APD/GBA (Belgium) - 72/2021: Difference between revisions
From GDPRhub
No edit summary |
|||
| Line 54: | Line 54: | ||
}} | }} | ||
The Belgian DPA issued a reprimand against a public authority | The Belgian DPA issued a reprimand against a public authority that shared an audit report including personal data to third parties, without a proper legal basis, and that did not answer to the access request of a complainant in due time. | ||
== English Summary == | == English Summary == | ||
Revision as of 08:32, 30 June 2021
| APD/GBA (Belgium) - 72/2021 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 6(1)(e) GDPR Article 12(3) GDPR Article 13(1)(c) GDPR Article 15(1) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 14.06.2021 |
| Published: | 14.06.2021 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 72/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Belgian DPA (in FR) |
| Initial Contributor: | n/a |
The Belgian DPA issued a reprimand against a public authority that shared an audit report including personal data to third parties, without a proper legal basis, and that did not answer to the access request of a complainant in due time.
English Summary
Facts
A public administration in charge of supervising the organisations hiring persons with disabilities established an audit report on the situation of the organisation after a complaint from the trade union and some members of the staff. The report mentioned some personal data of the director of the organisation (ie, the salary) and was shared with third parties (trade union representatives, social mediator). The director (the complainant) sent an access request to the administration in charge regarding his personal data in the report. The administration did not answer to the request.
Dispute
Can the administration share the personal data of the report with third parties such as the representatives of the trade union and the social mediator when the procedure does not specifically provide for it?
Holding
The administration did not respect its obligation to inform under Article 12(3), 13(1)(c) and 15(1) GDPR. The sharing of the personal data of the director cannot rely on a proper legal basis such as Article 6(1)(e) since sharing the report with the personal data was not necessary for the performance of the tasks of the administration. In addition, the administration could not rely on Article 6(1)(d) GDPR (vital interests) for communication of the personal data of the director to third parties.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/21
Contentious room
Decision on the merits 72/2021 of June 14, 2021
File No .: DOS-2019-02726
Subject: Complaint against a public authority for transmitting a report to third parties
and lack of response within the legal deadline
The Contentious Chamber of the Data Protection Authority (hereinafter APD), made up of
Mr. Hielke Hijmans, chairman, and Messrs C. Boeraeve and R. Robert, members.
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the
protection of individuals with regard to the processing of personal data
and the free movement of these data, and repealing Directive 95/46 / EC (General Regulation
on Data Protection), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter
LCA);
Given the internal regulations of the Data Protection Authority as approved by the
Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
Has taken the following decision regarding:
The complainant: Mr X, (hereinafter the complainant), represented by Mr Jean-Yves Gyselinx
Defendant: Agence Y, Beslissing on the merits 72/2021 - 2/21
I. Facts and retroacts of the procedure
1. On May 15, 2019, the complainant lodged with the Data Protection Authority
(hereinafter the DPA) a request / complaint form in which he criticizes the
communication by the controller of a report dated April 3, 2019 to
trade union representatives, due to the fact that it contains personal data
personnel about him and in particular his salary. He complains in particular that the
union representatives would have transferred the information to many other
fellow trade unionists, who allegedly used the information against him in meetings.
2. The report, dated April 3, 2019 and entitled "Complaint conclusion report" (hereinafter
afterwards, "the audit report" or "the report") comes from the Audit & Control Department,
[…] Of the defendant. The report concerns ASBL Z (hereafter ASBL), a
establishment that has a care authorization issued by Y for
95 people with disabilities, day and night reception. The
beneficiaries have an intellectual disability or mental health problems,
some with significant multiple disabilities. Part of the population present
complex needs.
3. The audit report follows on from three groups of complaints that were filed between the
December 22, 2018 and February 21, 2019, against the non-profit organization on the part, respectively,
about twenty workers from the non-profit organization, a collective of educators and unions
[…] And […].
4. The audit examines grievances such as the financial structure of the institution, the
lack of supervision, incompetence of management as well as
problems in the quality of care for residents. Out of nine grievances
mentioned, the report considers that five are founded or generally founded, the four
others subject to various assessments. The complainant is informed as
being the director of the non-profit organization.
5. This audit report was emailed on April 3, 2019 to the complainant and two
union representatives (identified as being respectively the managers
and the complainants). The report is also addressed to the social conciliator "in view
to support the lines of thought that will be discussed during the meeting of this
1
afternoon in order to try to resolve this dispute ”.
1
Email of April 3, 2019. Beslissing on the merits 72/2021 - 3/21
6. On the same day, the complainant replied to the email indicating that he had observed different
errors in the report and wanting to write a right of reply. On May 8, 2019, he sent
by e-mail a series of grievances and questions to the defendant concerning
elements of the report. He also complains about the fact that the report contains his
salaries that have been sent to union representations. He asks for
explanations of what he considers to be the breach of data confidentiality
personal. On May 14, 2019, he sent by email a document entitled "Right to
reply ".
