APD/GBA (Belgium) - 40/2023: Difference between revisions
No edit summary |
No edit summary |
||
Line 82: | Line 82: | ||
TO BE UPDATED | TO BE UPDATED | ||
The data subject | The data subject used to be an employee of association (controller), which supported adult persons with a disability. On 15 September 2020, the data subject’s employment contract with the controller was ended. The reason for the end of the working relationship was not specified in the decision. '''(1)''' | ||
On 25 May 2021, the data subject filed an access request at the controller. '''(1)''' According to the data subject, this concerned all personal data and documents '''(8) + (18).''' However, it later turned out that the data subject had only requested access to personal data in his e-mail. '''(19-20)''' | On 25 May 2021, the data subject filed an access request at the controller. '''(1)''' According to the data subject, this concerned all personal data and documents '''(8) + (18).''' However, it later turned out that the data subject had only requested access to personal data in his e-mail to the controller. '''(19-20)''' | ||
On 10 June 2022, the controller informed the data subject that it would use the possibilillity in Article 12 GDPR to extent the deadline with two months. '''(1)''' | On 10 June 2022, the controller informed the data subject that it would use the possibilillity in [[Article 12 GDPR]] to extent the deadline for replying with two months. '''(1)''' | ||
On 24 August 2020, the controller provided its answer to the access request. '''(1)''' | On 24 August 2020, the controller provided its answer to the access request. '''(1)''' | ||
Line 92: | Line 92: | ||
On 22 February 2022, the data subject filed a complaint against the controller at the Belgian DPA. '''(1)''' | On 22 February 2022, the data subject filed a complaint against the controller at the Belgian DPA. '''(1)''' | ||
On 18 July 2022, the controller clarified its position to the DPA. The controller was of the opinion that the request only concerned the data subject’s work e-mail. '''(18)''' The controller also stated that the data subjects request was in fact not an access request. The controller also stated that this e-mail inbox did not contain any personal data in the first place. Additionally, the controller held that the request of the data subject was too excessive, which justified the refusal to grant access. This refusal was also justified looking at the protection of rights and freedoms of other data subjects'''. (8)''' | On 18 July 2022, the controller clarified its position to the DPA. It provided several reasons why it did not comply with the access request. The controller was of the opinion that the data subject's access request only concerned the data subject’s work e-mail. '''(18)''' The controller also stated that the data subjects request was in fact not an access request. The controller also stated that this e-mail inbox did not contain any personal data in the first place. Additionally, the controller held that the request of the data subject was too excessive, which justified the controller's refusal to grant access. This refusal was also justified looking at the protection of rights and freedoms of other data subjects'''. (8)''' | ||
The controller also stated that there was in fact no personal data of the data subject in the inbox. The data subject claimed the opposite '''(36)''' | |||
The data subject and the controller both stated that there had not been any written agreement between controller and data subject that the work email could not be used for private e-mails. However, the controller and the data subject disagreed about the consequences of this ommisision. The controller stated that the use of the work e-mail for private e-mail conversation was not allowed. The data subject disagreed. (40) | |||
=== Holding === | === Holding === | ||
Line 109: | Line 109: | ||
'''Personal data in the inbox? (36 – 42)''' | '''Personal data in the inbox? (36 – 42)''' | ||
Distinction between personal data in proffessional capacity and for personal use/private e-mails. (38) There was no specific prohibition in writing that prevented the use of the work email to receive private e-mails. | Distinction between personal data in proffessional capacity and for personal use/private e-mails. '''(38)''' There was no specific prohibition in writing that prevented the use of the work email to receive private e-mails. (40) | ||
'''Right to access (43 – 65).''' | '''Right to access (43 – 65).''' |
Revision as of 14:45, 7 April 2023
APD/GBA - 40/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(1) GDPR Article 12 GDPR Article 12(2) GDPR Article 12(3) GDPR Article 12(5)(b) GDPR Article 15(1) GDPR Article 15(3) GDPR Article 8(1) ECHR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 22.02.2022 |
Decided: | 03.04.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 40/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | APD/GBA (in NL) |
Initial Contributor: | kv33 |
TO BE UPDATED
The Belgian DPA determined that an employer violated Article 12(5) GDPR when refusing to comply with an access request of a former employer.
