APD/GBA (Belgium) - 159/2022
APD/GBA - 159/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 5(1)(b) GDPR Article 5(1)(e) GDPR Article 5(2) GDPR Article 12(3) GDPR Article 17(1)(a) GDPR Article 24 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 28.09.2022 |
Decided: | 07.11.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 159/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | GBA (in FR) |
Initial Contributor: | n/a |
The Belgian DPA warned an employer and ordered it to comply with an erasure request from a former employee, whose pictures and function were still displayed on its website almost 7 months after her dismissal.
English Summary
Facts
In September 2022, more than six months after her dismissal, a former employee (data subject) informed her former employer (controller) that she no longer wanted to be pictured on its website. The website included both photos of the data subject alone and group photos with the data subject. Some of these photos also mentioned the position the data subject held in the company. The data subject stated that the controller had not responded favourably to the request. The data subject filed a complaint with the Belgian DPA on 28 September 2022.
Holding
The DPA first reiterated that contact details, such as surname, first name, position and photograph, were personal data (Article 4(1) GDPR) and that the publication of this data on the website was processing (Article 4(2) GDPR). It also reiterated that, according to Article 5(1)(b) GDPR, all processing must pursue a specific, explicit and legitimate purpose. The controller should also implement appropriate technical and organisational measures to ensure that the processing is GDPR compliant. It should also be able to demonstrate this. It should have regard for the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of individuals, which vary in probability and severity. The DPA stated that because the data subject was no longer an employee, the purpose of the processing was no longer valid after her dismissal. Therefore, the personal data had to be erased as soon as this data was no longer necessary for the purposes for which they were processed (Article 5(1)(b) and 5(1)(e) GDPR). The DPA stated that this data had to be deleted by the controller on its own initiative, without the data subject asking for deletion. The DPA determined that the controller is only entitled to keep data if this retention is justified for the purpose of processing (Articles 5(1)(b) and 5(1)(e) GDPR). When personal data are no longer necessary for the purpose, the controller must erase the data in question or make it anonymous. However, this is not necessary when the controller processes the same data for a different GDPR compliant purpose. According to the DPA, the data subject can in general use their right of erasure (Article 17 GDPR) to verify whether the controller has complied with this obligation. The DPA held that under Article 17(1)(a) GDPR, the data subject has the right to obtain from the controller the erasure of personal data relating to them as soon as possible.
If the data subject has not made a request, the controller is obliged to erase personal data as soon as possible when the personal data are no longer necessary for the purposes. The DPA also reiterated that under Article 12(3) GDPR, the controller is obliged to provide the data subject with information on the measures taken in response to a request made pursuant to Article 17(1)(a) GDPR. The information has to be provided as soon as possible and in any case within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests made by the data subject to the controller. Based on the above, the DPA stated that ideally, an erasure request should result in the erasure of personal data within one month (Articles 12(3) and 17(1)(a) GDPR). However, the DPA stated that a distinction had to be made between the one-month reaction period (Article 12(3) GDPR) and the actual deletion of personal data, which may require a longer time because of the complex technical and operational implications of deletion. In the present case, the DPA determined that when a staff member leaves the company, the controller should make an effort to remove the following as soon as possible from its website/social network page: the identity, function and photograph(s) of the data subject. The DPA stated that a few weeks or a month at most were adequate timeframes to remove these identifiers. It also stated that a procedure should be put in place for staff departures and other data protection issues. If the controller does not delete the data on its own initiative, it should act as soon as possible when it receives an erasure request. The DPA considered that the deletion period could vary depending on the nature of the controller.