7. On May 15, 2019, the complainant submitted his request form to the Authority.
8. Initially, the Authority, through the frontline service intervenes
with the complainant in a mediation phase during which she invites him to exercise
his right of access to the defendant (letter of May 27, 2019).
9. On June 14, 2019, the complainant replied to the PDA that he never received a response to his
communications of May 8 and 14, 2019. By letter dated July 22, 2019, the APD
advises the complainant that the email sent by the complainant on May 8, 2019 does not constitute
not really a request for access. She invites him to exercise this right with the
defendant by asking for the legal basis on which the transfer of
data.
10. The complainant made this request to the defendant on July 23, 2019. The
August 26, he informed the APD of the lack of response from the defendant. The 10
September 2019, the APD sends a letter to the defendant asking them to
respond to the requester and send a copy of this response to the DPA. The
defendant confirms receipt of the request on September 18, 2019 and indicates
that a response will follow as soon as possible.
11. The Respondent's response is dated September 26, 2019. In it, the
defendant apologizes for its late response. It then indicates that
the purpose of the data processing was to investigate a complaint lodged against
of the complainant, in accordance with Article 1369.84 of the Walloon Regulatory Code of
Social and Health Action of July 4, 2013 (hereafter: the regulatory code). It
refers the complainant to the Privacy Policy which states that the data
are transmitted to third parties when required to participate in the investigation of the case. The
defendant also provides elements of contextualization of the Beslissing situation on the merits 72/2021 - 4/21
by evoking an abnormally long social conflict that poses risks to the
be beneficiaries of the establishment.
12. By email of September 27, 2019, the complainant replied to the letter from the
defendant. He challenges the legality of the transmission of his data to unions,
given that they are also the authors of the complaint to Y and that the
transfer was not based on his consent. It indicates that this transfer allowed
unions to use their data for a purpose other than that for which they
had been collected. It also raises the overrun of the legal deadline for
respond to their access request. He asks the APD to register his complaint and declare it
admissible.
13. On October 18, 2019, the Frontline Service of the APD, seeing the last
communication from the complainant, notes that the mediation initiated was not successful and
seeks the consent of the complainant for the file to be forwarded as a complaint to the
Contentious chamber. On November 5, 2019, after obtaining the agreement of
complainant, the Frontline Service declares the complaint admissible on the basis of the
Articles 58 and 60 of the LCA and transmits it to the Litigation Chamber in accordance with
Article 62, § 1 of the LCA.
14. On December 3, 2019, the Litigation Chamber decides that the case can be processed
on the merits and inform the parties thereof. It establishes that the grievor's grievances against
of Y concern, on the one hand, compliance with the data protection rules of the
communication of the report containing personal data on
concerning (his salary) to union representatives, including with regard to
the information that Y communicates to the data subjects about the processing
of their personal data (articles 5 and 6 of the GDPR and articles 12 to 14 of the
GDPR), and on the other hand, the compliance of the response given to the complainant by Y, following
the exercise by the latter of his right of access (Articles 12 and 15 of the GDPR).
15. On the same day, the Contentious Chamber informs the parties of its decision to deal with
the case on the merits and establish a timetable for the exchange of conclusions.
16. On 12 December 2019, the defendant confirms receipt of the letter from the Chamber
contentious and asks to receive a copy of the documents in the file which it does not
not yet have. The secretariat of the contentious chamber sends the documents
requested the same day. Beslissing on the merits 72/2021 - 5/21
17. On 24 December 2019, the defendant sends these conclusions to the Chamber
contentious. She first explains that normally, analysis reports,
such as the audit report of April 3, 2019, have never been communicated to the complainants.
They only receive a letter informing them of the outcome of the investigation. The
defendant adds that the case of the non-profit organization is quite special since it
was the subject of a major social conflict, including a strike that allegedly
lasted seven weeks. According to the defendant, the role of social consultation was
therefore become essential to hope to find a solution to the conflict. The report of the
defendant was eagerly awaited since it made it possible to objectify the complaints made
by the complainants, which included the trade unions. These grievances
concerned, among other things, the mode of governance and financial practices. This is
in this context that the report was transmitted to the conciliator and to the organizations
unions so that he could serve in the conciliation meeting that took place after
noon even. The defendant considers that it was not possible for her not to treat
the subject of the complainant's remuneration in such a context.
18. As to the exercise of the right of access, the defendant acknowledges the late nature of the
response, stressing, however, that a response providing the elements
necessary was eventually transmitted.
19. Regarding the disclosure of the amount of the complainant's remuneration, the
defendant recognizes a clumsiness and a lack of precaution but precise
many elements. It recalls the exceptional nature of the situation and the
need to find solutions, which prompted him to carry out a balance of
interests, particularly in view of its essential role in this sector. She explains
also not to consider itself responsible for actions carried out a posteriori by the
unions. She also added that her email from April 3, 2019 contained a
disclaimer.
