APD/GBA (Belgium) - 28/2024: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=28/2024 |ECLI= |Original_Source_Name_1=GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-28-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Sou...") |
m (→Facts) |
||
| Line 66: | Line 66: | ||
The data subject was an employee of a school and was absent for long periods of time in 2021-2022 for medical reasons. The data subject returned to work since April 2022. | The data subject was an employee of a school and was absent for long periods of time in 2021-2022 for medical reasons. The data subject returned to work since April 2022. | ||
On 12 May 2023, the data subject filed a complaint with the Belgian DPA (“APD”) regarding two people: the complaint | On 12 May 2023, the data subject filed a complaint with the Belgian DPA (“APD”) regarding two people: the complaint concerned, on the one hand, the theft of the data subject’s personnel file with the intention of copying and disseminating such data, and on the other hand, suspicions of failure to safeguard the confidentiality and integrity of the complainant’s personnel file. | ||
Regarding the alleged theft of personal data, it relied on the fact that a colleague of the data subject stated in writing that one of the defendants told the colleague that she was going to take the data subject’s file to go through it again and take any copies. | Regarding the alleged theft of personal data, it relied on the fact that a colleague of the data subject stated in writing that one of the defendants told the colleague that she was going to take the data subject’s file to go through it again and take any copies. | ||
Latest revision as of 10:29, 13 March 2024
| APD/GBA - 28/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | 12.05.2023 |
| Decided: | 07.02.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 28/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | GBA (in NL) |
| Initial Contributor: | nzm |
The DPA dismissed a complaint regarding the potential theft of medical documents as well as suspicions relating to the failure to safeguard confidentiality and integrity due to the lack of evidence provided by the data subject.
English Summary
Facts
The data subject was an employee of a school and was absent for long periods of time in 2021-2022 for medical reasons. The data subject returned to work since April 2022.
On 12 May 2023, the data subject filed a complaint with the Belgian DPA (“APD”) regarding two people: the complaint concerned, on the one hand, the theft of the data subject’s personnel file with the intention of copying and disseminating such data, and on the other hand, suspicions of failure to safeguard the confidentiality and integrity of the complainant’s personnel file.
Regarding the alleged theft of personal data, it relied on the fact that a colleague of the data subject stated in writing that one of the defendants told the colleague that she was going to take the data subject’s file to go through it again and take any copies.
Regarding the failure to safeguard the confidentiality and integrity of the personnel file, it relied on the fact that in October 2022, the data subject asked for access to her file in general terms, without specifying what she was looking for. In November 2022, she clarified that she was looking for “personal reports made by her directors over the years, medical info…”. She then added that she was also looking for “medical reports as well as correspondence regarding employment” from 2020-2022. In March 2023, the data subject clarified that medical information regarding her medical absence, documentation and communication regarding her return to work and evaluation reports from 2020 were missing from the personnel file.
Holding
Concerning the failure to safeguard the confidentiality and integrity of the data subject’s file, firstly, the APD proceeded with a policy dismissal as they found that the data subject did not provide evidence which allowed the DPA to decide whether or not there has been a breach of the GDPR under Article 32 GDPR. Secondly, the APD held that regarding each document, the data subject did not provide evidence that the controller was in possession of these documents. Therefore, the APD considered that the possible absence of documents from the data subject’s personnel file does not have a significant impact, as she did not demonstrate that she suffered any negative consequences after returning to the school.
Concerning the suspicions of unlawful appropriation of the data from the data subject’s personnel file, the APD proceeded to a technical dismissal as the data subject did not provide sufficient evidence to the existence of the GDPR. The only piece of evidence brought was a summary witness statement of an alleged conversation between a colleague and the controller. Since there was only talk of “taking” the file and “possibly” taking copies, the APD considered that there was no evidence that the file was effectively taken or stolen.
