APD/GBA (Belgium) - 46/2022
APD/GBA (Belgium) - 46/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(f) GDPR Article 15 GDPR Article 17 GDPR Article 18 GDPR Article 21 GDPR Article 28 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 01.04.2022 |
Published: | 04.04.2022 |
Fine: | 7500 EUR |
Parties: | Company Former employee |
National Case Number/Name: | 46/2022 |
European Case Law Identifier: | n/a |
Appeal: | Admissible and partially founded Court of Appeal of Brussels (Belgium) 2022/AR/549 |
Original Language(s): | French |
Original Source: | APD (in FR) |
Initial Contributor: | kc |
The Belgian DPA issued a €7500 fine against a company for restoring data on a former employee's work laptop after termination and subsequently violating the data subject's rights to access, erasure, restriction and objection.
English Summary
Facts
The data subject is a former managing director of the controller. When the data subject was dismissed, he deleted the data on the work laptop before handing it in to the former employer. According to the data subject, he had only deleted the private data, such as his private e-mail inbox. The controller, however, stated that he had deleted all data. Therefore, the controller restored all data that had previously been on the laptop, including the data subject's personal data. After finding out about the restoration, the data subject tried to exercise his rights to information, deletion and restriction of processing as well as his right to object. However, his requests were not followed by the controller. The controller did not only process the data on its own but also used a processor.
Holding
The Belgian DPA fined the controller €7500 and ordered the controller to comply with the data subject's requests. Because of the numerous shortcomings of the controller, the DPA was of the opinion that such a sanction was necessary even though the controller argued that it was prepared to comply with the data subject's request after the proceedings.
First, it found a breach of Articles 5(1)(a) and 6(1)(f) GDPR due to the partial absence of a legal basis for processing. The processing failed to meet the balancing of interests necessary under Article 6(1)(f) GDPR. It explained that, in case of dismissal, the employer must delete the e-mail addresses when these constitute personal data, after having informed their holders and third parties of the e-mail closing date. This obligation is also intended to allow holders to sort and transfer any private messages to their personal mailbox. If part of the content must be retrieved to ensure the smooth running of the business (as argued by the controller in this case), this must be done before the dismissal and with his or her assistance.
Second, the DPA found a violation of Articles 15 (right to access), 17 (right to erasure), 18 (right to restriction of processing) and 21 (right to object) GDPR. By refusing to act on the data subject's requests, it had substantially violated his rights.
Third, the DPA held that Article 28 GDPR had been violated since the controller did not have a processing agreement with its processor.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/28 Litigation Chamber Decision on the merits 46/2022 of 1 April 2022r File number: DOS-2020-02892 Subject: Complaint by a former employee against his former employer for treatment of box email, and refusal to follow up on the request to exercise his rights The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke Hijmans, chairman, and Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this composition ; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the data protection), hereinafter GDPR; Having regard to the law of 3 December 2017 establishing the Data Protection Authority (hereinafter ACL); Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Having regard to the hearing of April 12, 2021; Having regard to the envisaged sanctions form sent to the defendant and its observations, made the following decision regarding: The plaintiff: Mr. X, represented by his counsel Mr. Dr. Jan-Henning Strunz, Matray, Matray & Hallet, s.c.r.l, rue des Fories, 2, 4020 Liège, hereinafter “the plaintiff” The defendant: Y, represented by his counsel, Maître Inger Verhelstet Wouter Van Loon, City Link Posthofbrug 12, 2600 Antwerp as well as Maître Florence Sine, lawyer, Boulevard du Souverain 280, 1160 Auderghem, hereinafter: "the defendant", Decision on the merits 46/2022 - 2/28 I. Facts and procedural history 1. The plaintiff practiced within the defendant, of which he was the sole shareholder during several years, the function of Managing Director from October 15, 2004 until May 29 2019. On this date, the plaintiff resold all of his shares to Z and ceased his administrator functions. Z then assigned all of its rights and obligations to the law company Luxembourgish W. 2. The plaintiff was then hired by the defendant as an employee, from May 29 2019. 3. On November 26, 2019 and December 14, 2019, the plaintiff and the shareholder company W exchange letters concerning breaches invoked by the two parties with regard to of the share transfer agreement. 4. On April 23, 2020, the plaintiff cited companies Z and W before the Court of First Instance francophone in Brussels, before which the dispute is pending. The complainant accuses the defendant to owe him an unpaid balance following the transfer of his shares, while the defendant is claiming compensation from him for the debts of the acquired company. The defendant argues that these breaches are due to the fact that the plaintiff allegedly concealed and truncated certain information when selling shares. The sums at stake are important, and are the subject of differences between the parties. The plaintiff disputes firmly the alleged breaches, and moreover also cited the defendant before the Turkish courts for defamation, unfair dismissal, and payment of damages (the defendant company is also implemented in Turkey). 5. The facts giving rise to the complaint to the DPA are as follows. On February 18, 2020, the complainant is dismissed by the defendant. Before handing over his computer equipment following his dismissal, the complainant erased the data on his laptop professional. He claims to have erased only his private data (private email boxes), while the defendant argues that he would have erased all of the mailboxes (both professional than private). The only evidence put forward in this regard consists of two testimonies of employees submitted by the defendant, claiming that all the mailboxes would have been erased. 6. The Complainant then became aware of the Respondent's intention to proceed with the recovery of data previously present on his laptop, and gives formal notice to the defendant, on February 26, 2020 to suspend all processing of its personal data staff, as long as the information under Article 14 of the GDPR is not provided to them. He also requests the exercise of his right to erasure, limitation of processing, and opposition., Decision on the merits 46/2022 - 3/28 7. On February 28, 2020, the defendant refused to respond to the plaintiff's requests, on the basis of the employment contract that bound them, as well as on the basis of article 6.1.f of the GDPR (legitimate interest) justifying in its view the processing of the complainant's personal data. 8. On March 4, 2020 the plaintiff challenges the legality of the processing by the defendant, in particular concerning his purely private data, as well as professional data prior to the 1st June 2019 (period not covered by the employee employment contract on which the defendant, contract dated June 01, 2019). send him his subcontracting contract with V (having proceeded to the recovery of the data previously present on the complainant's laptop). 9. On March 7, 2020, the defendant refused to suspend processing for character data personal (professional) of the complainant prior to June 01, 2019, by advancing his interest legitimate to the continuity of its activities, and in order to verify alleged shortcomings in its leader as a worker. 10. The defendant adds that although for the period prior to June 01, 2019 the complainant was not under an employee contract, he performed management functions and used the laptop in question. It deduces that for data prior to June 01, 2019, the legitimate interest does constitute a lawful basis for processing. 11. The defendant nevertheless also undertakes not to process the private mailboxes of the plaintiff, but only professional boxes. personal data found during the analysis of the professional mailboxes of the complainant, but refuses to erase them. 12. The defendant also refuses to produce the subcontract, on the grounds that the subcontractor would not have processed personal data by recovering the mailboxes. 13. On March 16, 2020 the Complainant informed the Respondent that it had no legitimate interest in processing his personal data prior to the last five years, and invites him to limit the period time for which she deals with her e-mails in the last five years (corresponding to the limitation of the liability of company directors). 14. He also requests the exercise of his right of access and copy to all emails processed by the defendant. 