20. On January 3, 2020, the complainant informs the Litigation Chamber and the respondent
to have given a mandate to Me. Gyselinx to represent him. On January 28, 2020, the latter
2
sends its conclusions to the contentious chamber and to the defendant. There is
explains that the report contained not only the salary of the concluding party but
also the invoicing of [the company…] (a service provider). He points out that the
defendant admitted his own awkwardness. He also argues that this
2The Contentious Chamber notes that the plaintiff's lawyer refers to the Contentious Chamber as a "court".
The Litigation Chamber reminds the parties that it is an organ of an administrative authority and not an institution
of the judiciary. Beslissing on the merits 72/2021 - 6/21
disclosure of the salary caused enormous damage in terms of images and forced the
complainant to withdraw and then leave the management of the non-profit organization. On the principles, he
stresses that the defendant does not rely on any basis of lawfulness provided for by the
GDPR (called grounds for justification by the complainant) and explains why it
considers that neither Article 6.1.d) nor Article 6.1.e) is applicable in the present case.
21. On February 10, 2020, the defendant sends its pleadings in reply to the
Contentious chamber. Beyond the points already mentioned in its premieres
conclusions, the defendant considers that the complainant minimizes the situation in
which the non-profit organization was at the time of the events and underlines the importance of
look into executive compensation as well as other budgetary aspects. It
adds that the complainant does not demonstrate anything of the damage that would have been caused to him and that
dissemination of the report was supervised and limited to stakeholders only
identified.
22. With regard to the basis of legality, the defendant states that it is based on Article 6.1.d)
since the disastrous living conditions of the beneficiaries of the establishment are
in connection with the notion of vital interest provided for in this article. The defendant indicates
also be based on Article 6.1.e) as the seriousness of the grievances impacted
considerably the quality of life and reception of residents as well as their safety.
23. On July 1, the plaintiff's lawyer wrote to the Litigation Chamber to inquire about
the status of the case. The defendant asks a similar question on November 25, 2020.
On December 10, 2020, the Litigation Chamber responds to both parties that the
file is still being processed and the decision will be communicated
when it has been adopted. The contentious chamber regrets the delay it has made
to address a response to the parties.
PLACE
II. On the grounds for the decision
1) As to the Beslissing complaints on the merits 72/2021 - 7/21
24. In accordance with the grievances set out by the complainant, as well as the exchanges of
conclusions between the parties, the Contentious Chamber considers that several
issues need to be analyzed.
25. The first question concerns the legality of the data processing
personal data of the complainant (Articles 5 and 6 of the GDPR). The second concerns the
further processing of the data which would have been carried out by certain recipients of the
audit report. The last question concerns the exercise of the right of access by the
complainant and the response provided by the defendant (Articles 12 and 15 of the GDPR).
26. Beyond these questions, in its minutes of December 3, 2019, the Chamber
contentious had considered that the case also concerned the information that the
defendant communicates to the persons concerned about the processing of
their personal data (Articles 12 to 14 of the GDPR). These grievances having been
addressed neither by the complainant nor by the defendant during the concluding discussions, the
Litigation Chamber has few elements enabling it to examine
that question. It will therefore not be considered by the Chamber.
contentious.
2) Regarding the data processing in dispute
27. It appears from the documents in the file that the complainant objects to the fact that the audit report
contains some of his personal data. According to the access request of the
complainant, this personal data relates to:
- data concerning his salary;
- information concerning the company […] (the fact that the complainant is
also the manager of this service provider of the institution as well as the
fees and overall billing amount);
- "hasty conclusions" on management.
28. In his conclusions the complainant only refers to the first two
elements. The Contentious Chamber therefore considers that the dispute relates to these two
different data in the report.
29. In its pleadings in reply, the defendant objects to the
the question of data concerning the company […] be addressed, for two reasons.
First of all, she considers that this is a legal person whose data is not Beslissing on the merits 72/2021 - 8/21
therefore not covered by the definition of personal data in Article 4.1
of the GDPR. Then she feels that this item was never brought to her attention.
before the complainant's conclusions.
30. The data concerning the company [...] appear in the audit report under the
“financial package” grievance. It is stated in particular that "The designation of
Mr. X coincided with the arrival of a new subcontractor of which he is none other than
the manager. ". This sentence is followed by several others which describe the tasks of
this company within the non-profit organization as well as elements relating to invoicing. In this
that the quoted sentence refers directly to the complainant, who is a natural person
identified, and the fact that he is the manager of this company, the Litigation Chamber
considers that this is indeed personal data within the meaning of Article 4.1 of
GDPR. On the other hand, the amounts of fees and global annual invoicing
cannot be understood as personal data since it does not
do not refer to an identified or identifiable natural person. Bedroom
litigation also points out that this information was already in the request
access notice of 23 July 2019. The respondent cannot therefore argue that it
was unaware that this was data that was the subject of the dispute.
