APD/GBA (Belgium) - 81/2024
Latest revision as of 16:09, 4 June 2024
APD/GBA - 81/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR; Article 6(1) GDPR; Article 25 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 24.05.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 81/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | APD/GBA (in NL) |
Initial Contributor: | nzm |
The DPA issued a warning against a school for mistakenly publishing a job rejection email on the school platform.
English Summary
Facts
In May 2023, the data subject applied for a job position in a school (‘controller’). The data subject was not selected for this position, but the refusal decision was published on Smartschool, a digital school platform. The decision was made visible to around 150 staff members.
Following this event, the school board issued a communication to the school staff indicating that this confidential information was regrettably made public, and they added that the general director did not participate in the assessment of the candidate, nor did they have an influence on it.
On 26 August 2023, the data subject received an email from the general director of the school who addressed him about his cover letter. From this, the data subject concluded that during the selection process, the selection committee passed his cover letter to the director, who was a third party.
On 24 October 2023, the data subject filed a complaint with the Belgian DPA (‘GBA’) regarding the transmission of his cover letter to a third party.
Holding
First, the GBA considered that the publication of the refusal decision on Smartschool allowed other staff members to access the refusal decision, resulting in an unauthorized exposure of personal data to third parties and a breach of confidentiality.
Second, the GBA held that given that the publication on Smartschool may have been an error, there was no intention to make the refusal decision widely known. However, the DPA considered that such an error may indicate the absence of technical and organizational measures.
Finally, the GBA suspected that internal and confidential documents, such as the data subject’s CV and cover letter, were forwarded to third parties who were not involved in the selection process. The GBA could not verify the exact involvement of the third party. However, the DPA noted that the general director did not participate in the assessment, which seemed to confirm the data subject’s allegations.
Therefore, the DPA issued a prima facie warning against the controller for (i) violating the principle of legality by publishing the refusal decision to the wrong recipients, which was not based on a legal basis under Article 6(1) GDPR, (ii) violating the principle of integrity and confidentiality under Article 5(1)(c) GDPR by sending the data subject’s personal data to wrong recipients, and (iii) not taking the necessary technical and organizational measures under Article 25 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dispute Chamber

Decision 81/2024 of May 24, 2024

File number: DOS-2023-04145

Subject: The occurrence of a data leak at Smartschool and it is unlawful forwarding a motivation letter/CV

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and to the revocation of Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;

In view of the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Has made the following decision regarding:

Complainant: X, hereinafter “the complainant”

The defendant: Y, hereinafter “the defendant”

I. Facts and procedure

1. The subject of the complaint concerns the publication of personal communications in connection with an application from the complainant via the Smart School system that the defendant (an educational institution) uses and forwards the complainant's motivation letter to third parties.

2. The complainant indicates that he has applied for a position with the defendant. The complainer was not retained for this position, but unfortunately saw the refusal decision be published on Smartschool, where it would have been visible to approximately 150 staff members. The school board then made an announcement on (...) stating: addressed to the employees of Y, which reads as follows:

“Notice to the staff of Y

On May 5, an internal selection committee, composed solely of three, made the decision mandated board members, based on the submitted CV with motivation and vision statement not to consider X's candidacy and therefore not to invite him for a selection interview. The assessment was made on substantive grounds, which depend on the candidate have been notified by email and by registered letter. There is understanding for the experienced disappointment, but it is regrettable that this is confidential to the candidate targeted communication apparently made public and caused a commotion. The board of Z wishes to state that the management did not participate in the assessment and there had no influence whatsoever. With respect for all involved, the board remains committed to the decisions made, it looks forward to the recruitment of a suitable candidate for the renewed vacancy for director Y.”

3. On August 26, 2023, the complainant will receive an email from the general manager of the educational institution, which speaks to him about the contents of the application letter sent by the complainant submitted at the time. The complainant concludes from this that during the candidacy process the selection committee has passed on its motivation letter to this third party. After all, this one is not a member of the selection committee.

4. On October 24, 2023, the complainant will submit a complaint to the Data Protection Authority against the defendant.

5. On October 24, 2023, the complaint will be declared admissible by the First Line Service [1] on the basis of articles 58 and 60 of the WOG and the complaint is filed on the basis of article 62, § 1 [2] of the WOG transferred to the Disputes Chamber.

6. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations order of the GBA, the parties can request a copy of the file. If one both parties wish to make use of the opportunity to consult and copying the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be.

II. Justification

7. As acknowledged by the defendant in the 'Notice to the staff of Y', confidential communications made public by mistake, indicating a possible “personal data breach”. Through the publication of the refusal decision at Smartschool, other employees of the complainant could gain access to the denial decision, which resulted in an unauthorized exposure of personal data to others and a breach of confidentiality.