15. On April 7, 2020 the defendant refuses to limit the processing of the data to the last five years, on the basis of its legitimate interest in the processing. She adds that the demands erasure, opposition and limitation cannot be followed, likewise, on the basis of the exception of overriding legitimate reasons (legitimate interest of defense in justice, to ensure the 1Art 2:143 § 1 Code of Companies and Associations., Decision on the merits 46/2022 - 4/28 continuity of the company's services, and potential questioning of the responsibility professional and penal of the plaintiff). 16. It also accepts the applicant's request for access, but indicates that it cannot comply with it. comply within the legal deadline of one month, but three months (due to the complexity of the request and circumstances related to the health crisis). 17. On May 25, 2019 the plaintiff disputes the legitimate interest as put forward by the defendant as the basis for lawful processing, arguing that these interests are neither current nor precise, and that it did not carry out the balance of interests, nor take into account the imbalance between the complainant and herself in the context of their relationship as ex-employee to ex-employer. 18. He also accuses it of violating the principles of minimization, insofar as the data older than five years was not relevant for the purposes pursued. 19. He also criticizes him for having breached the principle of necessity, arguing that other measures less invasive would have enabled the defendant to have the necessary data in sparing its interests (a sorting of emails could for example have been operated by a third party in presence of the plaintiff, in order to deliver only the relevant emails to the defendant, instead of a complete restoration). 20. The complainant reiterates his requests for the suspension of the processing, as well as for the exercise of his rights to erasure, limitation, opposition (particularly for data dating back more than five years). 21. On June 5, the defendant replied to the plaintiff that it maintained its position as to his interest legitimate to the treatment, as well as concerning the absence of obligation to transmit the contract of subcontracting with V. She repeats that she will not process the private mailboxes of the complainant nor the emails found on his professional mailboxes from these email addresses (private). 22. On June 15, 2020, the defendant sent the plaintiff a letter containing a list of personal data it holds about him (exhibit 11 from the complainant). 23. On June 16, 2020 the plaintiff informed the defendant of his intention to file a complaint at the Data Protection Authority (APD below), which it does on June 17, 2020. 24. This decision is based on the articles invoked by the complainant. Regarding the grievance of lack of information raised by the applicant, although the latter repeats Article 14 in its conclusions,insofar asthecomplainant's datawascollected within the framework of his employment contract with the defendant and it appears that it is this article which was covered by the plaintiff in a clumsy wording, the Litigation Chamber considers that Article 13 GDPR applies., Decision on substance 46/2022 - 5/28 II. As to the reasons for the decision II.1. As to the lawfulness of the processing carried out by the controller 25. In its capacity as data controller, the defendant is required to respect the principles data protection and must be able to demonstrate that these are respected (principle of responsibility – article 5.2. of the GDPR) and to implement all the measures necessary for this purpose (Article 24 of the GDPR). 26. Pursuant to Article 5.1.a) of the GDPR, any processing of personal data, was it, totally or partially automated, must in particular be fair and lawful. To be lawful, any processing of personal data must in particular find a basis in GDPR Article 6. It is up to the controller to determine what is foundation. 27. In the present case, the recovery by V, subcontractor of the controller, of the data present on the computer equipment (laptop) provided by the plaintiff to the defendant as well as the analysis of the emails contained in the mailboxes recovered constitutes a processing of personal data subject to the application of the GDPR. Contrary to what the defendant, the recovery of the data by the subcontractor SA and the subsequent analysis of the emails retrieved correspond to processing within the meaning of article 4.2 of the GDPR. 2 28. These processing operations must therefore be based on one of the bases of lawfulness listed in Article 6 GDPR. 29. A distinction should be made from the outset between the processing (or recovery) of a box private email of an employee, and the processing of the professional mailbox. The principle is that An employee's work emails may be handled by their employer. Bedroom Contentitieuse understands, however, that during both private and professional use of a same mailbox by the employee being the holder, this distinction can be difficult to carry out. It should be noted that in principle, an employer cannot freely consult the emails privacy of its employees, even though it has prohibited the use of company tools for personal. This principle nevertheless suffers from exceptions, within a strict legal framework and 3 foreseeable, such as during pending legal proceedings. In the event of control by the employer, employees must also be informed in advance, as well as in particular of the purposes pursued, the basis for lawfulness of the control processing, the retention period data, the right of opposition for legitimate reasons, the right of access and rectification, or still have the possibility of lodging a complaint with the supervisory authority. 2Article 4.2 of the GDPR: “processing”: any operation or set of operations whether or not carried out using processes automated and applied to data or sets of personal data, such as the collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, the use, communication by transmission, dissemination or any other form of provision, bringing together or interconnection, limitation, erasure or destruction; 3 In accordance in particular with the Bărbulescu case law of the European Court of Human Rights, see points 50 to 53, Decision on the merits 46/2022 - 6/28 II.1.1. The arguments put forward by the defendant as to the basis for the lawfulness of the processing carried out 30. The defendant indicates that it is relying on Article 6.1.f) of the GDPR under which the data processing is lawful “if, and insofar as, it is necessary for the purposes of the interests legitimate interests pursued by the controller or by a third party, unless prevailing the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the data subject is a kid ". 31. The defendant explains that its legitimate interest in processing the data mentioned above is multiple: • ensure the continuity of business services • legal defense: the defendant (its sole shareholder W ) must be able to demonstrate in the litigation pending before the courts that the plaintiff did not not disclosed all the information available to it, and that it disclosed false information in the context of his professional activities (while he was employee of the controller) • potential questioning of the complainant's liability in his capacity as former director of the defendant company: according to the defendant, the plaintiff guilty of several serious breaches. She argues in this regard that "It is not therefore not impossible, even if it is naturally not the wish of Y, that the responsibility of Mr. X must be engaged for some of the acts he has committed as an administrator. (…) It is in this context of the legitimate interest of Y to have all the necessary information. 5 • potential filing of a complaint with civil action by the defendant against the plaintiff for breaches described as serious by the defendant: the defendant argues in this regard that “It is in the legitimate interest of the company to be able to file a complaint with civil action if it deems it necessary when the limitation period has not elapsed… Again, Y does not ask naturally not up to the Data Protection Authority to confirm the merits from his point of view, but it is necessary to be able to give Y the opportunity to file such a complaint, and if applicable, document it. MrXnecan, under covered by the protection of his personal data, to be freed from having to answer for his acts because all the data relating to the acts he has committed would have been deleted. It is in Y's legitimate interests to be able to continue to 4In 2019, Mr. X sold all of his shares representing the capital of Y to the German company Z. In 2019, it then resold the shares of Y to the Luxembourg company W, which is currently the shareholder of Y (see additional and summary submissions of the defendant p.2 and 4). 5additional conclusions and summary p14., Decision on the merits 46/2022 - 7/28 have this information as long as the limitation period has not expired. 