31. The Litigation Division also considers that the disputed treatments relate to
on the one hand on the collection and integration of the aforementioned personal data
in the audit report and on the other hand on the transmission of this audit report to
union representatives. Even if this is not part of the grievances put forward by the complainant,
the Contentious Chamber notes that the second processing (transmission of the report)
concerns not only the union representatives but also the conciliator
social. The contentious division's analysis will therefore focus on these two treatments.
3) As to the lawfulness of the processing (article 6 of the GDPR)
Article 6
Lawfulness of processing
1. Processing is only lawful if, and insofar as, at least one of the following conditions
is met: Beslissing on the merits 72/2021 - 9/21
a) the data subject has consented to the processing of their personal data for
one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is a party
or the execution of pre-contractual measures taken at the request of the latter;
c) the processing is necessary for compliance with a legal obligation to which the data controller
treatment is submitted;
d) the processing is necessary to protect the vital interests of the data subject or
another natural person;
e) the processing is necessary for the performance of a task of public interest or falling within
the exercise of public authority vested in the controller;
f) the processing is necessary for the purposes of the legitimate interests pursued by the controller
processing or by a third party, unless the interests or freedoms and rights
fundamental aspects of the data subject which require protection of personal data
personal, especially when the data subject is a child.
Point f) of the first subparagraph does not apply to processing carried out by public authorities
in the performance of their missions.
2. Member States may maintain or introduce more specific provisions for
adapt the application of the rules of this Regulation with regard to processing for the purpose of
comply with paragraph 1, points c) and e), determining more precisely the requirements
specific conditions applicable to the processing as well as other measures to ensure processing
lawful and fair, including in other special processing situations as provided for in
chapter IX.
3. The basis for the processing referred to in paragraph 1 (c) and (e) shall be defined by:
(a) Union law; or
b) the law of the Member State to which the controller is subject.
The purposes of the processing are defined in this legal basis or, with regard to the
processing referred to in point (e) of paragraph 1 are necessary for the performance of a task of interest
public or subject to the exercise of public authority vested in the person responsible for
treatment. This legal basis may contain specific provisions to adapt
the application of the rules of this regulation, inter alia: the general conditions governing the
lawfulness of processing by the controller; the types of data that are the subject of
treatment; the people concerned; the entities to which the personal data Beslissing as to the substance 72/2021 - 10/21
can be communicated and the purposes for which they can be; limitation of
purposes; retention periods; and processing operations and procedures, including
measures to ensure lawful and fair processing, such as those provided for in other
special processing situations as provided for in Chapter IX. Union law or
Member State law meets an objective of public interest and is proportionate to the objective
legitimate pursued.
[…] "
32. During the exercise of the right of access by the complainant, he requested from the
defendant, the legal basis for the processing of such data. In his response to the law
access dated September 26, 2019, the defendant explained that the purpose of
processing "aimed at investigating a complaint lodged against you, in accordance with
Article 1369/84 of the Walloon Regulatory Code for Social Action and Health of 4
July 2013. "
33. In the exchange of conclusions, it appeared that the defendant is claiming the
Articles 6.1.d) and 6.1.e) of the GDPR as the bases of lawfulness of the processing (called
grounds for justification by both the complainant and the defendant). The complainant has
meanwhile, he had the opportunity to challenge the applicability of his bases of legality.
34. It follows from recital 46 that 'the processing of personal data
based on the vital interest of another natural person should in principle take place
only when the processing clearly cannot be based on any other basis
3
legal."
35. The Contentious Chamber will therefore examine the legal basis of Article 6.1.e) in a
first place. It will only consider that of Article 6.1.d) if Article 6.1.e) is found to be
inapplicable in this case.
36. The defendant argues that the complaints raised against the non-profit organization and their impact on
the quality of life and the reception of the residents justified his intervention. The complainant
considers that the processing of the complainant's personal data was in no way
useful for the execution of the mission.
3
"The processing of personal data should also be considered lawful when it is necessary for
protect an essential interest in the life of the data subject or that of another natural person. Treatment of
personal data based on the vital interest of another natural person should in principle only take place
when the processing clearly cannot be based on another legal basis. Certain types of treatment may
be justified both by important reasons of public interest and by the vital interests of the data subject, for example
when the treatment is necessary for humanitarian purposes, including to monitor epidemics and their spread, or in
humanitarian emergencies, including natural and man-made disasters. »Beslissing on the merits 72/2021 - 11/21
37. The defendant is a regional public authority responsible for [matters
in the social and health sector]. As such, it notably issued a
payment authorization for the benefit of the non-profit organization. In the context of the litigation at
examination, the defendant investigated a complaint lodged against the
defendant, which led to the conclusion of the audit report. It is therefore established that
the defendant exercises public authority, in the sense that it is the institution
government in charge of large areas of social action at regional level and that by
For example, as such, it issues authorizations and investigates complaints. The part
defend this argument to justify that the treatment can be based on the article
6.1.e) of the GDPR.