English Summary
Facts
TO BE UPDATED
The data subject used to be an employee of association (controller), which supported adult persons with a disability. On 15 September 2020, the data subject’s employment contract with the controller was ended. The reason for the end of the working relationship was not specified in the decision. (1)
On 25 May 2021, the data subject filed an access request at the controller. (1) According to the data subject, this concerned all personal data and documents (8) + (18). However, it later turned out that the data subject had only requested access to personal data in his e-mail to the controller. (19-20)
On 10 June 2022, the controller informed the data subject that it would use the possibilillity in Article 12 GDPR to extent the deadline for replying with two months. (1)
On 24 August 2020, the controller provided its answer to the access request. (1)
On 22 February 2022, the data subject filed a complaint against the controller at the Belgian DPA. (1)
On 18 July 2022, the controller clarified its position to the DPA. It provided several reasons why it did not comply with the access request. The controller was of the opinion that the data subject's access request only concerned the data subject’s work e-mail. (18) The controller also stated that the data subjects request was in fact not an access request. The controller also stated that this e-mail inbox did not contain any personal data in the first place. Additionally, the controller held that the request of the data subject was too excessive, which justified the controller's refusal to grant access. This refusal was also justified looking at the protection of rights and freedoms of other data subjects. (8)
The controller also stated that there was in fact no personal data of the data subject in the inbox. The data subject claimed the opposite (36)
The data subject and the controller both stated that there had not been any written agreement between controller and data subject that the work email could not be used for private e-mails. However, the controller and the data subject disagreed about the consequences of this ommisision. The controller stated that the use of the work e-mail for private e-mail conversation was not allowed. The data subject disagreed. (40)
Holding
TO BE UPDATED
The DPA limited the scope of the access request to the data subjects e-mail and not to other documents, since the data subject initial request did not contain a request for these documents.
E-mail address = personal data? (29 – 35)
The DPA first assessed if the email adresses constituted personal data. It held that it was necessary to make a distinction between the situation before the email was first used and the situation after the first use of the email by the data subject. The data subject first used the email on 4 January 2018. the DPA concluded that both before 4 January and after 4 January 2018, the e-mail address consitituted personal data.
Personal data in the inbox? (36 – 42)
Distinction between personal data in proffessional capacity and for personal use/private e-mails. (38) There was no specific prohibition in writing that prevented the use of the work email to receive private e-mails. (40)
Right to access (43 – 65).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/16 Litigation room Decision on the substance 40/2023 of 3 April 2023 File number : DOS-2022-01387 Subject: Refusal to inspect personal data after termination of employment The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter WOG; Having regard to the rules of internal order, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Having regard to the documents in the file; Made the following decision regarding: The complainant: Mr X, represented by Maarten Verhaghe, with offices at Kortrijksesteenweg 546, 9000 Ghent, hereinafter referred to as “the complainant”; The defendant: Y, represented by Meester Sara Torrekes, with office at 8790 Waregem, Jozef Duthoystraat 112, hereinafter referred to as “the defendant”. Decision on the substance 40/2023 – 2/16 I. Factual Procedure 1. On 22 February 2022, the complainant submits a complaint to the Data Protection Authority against the defendant. The complainant worked for 13 years at the defendant, an autonomous association with as activity the support and guidance of adults with a limit. The complainant was (jointly) responsible for the studio operations of the defendant. In the context of the performance of this position, the complainant has during a used the e-mail address […] for a period of (at least) 8 years. On September 15, 2020, the employment of the complainant terminated. On May 25, 2021, the complainant submitted a request for inspection/more information addressed to the defendant. Considering the complexity and size of the request, the defendant informed the complainant on 10 June 2022 of the extension by 2 months of the deadline for providing information about the consequence given to the request. The defendant has its answer on 24 August 2022 transferred to the right of access. 2. On March 30, 2022, the complaint will be declared admissible by the First Line Service on the basis of Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG submitted to the Disputes Chamber. 3. On 4 May 2022, the Litigation Chamber shall, in accordance with Article 58(2)(c) of the GDPR and Article 95, paragraph 1, 5° WOG the decision 67/2022 with regard to the defendant and orders her, before a decision is taken on the merits, to hear within one month to the request of the complainant to exercise his right of access (Article 15, par 1 GDPR). The result of this decision must be brought to the attention of the Litigation Chamber be submitted, together with supporting documents, within one month from the date of the notification of the decision. 