IDPC (Malta) - CDP/COMP/577/2023: Difference between revisions
Saineybelle (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Malta |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoMT.jpg |DPA_Abbrevation=IDPC |DPA_With_Country=IDPC (Malta) |Case_Number_Name=CDP/COMP/577/2023 |ECLI= |Original_Source_Name_1=IDPC |Original_Source_Link_1=https://idpc.org.mt/wp-content/uploads/2023/10/CDP_COMP_577_2023.pdf |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Orig...") |
No edit summary |
||
Line 61: | Line 61: | ||
}} | }} | ||
The Maltese DPA rejected a complaint due to | The Maltese DPA rejected a complaint due to a lack of concrete evidence of an infringement of data protection rights | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject lodged a complaint with the Commissioner, alleging that his employer ( | The data subject lodged a complaint with the Commissioner, alleging that his employer ( the controller) accessed his work email account and failed to provide him with the option to delete all personal documents in his work email account after terminating his employment. | ||
The controller sought to argue that, although the data subject was not permitted to use his work email for his own private purposes, access was granted after the termination of his employment to the work email account in order to delete all personal data present. The work email was later wiped, and confirmed | The controller sought to argue that, although the data subject was not permitted to use his work email for his own private purposes, access was granted after the termination of his employment to the work email account in order to delete all personal data present. The work email was later wiped, and this was confirmed by the data subject a few months after. | ||
Nevertheless, the data subject was of the opinion that | Nevertheless, the data subject was of the opinion that the controller had already snooped into his mailbox. | ||
=== Holding === | === Holding === |
Revision as of 08:38, 7 November 2023
IDPC - CDP/COMP/577/2023 | |
---|---|
Authority: | IDPC (Malta) |
Jurisdiction: | Malta |
Relevant Law: | Article 4(1) GDPR Article 77 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | CDP/COMP/577/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | IDPC (in EN) |
Initial Contributor: | Sainey Belle |
The Maltese DPA rejected a complaint due to a lack of concrete evidence of an infringement of data protection rights
English Summary
Facts
The data subject lodged a complaint with the Commissioner, alleging that his employer ( the controller) accessed his work email account and failed to provide him with the option to delete all personal documents in his work email account after terminating his employment.
The controller sought to argue that, although the data subject was not permitted to use his work email for his own private purposes, access was granted after the termination of his employment to the work email account in order to delete all personal data present. The work email was later wiped, and this was confirmed by the data subject a few months after.
Nevertheless, the data subject was of the opinion that the controller had already snooped into his mailbox.
Holding
The Commissioner held that the work email account contained the data subjects personal data, as defined in Article 4(1) GDPR, as it contained their name and surname. Consequently, when the controller processes personal data, such processing operation must comply with the appropriate legal criteria and principles established under the Regulation.
In addition, following a termination of an employment relationship, the controller shall provide the data subject the opportunity to keep a copy of any personal emails stored in the mailbox and delete them accordingly.
The data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. In accordance with Article 77 GDPR, data subjects are entitled to lodge a complaint with a supervisory authority if they consider that a particular processing relating to them infringes the GDPR. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint. Other than the webmaster hosting the email accounts, it cannot be proved that any other person accessed his email accounts.
On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.