4
38. As already explained in its decision 55/2021, the Contentious Chamber must
however check that the conditions provided for in Article 6.1.e) are met by
the species. Under Article 6.3.b) and recital 45 of the GDPR, processing
based on Article 6.1.e) must meet two conditions:
o The data controller must be responsible for carrying out a
mission of public interest or relating to the exercise of public authority
under a legal basis, whether under European Union law
or under the law of the Member State;
o The processing must be necessary for the performance of the assignment of interest
public or the exercise of public authority.
A legal basis
39. It appears from the documents in the file that the defendant's audit report was drawn up
based on article 1369/84 of the Regulatory Code. This article is written as
follows:
"Article 1369/84. Any complaint relating to taking charge in a service can be
formulated in writing to the Agency. The Agency shall inform the
organizing authority, taking into account the needs of the examination of this request.
The Agency carries out this examination upon receipt of the complaint and formulates its
4 Decision on the merits 55/2021 of 22 April 2021 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-
fond-n-55-2021.pdf) Beslissing as to the merits 72/2021 - 12/21
conclusions within a maximum period of six months. The Agency informs the complainant, the
management, the manager of the service and the authorities responsible for the placement and / or
funding, follow-up to this complaint. "
40. The Contentious Chamber therefore considers that this article establishes a legal basis which
framework of the exercise of the public authority of the defendant for the treatments
contentious, being extended that the general framework for the exercise of public authority
Complainant is much larger. For the contentious Chamber, it therefore appears
the exercise of public authority has a legal basis in national law. The
Contentious roomvadoncexaminersicettebaselegalerfillsprescribed well
of the GDPR.
Processing necessary for the exercise of public authority
41. In order for the processing to be lawful on the basis of Article 6.1.e), the purposes of the processing
must therefore be necessary for the exercise of public authority. As she already has
developed in its decision on the merits 38/2021, the necessity test is
essential.
42. In its Huber judgment, the Court of Justice of the European Union (CJEU) has, in view of
of this necessary condition, specified: that "with regard to the objective of ensuring
an equivalent level of protection in all Member States, the concept of
necessity as it results from Article 7 (e) of Directive 95/46, which aims to
precisely delimit one of the hypotheses in which the processing of
personal data is lawful, cannot have a variable content depending on the
function of the Member States. Therefore, it is an autonomous concept of the law
community which must be interpreted in such a way as to fully respond
subject to this Directive as defined in Article 1 (1) thereof ". 7
8
43. According to his conclusions in this case, the Advocate General
makes it clear in this regard that "the concept of necessity has a long history in
community and it is well established as an integral part of the
5 Decision on the merits 38/2021 of 23 March 2021 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-
deep-n-38-2021.pdf)
6 Member States provide that the processing of personal data may only be carried out if: (...) e) it is
necessary for the performance of a mission of public interest or falling within the exercise of public authority vested in the
controller or the third party to whom the data are communicated.
7CJUE, December 16, 2008,, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, para. 52.
8
Opinion of Advocate General Poiares Maduro presented on April 3, 2008 in the context of the proceedings before the CJU having
resulted in the judgment cited in footnote 15 above (C-524/06). Beslissing on the merits 72/2021 - 13/21
proportionality. It means that the authority which adopts a measure which undermines
a fundamental right in order to achieve a justified objective must demonstrate that this
is the least restrictive measure to achieve this objective. Moreover, if the
processing of personal data may be liable to infringe the law
fundamental to respect for private life, Article 8 of the European Convention on
safeguard of human rights and fundamental freedoms (ECHR) which guarantees
respect for private and family life is also becoming relevant. As the court has
stated in the Österreichischer Rundfunk and others judgment, if a national measure is
incompatible with Article 8 of the ECHR, this measure cannot satisfy
the requirement of Article 7 (e) of the directive. Article 8, paragraph 2, of the ECHR
provides that an interference with privacy may be justified if it targets one of the
objectives listed therein and "in a democratic society, is necessary" to
one of those goals. The European Court of Human Rights has ruled that the concept
of "necessity" implies that a "pressing social need" is involved ".
44. The Article 29 Group also referred to the case law of the Court
European Human Rights Court (Eur. D.H. Court) to identify the requirement of
necessity and concludes that the adjective "necessary" thus does not have the flexibility of terms
such as "admissible", "normal", "useful", "reasonable" or "expedient". 10
45. In its Michael Schwarz v. Stadt Bochum, the Court of Justice of the Union
European Union, considers that it concerns "the examination of the necessary
such processing, the legislator is in particular required to verify whether measures less
infringements of the rights recognized by Articles 7 and 8 of the Charter are conceivable
while contributing effectively to the goals of Union regulation by
11
cause "
46. Following this precedent, it is therefore up to the Contentious Chamber to determine
if the processing was necessary for the exercise of public authority. So she has it
established beforehand (see point 31), for the Contentious Chamber
concerns two processing operations: the processing of the complainant's personal data
completion of the drafting of the audit report, as well as sending the audit report to
different parties, including union representatives and the social conciliator.
9
"Article 29" working group on data protection, "Opinion 06/2014 on the concept of legitimate interest pursued by
the data controller within the meaning of Article 7 of Directive 95/46 / EC ", adopted on April 9, 2014.