4. On 24 May 2022, the defendant requests a hearing on the merits of the case and she requests a copy of the file (article 95, § 2, 3° WOG), which was sent to her transferred on June 1, 2022 5. On 1 June 2022, the parties concerned will be notified by registered mail of the provisions as stated in Article 95, § 2, as well as of these in Article 98 of the WOG. they are informed of the time limits for their to file defenses. The deadline for receipt of the statement of defense from the defendant will be recorded on 13 July 2022, those for the complainant's reply on 3 August 2022 and finally those for the defendant's statement of reply on 24 August 2022. Decision on the substance 40/2023 – 3/16 6. On June 13, 2022, the defendant will electronically accept all communications regarding the case, it indicates that it wishes to make use of the opportunity to be heard in accordance with Article 98 WOG, and requests an extension of the deadlines for conclusion. 7. On June 13, 2022, the complainant electronically accepts all communication regarding the case to know that he wishes to make use of the opportunity to be heard in accordance with Article 98 WOG and confirms the request for extension of the deadlines of the defendant. The deadlines are determined as follows: The deadline for receipt of the statement of defense from the defendant will be recorded on 24 July 2022, this for the conclusion of the complainant's reply on 24 August 2022 and finally those for the statement of defense of the defendant on 24 September 2022. 8. On 18 July 2022, the Disputes Chamber received the statement of defense from the defendant.In principle, the defendant raises that the writing dated.25 May 2021 of the complainant does not request access to personal data relating to (the mailbox associated with) the e-mail address in question. In a subordinate order, the the defendant that the e-mail address in question does not contain any personal data of the complainant contains. In a more subordinate order, the defendant argues that the refusal to inspect justified in view of the excessive nature of the request and the protection of the rights and freedoms of others. 9. On August 24, 2022, the Disputes Chamber receives the request from both parties for the deadlines to adjust so that the final date for receipt of the conclusion The complainant's reply is set for August 31, 2022 and this before the conclusion of reply of the defendant on 29 September 2022. The Litigation Chamber confirms this extension on August 26, 2022. 10. On August 31, 2022, the Disputes Chamber receives the request from both parties for the deadlines to extend once again, thereby extending the final date for receipt of the statement of reply of the complainant is set for September 5, 2022 and the conclusion of the defendant's rejoinder on 4 October 2022. On 31 August 2022, the Litigation Chamber has extended these deadlines and emphasizes that no further extension will be made be allowed. 11. On 5 September 2022, the Disputes Chamber will receive the statement of reply from the complainant. The complainant argues that the letter dd. May 25, 2021 indeed a request for inspection pursuant to Article 15 GDPR and that the e-mail address, contrary to what the the defendant raises, does constitute his personal data. The complainant also argues that request for access not only relates to the e-mail address itself, but also to other Substance decision 40/2023 – 4/16 personal data. Finally, the complainant argues that the refusal of access is not is justified. 12. On 4 October 2022, the Disputes Chamber will receive the statement of rejoinder from the defendant. In these conclusions, the defendant reiterates its arguments conclusions of reply and adds that the letter dd. May 25, 2021 of the the complainant did not relate to various personal data other than the e-mail address connected mailbox. 13. On 26 January 2023, the parties will be notified that the hearing will take place on March 13, 2023. 14. On March 13, 2023, the parties will be heard by the Disputes Chamber. 15. On 15 March 2023, the minutes of the hearing will be submitted to the parties. 16. On March 20, 2023, the Disputes Chamber will receive some from the defendant remarks with regard to the official report which it decides to include in her deliberation. 17. The Disputes Chamber does not receive any comments regarding the official report because of the complainant. II. Motivation II.1. Object of the procedure 18. Based on the conclusions and the hearing, the Disputes Chamber establishes that the parties disagree on the scope of the subject-matter of this proceeding. The complainant raises that the complaint and therefore the procedure relates to the request for inspection with regarding all requested personal data and documents, as well formulated in writing dd. May 25, 2021. The defendant argues that the complaint only relates to the e-mail address and the associated mailbox. Both parties explained their position on this at the hearing. 19. The Disputes Chamber states that the letter dd. May 25, 2021 is broadly formulated, whereby on the one hand, you are asked to inspect all personal data, and on the other hand various specific documents are mentioned which the complainant wishes to inspect to acquire. The defendant has formulated a reply to this letter and various requested documents in its possession. The complainant found this answer is insufficient and has filed a complaint with the GBA. referred to in this complaint the complainant only to the e-mail address and the connected mailbox. There is no reference, also not as an example, to other documents that the complainant wishes to obtain, but not received after the defendant's letter of reply. The Litigation Chamber upholds Decision 40/2023 – 5/16 therefore established that the complaint is thus aimed at obtaining personal data contained in the mailbox. 