8. Based on the facts presented, the Dispute Chamber concludes prima facie that the defendant does not have a valid legal basis according to Article 6.1 of the GDPR for the processing of the relevant data. Moreover, this processing probably has confidentiality and integrity were compromised because third parties gained access to the facts.

9. In this regard, the Disputes Chamber is of the opinion that, given the fact that the publication on Smartschool may have been a mistake, it was by no means the intention to do so to make the refusal decision generally known. This certainly follows from the nature of a decision mistake itself. However, such an error may indicate the absence of technical and organizational measures that reduce the risk of unlawful processing as a result of human error.

10. In addition, the Disputes Chamber suspects that internal, "confidential" documents (i.e. motivation letter and/or CV from the complainant) to third parties who were not involved in the selection process for the vacancy would have been forwarded. The complainant claims that this third party is not part of the selection committee. The exact involvement of this one third party in the process, however, cannot be verified at this time by the Dispute Chamber. The 'Notice to Y's staff' indicates that “the direct does not participated in the assessment”, which seems to confirm the complainant's claims and suggests that the general manager was indeed not part of the selection committee.

11. Based on this analysis, the Disputes Chamber concludes that the defendant may has infringed the GDPR. This justifies taking a decision on the basis of Article 95, §1, 4°, of the WOG, namely issuing a warning to the defendant.

12. Prima facie the Disputes Chamber can determine that there is insufficient care applied when processing the complainant's personal data. The Disputes Chamber states established that the following infringements have probably been committed:

a. The principle of legality was violated because the publication of the refusal decision from the complainant to the wrong recipients was not based on a legal basis under Article 6(1) of the GDPR;

b. The principle of integrity and confidentiality as set out in Article 5.1.f) of the GDPR was violated because the defendant by sending personal data of the complainant to wrong recipients confidentiality of that personal data has been compromised; and

c. From the sending of the complainant's personal data to a wrong person recipient seems to result from the fact that the defendant has not provided the necessary technical and has organizational measures in accordance with Article 25 of the GDPR taken to ensure and demonstrate that the processing has taken place took place in accordance with the GDPR.

13. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, [3] in the context of the “procedure prior to the decision on the merits” and none decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG. The Disputes Chamber has thus decided, on the basis of Article 58.2.a) GDPR and Article 95, § 1, 4°, of the WOG, to impose a warning on the defendant.

14. The purpose of this decision is to inform the defendant of the fact that this may have committed an infringement of the provisions of the GDPR and this in the to provide the opportunity to still comply with the aforementioned provisions, or to avoid such infringements in the future.

15. If the defendant does not agree with the content of this prima facie case decision and is of the opinion that it can put forward factual and/or legal arguments that could lead to a new decision, it can request a reconsideration submit to the Disputes Chamber in accordance with the procedure established in Articles 98 in conjunction 99 of the WOG, known as a “treatment on the merits”. This request must be sent to the email address litigationchamber@apd-gba.be within a period of 30 days after notification of this prima facie decision. If applicable, implementation will take place of this decision is suspended for the above-mentioned period.

16. In the event of a continuation of the merits of the case, the Disputes Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 of the invite WOG to submit their defenses and any documents they consider useful to be added to the file. If necessary, the present decision will become final suspended.

17. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures referred to in Article 100 of the WOG. [4]

18. In accordance with Article 57 of the WOG and taking into account the language in which the complaint was submitted Dutch is used as the procedural language.

III. Publication of the decision

19. Considering the importance of transparency with regard to decision-making Dispute Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary that the identification details of the parties are disclosed directly.

Footnotes

[1] In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible declared.

[2] In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to has been transferred to her as a result of this complaint.

[3] Section 3, Subsection 2 of the WOG (Articles 94 to 97).

[4] Article 100. § 1. The Disputes Chamber has the authority to: 1° to dismiss a complaint; 2° to order the dismissal of prosecution; 3° order the suspension of the ruling; 4° to propose a settlement; 5° formulate warnings and reprimands; 6° order compliance with the data subject's requests to exercise his rights; 7° to order that the person concerned is informed of the security problem; 8° order that processing be temporarily or permanently frozen, restricted or prohibited; 9° to order that the processing be brought into compliance; 10° the rectification, limitation or deletion of data and its notification to the recipients of the data recommend data; 11° order the withdrawal of the recognition of certification bodies; 12° to impose penalty payments; 13° to impose administrative fines; 14° the suspension of cross-border data flows to another State or an international institution command; 15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.