10Court eur. D.H., March 25, 1983, Silver et al. United Kingdom, para. 97.
11CJUE, 17 October 2013,, Michael Schwarz v. Stadt Bochum, C-291/12, para. 46. Beslissing on the merits 72/2021 - 14/21
47. With regard to the processing of the complainant's personal data for the
drafting of the report, the Litigation Chamber notes that it concerns
only the complainant's salary as director of the non-profit organization and his position as
manager of a subcontractor (see points 27 and 28). These data were discussed in the
report during the analysis of the grievance mentioned "financial package" which is found under the
title A "Management".
48. For the Contentious Chamber, there is no doubt that the processing of data
the director's salary as well as his position as manager of a subcontractor are
information that it is necessary to examine during an audit relating, among other things, to the
management and financial arrangement of an institution. Therefore, the treatment of these
data is necessary for the exercise of public authority of the defendant who
consists of dealing with complaints received against the non-profit organization.
49. The second treatment subject to the examination of the contentious division consists of
sending the audit report to various parties, including union representatives from
the non-profit organization, who were among the people who lodged a complaint with the
defendant, as well as the social conciliator. This is the treatment that is
mainly contested by the complainant in the present case. The complainant
considers that this processing was in no way necessary for the mission of the
defendant.
50. The defendant considers that this dispatch was entirely justified in view of
the specific circumstances of the non-profit organization and the ongoing labor dispute. The transfer of
report to union representatives and to the conciliator was intended to promote
consultation and find a solution to the dispute (see point 17).
51. For this processing also, the Litigation Chamber must examine whether it was
necessary for the exercise of the public authority of the defendant. The criterion of
"Necessity" as already specified (see point 41 et seq.) Restricts the margin
assessment of the controller, since he does not authorize him to carry out
treatments that would only be useful or desirable.
52. It appears from the conclusions of the defendant that the purpose of this processing was to
allow the use of the report during the social conciliation meeting so that
the latter can objectify the situation. The aim was therefore to promote the resolution of the
ongoing social conflict. Beslissing on the merits 72/2021 - 15/21
53. The Respondent justifies the treatment in question by the exceptional situation in
which was the non-profit organization, due to an unusually long social conflict. The
Litigation Chamber notes that the extent of the social conflict is underlined in the
conclusions of the audit report. It also appears from the conclusions of the
defendant, that "the analysis and conclusions that the agency would bring to the complaint
filed by union organizations in a common front, became essential
since they would give a neutral look at the alleged facts "and that" the
conclusions of the agency were eagerly awaited in order to conduct a final
attempt at conciliation ”. The purpose of this precise processing was therefore to facilitate the
social conciliation in progress.
54. It is also clear from the defendant's explanations that this treatment does not
did not correspond to an ordinary exercise of his public authority, since this
stresses that "the case of the complainant's institution is quite specific and
fortunately exceptional ”.
55. The Litigation Chamber recalls that the legal basis for the exercise of authority
of the defendant limits it to the reception and processing of complaints.
It does not appear from this legal basis that support for social conciliation or
social conflict resolution is part of the exercise of public authority
defendant. It follows that the processing at issue, consisting in transferring the
audit report to union representatives and the social conciliator, cannot be
considered necessary for the exercise of the public authority of the defendant.
56. Even if the respondent justifies the treatment by its willingness to support the process
of social conciliation in progress, the Litigation Chamber notes all the same that the
legal basis provides that the defendant "informs the complainant, the management, the
manager of the service and the authorities responsible for the placement and / or
financing, of the follow-up reserved for this complaint ”, which could have been used by the
defendant to justify sending the audit report to union representatives
in particular, since they were also complainants. However, it is necessary to
note that according to the defendant's own conclusions, "the reports
of analysis are never communicated to the complainants ". So it seems that this
provision only obliges the defendant to inform certain categories of
persons "of the follow-up to the complaint" and in no way bind the defendant
atransfer the report in question. It follows that the treatment in question cannot
no longer be justified by this information obligation provided for in the legal basis and
that it is therefore not necessary for the exercise of public authority by the Respondent. Beslissing on the merits 72/2021 - 16/21
57. On the basis of the above elements, the Contentious Chamber considers that the
defendant cannot rely on Article 6.1.e) as the legal basis for the
processing consisting of sending the report to different recipients, since it
was not necessary for the exercise of public authority.
58. The defendant has also indicated that it relies on Article 6.1.d) as a basis for
lawfulness of the processing, which would imply that the processing is necessary for the
safeguarding the vital interests of the data subject or of another person
physical. The Contentious Chamber recalls in this regard that this basis of lawfulness is
refer to the treatments that are clearly and directly necessary to preserve
12
the health of an affected person. Treatment intended to help
resolution of a labor dispute cannot therefore rely on this basis of
lawfulness.