This was the case both for the deletion period for own-initiative erasures by the controller and for an erasure request made by a data subject (Article 17(1)(a) GDPR), whether the controller is an SME as in this case or a larger company with its own website manager. A more or less rapid erasure by the controller could also be justified depending on the nature of the function and the context of the departure of the staff member. In the present case, the controller should be particularly diligent, because the photographs were targeted: the one of the data subject in which her function was mentioned as well as the one showing the controller's team. The one-month period in Article 12(3) GDPR must be respected, the controller being able, where appropriate, and as indicated above, to state that it has given instructions for such erasure to take place or to indicate that such erasure will take place at an earlier date. In the present case, the DPA determined that it did not appear that the controller deleted the data subject’s personal data after her dismissal. It also did not appear that the controller reacted to the data subject’s erasure request, which was submitted almost seven months after her dismissal. Therefore, the DPA determined that there seemed to be a lack of a procedure in place to deal with these types of situations and requests. The DPA stated that there had at least been a lack of follow-up in this case. The personal data remained visible on the website for 7 months. The DPA deemed this period ‘a priori excessive’. The DPA ordered the controller to comply with the erasure request of the data subject (Article 95(1)(5) LCA) and issued a warning on the basis of Article 95(1)(4) LCA.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision 159/2022 of November 7, 2022
File number: DOS-2022-03933
Subject: Complaint relating to the maintenance of the mention of the identity of a former employee, her function and photographs on the Internet pages of a company
The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke Hijmans, chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter ACL);
Having regard to the Rules of Procedure as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The complainant: Mrs. X, hereinafter “the complainant”;
The defendant: SPRL Y, hereinafter: “the defendant”.
I. Procedural feedback, facts and subject of the request
1. The plaintiff filed a complaint with the Data Protection Authority (APD) on 28 September 2022.
2. On October 6, 2022, the Front Line Service (SPL) of the APD declared the complaint admissible and forwarded it to the Litigation Chamber.
3. According to her complaint, the complainant indicates that she worked for the defendant until February 2022, when she was fired.
4. On September 1, 2022, more than 6 months after her dismissal, the complainant indicated by email to the defendant that she no longer wished to appear as a member of its staff on its website. The "Our team" section of this site showed an individual photo of the complainant with the job title “….” what worked with her as well as a group photo of the defendant's team (4 people), including the complainant. The complainant produces the said email of September 1, 2022.
5. The complainant indicates that as of the date of the filing of her complaint on September 28, 2022, no favorable response had been given to her request to take the necessary steps so that she no longer appears as a staff member on the defendant's site. In her complaint, she asks the DPA to remind the defendant of its obligations.
II. PLACE
6. The Litigation Chamber recalls that the contact details of a natural person such as his surnames, first names, his function as well as his photograph constitute personal data within the meaning of Article 4.1 of the GDPR. This is indeed information relating to an identified or identifiable natural person (the "data subject"), here the complainant, who can be directly identified from this information.
7. The publication of such data on the defendant's website constitutes processing within the meaning of Article 4.2. of the GDPR.
8. Pursuant to Article 5.1.b) of the GDPR, all processing must pursue a determined, explicit and legitimate purpose (principle of purpose).
9. In its capacity as data controller, it is the responsibility of the defendant, given the nature, scope, context and purposes of the processing as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons, to implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR (Articles 5.2. and 24 of the GDPR).
10. The Litigation Chamber is of the opinion that since the complainant no longer worked for the defendant, the purpose of the processing of the aforementioned data concerning her by the latter, which aimed to inform Internet users of who works with it and with what function, ended with the departure of the complainant. This extinction of the purpose has the automatic consequence – that is, without it being required that the data subject (here the complainant) so requests – of the erasure of this data as soon as it is no longer necessary in relation to the purposes for which it was processed (Article 5.1.b) and (e) GDPR). 1
1 See also decision 62/2021 of the Litigation Chamber.
11. Indeed, by virtue of the combination of the principles of purpose (article 5.1.b) of the GDPR) and limitation of data retention (article 5.1.e) of the GDPR), the controller is only entitled to store the data for as long as this storage is justified in view of the purpose of the processing. Hence, as soon as the personal data are no longer necessary for the pursuit of this purpose, the controller must erase the data in question, or, at the very least, anonymize them, unless it processes these same data for a distinct purpose that it can legitimately pursue in compliance with the GDPR. The right to erasure as provided for in Article 17.1.a) of the GDPR explicitly recognizes the right of data subjects to verify that the controller has complied with this obligation.