Therefore, the APD dismissed the complaint.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/9
Dispute Chamber
Decision 28/2024 of February 7, 2024
File number: DOS-2023-01969
Subject: complaint about the absence due to theft of medical and other documents in one
personnel file
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainant: X, hereinafter “the complainant”;
Defendant 1: Y1, hereinafter “defendant 1”;
Defendant 2: Y2, hereinafter “defendant 2”. Decision 28/2024 — 2/9
I. Facts and procedure
1. The complainant is an employee of an urban education school. At the moment of
the alleged facts, Defendant 1 was the supervisor of the complainant. Defendant 2 was the one
alleged controller of the data of the staff of
the school. The complainant was absent for a long period of time in 2021-2022 for medical reasons. The complainer
was back to work in the school since April 2022.
2. The subject of the complaint against defendant 1 concerns suspicions of the self
unlawful appropriation of data from the complainant's personnel file with the
intention to copy and distribute this data. This concerns, among other things
special data within the meaning of Article 9 GDPR, in this case medical data. In the complaint
there is also talk of theft and criminally prosecuted offences.
3. Since the complainant relies on the alleged incompleteness of her file for his
To substantiate a complaint against defendant 1, the Disputes Chamber will deduce a complaint against it
defendant 2, the controller of the file in question. Theobjectof
the complaint against defendant 2 concerns suspicions of failure to guarantee the
confidentiality and integrity of the complainant's personnel file.
4. On October 5, 2022, a colleague of the complainant stated in writing that “the person [the
Defendant1 told me in July 2021 that she was going to take [defendant's] file with her
to go through it again and take any copies to cover themselves.”
5. On October 20, 2022, the complainant requested access to her personnel file through a counselor
with her current manager.
6. On October 21, 2022, the current manager referred the complainant to the
personnel department of the school group, as there was no file on the complainant
the school.
7. On October 26, 2022, the complainant requested to exercise her right of access to the
school group. On November 7, 2022, the school group confirmed receipt of it
requests, she asked for a specification of the documents for which access was requested
given that a personnel file is very extensive.
8. On November 17, 2022, the complainant clarified her question. She was, in her own words
referred from the school group to the respondent 2 as the file manager
of the complainant only had “reports with various appointments of the client, her
leave system …” The complainant clarified that she was more precisely looking for “personal
reports drawn up by its directors over the years, medical information…”
9. On November 22, 2022, the defendant 2 invited the plaintiff to make an appointment to
to view an additional number of documents that were already in the central archive. Decision 28/2024 — 3/9
10. On November 29, 2022, the complainant noted at the offices of defendant 2 that the
last report dated from 2020 and that the last two years were missing, “[…] this while there
There can be no discussion about the existence of documents from the period 2020-2022 (medical
reports as well as correspondence regarding the employment of [the complainant]). The complainer
asked who she should contact to obtain the documents from this period
to look.
11. On December 19, 2022, Respondent 2 acknowledged receipt of the query.
12. On January 13, 2023, defendant 2 communicated that she was discussing additional documents and also
recent documents and that the complainant could come and inspect them again.
13. On March 6, 2023, the complainant contacted defendant 1 through her counsel with the
finding that in her personal file “[…] – in addition to personal reports
by the management, - important medical documents from the period 2020-2021 were missing.” The
The complainant reminded the respondent 1 of her responsibilities: “As [respondent 1] it was yours
task to handle this personal and extremely sensitive information with care
and “As a custodian, it was your obligation not to dispose of these documents
operate, without express or tacit agreement from the client (art. 1930 Old Civil Code).”
In addition, the complainant pointed out that she had heard from a colleague that “you have the file
of the client in order to make the necessary copies.” The complainer
accused the defendant 1 of theft and serious violation of the privacy of the
complainant.
14. The complainant demanded from the defendant 1 to provide the “complete personal file – together with all
any copies” to be returned to the complainant. Failing this, the complainant would
submit a criminal complaint to the investigating judge and the GBA without further notice
notify. The complainant would also not fail to inform the current employer of the
to inform defendant 1 of these facts. In addition, the defendant demanded a moral one
damages of €2,500 “for the violation of her privacy as well as the insecure
situation she finds herself in as a result. That such precarious, delicate information about her
health were simply copied and could be or be shared with anyone
is very painful for the client.”