20. The Litigation Chamber therefore concludes that these proceedings only concern the right to inspect the mailbox [… ] and the associated mailbox. II.2. Definition of personal data II.2.1. Position of the complainant 21. In his conclusions, the complainant argues that during a period of 13 years was employed by the defendant as responsible for the studio operations. During the day and with a view to the performance of his duties, the complainant always has the e-mail address […] used for both professional and personal purposes. The complainant argues that this e-mail address was only used by him, during a period of 8 years until the end of his employment. The complainant also states that the general e-mail address of the defendant is […] and not […]. 22. Consequently, the complainant concludes that the e-mail address is his personal data and contains the mailbox also various personal data from him. 23. The complainant also refers to Commission Recommendation 8/2012 of 2 May 2012 for the protection of privacy (hereinafter: CPP) and decisions 29 September 2020 and December 2, 2021 of the Litigation Chamber regarding the management of the mailbox of an employee who leaves the company and the application of essential principles within the GDPR such as purpose limitation, lawfulness, minimal data processing and storage limitation by the employer. After all, the complainant never has permission given for further use of the mailbox after his departure. The defendant, according to the complainant has not acted in accordance with this Recommendation and previous decisions of the Litigation room. II.2.2. Defendant's position 24. The defendant disputes the complainant's assertion. She states that the e-mail address […] no personal data of the complainant and that the mailbox linked to it does not contain any contains personal data relating to the complainant. Nor are they in use of the mailbox processes personal data relating to the complainant. The email address concerns after all, a purely functional e-mail address that belongs exclusively to it and that by it employees, including the complainant, can and may only do so for professional purposes being used. 25. In its conclusions, the defendant notes that, contrary to what is stated in the conclusions of the complainant, this e-mail address at the time of his employment was used by Decision on the substance 40/2023 – 6/16 several employees, such as colleague Z in particular. This is apparent from communication that the the complainant himself sent during his employment, whereby the complainant himself on the one hand insisted on using generic email addresses instead of personalized email email addresses and on the other hand asked to grant this colleague access to the email address in question. In this context, the defendant sends an email dd. January 4, 2018 about in which the the complainant asks that e-mails from a colleague be routed to the mailbox so that they can be sent as quickly as possible share the same mailbox. 26. The defendant argues that the complainant does not demonstrate or plausible in any way means that (the mailbox linked to) the e-mail address would contain personal data that pertain to him. The defendant submits witness statements that allege that the email address was a professional shared email address in which several supervisors had a view and that was not used for private purposes. This testimonials also state that, if after the departure of the complainant a personal mail have been received for him, quod non, it would have been forwarded to him. 27. In addition, it should be noted that the absence of an ICT policy and/or written ban on the private use of an e-mail address, obviously not just like that can be deduced that the e-mail address concerned in practice for both professional can be used asprivate purposes.ThereferenceofthebearertotheRecommendation 02/2012 and to the previous decisions of the Litigation Chamber is not relevant according to the defendant. This Recommendation and decisions relate to the use of a e-mail address in which the name and first name of the person concerned are stated. The email address with mailbox therefore did not contain any personal data of the complainant, concludes the defendant. II.2.3. Review by the Litigation Chamber 28. The Disputes Chamber will first judge whether the e-mail address […] is personal data of the complainant and then about the personal data contained in the mailbox. II.2.3.1. Email address as personal data 29. Article 4, 1 GDPR defines personal data as follows: any information about an identified or identifiable natural person ("de data subject”); an identifiable natural person is considered to be directly or can be identified indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person. Decision on the substance 40/2023 – 7/16 30. There are 4 elements in the definition of personal data: 1) relate to 2) an identified or 3) identifiable 4) natural person. 31. If there is to be personal data, the data must, in principle, relate have on a natural person. Data refers only to a natural person when identified or identifiable. A person is identified when it is unique from all other individuals within a group is distinguished. A person is identifiable when it has not yet been identified, but it can be done without disproportionate effort. 