6 due date." • Legitimate interest in documenting the reality in order to be able to counter the allegations of the plaintiff The Litigation Chamber understands the last four points as parts integral to the legal defense exception, as the legitimate interest on which the defendant. II.1.2. The arguments put forward by the plaintiff 32. The complainant, for his part, considers that there is no lawful basis for processing on the part of the defendant. He thus affirms with regard to the interests listed by the defendant the elements following: - ensure the continuity of the company's services: the defendant would only have need data for the current year, see the previous year, but not those of previous years. The defendant could not justify the retention of data prior to 01-01-2017, i.e. two accounting years, 7 insofar as the facts alleged by the defendant against the plaintiff go back to the month of November 2017. - defense in court: insofar as the courts of the judicial order are seized of the dispute, the DPA should not rule on the merits of the dispute, and should deal with grievances alleged in this context as not established in the absence of testimony - the plaintiff argues that there is no legitimate interest on the part of the defendant to data processing, at least not for data older than five years. He considers that only for data more recent than 5 years the legitimate interest may possibly constitute a basis for the lawfulness of the processing due to the pending legal proceedings, but not older ones. - the other interests put forward by the defendant are vague, not current, and imprecise; - the defendant did not carry out a balance of interests in the context of the assessment of legitimate interest: no consideration of the imbalance inherent in the situation of ex- employee and ex-employer between plaintiff and defendant; - violation of the principle of minimization of data, insofar as the data more older than five years are irrelevant; 6 additional conclusions and summary p14. 7 Complainant's main conclusions p18-19, Decision on the merits 46/2022 - 8/28 - violation of the principle of necessity since other less invasive measures would have could have been envisaged in order to allow the defendant to have the data (for example designation of a third party with whom the defendant could have carried out the analysis data together with the complainant). - potential questioning of the complainant's liability in his capacity as former director of the defendant company: the limitation period for liability administrators being five years, the legitimate interest cannot justify a processing going beyond this period II.1.3. Discussionplace 33. The Litigation Chamber notes that point f) of Article 6.1 of the GDPR refers to an interest lawful pursued by the controller. The processing of personal data personnelmustbe"necessaryfortheachievementofthelegitimateinterest"followedbytheresponsible of the treatment. 34. Moreover, recourse to legitimate interest is expressly subject to a criterion additional balancing act, which aims to protect the interest and the rights and freedoms fundamentals of the people concerned. In other words, the legitimate interest pursued by the controller must be weighed against the interests or rights and freedoms fundamental rights of the person concerned, the objective of the balancing being to prevent disproportionate impact on his rights and freedoms. 35. The interest pursued by the data controller, even if it is legitimate and necessary, cannot therefore validly be invoked only if the fundamental rights and freedoms of the persons concerned do not prevail over this interest. The Court of Justice of the European Union has clarified that these three conditions – either the pursuit of a legitimate interest by the controller (a), the necessity of the processing for the achievement of the legitimate interest pursued (b) and the condition that the fundamental rights and freedoms of the persons concerned do not prevail over the interest continued (c), are cumulative. 36. In other words, in order to be able to invoke the basis of lawfulness of "legitimate interest" in accordance with Article 6.1.f) of the GDPR, the controller must demonstrate that: 1) the interests it pursues with the processing can be recognized as legitimate (the "finality test"); 2) the envisaged processing is necessary to achieve those interests (the “necessity test”); 8 See.notablyCourtofJusticeoftheEuropeanUnion(CJEU),Judgmentof11November2019(C-708/18),TKc.Asociațiade Proprietari bloc M5A-ScaraA pronounced under Article 7 f) of Directive 95/46/EC., Decision on the merits 46/2022 - 9/28 3) the weighing of these interests against the fundamental interests, freedoms and rights data subjects weighs in favor of the data controller (the "test of weighting"). 37. These principles are also outlined in Opinion 2/2017 on the processing of data on the location working group 29, according to which “the performance of a contract and the interests legitimate reasons can sometimes be invoked, provided that the processing is strictly necessaryforlegitimatepurposesandrespectstheprinciplesofproportionalityandsubsidiarity; » . 9 Group 29 recalls more specifically that: “To invoke Article 7(f), as legal basis for the processing, it is essential that specific mitigation measures provided in such a way as to strike a fair balance between the employer's legitimate interest and the fundamentalfreedomsandrightsofemployees. should impose limits on surveillance activities in order to avoid any violation of life privacy of the employee. These limits could be: - geographic (e.g. monitoring only in locations specific; surveillance of sensitive areas such as religious places and, by example, sanitary areas and rest rooms should be prohibited), - related to data (for example, personal electronic records and the communication should not be monitored), and - temporal (for example, sampling instead of monitoring keep on going). »10 38. While the data controller is initially responsible for assessing whether the conditions set out in Article 6.1.f of the GDPR are met, the legitimacy of the processing may then be subject to another evaluation, and possibly be challenged, among other things by data subjects and by the authorities responsible for supervising the protection of data. A case-by-case examination, taking into account the concrete circumstances of each case, will thus allow the Litigation Chamber to conclude as to the lawfulness of processing based on the basis of the legitimate interest invoked, as in this case, by the data controller. 39. The processing of personal data must be “necessary for the performance of legitimate interest” pursued by the data controller. This condition of necessity between the processing carried out and the legitimate interest pursued is particularly relevant in the case of Article 6.1.f) of the GDPR in order to ensure that the processing of data based on the legitimate interest does not lead to an overly broad interpretation of the interest in processing data. 40. The defendant relies on several elements to found its legitimate interest, elements which are further analyzed below. 9 Opinion 2/2017 on data processing in the workplace of Working Party 29, p2 1Ibid, p7, Decision on the merits 46/2022 - 10/28 II.1.4. The legitimate interest of the defense in court 41. Legal defense is a fundamental right enshrined in Article 48 of the Charter of Rights fundamentals of the Union. In general, "defence in justice" can indeed be considered a lawful legitimate interest in the context of the application of Article 6.1.f. of GDPR. In accordance with Article 29 Group Opinion 06/2014 on the notion of legitimate interest, this interest must be real and present, or not hypothetical. 42. The Litigation Chamber finds that this interest constitutes a real and present legitimate interest. Indeed, during the processing (retrieval and analysis) by the defendant of the data to personalcharacteronthelaptopoftheplaintiff,thedisputebeforethecourtsofthejudicialorder between plaintiff and defendant was already .11 43. Nevertheless, the necessity test must be met, as prescribed by the CJEU (see above). In Indeed, for this legitimate interest of "defence in justice" of the defendant to prevail, the data processing must be “necessary” for the exercise of this legal defence. He would be excessive and contrary to these requirements of necessity and proportionality to accept that all previous employers of an employee can, by virtue of this capacity, process all personal data relating to this employee, even for defense purposes in justice. 44. In the present case, insofar as the defendant bases its grievances against the plaintiff (in the context of the dispute before the courts of the judicial order) on the fact that he would have culpably refrained from communicating information (or allegedly communicated truncated information), the Litigation Chamber considers that the defendant is justified in base on Article 6.1.f of the GDPR in order to be able to support the litigation pending and parallel to this procedure, and this only for the data necessary for this purpose. 45. In the present case, the substantive dispute between the parties has its source in the transfer of the shares from the Complainant to the Respondent, dated May 29, 2020. The Complainant submits that the grievances the defendant accusing him dates back to November 2017. same and in parallel with his personal data dating back to a period of five years could be processed by the defendant on the basis of the legitimate interest related to the defense in justice of it. The defendant nevertheless refused to comply with the request of the complainant to process only his personal data older than five years. Bedroom Litigation follows the complainant in his assertion that a limit should be placed temporal to the period of time in which the defendant can rely on the interest legitimate defense in court, justifying only necessary data processing and proportionate to the exercise of this defense in court. The time limit of 5 years 11 See also CNIL thematic sheet, “IT tools at work”, https://www.cnil.fr/sites/default/files/atoms/files/_travail-vie_privee_outils_informatiques_travail.pdf 1Complainant's submissions p 8, Decision on the merits 46/2022 - 11/28 earlier, corresponding to the prescription of the plaintiff's liability as director therefore agrees to be retained. 