15. The complainant therefore served notice of default on defendant 1 “to resolve the matter by no later than March 15, 2023
to return the client's personal file to us as well as the moral one
to pay compensation of €2,500 to our third party account […].”
16. On March 7, 2023, defendant 1 replied to the letter dated March 6, 2023 from the
complainant. She stated that no official documents were copied or distributed from it
the complainant's personnel file and that the complete file is available for inspection by the defendant
2. Decision 28/2024 – 4/9
17. On April 28, 2023, the complainant submitted an (inadmissible) complaint to the GBA. The complaint
concerns, on the one hand, the alleged theft of personal data and a violation of the
privacy of the plaintiff by the defendant 1. On the other hand, certain documents are missing
from the complainant's file kept by the defendant 2.
18. The complainant stated that the management of the complainant's file was inadequate and the following
documents were missing from the file:
• “all medical records regarding her illness;
• certificates of disability;
• all documentation following her return to work;
• all correspondence between Ms [the complainant]'s lawyers and [the school];
• evaluation interviews.”
19. The complainant also stated that there had been problems between her and the
Defendant 1. This one showed “not to be too careful with the personal, delicate
[the complainant's] data.” The complainant also refers to the
witness statement dated October 5, 2022. The complainant concludes: “Given her position as
[manager] it was up to [defendant 1] to be caring with the personal and extremely
sensitive information to handle. Since [defendant 1] is guilty of
we would therefore politely request you to report theft and violation of [the complainant's] privacy
investigate this complaint and take appropriate action.”
20. On May 9, 2023, the First Line Service contacted the complainant to inform him that the
complaint was not signed. In addition, the First Line Service invited the complainant to
additional supporting documents to be added to the file as it
lack of sufficient evidence may lead to the dismissal of the complaint in line with it
dismissal policy of the Disputes Chamber.
21. On May 12, 2023, the complainant submits an (admissible) complaint to the
Data Protection Authority against the defendant.
22. On May 16, 2023, the complaint is declared admissible by the First Line Service on the grounds
of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
transferred to the Disputes Chamber.
23. On September 28, 2023, the complainant inquired about the progress of her complaint.
II. Justification
24. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis
of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG Decision 28/2024 - 5/9
assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case
the Disputes Chamber will dismiss the complaint in accordance with Article 95,
§ 1, 3° WOG, based on the following justification.
25. If a complaint is dismissed, the Disputes Chamber will make its decision
to motivate gradually and:
- to issue a technical dismissal if the file does not exist or is insufficient
contains elements that could lead to a conviction, or if there is insufficient
there is a prospect of a conviction due to a technical obstacle,
which prevents her from reaching a decision;
- or declare a policy rejection, if despite the presence of elements
that could lead to a sanction, the continuation of the investigation
dossier does not seem appropriate in the light of the priorities of the
Data Protection Authority, as specified and explained in the
dismissal policy of the Disputes Chamber. 2
26. In the event of dismissal on more than one ground, the grounds for dismissal (resp.
technical dismissal and policy dismissal) should be treated in order of importance. 3
Complaint against defendant 2
27. The complaint against defendant 2 concerns suspicions of failure to guarantee the
confidentiality and integrity of the complainant's personnel file. Although the
the complainant does not mention any complaint against the defendant in the complaint form
2, the complainant specifically states in his letter attached to the complaint that there would be documents
are missing from the file of the controller, in this case defendant 2:
• “all medical records regarding her illness;
• certificates of disability;
• all documentation following her return to work;
• all correspondence between Ms [the complainant]'s lawyers and [the school];
• evaluation interviews.”