12. Under Article 17.1.a) GDPR, the data subject has the right to obtain from the data controller the erasure, as soon as possible, of personal data concerning her. In the absence of having done so spontaneously (see points 10 and 11 above), the data controller has the obligation to erase this personal data as soon as possible when the personal data are no longer necessary in relation to the purposes for which they were processed.
13. Pursuant to Article 12.3. of the GDPR, the controller is required to provide the data subject with information on the measures taken following a request made pursuant to Articles 15 to 22 of the GDPR (thus including a request for erasure on the basis of Article 17.1.a) of the GDPR), as soon as possible and in any case within a period of one month from the receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests sent by the person concerned to the processing manager.
14. The Litigation Chamber is of the opinion that it results from the combination of articles 12.3. and 17.1.a) of the GDPR that ideally, the request for erasure submitted by the person concerned on the basis of Article 17.1.a) of the GDPR should be followed by an erasure of the data within one month. However, the Litigation Chamber considers that, depending on the concrete context in which the request for erasure is made, a distinction can be made between:
a. the one-month reaction period (article 12.3. of the GDPR) under which the controller informs the data subject of the action it intends to take (or not) on the request, on the one hand, and
b. the concrete erasure of the data, which could require a longer period of time given the complex technical and operational implications associated with this deletion, on the other hand.
15. In the event of the departure of a staff member, as in this case, the Litigation Chamber is of the opinion that the data controller must make every effort to delete, as quickly as possible and on its own initiative, the identity, function and photographs of that person from its website/social media page presenting that person as being part of its staff when this is no longer the case. A procedure should be put in place in the event of the departure of staff members for this purpose in the same way as other data protection issues that need to be resolved on this occasion. 2 A few weeks, or a month at most, seems adequate. Absent such initiative, the data controller receiving a request for erasure must, a fortiori, react as soon as possible.
2 See for example decision 64/2020 of the Litigation Chamber.
16. This period within which the erasure must occur spontaneously, as well as this "best time" referred to in Article 17.1.a) of the GDPR, may vary depending on the controller concerned, whether it is an SME as in the present case or a larger company which has its own website manager. The nature of the function and the context of the departure of the staff member concerned may also justify a more or less rapid erasure. In the case of a targeted photograph such as the one of the complainant in respect of which her function was mentioned as well as that presenting the defendant's team, the data controller will ensure that it is particularly diligent. The one-month period referred to in Article 12.3. of the GDPR must meanwhile be respected, the data controller being able, if necessary, and as indicated above, to explain that it has given instructions for this deletion to take place or to indicate that this deletion will take place at an early date.
3 The Litigation Chamber considers that this photo representing only 4 people working for the defendant remains a targeted photo of the plaintiff.
17. In this case, in support of the documents produced by the complainant, the Litigation Chamber notes that the data controller appears not to have erased the complainant's data after her dismissal in February 2022. It does not seem to have reacted either to the request made nearly 7 months later, on September 1, 2022, by the complainant, whether in the form of a response as to the measures taken or envisaged with regard to her request or in the form of an effective deletion of the data on its site. The Litigation Chamber therefore considers that there seems to be an absence of procedure put in place to manage this type of situation and request or at the very least a lack of follow-up in this case.
18. In other words, it seems that, at a minimum, the complainant's data remained visible on its website for 7 months (between the dismissal in February 2022 and the filing of the complaint on September 28, 2022), a period that the Litigation Chamber judges to be a priori excessive.
19. In the light of the foregoing and on the basis of all the elements of the file of which it has knowledge and the powers attributed to it by the legislator under article 95.1. LCA, the Litigation Chamber therefore decides to address to the defendant an order to comply with the complainant's request for erasure based on article 95.1.5° of the ACL as well as a warning based on article 95.1.4° of the ACL.