Additional remarks concerning the transmission of the report
59. If the defendant considered that its intervention in the conciliation was absolutely
indispensable, it would have been quite open to him to transmit to the unions and the
social conciliator a version of the report redacted from the personal data
personnel, or the simple observation that the salary level "is somewhat
13
higher than the maximum scale of scale 29 (director> 60) of the C.P. […] ". Asset
at the very least, the defendant could have ensured that the principle of minimization of
data (article 5.1.c) of the GDPR) when submitting the report. A track of this
type was moreover mentioned by the defendant itself in its conclusions,
since it indicates, for example, that it would have been "wiser not to mention
precisely the amount of the salary ”.
4) As regards the further processing of the complainant's personal data by the union
60. In its request for information of May 15, 2019, as well as in letters
subsequent reports, the complainant indicates that the union members to whom the report
12 "Article 29" working group on data protection, "Opinion 06/2014 on the concept of legitimate interest pursued by
the data controller within the meaning of Article 7 of Directive 95/46 / EC ", adopted on April 9, 2014, p. 20.
13 Audit report of April 3, 2019 p. 5. Beslissing on the merits 72/2021 - 17/21
have been sent have sent this same document to colleagues who have
finally sent to the staff of the non-profit organization. The complainant believes that this caused him
"An extremely complex situation" during the joint committee that took place
shortly after the report was sent. The complainant also indicates that he suffered
damage resulting from this further processing of these data (see point 20).
61. The defendant maintains in its submissions that it cannot control nor a fortiori
be responsible for the actions of unions and not condone them. It
draws attention to the disclaimer in the email (see point
19). In its pleadings in reply, it considers that the complainant does not demonstrate
in no way its damage, nor their possible link with the transmission of the report.
62. On the basis of the elements described above, the Contentious Chamber arrives at several
conclusions. First of all, she finds that the complainant provides no proof of
this further processing by the unions. Indeed, he repeatedly indicates that
the unions would have forwarded the report to their colleagues, who would in turn have
transferred (see point 1). This account, however, is not supported by any element of the
file, apart from the complainant's statements.
63. Moreover, even if this subsequent processing is proved, the Chamber
litigation notes that the complainant does not bind it to any specific violation of the
GDPR. However, the contentious chamber considers, at first glance and in the absence
contrary elements brought by the complainant, which the defendant does not seem
be able to be considered as responsible for the subsequent processing carried out by one
or more of the report recipients.
64. Indeed, the Court of Justice has confirmed that for the identification of the responsible
treatment, there was a need for a factual assessment of the natural person (s) or
of the legal person (s) which determine "the purpose" and "the means" of the
treatment, the concept being defined broadly with a view to protecting
persons concerned . The Court also held that a natural person
which, for reasons relating to it, exerts an influence on the processing of
personal data and thus participate in determining the purpose and
means of this processing can be considered as a controller
15
treatment. In this case, these are well the union delegates who received the report
14
CJEU judgment of May 13, 2014, Google Spain and Google, C-131/12, ECLI: EU: C: 2014: 317, para. 34; CJEU judgment of June 5, 2018,
Wirtschaftsakademie Schleswig-Holstein, C-210/16, ECLI: EU: C: 2018: 388, para. 28.
15 CJEU judgment of 10 July 2018, Jehovan todistajat, C-25/17, ECLI: EU: C: 2018: 551, para. 65 Beslissing on the merits 72/2021 - 18/21
audit reports that would have passed it on to other colleagues. They themselves have
determined the purposes and means of this new processing. So they would be
who have become data controllers within the meaning of Article 4.7) of the GDPR.
65. The contentious chamber cannot therefore examine possible infringements in the
head of the defendant with regard to this additional treatment.
additional elements. First, if the email sending the audit report contains
indeed a confidentiality clause specifically providing for this prohibition of
transfer to third parties, this in no way frees the data controller from a
possible liability. Then, respect for the principle of minimizing
data (see paragraph 59) could have limited the risks relating to the data
personal data of the complainant.
5) Regarding the response to the exercise of the right of access by the complainant
66. According to article 15.1 of the GDPR, the data subject has the right to obtain
controller confirmation that the personal data
concerning are or are not processed. When this is the case, the person concerned
has the right to obtain access to such personal data as well as to a series
information listed in Article 15.1 a) -h) such as the purpose of processing its
data, the possible recipients of their data as well as information
relating to the existence of their rights, including the right to request rectification or
the erasure of his data or even that of filing a complaint with the DPA.
67. The Contentious Chamber recalls, as it had already established in its decision
15/2021, that the right of access is one of the essential requirements of the right to
data protection, since it constitutes the "front door" which allows the exercise
other rights that the GDPR confers on the data subject.
68. Although not expressly listed in Article 15.1, the basis for legality
undeniably constitutes information that the data subject can request
on the part of the controller, being specifically included in Article 13.1.c)
as information to be provided to the data subject at the time of collection of
its data.