32. The Disputes Chamber has confirmed on several occasions that an e-mail address containing the data subject his/her first and last name, i.e. direct identifiers, a 1 personal data within the meaning of Article 4, 1) GDPR. In the present case it concerns however, a functional e-mail address, namely […] The e-mail address is thus linked to one service, in this case the studio operation, and not to a person. The question arises or something like that functional e-mail address can also constitute personal data on the basis of indirect identifiers.The extent to which certain (indirect) identifiers are sufficient to identification depends on the context of the specific situation. The Litigation Chamber finds that a distinction must be made between the e- email address in the period from the first use until January 4, 2018 and the period thereafter. Period before January 4, 2018 33. The complainant claims in its conclusions that he was the only user of the e-mail address. Since the defendant does not adduce any evidence that other persons used the email address in the period up to January 4, 2018, the Litigation Chamber determined that the e-mail address was used and managed exclusively by the complainant, as (co-)responsible for the studio activities. While exercising tasks, the complainant has always sent and signed e-mails with his name as (co- responsible for the studio. The people who sent emails to and received emails from this e-mail address in question could, certainly over time, identify the complainant as the administrator of the e-mail address. The complainant was therefore indirectly identifiable to third parties by using the email address as described above. 34. In view of the above, the Disputes Chamber therefore concludes that the functional e- e-mail address has not been used for the purpose of linking it to the person 1 See, among others, decision 133/2021 of 2 December 2021 and decision 64/2020 of 20 September 2020. Decision on the merits 40/2023 – 8/16 of the complainant, but that this was the result because of the exclusive use of it the complainer. Consequently, the e-mail address for that period constitutes his personal data. Period from January 4, 2018 35. However, in the period from 4 January 2018, the defendant demonstrates that the e-mail address was also used by (at least) the other co-responsible person of the studio operation in function of the operation of the service. The purpose of a functional e- After all, the mail address is to ensure the continuity of the service, for example when a employee is no longer employed within that service. As soon as the co-responsible person and other facilitators used the e-mail address and also e-mails in their own name as an employee of the atelier, the complainant was no longer indirect identifiable. After all, a sender of an e-mail could not know which of the employees would handle his mail, even if he addressed the complainant personally in his email. The Disputes Chamber therefore rules that from 4 January 2018 the e-mail address no longer constitutes personal data of the complainant. II.2.3.2. Personal data in the mailbox 36. The defendant argues that there are no personal data in the mailbox since it was not allowed to use the e-mail address for non-professionals purposes. This is disputed by the complainant. The complainant claims that there are personal data in the mailbox and points out that there is no policy on the use of the professional email address. 37. The Disputes Chamber points out in this regard that the concept of "personal data" includes all types of information includes: private (intimate), public, professional or commercial information, objective or subjective information. In the Nowak judgment, the Court of Justice of the European Union (hereinafter: CJEU) clearly that the concept of "personal data" includes both data arising from objective, verifiable and arguable elements such as subjective data that provide an evaluation or judgment about the data subject contain. Consequently, the Litigation Chamber concludes that the fact that a functional e-mail e-mail address does not constitute personal data in the sense of article 4, 1) GDPR, does not prevent that personal data of the complainant may be present in the mailbox. 38. The Disputes Chamber argues that in this case a distinction must be made between on the one hand, the personal data of the complainant that were processed in the professional context and, on the other hand, personal data that were processed outside the professional context of his then capacity as an employee of the defendant (private emails). 2 CJEU, 20 December 2017, C-434/16, Nowak, ECLI:EU:C:2017:994. Decision on the substance 40/2023 – 9/16 39. On the basis of the above, the Litigation Chamber concludes that there can be no doubt exist that personal data in the professional context of the complainant is contained in the mailbox, such as a registration for a course. 40. With regard to private emails, it is acknowledged by the parties that there is no explicit written prohibition on using the professional e-mail address for private purposes was applicable. However, the parties do not agree on the consequences result. The complainant states that it was thus permitted to send private e-mails and to be received with the professional e-mail address. The defendant, on the other hand, points out that the lack of such prohibition or ICT policy in that sense does not simply mean it concerned e-mail address can be used for both professional and private purposes. 