46. It remains that this data processing must also (to correspond to the conditions necessity and proportionality) fit in a relevant and proportionate manner with the purpose precisely identified of this legitimate interest, namely the defense in court with regard to the dispute concerning. It is therefore still necessary to ensure that the requirements of the weighting test are encountered. 47. In this regard, the Litigation Chamber considers that the complainant can be followed in his argument according to which the defendant did not realize a balance of interest before proceeding with the treatment in dispute insofar as the facts show that it refused the plaintiff's proposal to not to carry out the complete restoration, but to involve a third party with whom the plaintiff could proceed, in the presence of the defendant, to a sorting of the relevant emails. In in other words, less invasive measures than restoring all the mailboxes of the complainant, both private and professional, would have been possible. The defendant has elsewhere proceeded, as a first step, to the analysis of all its mailboxes (private and professionals) despite the opposition of the complainant. She only pledged to stop dealing actively the complainant's private mailboxes, and not to analyze emails from these private boxes present on the professional boxes only at the complainant's insistence. 48. In its submissions in reply, the defendant argues in this regard that the balance of interests to which the complainant refers may be detailed when information is requested. According to her, the GDPR does not require, “in its text, to detail for each transaction of treatment for which a balance of interests is desired, to document this balance of interest". The defendant does not submit any provision on which it would rely to justify this assertion. It cannot be followed up in this respect, since this balanced interest must at the very least emerge from the history of the exchanges between the parties, which is not the case here. 49. The conditions linked to the aforementioned weighting test are therefore not met in the head of the defendant. 50. The European Court of Human Rights (ECHR hereafter) has also expressed its opinion on the subject of an employer's surveillance of the electronic communications of its employees in the case of Barbulescu v. Romania, concerning the decision of a private company to put termination of an employee's employment contract after monitoring their electronic communications and have had access to their content. 51. The Court concluded that the Romanian courts failed to verify whether Mr Bărbulescu had been previously informed by his employer of the possibility that his communications may be 1Additional conclusions and summary p16, Decision on the merits 46/2022 - 12/28 monitored. They also failed to take into account the fact that he had not been informed or the nature neither of the extent of this surveillance nor, in particular, of the possibility that his employer access to the actual content of his messages. Moreover, the national courts have not determined, first, what specific reasons had justified the establishment of monitoring measures, secondly, whether the employer could have made use of less intrusive for Mr. Bărbulescu's private life and correspondence and, thirdly, if access to the content of the communications had been possible without his knowledge. 14 52. In its Grand Chamber judgment, the ECHR indicates that the Romanian authorities did not struck a fair balance between the right to respect for private and family life, the home and the complainant's correspondence and the interests of his former employer, and finds a violation of Article 8 of the European Convention on Human Rights. 53. It is clear from this judgment that when an employer takes measures to monitor the communications from its employees, these measures must be accompanied by safeguards adequate and sufficient against abuse, including the use of the least intrusive measures possible (including direct access to the content of employee communications) . 15 54. In the present case, the Litigation Chamber notes that the defendant rejected the proposal by the complainant to carry out an examination together with a third of the emails, and not proposed an alternative less intrusive measure than the processing of all the emails of the complainant (and their content). In this way, without further examining the other criteria retained by the ECHR to assess whether there has been a balance of interests, the defendant therefore places itself in failure to comply with the aforementioned ECHR case law. 55. The Litigation Chamber concludes in view of the foregoing and in accordance with the above-mentioned case law of both the CJEU and the ECHR, that the defendant could not base the processing of data referred to in the complaint and older than five years on its legitimate interest of the defense in court, in the absence of such processing being necessary for the meaning of Article 6.1. f) of the GDPR. This legitimate interest nevertheless constitutes a basis of lawfulness for the complainant's personal data relating to the period prior to five years. 56. For information purposes, the Litigation Division points out that it previously ruled on the processing of email boxes when an employee leaves. She has thus already recalled “that in the event of departure from the organization, the employer must delete the e-mail addresses when these constitute personal data, after having informed their holders and third parties of the email closing date. This obligation is also intended to allow 1Questions and Answers, Grand Chamber Judgment in the case of Bărbulescu v. Romania, (application no. 61496/08) 15 Case of Bărbulescu v. Romania, application no. 61496/08, 05 September 2017, §136, available via https://hudoc.echr.coe.int/fre#{%22itemid%22:[%22001-177083%22]}:“136. Court of Appeal did not sufficiently examine the question of whether the aim pursued by the employer could have been achieved by less intrusive methods than access to the actual content of the applicant's communications. », Decision on the merits 46/2022 - 13/28 holders to sort and transfer any private messages to their mailbox personal. In the same way that it must be left to the person concerned to resume its effects personal, it should be left to him to resume or delete his communications electronic mail of a private nature before his departure. Similarly, if part of the content of its messaging must be retrieved to ensure the smooth running of the business (as advanced by the defendant in this case), this must be done before his departure and in his presence. In the event of a contentious situation, the intervention of a trusted person is 16 recommended. The assumption of resignation or dismissal or any other form of cessation of activity and its consequences should be regulated in an internal Charter 17 relating to the use of IT tools. » 57. Although at the initiative of both parties, these principles can no longer be applied in the case case, the Litigation Chamber recommends that the defendant set up such a Charter to prevent the repetition of similar situations in the future. The establishment of a charter regulating the conditions under which an employer can consult the mailboxes professional or monitor the computer tools of its employees, takes over the necessary compliance with the case-law lessons set out above, by offering adequate guarantees and sufficient against abuse (in particular by warning employees of possible measures of control) and respecting the principle of proportionality is recommended by the Chamber Litigation more generally. II.1.5. As for the legitimate interest linked to the potential questioning of the liability of the complainant in his capacity as a former director of a defendant company 58. The defendant indicates in its pleadings that it reserves the right to initiate the responsibility of the plaintiff for some of the acts (communication of false information) that he posed as administrator of Y. 59. The Litigation Division refers in this respect to recital 47 of the GDPR which states that the processing of personal data strictly necessary for prevention purposes fraud constitutes a legitimate interest of the data controller concerned. 60. The Chamber has previously held that, depending on the case, the purpose of preventing abuse and fraud may constitute a basis of legitimate interest, in compliance with the triple test of CJEU (see above). In this context, if it is established that the processing of personal data 16For several years now, the Commission for the Protection of Privacy, which the APD succeeded, had made available to available to employers a legal notice on its website https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/note-juridique-e-mails-employes- absents_0.pdf as well as FAQs: https://www.autoriteprotectiondonnees.be/faq-themas/acc%C3%A8s-aux-e-mails- demploy%C3%A9s-absentslicenci%C3%A9s relating to this theme of closing e-mail addresses in the event of departure/termination of function in particular. 1Decision 64/2020 of 29 September 2020, points 39-40, pages 12-13 18 See decision 24/2020 of May 14, 2020, Decision on the merits 46/2022 - 14/28 personalforthispurposeisnecessaryforthepurposesofthelegitimateinterestofthedefendantandthatthis interest prevails over the complainant's interest in the protection of his personal data, the processing must be considered to have a basis of lawfulness. 