28. With regard to the complaint against defendant 2, the Disputes Chamber considers this undesirable
further action and decides to proceed with a policy dismissal. The complaint against
1Court of Appeal Brussels, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020,
p. 18.
2
In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf
3 Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the
dismissal policy of the Disputes Chamber. Decision 28/2024 – 6/9
defendant 2 is not supported by evidence that the Litigation Chamber would be able to
to decide whether or not there is a violation of the GDPR complaint
has no major personal impact.
29. On October 20 and October 26, 2022, the complainant requests access to general
terms without specifying what she is looking for. On November 17, 2022, the
complainant that she is looking for “personal reports made by her directors about
over the years, medical information…”.On November 29, 2022, the complainer once again clarified her
request access and is then looking for “medical reports as well as correspondence regarding
employment” for the period 2020-2022. On March 6, 2023, the complainant clarified
her communication to defendant 1 which, according to her, is missing from her file: “besides
personal reports drawn up by the management, - important medical documents from
period 2020-2021”.
30. The Disputes Chamber concludes from this that the following documents are missing from the
personnel file:
• Medical information (medical reports, disability certificates)
regarding the complainant's medical absence
• Documentation and communication regarding the complainant's return to work
and regarding the complainant's complaint regarding the incomplete personnel file
• Evaluation reports from 2020
31. Regarding medical information, Education Flanders collaborates with MEDEX, a
service of the FPS Public Health. This procedure exists for a sick employee
medical data is only shared with the MEDEX doctors and not with the employer itself
given the sensitivity of such information and given the medical confidentiality. The
Absence of such information in the personnel file testifies to good management
the school. The complainant does not provide any evidence that defendant 2 is in possession of these
documents and therefore cannot prove that this information has disappeared or
Scattered.
32. With regard to documentation and communication, it is not common practice that such
documents are kept in a personnel file, which is mainly composed of
decisions and evidence of decisions. The complainant does not demonstrate that this
documentation and communication was of such a nature that it would be included in the personnel file
must have been preserved. In addition, the complainant does not provide any evidence that the management
4Cf. criterion B.5. in the dismissal policy of the Disputes Chamber.
5https://onderwijs.vlaanderen.be/nl/onderwijspersoneel/van-basis-tot- Adultenonderwijs/je-loopbaan/Zieken-en-
accident/sick leave/disposition due to illness, consulted on 02/02/2024. Decision 28/2024 — 7/9
such communications and documents would have been problematic in view of
defendant 2.
33. Regarding the evaluation reports, the current manager declares on October 21, 2022
that there is no file of the complainant in the school, but he also states that there is
no 'incidental reports' have been made regarding the complainant since his appointment on 1
September 2021. Following the inspection of November 29, 2022, the complainant states
that only pieces from the period 2020-2022 were missing, which the complainant did not report
makes of the lack of incidental reports or evaluation reports of the period
for 2020. This shows that only incidental pieces would be missing from 2020 to the
start of her absence in spring 2021. The complainant provides no evidence that during that period
incidental reports or evaluations would have been drawn up.
34. The Disputes Chamber is of the opinion that any missing documents from the
the complainant's personnel file does not have a major personal impact, since the complainant
in no way makes it plausible that she has suffered negative consequences after
the return to school. The Disputes Chamber assumes that the medical
the complainant's details have been correctly handled by the defendant 2 and are therefore not included in it
Defendant's personnel file is 2. The complainant does not provide any evidence of it
on the contrary.
35. On May 9, 2023, the First Line Service asked the complainant to provide additional evidence
in the absence of which the complaint may not be dealt with on the merits
become. The complainant did not respond to this question.
Complaint regarding defendant 1:
36. The complaint against defendant 1 concerns suspicions of unlawful
appropriation of data from the complainant's personnel file with the intention of this
copy and distribute data. This includes special data
the meaning of Article 9 GDPR, in this case medical data.