41. The Disputes Chamber refers in this context to the case law of the European Court of Justice Human Rights (hereinafter: ECtHR). The ECtHR has ruled that the term “private life” should be interpreted broadly. For example, it includes the right to it establishing and developing relationships with other people and the right to identity and personal development. In particular, the ECtHR has ruled that emails sent from the work will be sent prima facie under the notions of private life and correspondence within the meaning of Article 8(1) of the European Convention on Human Rights by analogy with its earlier position that this is also the case for telephone calls from business premises. However, this broad reading does not mean that every activity that a person would like to engage in with other people in order to establish relationships delivery is protected. The Disputes Chamber is therefore of the opinion that the complainant, in view of to the right to protection of private life, could occasionally send private e-mails received at the professional e-mail address, partly because he did not have one professional email address in name and since no (written) policy on this was communicated. However, this private use should be limited to occasional use usage. However, the Disputes Chamber reads in the conclusions of the complainant that during 8 would have sent and received many private e-mails over the years, but at the same time notes that he does not provide any evidence in this regard. The Disputes Chamber can therefore not determine that such private e-mails date from the period of the complainant's employment the mailbox would be present. 42. The defendant argues that there are no private e-mails after the termination of the employment arrived for the complainant and substantiates this by various witness statements. During the day the hearing has asked the Disputes Chamber to the counsel of the complainant about what kind of private emails it would involve in this case. This stated that it concerned private e-mail e-mails from friends and acquaintances. However, the Litigation Chamber cannot depart from the claims, nor establish from the hearing that there are indications that there are indeed 40/2023 – 10/16 private e-mails have been received at the e-mail address in question after the termination of the employment with the defendant. II.3. Right of access (Article 15 GDPR) 43. In accordance with Article 58(2)(c) of the GDPR and Article 95(1)(5) WOG, the Litigation Chamber has taken the decision 67/2022 with regard to the defendant and ordered her to be heard within one month before a substantive decision is taken to the request of the complainant to exercise his right of access (Article 15, par 1 GDPR). Having regard to the request of the defendant to deal with the substance of the case and the arguments set out by the parties are taken by the Litigation Chamber in this regard a new decision. 44. According to Article 15(1) of the GDPR, the data subject has the right to obtain from the to obtain a definite answer from the controller as to whether or not he is being processed regarding personal data. If that is the case, the data subject has the right to obtain access to those personal data and information listed in Article 15(1a)-h) of the GDPR is stated, such as the purpose of the processing of the data and the any recipients of the data, as well as information about its existence rights, including the right to request rectification or erasure of its data, or to submit a complaint to the GBA. 45. Pursuant to Article 15(3) of the GDPR, the data subject also has the right to obtain a obtain a copy of the personal data that are the object of the processing. 46. Article 12 of the GDPR on the way in which data subjects can exercise their rights, provides that the controller shall prevent the exercise of those rights by the the data subject (article 12, paragraph 2 of the GDPR) must facilitate, and in any case inform him without delay must provide information about the measures taken in response to his request (Article 12(3) of the GDPR). If the controller does not intend to comply with the request, it must communicate his refusal within one month, and inform the person concerned about the possibility to appeal against that refusal to the supervisory authority for data protection (Article 12 (4) of the GDPR). 47. The Disputes Chamber finds that on 25 May 2021 the complainant received the notification and/or inspection requested by letter below. Decision on the substance 40/2023 – 11/16 48. The complainant also requests copies of several documents from its personnel file and adds that he would also like to have known what happened when happened to his work mailbox […] after his dismissal. 49. On 10 June 2021, the defendant notified the complainant by registered letter of the extension of the deadline for providing information about the consequence to it request is given, with two months, in accordance with Article 12 (3) GDPR. On 24 August 2021, the defendant will forward and light various requested documents to the complainant why other documents cannot be submitted, either because they do not exist, or because the defendant is not the controller is. 50. In his complaint to the GBA, the complainant denounces that he does not have access to the data received in the emails in his work mailbox. 