61. In accordance with this position, in view of the fact that the defendant criticizes the plaintiff in the dispute before the Court of First Instance already during the communication of information truncated and/or false, the Litigation Chamber considers the potential questioning of the liability of the plaintiff in his capacity as a former director as a legitimate interest in the head of the defendant (for the processing of personal data relating to the five recent years only). II.1.6. As for the legitimate interest linked to the potential filing of a criminal complaint with constitution of civil party by the defendant against the plaintiff for breaches that it qualifies serious 62. The defendant also indicates in its pleadings that it reserves the right to file a criminal complaint with civil action by the defendant against the plaintiff for breaches classified as serious (abuse of the company's credit card). 63. The Litigation Chamber refers in this regard to recital 47 of the GDPR which states that the processing of personal data strictly necessary for prevention purposes abuse and fraud constitutes a legitimate interest of the controller concerned. 64. The Chamber has previously held that, depending on the case, the purpose of preventing abuse and fraud may constitute a basis of legitimate interest, in compliance with the triple test of CJEU (see above). In this context, if it is established that the processing of personal data personnel for this purpose is necessary for the purposes of the legitimate interest of the defendant and that this interest prevails over the complainant's interest in the protection of his personal data, the processing must be considered to have a basis of lawfulness. 65. In accordance with this position, in view of the fact that the defendant criticizes the plaintiff in the dispute before the Court of First Instance already during the communication of information truncated and/or false, and that she also accuses him of misusing the company's credit card under his mandate as administrator, the Litigation Chamber considers the potential filing of criminal complaint with civil action by the defendant against the plaintiff for breaches qualified as serious as a legitimate interest on the part of the defendant (for the processing relating to the complainant's personal data for the last five years only). II.1.7. Concerning the continuity of the defendant's services 66. As indicated above, the Complainant may be followed in his reasoning as appropriate to place a time limit on the period during which the legal defense can establish 1See Decision 24/2020 of May 14, 2020, Decision on the merits 46/2022 - 15/28 the legitimate interest of the defendant, and thus constitute the basis for the lawfulness of the disputed processing. The complainant understands in his conclusions that the need to ensure the continuity of his services by the defendant may constitute a basis for the lawfulness of the treatment, but only for data dating back to two accounting years, i.e. for data prior to January 1, 2017. 67. For the sake of consistency, insofar as the limit is placed (by the complainant himself) at the last five years for the legitimate interest of the defendant's legal defense, this same limit is retained concerning the legitimate interest of the continuity of the services of the defendant (instead of the two accounting years reducing the period of treatment to the January 1, 2017 as claimed by the complainant). 68. As indicated above, in the absence of a basis of lawfulness, the Litigation Chamber concludes that article 5.1.a. of the GDPR combined with article 6 of the GDPR have not been complied with with regard to the processing of data older than five years. Conversely, with regard to personal data of the complainant more recent than five years, the legitimate interest constitutes a basis of lawfulness. 3- On the failure to provide information (Articles 13 of the GDPR, combined with Article 12 GDPR) 69. Pursuant to Articles 13 and 14 of the GDPR, any person whose personal data personal are processed must, depending on whether the data is collected directly from it or with third parties, to be informed of the elements listed in these articles (§§ 1 and 2). In case of collection direct data from the person concerned, the latter will be informed of both the elements listed in paragraph 1 and in paragraph 2 of Article 13 of the GDPR, namely: the identity and contact details of the data controller as well as the contact details of the data protection officer possible data protection, the purposes of the processing as well as the legal basis for the latter (when the processing is based on the legitimate interest of the data controller, this interest must be specified), recipients or categories of recipients of the processing, the intention of the controller to transfer the data outside the Economic Area European Union, the duration of data retention, the rights conferred on it by the GDPR in this including the right to withdraw consent at any time and the right to lodge a complaint with the data protection supervisory authority (in this case the DPA), information whether the requirement to provide personal data has a regulatory or contractual nature and the consequences of their non-provision as well as of the existence of automated decision-making including profiling, referred to in Article 22 of the GDPR. Article 14.1 and 14.2 list elements that are similar taking into account however that the hypothesis referred to in article 14 of the GDPR is that where data is not collected directly with the person concerned but also with third parties. This information is, 2 Complainant's main submissions p18-19, Decision on the merits 46/2022 - 16/28 whether on the basis of Article 13 or Article 14 of the GDPR to be provided to the data subject in accordance with the terms set out in Article 12 of the GDPR. 70. The Litigation Chamber recalls that an essential aspect of the principle of transparency light to Articles 12, 13 and 14 of the GDPR is that the data subject should be able to determine in advance what the scope and the consequences of the processing encompass, in order to not be caught off guard at a later stage as to how their personal data staff were used. The information should be concrete and reliable, it does not should not be formulated in abstract or ambiguous terms or leave room for different interpretations. More specifically, the purposes and legal bases of the processing of personal data should be clear. 71. Article 12.3 of the GDPR imposes information on the data subject within a maximum period of three months. The complainant asked for the first time on February 26, 2020 to the defendant to send it the information under Article 14 of the GDPR. Bedroom Litigation notes here that Article 14 of the GDPR is applicable in the event of indirect collection of personal data. In the present case, although the complainant's conclusions repeat Article 14 in this respect, insofar as the complainant's data were collected in the framework of his employment contract with the defendant, Article 13 GDPR is applicable. 72. It appears from the facts that the Respondent merely sent the Complainant a list of personal data concerning him that it holds, by letter dated June 15, 2020 (exhibit 11 of the complainant), without including all the other information required under Article 13 GDPR. Nevertheless, Article 13.4 of the GDPR dispenses with the need to communicate the information under points 1 to 3 of the same article if the person concerned already had these informations. The document sent by the defendant to the plaintiff does not indicate the duration retention of data (important aspect in the dispute between the parties), or the existence of the right to request access, rectification or erasure of the same, or a limitation of processing, nor does it mention the right to object to processing, or the right to lodge a complaint with the supervisory authority. Nevertheless, it is reasonable to assume that the complainant was not unaware of this information, given his former functions of administrator. The element of information under Article 13 of the GDPR particularly relevant to the case in hand and absent in the document is therefore the retention period of the data processed by the defendant. Although this element constitutes a central point in the present dispute and in the plaintiff's claims, it is also necessary to take into account the difficulty for the defendant to estimate the time that the resolution of the dispute will take during before the courts of the judicial order, duration during which it is entitled to keep the data (more recent than five years). 