16 Decision on the merits 15/2021 of 9 February 2021 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-
au-fond-n-15-2021.pdf). Beslissing on the merits 72/2021 - 19/21
17
69. As it has already explained in its decision 41/2020, the Chamber
litigation recalls that Article 12 of the GDPR relating to the methods of exercising
their rights by the data subjects provides in particular that the
controller must facilitate the exercise of their rights by the person
concerned (Article 12.2 of the GDPR) and provide them with information on the measures taken
following his request as soon as possible and at the latest within a
months from the request (article 12.3 of the GDPR). According to this same article, the time
can be extended for an additional month, at the request of the data controller.
70. Although he did not mention it in his conclusions, the complainant criticized
on several occasions to the defendant the late nature of its response to its request
access, exercised on the basis of Article 15.1 of the GDPR (see point 12). It appears coins
of the file that the respondent's response was sent more than two months after the
request (see points 10 and 11).
71. In the present case, the defendant did not make use of this possibility
to extend the response time. In its submissions the defendant acknowledged that it
did not meet this deadline, as she indicated that she "cannot question
the complainant's claim as to the late deadline in which the response was
communicated ", even if it underlines that a response was ultimately provided.
On the basis of these elements, the Litigation Chamber finds a violation of Article 15.1 of
GDPR attached to articles 12.3 and 13.1c).
6) Regarding corrective measures and sanctions
72. Under Article 100 LCA, the Litigation Chamber has the power to:
1 ° dismiss the complaint;
2 ° order the dismissal;
3 ° pronounce a suspension of the pronouncement;
4 ° propose a transaction;
5 ° issue warnings or reprimands;
6 ° order compliance with the requests of the person concerned to exercise these rights;
7 ° order that the person concerned be informed of the security problem;
17 Decision on the merits 41/2020 of 29 July 2020 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-
au-fond-n-41-2020.pdf), §16. Beslissing on the merits 72/2021 - 20/21
8 ° order the freezing, limitation or temporary or definitive prohibition of processing;
9 ° order that the processing be brought into conformity;
10 ° order the rectification, restriction or erasure of data and the notification of
these to the data recipients;
11 ° order the withdrawal of accreditation of certification bodies;
12 ° give periodic penalty payments;
13 ° issue administrative fines;
14 ° order the suspension of transborder data flows to another State or a
international body;
15 ° transmit the file to the public prosecutor's office in Brussels, who informs them of
follow-up given to the case;
16 ° decide on a case-by-case basis to publish its decisions on the website of the Authority
Data protection.
73. The Litigation Chamber emphasizes that under Article 221.2 ° of the Law of 30 July
2018 on the protection of individuals with regard to the processing of
personal data, it cannot impose a fine on the defendant,
since it is a public authority within the meaning of Article 5.1 ° of the same law.
74. The Contentious Chamber found that the defendant had violated Article 15.1 of
GDPR attached to articles 12.3 and 13.1.c) by not responding to the access request of the
complainant within the legal time limit. This point has also been explicitly recognized by the
defendant.
75. The Chamber also found that the Respondent had violated Article 6.1.e) of
GDPR by processing data, consisting of sending the report
audit to union representatives and the social conciliator, while the latter
was not necessary for the exercise of public authority.
76. In conclusion of the above, and in view of all the circumstances of the case, the
Contentious Chamber considers that the reprimand (that is, the appeal to the order referred to in article
58.2.b) of the GDPR) is in this case the effective, proportionate and dissuasive sanction
18
which is binding on the defendant.
77. It recalls that in its capacity as controller, the defendant is required
respect the principles of data protection and must be able to
18As it has already had the opportunity to specify in several decisions, the Contentious Chamber recalls here that
the warning sanctions a breach that is likely to occur: see. Article 58.2.a) of the PDR in this regard. Beslissing on the merits 72/2021 - 21/21
demonstrate that these are respected. It must also implement all
the measures necessary for this purpose (principle of liability - Articles 5.2. and 24 of
GDPR). The contentious chamber therefore invites the defendant to ensure that the
process put in place to process requests for the exercise of rights under the
GDPR ensure a response within the legally stipulated deadlines.
7) Publication of the decision
78. In view of the importance of transparency with regard to the process
decision-making and decisions of the Litigation Chamber, this decision will be published
on the website of the Data Protection Authority by deleting
direct identification data of the parties and persons named, that they
be physical or legal.
FOR THESE REASONS,
THE LITIGATION CHAMBER
- Issue a reprimand against the defendant on the basis of article 100.1, 5 °
LCA, for violation of Article 15.1 of the GDPR attached to Articles 12.3 and 13.1.c) and for
violation of Article 6.1.e) of the GDPR.
- Discard the complaint for other aspects without further action on the basis of Article 100.1, 1 ° LCA.
Under Article 108 § 1 LCA, this decision may be appealed against to the Court of
contracts (Brussels Court of Appeal) within 30 days of notification, with
the Data Protection Authority as respondent.
(Sé). Hielke hijmans
President of the Litigation Chamber
19 Decision on the merits 41/2020 of 29 July 2020 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-
au-fond-n-41-2020.pdf), §16.