51. In its conclusions, the defendant argues that this initial application dated. May 25, 2021 none request for access to personal data in accordance with Article 15 GDPR until (the mailbox linked to) contains the email address […]. The complainant asks, according to the defendant with regard to the email address just what happened when work mailbox. The defendant replied that the access rights of the e- email address and password have been changed. The defendant replied also that the e-mail address was not personal and therefore does not constitute personal data Decision on the substance 40/2023 – 12/16 and rejects the complainant's request. In subordinate order, the defendant argues that if it would nevertheless constitute personal data, the rejection of the request for access still remains would always be justified, in view of the principle of proportionality on the one hand and the protection of the rights and freedoms of others on the other. II.3.1. Request access regarding the e-mail address and the mailbox 52. The Disputes Chamber finds that the complainant's question about what to do and when mailboxishappenedcannotbequalifiedasarequesttoinspect/notify his personal data The request for inspection, however, arises from the first part of the letter dd. May 25, 2021 as resumed above (see supra marginal number 47). The GDPR after all, does not provide any formal requirements for the request for inspection, and unless stated otherwise, a request for access relates to all personal data of the data subject. The above request is therefore formulated in accordance with the GDPR and is related on all personal data, including those that may be in the mailbox. 53. The Disputes Chamber also points out in this context that the right of inspection is one of the constitutes essential elements of the right to data protection, as such included in Article 8 of the Charter of Fundamental Rights of the European Union, and that, as is also apparent from the EDPB's guidelines on the right of access, there are limitations the exercise of this right is only permitted to a limited extent of a data subject to request access of no importance. 3 II.3.2. Refusal of the right to inspect the mailbox 54. The complainant argues that the right of access includes several elements, such as getting information about whether or not personal data of the complainant is being processed such as personal data contained in the mailbox. In its conclusions, the the defendant explained the reasons why it refused the right to inspect the mailbox has. In principle, the defendant argues that no personal data are present in the mailbox (see section II.2.3.2). In the first instance, therefore, the defendant replied to request access by stating that there are no personal data in the mailbox are located. 55. In view of the above (see section II.2.3.2), the Litigation Chamber finds that the it is unavoidable that personal data of the complainant are present in professional e-mails the mailbox. 3 EDPB, Guidelines 01/2022 on data subject rights – right of access, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf Decision on the substance 40/2023 – 13/16 56. In orderly order, the defendant argues that the refusal is still justified is, in view of the principle of proportionality on the one hand and the protection of rights and freedoms of others on the other hand. 57. The Disputes Chamber points out that the right of access is not absolute. In this context the Litigation Chamber refers to Article 12(5)(b) of the GDPR which reads as follows: “Providing the information referred to in Articles 13 and 14, and providing the communication and the taking of the measures referred to in Articles 15 to 22 and Article 34 are free of charge. When requests from a data subject are evident are unfounded or excessive, in particular because of their repetitive nature, the controller or: […] b) refuse to comply with the request. It is up to the controller to correct the manifestly unfounded or excessive nature of the request” 58. In its Rijkeboer judgment, the CJEU ruled on the balance that must be struck be sought between the right of access of the data subjects and the burden imposed on the obligation to comply with that law entails for the controller. More specifically, the question was "from when the exercise of the right to access information about the past may become lawful paralyzed by the erasure of that information. And how long do people need to own it of that data are the traces of past actions with that data performed, keep". Although the question in this case was how long a controller must keep personal data, the reasoning of the CJEU should be applied to the present case, given the scope of the request of the complainant, that all e-mails concerning him are concerned. The Disputes Chamber points to it importance of finding “[…] a fair balance between, on the one hand, the interests of the data subject to protect his privacy […] and, on the other hand, the burden that the obligation to that information for the controller constitutes". The parameters on the based on this balance, the controllers are of course not allowed to impose disproportionate obligations and excessive burdens. 59. However, the Litigation Chamber notes that Article 12(5) GDPR requires that the controller the manifestly unfounded and excessive nature of the request must be demonstrated. In her letter dd. As of August 24, 2021, the defendant does not have this done. The defendant does have elements in its statement of defense and rejoinder which demonstrate the excessive nature, but this should already have been done in the above-mentioned letter to the complainant. Decision on the substance 40/2023 – 14/16 60. In the present case, the Litigation Chamber finds that searching all e-mails concerning the complainant, for at least 8 years, after the moment of termination of the employment, would imply a disproportionate workload for the defendant. The work mailbox was also used by different people for years. The complainer also did not transfer a single document showing that there are private e-mails in the mailbox nor does the complainant provide specific e-mail addresses or other parameters on the basis of which targeted searches can be made in the mailbox. In his conclusions, the