73. In these circumstances, it cannot be concluded that there is a breach of Article 13 of the GDPR., Decision on the merits 46/2022 - 17/28 III. As for the communication of the subcontract between the defendant and its subcontracting 74. Article 28.3 of the GDPR states: “Processing by a processor is governed by a contract or other legal act under Union law or the law of a Member State, which binds the processor with regard to of the controller, defines the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. This contract or other legal act provides, in particular, that the subcontractor: a) only processes personal data on documented instructions from the data controller, including with regard to data transfers of a personal nature to a third country or to an international organisation, unless required to do so under Union or State law member to which the subcontractor is subject; in this case, the subcontractor informs the controller of this legal obligation prior to processing, unless the law concerned prohibits such information for important reasons of interest audience; b) ensures that the persons authorized to process the personal data personnel undertake to respect confidentiality or are subject to a appropriate legal duty of confidentiality; (c) take all measures required under Article 32; (d) complies with the conditions referred to in paragraphs 2 and 4 to recruit another subcontracting; (e) take into account the nature of the processing, assist the controller, for appropriate technical and organizational measures, to the fullest extent possible, to fulfill its obligation to respond to the requests of which the persons concerned seize it in order to exercise their rights provided for in Chapter III; f) assists the data controller in ensuring compliance with the obligations laid down in Articles 32 to 36, taking into account the nature of the processing and the information to be the disposition of the subcontractor; g) at the choice of the data controller, delete all data to be personal nature or returns them to the controller at the end of the provision of services relating to the processing, and destroys the existing copies, unless Union law or Member State law requires the retention personal data; and, Decision on the Merits 46/2022 - 18/28 h) make available to the controller all information necessary to demonstrate compliance with the obligations provided for in this article and to enable audits, including inspections, to be carried out by the controller or another auditor appointed by him, and contribute to these audits. With regard to point h) of the first paragraph, the processor shall inform the data controller immediately if, in his opinion, an instruction constitutes a breach of this Regulation or of other provisions of Union law or of the law Member States relating to data protection. » 75. Article 4.8 of the GDPR defines a processor as follows: “the natural or legal person, public authority, agency or other body who processes personal data on behalf of the data controller treatment; » 76. It is not disputed by the defendant that the V having carried out the restoration of the data is a third party, and that it acted as a subcontractor. Furthermore, the defendant acknowledges the absence of a contract binding it to this subcontractor. She justifies this in her conclusions by arguing that the subcontractor “did not process personal information, but restored the data deleted by M.X, without examining the content of this data and without perform a sorting that it was not for him to perform”. The defendant adds that the sub- handler "did not access the mailbox before retrieving the items deleted (…) did not recover deleted items from Mr. X's email (after request of Y), no action has been taken (…)”, and that he “did not read Mr. 23 X”. 77. The Litigation Chamber finds that this constitutes an erroneous reading of the notion of “processing”, as set out in article 4.2 of the GDPR: “anyoperationoranysetofoperationsperformedornotusingprocedures automated and applied to personal data or sets of data personnel, such as collecting, recording, organizing, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of posting provision, reconciliation or interconnection, limitation, erasure or destruction;". 78. It is also not disputed that the emails contained in the electronic mailboxes (professional and/or private) constitute personal data. 2It thus indicates in its summary conclusions p8 that the subcontractor is “a third-party service provider” 2Summary conclusions of the defendant p17 2Ibid. p18, Decision on the merits 46/2022 - 19/28 personal data relating to the complainant therefore constitutes processing personal data within the meaning of the GDPR. 79. The fact that this data has been encrypted as part of the processing by the processor of the defendant, and that only the defendant can decrypt them (as his counsel indicates in a mail of May 4, 2021), does not modify the nature of this conclusion, since although encrypted, these data remain personal data of the complainant, and that the processing remains. In effect, to the extent that pseudonymised 24 or encrypted data may allow the identification of a person via additional information, in particular via the key of encryption (held in the present case by the defendant), encrypted data constitute indeed personal data within the meaning of article 4.1 of the GDPR. 80. The defendant therefore demonstrates a breach of Article 28.3 of the GDPR. IV. As to the plaintiff's requests for the exercise of his rights IV.1. On the defendant's breach of its obligation to follow up on the exercise of the complainant's right of access (Article 15 of the GDPR) in accordance with the terms of Article 12 GDPR 81. As indicated above, in its capacity as data controller, the defendant is required to comply with data protection principles and must be able to demonstrate that these are respected. It must also implement all the measures necessary to this purpose (principle of responsibility – articles 5.2. and 24 of the GDPR). 24 Article 4.5 of the GDPR defines the notion of pseudonymisation as follows: “the processing of personal data in such a way that these movies can no longer be attributed to a person data subject without having recourse to additional information, provided that this information additional data are kept separately and subject to technical and organizational measures in order to guarantee that the personal data is not attributed to an identified or identifiable natural person” Recital 26 of the GDPR similarly states: “The principles of data protection should apply to any information relating to a person identified or identifiable physical. Personal data which has been pseudonymised and which could be attributed to a natural person through the use of additional information should be considered to be information relating to an identifiable natural person. To determine if a person is identifiable, consideration should be given to all reasonably likely means to be used by the controller or any other person to identify the natural person directly or indirectly, such as targeting. To establish whether means are reasonably likely to be used to identify a natural person, all of the objective factors should be taken into consideration, such as than the cost of identification and the time required for it, taking into account the technologies available at the time their treatment and evolution. » 25 See on this subject the Breyer judgment of the ECHR, Case C‑582/14, 19 October 2016, § 49, Decision on the merits 46/2022 - 20/28 82. As a preliminary point, the Chamber recalls that the right of access is one of the foundations of the right to data protection, it constitutes the “front door” which allows the exercise of other rights that the GDPR confers on the person concerned, such right to rectification, the right to erasure, to limitation or limitation. 83. Pursuant to Article 15.1 of the GDPR, the data subject has the right to obtain from the controller of processing the confirmation that personal data concerning him are or are not are not processed. When this is the case, the data subject has the right to obtain access to the said personal data as well as a series of information listed in article 15.1 a) - h) such as the purpose of the processing of its data, the duration of data storage, the potential recipients of its data as well as information relating to the existence of its rightsincludingthatofrequestingthecorrectionorerasureofitsdataorthatof lodge a complaint with the DPA. 84. Pursuant to Article 15.3 of the GDPR, the data subject also has the right to obtain copy of the personal data which is the subject of the processing. Article 15.4 of the GDPR provides that this right to copy may not infringe the rights and freedoms of others. 85. Article 12 of the GDPR relating to the procedures for exercising their rights by persons concerned provides in particular that the controller must facilitate the exercise of his rights by the person concerned (article 12.2 of the GDPR) and provide him with information on the measures taken following his request as soon as possible and no later than later within one month of their request (Article 12.3 of the GDPR). This deadline may special circumstances, be extended to three months (Article 12.3 of the GDPR). When the controller does not intend to respond to the request, he must notify his refusal within one month accompanied by the information that an appeal against this refusal can be lodged with the data protection supervisory authority (12.4 of the GDPR). 86. On March 16, 2020, the plaintiff exercised his right of access and copy with the defendant. She replied on April 7, 2020 that she would be unable to comply with his request within the one-month delay due to the complexity of the request and difficult working circumstances related to the health crisis, but has undertaken to do so within three months. 