employees scattered throughout occupational health and safety, and for the exercise and enjoyment of employment rights and benefits, individually or collectively, as well as for the purpose of terminating the employment relationship. » 11 Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interest pursued by the data controller data within the meaning of article 7 of directive 95/46/EC, April 9, 2014, p19 12Section 6.1. "The processing is only lawful if, and insofar as, at least one of the following conditions is met: […] b) the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of measures pre-contractual agreements taken at the latter's request; […] 1https://be.linkedin.com/company/Y Decision 14/2023 – 7/10 offices around the world, and concludes that a relatively large number of people have access to this information. 30. The Litigation Chamber concludes that the constitutive processing of the announcement on the intranet of the party at the initiative of which the breach of contract takes place (implicitly the dismissal, if at initiative of the employer) cannot be based on article 6.1.b GDPR. 31. Examination of articles 6.1.e and 6.1.b GDPR indicates that these articles do not constitute a basis of lawfulness for the disputed processing. In the absence of other probable bases of lawfulness, the Litigation Chamber finds a violation of Article 5.1.a and 6.1 GDPR. 32. The consideration that following a letter from the plaintiff's lawyer to the defendant inviting him to withdraw this mention, the mention of the immediate nature of the end of the contract has been removed from its intranet by the defendant does not alter this finding. 33. As indicated below (see paragraphs 38 to 40), this is a prima facie decision taken by the Litigation Chamber pursuant to Article 95 of the LCA on the basis of the complaint introduced by the complainant, as part of the “procedure prior to the substantive decision” and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the ACL. The purpose of this decision is to inform the defendant, allegedly responsible for the processing, because it may have violated the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions. 34. If, however, the defendant does not agree with the content of this decision prima facie and believes that it can make factual and/or legal arguments that could lead to another decision, it may send the Litigation Chamber a request for processing on the merits of the case. II.2. Principle of minimization (article 5.1.c GDPR) 35. The data minimization principle states that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. The Litigation Chamber concluded above (points 19-20) that the purpose of the defendant to inform its personnel of the changes in in no way requires that the party at whose initiative the termination of the employment contract took place (which implies a dismissal if at the initiative of the employer) is not indicated, nor a fortiori the immediacy of the termination of the contract. 36. As indicated above, the Litigation Chamber considers that the announcement concerning the rupture of contract (i.e. the departure) between the defendant and the plaintiff, without mention of the party to the initiative of which the rupture takes place, and without mention of the immediate nature of the rupture satisfies the principle of minimization, with regard to the purpose of informing the members of the personnel changes in personnel. Nevertheless, the information relating to the party at whose initiative the termination, and mention of the immediate nature of the termination Decision 14/2023 – 8/10 is in no way necessary with regard to the purpose pursued which could reasonably be reached without communicating this information. Consequently, the Chamber Litigation finds that the defendant violated article 5.1.c GDPR by including these mentions in the ad in question. 37. The Litigation Chamber considers that on the basis of the aforementioned facts, there is reason to conclude that the defendant may have committed a violation of the provisions of the GDPR, which which justifies that in this case, a decision is taken in accordance with article 95, § 1, 5° of the LCA, more specifically to order compliance with the request of the plaintiff to remove the mention on the defendant’s intranet that the defendant initiated the termination of the employment contract (Article 17 of the GDPR) given that this violates articles 5.1.a and 6 as well as 5 .1.c of the GDPR. 38. As indicated above (points 33-34) this decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 of the LCA on the basis of the complaint 14 introduced by the complainant, as part of the “procedure prior to the substantive decision” and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the ACL. 39. The purpose of this decision is to inform the defendant, allegedly responsible for the processing, because it may have violated the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions. 40. If, however, the defendant does not agree with the content of this decision prima facie and believes that it can make factual and/or legal arguments that could lead to another decision, it may send the Litigation Chamber a request for treatment on the merits of the case via the e-mail address litigationchamber@apd- gba.be, within 30 days of notification of this decision. The case applicable, the execution of this decision is suspended for the period aforementioned. 41. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and attach to the file all the documents they deem useful. If applicable, the this decision is permanently suspended. 42. With a view to transparency, the Litigation Chamber finally emphasizes that a dealing with the case on the merits may lead to the imposition of the measures mentioned in section 100 of the ACL. 14 Section 3, Subsection 2 of the ACL (articles 94 to 97 inclusive). 15Art. 100. § 1. The litigation chamber has the power to 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; Decision 14/2023 – 9/10 III. Publication of the decision 43. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the website of the Protection Authority Datas. However, it is not necessary for this purpose that the identification data of the parties are communicated directly. FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with to articles 98 e.s. of the ACL: - pursuant to Article 58.2.c) of the GDPR and Article 95, §1, 5° of the LCA, to order the defendant to remove the mention from its intranet (if it is still there) that the defendant initiated the termination of the employment contract (article 17.1 of the GDPR), within 30 days of notification of the this decision; - under article 58.2.c) of the GDPR and article 95, §1, 4° of the ACL, to formulate a warning to the defendant to cease indicating in its intranet the party to be the initiative of which the terminations of the contract with its employees take place, especially possible immediacy - to order the defendant to inform by e-mail the Data Protection Authority data (Litigation Chamber) of the follow-up given to this decision, in the same deadline, via the e-mail address litigationchamber@apd-gba.be; And - if the defendant does not comply in good time with what is requested of it above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of the ACL. In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (court d'appel de Bruxelles), with the Data Protection Authority as defendant. 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data ; 11° order the withdrawal of accreditation from certification bodies; 12° to issue periodic penalty payments; 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 14/2023 – 10/10 Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory motion must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 17 via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.). (Sr.) Hielke H IJMANS President of the Litigation Chamber 16 The request contains on pain of nullity: (1) indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or Business Number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; (4) the object and summary statement of the means of the request; (5) the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. 17The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court office.