complainant states moreover, that no internal instructions indicate that he was obliged to apply any labelling to the e-mails that are personal or to classify them in a separate folder. Any private e-mails present are therefore not possible with a reasonable effort found by the defendant. In addition, the mailbox concerns many sensitive information, such as health data about the users of the services of defendant, namely adults with a disability, so that not just inspection can be granted in all professional emails with personal data of the complainant on the basis of the aforementioned elements, the Disputes Chamber concludes that the request for access by the complainant is excessive and that the defendant has lawfully refused to to follow up on this. 61. In view of the above, the Disputes Chamber concludes that there is no infringement is on Articles 12 (1) – (4) and 15 GDPR, but that there is a violation of Article 12 (5) GDPR due to failure to sufficiently demonstrate the apparent in time excessive or unfounded nature of the request for inspection by the complainant. That infringement is however, not of such a serious nature as to warrant a fine or corrective sanction must be imposed. The Disputes Chamber believes that a reprimand can be suffice. III. Access and use of the e-mail address after termination of employment 62. In its conclusions, the complainant states that the defendant unilaterally controlled access to the mailbox denied him. After all, his permissions as a user of the mailbox were deleted and then the password was changed. The complainant argues that the defendant can only rely on the legal basis of permission to make further use of the mailbox after his departure. Since the complainant has not given consent, the processing of his personal data is not based on a legal basis from Article 6, paragraph 1 GDPR. In this context, the complainant refers to the Recommendation already mentioned above 02/2021 of the CPP and the aforementioned decisions September 29, 2020 and December 2 2021 of the Disputes Chamber regarding the use of professional resources, such as an email address. 63. The defendant argues in its conclusions that no personal data of the complainant further processed by using the mailbox. After all, it concerns a decision on the merits 40/2023 – 15/16 functional e-mail address and not a registered e-mail address. The complainant's reference to the Recommendation 02/2012 and previous decisions of the Litigation Chamber are not relevant according to the defendant. This Recommendation and decisions relate to it use of an e-mail address in which the name and first name of the data subject are stated. Consequently, the Respondent may lawfully continue to use the email address and the mailbox. III.1. Review by the Litigation Chamber 64. The Disputes Chamber states that the e-mail address is indeed a functional e-mail address time of termination of the complainant's employment and therefore no personal data of the complainant, as a result of which the GDPR does not apply. The references to Recommendation 02/2020 of the CPP and the aforementioned decisions of the Disputes Chamber are therefore not relevant in this case. During the hearing, the explained to the defendant that in the meantime she has started using a different e-mail address for the studio operation, which has entailed the necessary problems, considering its target audience, adults with disabilities. The Disputes Chamber is of the opinion that the defendant could have lawfully continued to use the functional e-mail email address. After all, the purpose of such an e-mail address is the continuity of the service(provision). Finally, the Disputes Chamber once again points out that the complainant does not have made plausible that after the termination of the employment there are still matters concerning him personal data would have arrived in the e-mail box. IV. Publication of the decision 65. Given the importance of transparency with regard to decision-making by the Litigation Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary for the identification data of the parties are disclosed directly. FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to: - on the basis of article 100, §1, 5°, to reprimand the defendant for not doing so in time sufficient proof of the manifestly excessive or unfounded character of the request for inspection, which constitutes a violation of Article 12, paragraph 5 GDPR. - to dismiss all other grievances pursuant to Article 100, §1, 1° WOG. Decision on the substance 40/2023 – 16/16 Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the notification against this decision may be appealed to the Marktenhof (court of Brussels appeal), with the Data Protection Authority as defendant. Such an appeal may be made by means of an inter partes petition must contain the information listed in Article 1034ter of the Judicial Code . It 4 a contradictory petition must be submitted to the Registry of the Market Court 5 in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit IT system of Justice (Article 32ter of the Ger.W.). (get). Hielke HIJMANS Chairman of the Litigation Chamber 4 The petition states under penalty of nullity: 1° the day, month and year; 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or enterprise number; 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be summoned; 4° the object and brief summary of the means of the claim; 5° the court before which the action is brought; 6° the signature of the applicant or his lawyer. 5 The petition with its appendix, in as many copies as there are parties involved, will be sent by registered letter sent to the clerk of the court or deposited at the clerk's office.