87. On June 15, 2020, the day before the expiry of the three-month period, the defendant sent the complainant a list of personal data about him that she holds. double failure to provide it with the information required under Article 15.1 a) to f) (including the retention period of the data), and does not send him a copy of this data. 88. The defendant relies in this regard on the argument that, in its letter of March 16 requesting the application of Article 15 of the GDPR, the complainant would have limited himself to requesting access and not the copy, because the letter only refers to article 15.1 and not 15.3 (copy part of the right access)., Decision on the merits 46/2022 - 21/28 89. The Litigation Chamber cannot subscribe to this reasoning, inasmuch as although said courier expressly refers only to article 15.1 and not to 15.3, the term “copy” (“copy” in the mail in English) is explicitly mentioned twice (complainant's exhibit 7): 90. The Litigation Chamber can therefore only find a breach of Article 15.1, prosecution incomplete to the Complainant's right of access request, and a breach of Section 15.3 for refusal to follow up on the copy part of the right of access. IV.2. On the defendant's breach of its obligation to follow up on the exercise of the the complainant's right to erasure (Article 17 of the GDPR), the right to restriction (Article 18 GDPR), as well as the right of opposition (Article 21 GDPR) 91. Article 17 of the GDPR states: 1. “The data subject has the right to obtain from the controller the erasure, in as soon as possible, of personal data concerning him and the person responsible for the processing has the obligation to erase this personal data as soon as possible, when one of the following grounds applies: a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; b) the data subject withdraws the consent on which the processing is based, in accordance with point (a) of Article 6(1) or point (a) of Article 9(2), and there is no other legal basis for the processing; c) the data subject objects to the processing pursuant to Article 21(1) and he there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); d) the personal data has been unlawfully processed; e) the personal data must be erased to comply with an obligation which is provided for by Union law or by the law of the Member State to which the controller is subject; f) the personal data was collected in the context of the service offer of the information society referred to in Article 8(1). 2. When he has made the personal data public and is required to delete them in pursuant to paragraph 1, the controller, taking into account the technologies available and the costs of implementation, take reasonable measures, including order technical, to inform the data controllers who process this personal data, Decision on the merits 46/2022 - 22/28 personal data that the data subject has requested the erasure by those responsible for the processing of any link to such personal data, or any copy or reproduction of these. 3. Paragraphs 1 and 2 do not apply insofar as this processing is necessary: (a) the exercise of the right to freedom of expression and information; b) to comply with a legal obligation which requires the processing provided for by the law of the Union or by the law of the Member State to which the controller is subject, or to perform a task in the public interest or in the exercise of authority authority vested in the controller; c) for reasons of public interest in the field of public health, in accordance with Article 9, paragraph 2, points h) and i), as well as Article 9, paragraph 3; (d) for archival purposes in the public interest, for the purposes of scientific research or historical or statistical purposes in accordance with Article 89(1) in the extent to which the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; Where e) the establishment, exercise or defense of legal claims. » 92. Recital 65 of the GDPR also includes the exception of legal defense as set out provided for in Article 17.3.e of the GDPR to the right to erasure. 93. As indicated above, the Litigation Chamber considers that in view of the dispute pending before the jurisdictions of the judicial order, and a fortiori insofar as this is linked to exchanges of information (and emails) between the plaintiff, the defendant, and third parties, the legitimate interest for defense in court constitutes a basis of valid lawfulness in the head of the defendant, for data more recent than five years, from the start of the disputed processing. For data after this date, the defendant cannot rely on the interest legitimate (see section 2.1.3 above) as the basis for the disputed processing. 94. In all consistency, the exception to the right to erasure set out in Article 17.3.e of the GDPR (the defense of rights in court) is applicable to the case in question, according to the same time criterion. 95. There is therefore no breach by the defendant of Article 17 of the GDPR with regard to the processing of data five years prior to the processing, but concerning the data after this date. 96. Insofar as Articles 18.2 (right to limitation) and 21.1 (right to object) take up exception of legal defense, the same reasoning applies to the claim exercise of its right of limitation and opposition by the complainant. 97. There is therefore no breach by the defendant of Article 18 of the GDPR and 21 of the GDPR which concerns the processing of data five years prior to the processing, but regarding data after that date., Decision on the merits 46/2022 - 23/28 V. Corrective Measures and Sanctions 98. Under Article 100 LCA, the Litigation Chamber has the power to: 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° order a suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings or reprimands; 6° order to comply with requests from the data subject to exercise these rights; (7) order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order the processing to be brought into conformity; 10° order the rectification, restriction or erasure of the data and the notification of these to the recipients of the data; 11° order the withdrawal of accreditation from certification bodies; 12° to issue periodic penalty payments; 13° to impose administrative fines; 14° order the suspension of cross-border data flows to another State or a international body; 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up data on file; 16° decide on a case-by-case basis to publish its decisions on the website of the Protection Authority Datas. 99. As to the administrative fine which may be imposed pursuant to Article 83 of the GDPR and articles 100, 13° and 101 LCA, article 83 of the GDPR provides: 1. “Each supervisory authority shall ensure that the administrative fines imposed in under this article for violations of this Regulation, referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive. 2. Depending on the specific characteristics of each case, the administrative fines are imposed in addition to or instead of the measures referred to in Article 58(2), points a) to h), and j). To decide whether to impose an administrative fine and to decide on the amount of the administrative fine, due account shall be taken, in each case in point, of the following elements: (a) the nature, gravity and duration of the breach, taking into account the nature, scope or the purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered; (b) whether the breach was committed willfully or negligently;, Decision on the Merits 46/2022 - 24/28 c) any action taken by the controller or processor to mitigate the damage suffered by the persons concerned; d) the degree of responsibility of the controller or processor, account given the technical and organizational measures they have implemented pursuant to sections 25 and 32; e) any relevant breach previously committed by the controller or the subcontractor; (f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and to mitigate any adverse effects thereof; (g) the categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the breach, in particular whether, and the extent to which the controller or processor notified the breach; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same object, compliance with these measures; (j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved under section 42; and k) any other aggravating or mitigating circumstance applicable to the circumstances of the species, such as the financial advantages obtained or the losses avoided, directly or indirectly, by reason of the breach”. 100. It is important to contextualize the breaches of these articles in order to identify the measures most suitable correctives. In this context, the Litigation Chamber will take into account all the circumstances of the case, including - within the limits it specifies below after the reaction communicated by the defendant, the amount of the fine envisaged has been communicated (see retroacts of the procedure). In this regard, the Litigation Chamber specifies that said form expressly mentions that it does not imply the reopening of debates. Its sole purpose is to obtain the reaction of the defendant on the amount of the proposed fine. 101. The Litigation Division also wishes to specify that it is sovereignly incumbent upon it quality of independent administrative authority - in compliance with the relevant articles of the GDPR and the ACL - to determine the appropriate corrective action(s) and sanction(s). 