37. With regard to the complaint against defendant 1, the Disputes Chamber considers it undesirable to continue
to follow up on the file and decides to proceed with a technical dismissal
because the complaint against defendant 1 has not been sufficiently substantiated with evidence for its existence
of a breach of the GDPR or data protection laws and it clearly is not
possible to obtain such proof. The Disputes Chamber is therefore not required to follow up
to determine whether it is appropriate to continue the investigation of the file and, if necessary,
to proceed with, inter alia, a treatment on the merits.
6Cf. criterion A.1 in the dismissal policy of the Disputes Chamber. Decision 28/2024 — 8/9
38. The complaint against defendant 1 is not supported by evidence that the Litigation Chamber
would be able to decide whether or not there has been an infringement of the GDPR.
The complainant provides as the only piece of evidence a summary witness statement from one
alleged conversation between a colleague and defendant 1. Based on this
witness statement, which only states that “the person [the defendant 1] July 2021 to me
said that she was going to take [the complainant's] file with her to go through it again and
to take any copies to cover itself,” is impossible for the Disputes Chamber
evidence of the alleged infringement. There is only talk of “taking” it
file and “possibly” take copies. So there is no beginning of evidence that the
defendant 1 has actually taken the file or documents from the file 'home'
or, as the complainant claims, has 'stolen'. There is, moreover, no beginning of proof that the
defendant 1 has effectively “copied and with
can be or be shared with anyone,” as the complainant states in her letter to the defendant
1.
39. Moreover, it is clear that the Data Protection Authority finds it impossible to prove
will be able to obtain in this regard. Firstly, Respondent 1 had lawful access
the file, which means that any access control of the file would not be evidence
deliver. Secondly, it is a paper file given that it is
take and copy. The chance that there is a trace of taking one
paper file and copying it, is very small.
40. On May 9, 2023, the First Line Service asked the complainant to provide additional evidence
otherwise the complaint may not be dealt with on the merits
become. The complainant did not respond to this question.
III. Publication and communication of the decision
41. Considering the importance of transparency with regard to decision-making
Dispute Chamber, this decision will be published on the website of the
Data Protection Authority. On the other hand, it is not necessary that the
identification details of the parties are disclosed directly.
42. In accordance with its deposit policy, the Disputes Chamber will make the decision regarding the defendants
to transfer . After all, the Disputes Chamber has decided to dismiss its decisions
ex officio to the defendants. However, the Dispute Chamber decided not to do so
such notification where the complainant has requested anonymity
of the defendants and the notification of the decision to the defendants, even if
7
Cf. Title 5 – Will the dismissal of my complaint be published? Will the other party be informed of this?
of the dismissal policy of the Disputes Chamber. Decision 28/2024 – 9/9
it is pseudonymised, nevertheless makes it possible to contact the complainant
(re)identify . However, this is not the case in the present case.
FOR THESE REASONS ,
the Disputes Chamber of the Data Protection Authority decides, after deliberation,
to dismiss the present complaint on the basis of Article 95, § 1, 3° of the WOG.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notice, an appeal against this decision will be filed with the Market Court (court of
appeal Brussels), with the Data Protection Authority as defendant.
Such an appeal can be lodged by means of an inter partes petition
9
must contain statements listed in Article 1034ter of the Judicial Code. It
an objection petition must be submitted to the registry of the Market Court
10
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit
IT system of Justice (Article 32ter of the Judicial Code).
To enable the complainant to consider other possible remedies, the
Disputes Chamber will refer the complainant to the explanation in its dismissal policy.
The Disputes Chamber emphasizes that the closure of cases by the
Data Protection Authority may be taken into account for its future
determine priorities and/or may give rise to future investigations on its own initiative
by the Inspection Service of the Data Protection Authority.
(get). Hielke IJMANS
Chairman of the Disputes Chamber
8
Ibid.
9The petition states, under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
summoned;
4° the subject matter and brief summary of the grounds of the claim;
5° the judge before whom the claim is brought;
6° the signature of the applicant or his lawyer.
1The petition with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.
1Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.