102. Thus, it is not for the plaintiff to ask the Litigation Chamber to order such or any remedy or sanction. If, notwithstanding the foregoing, the Complainant should nevertheless ask the Litigation Chamber to pronounce one or the other measure and/or sanction, it is therefore not incumbent on the latter to justify why it would not retain any request made by the complainant. These considerations leave intact the obligation for the Litigation Chamber to justify the choice of measures and sanctions, Decision on the merits 46/2022 - 25/28 which it deems, (among the list of measures and sanctions made available to it by the articles 58 of the GDPR and 95.1 and 100.1 of the LCA) appropriate to condemn the party in question. 103. In the present case, the Litigation Chamber notes that the Complainant requested in particular from the Chamber Litigation that it sanctions the defendant for its failure to respond to its requests to exercise their rights. He also requests that the Chamber issue an injunction to the defendant, on two counts. First, he asks for an injunction to stop the treatment personal data concerning him older than 5 years (and even more recent if the Chamber had to conclude that there was no basis of lawfulness for these as well), as well as their deletion. Next, the plaintiff seeks an injunction on the defendant to do following requests to exercise its various rights. Finally, he asks for confirmation that the defendant cannot validly rely on Article 6.1.f (legitimate interest) to found the contentious treatments, regardless of time at the very least. V.1. As for the shortcomings 104. The Litigation Chamber found a breach of Articles 5.1.a combined with Article 6.1.f of the GDPR, due to the partial absence of a legal basis for processing. She also noted a breach of Article 15 (right of access and copying), 17 (right to erasure), 18 (right to limitation), and 21 (right to object). Finally, article 28 has also been violated (in the absence of a contract between the defendant and its subcontractor). 105. It appears from the complainant's conclusions that the defendant undertook, at the insistence of the complainant, not to analyze the personal data of the complainant found in his boxes private emails, as well as to cease all active processing of private emails found during the analysis professional mailboxes .26 106. The Litigation Chamber also notes that the defendant indicates in its submissions be prepared to delete the emails relating to the private mailboxes of the complainant, provided 27 that the emails in question do not interfere with his right of defense in court. However, in view numerous shortcomings on the part of the defendant, the Litigation Chamber is of the opinion that this concession is not sufficient to justify an absence of sanctions. 107. Accordingly, the Litigation Chamber orders the defendant: - to comply with the complainant's requests to exercise his rights to the extent explained above - to put in place a charter as set out in point 56 26 Complainant's conclusions p.5 27 Respondent's summary submissions p.17, Decision on the merits 46/2022 - 26/28 - to cease the processing of personal data relating to the older complainant only 5 years 108. In addition to this compliance order, the Litigation Division is of the opinion that, in addition, an administrative fine is in this case justified for the reasons below, reasons analyzed on basis of article 83.2 GDPR and in accordance with the recent teaching of the Court of Markets. 109. The rights of data subjects are part of the essence of the GDPR and violations of these rights are punished with the highest fines, in accordance with Article 83.5 GDPR. In this spirit, serious breaches of the rights of the persons concerned must be sanctioned proportionally high fines, depending on the circumstances of the case. In this In this regard, reference may be made to the Group Guidelines 29 on the application and setting of administrative fines, according to which: “Fines are an important tool that enforcement authorities should use in the appropriate circumstances. Supervisors are encouraged to adopt a well-considered and balanced approach when applying measures remedies in order to react to the violation in a manner that is both effective and dissuasive proportionate. This is not to see fines as a last resort or to fear of imposing them, but, on the other hand, they should not be used such that their effectiveness would be reduced. » 110. Insubparagrapha),Article83.2.concerns“thenature,seriousnessanddurationoftheviolation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of harm they have suffered”. In the case In this case, the Litigation Chamber notes that the principles of legality and minimization (articles 5.1.a and 5.1.c GDPR) that the right of access (article 15), erasure (article 17), limitation (article 18) and opposition (article 21) are essential principles of the regime of GDPR protection. The principle of liability set out in Article 5.2. of GDPR and developed in article 24 is also at the heart of the GDPR and reflects the change of paradigm brought about by it, i.e. a changeover from a regime that was based on prior declarations and authorizations from the supervisory authority towards greater accountabilityandresponsibilityoftheprocessor.Compliancewithitsobligations by the latter and its ability to demonstrate it are therefore all the more important. The breaches of these principles constitute serious breaches. 28 GDPR also constitutes a serious violation. 111. With regard more specifically to the nature of the data, although it is not clear of the submissions filed (to the extent that the parties contradict each other on this subject and lack of evidence) whether the defendant restored the mailboxes, both private and Complainant's professional interests, the Chamber notes that the Respondent acknowledges at the very least, Decision on the Merits 46/2022 - 27/28 have also processed (restored) the private emails on the complainant contained in its boxes professionals. 112. With regard to the duration and scope of the impugned processing, the Chamber notes that the defendant proceeded from the outset and deliberately (art 83.2.b GDPR) to restore the complainant's emails without any time limit, despite the latter's opposition and his request to place a limit of 5 years. 113. The other criteria of section 83.2. of the GDPR are neither relevant nor likely to influence the decision of the Litigation Chamber regarding the imposition of an administrative fine and its amount. 114. Pursuant to Articles 83.4 and 83.5 GDPR, breaches of the provisions identified above may amount to up to 20,000,000 euros or in the case of a company, up to 4% of the total worldwide annual turnover for the previous financial year. A breach of Articles 5.1.a combined with article 6.1.f of the GDPR, with articles 12 and 13, 15, 17, 18, and 21 and 28 GDPR is retained. the maximum amount of the fine in the specific case, as provided for in article 83.5 is therefore €20,000,000. 115. As regards, among other things, breaches of a fundamental right, enshrined in Article 8 of the Charter of Fundamental Rights of the European Union, their seriousness will be assessed, as the Litigation Chamber has already had the opportunity to point out, in support of Article 83.2.a) of the GDPR, independently. 116. In conclusion, in view of the elements developed above specific to this case, the Chamber Litigation considers that the aforementioned breaches justify that as a sanction effective, proportionate and dissuasive as provided for in Article 83 of the GDPR and taking into account assessment factors listed in Article 83.2. GDPR and the respondent's reaction to the envisaged sanctions form, a compliance order accompanied by a fine administrative order in the amount of 7,500 euros (article 100.1, 13° and 101 LCA) be pronounced at against the defendant. 117. The amount of 7500 euros remains in view of these elements proportionate to the shortcomings denounced. This amount also remains well below the maximum amount provided for by Article 83.5 GDPR, of 20,000,000 euros (see above). 118. This amount is justified for the reasons set out above, including the fact that the defendant immediately processed the complainant's mailboxes without any time limit. 119. The Litigation Chamber is of the opinion that a lower amount of fine would not meet, case, the criteria required by section 83.1. of the GDPR according to which the administrative fine must not only be proportionate, but also effective and dissuasive. These elements constitute a specification of the general obligation of Member States under Union law, Decision on substance 46/2022 - 28/28 European Union, based on the principle of sincere cooperation (article 4.3 of the Treaty on European Union European). 120. Given the importance of transparency regarding the decision-making process of the Chamber Litigation and in accordance with Article 100, § 1, 16° of the LCA, this decision is published on the website of the Data Protection Authority by deleting the data identification of the parties, since these are neither necessary nor relevant in the context of of the publication of this decision. FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority issues, after deliberation: - On the basis of article 100, § 1, 9° of the LCA, a compliance order as worded supra, including the establishment of a charter as set out in point 56 - Based on article 83 of the GDPR and articles 100, 13° and 101 of the LCA, a fine from 7500 EUR er Under Article 108, § 1 of the LCA, this decision may be appealed to of the Court of Markets within thirty days of its notification, with the Data Protection Authority as defendant. (Sr.) Hielke Hijmans President of the Litigation Chamber