As for the order to comply with the complainant's request for erasure (article 95.1.5° of the ACL)
20. It follows from the foregoing paragraphs that the defendant did not effectively follow up on the complainant's request for erasure. Admittedly, the formal request dates from September 1, 2022 and the complaint was lodged on September 28, 2022, i.e. less than a month after the September 1 request. The Litigation Chamber has been able to observe, in consulting the page of the defendant's website, that on the date of this decision the photograph of the 4-person team, including the complainant, was still on the site. The names, position and individual photograph of the complainant were, however, removed between September 28, 2022 and the date of this decision.
21. In support of the foregoing, the Litigation Chamber decides to order the defendant to fully comply (thus including the deletion of the team photograph) with the complainant's request to exercise the right to erasure, in execution of article 95.1.5° of the LCA.
Regarding the warning (article 95.1.4° of the LCA)
22. The Litigation Chamber also considers that, in support of the above analysis, it must be concluded that in the prima facie absence of:
a. a procedure put in place relating to the erasure of the data of staff members leaving the company, as well as
b. a procedure aimed at responding to a request for erasure within the time limits required respectively by Articles 12.3 and 17.1.a) of the GDPR, or
c. at least, effective follow-up of the complainant's request within the required deadlines in this case,
there is a risk of breach of the GDPR by the defendant as soon as it would be confronted in the future with other departures of employees and a situation comparable to that which is the subject of the plaintiff's complaint.
23. Therefore, this risk of violation justifies that the Litigation Chamber address to the defendant a warning within the meaning of Article 58.2.a) of the GDPR on the basis of Article 95.1.4° of the LCA and invites it to put in place a procedure to prevent situations comparable to that which is the subject of the present proceedings from occurring in the future.
24. For the rest, the Litigation Chamber argues that given the limited impact of these violations (points 20-22), it is not necessary to deal with the case on the merits.
25. As already mentioned, this decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 of the LCA – more particularly on the basis of articles 95.1.5° and 95.1.4° of the LCA - on the basis of the only complaint filed by the complainant and the supporting documents provided in support thereof, as part of the "procedure prior to the substantive decision". It is therefore not a decision on the merits within the meaning of Article 100 LCA.
26. The purpose of this decision is to inform the defendant, allegedly responsible for the processing, that it may have violated the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions.
27. Therefore, if the defendant does not agree with the content of this prima facie decision and believes that it can make factual and/or legal arguments that could lead to another decision, it can send to the Litigation Chamber a request for processing on the merits of the case via the e-mail address litigationchamber@apd-gba.be, within 30 days of notification of this decision. If necessary, the execution of this decision will be suspended during the aforementioned period.
28. In the event of further processing of the case on the merits pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties, namely the plaintiff and the defendant, to introduce their arguments in the form of submissions and to attach to the file all the documents they deem useful. decision will be permanently suspended.
29. The Litigation Division also informs the parties that the procedural file relating to the complaint leading to this decision may, pursuant to Article 95.2., 3° of the ACL, be requested, preferably by sending an e-mail to the Registry of the Litigation Chamber.
30. Finally, in a concern for completeness and transparency, the Litigation Chamber points out that an examination of the case on the merits may lead to the imposition of measures referred to in Section 100 of the ACL. 4
4 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the data recipients; 11° order the withdrawal of accreditation from certification bodies; 12° to issue periodic penalty payments; 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, which informs it of the follow-up given to the case; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
III. Publication of the decision
31. Given the importance of transparency regarding the decision-making process of the Litigation Chamber, this decision is published on the DPA website. However, it is not necessary for this purpose that the identification data of the parties be directly mentioned.
FOR THESE REASONS,
The Litigation Division of the Data Protection Authority (APD) decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with articles 98 et seq. of the ACL:
- pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the LCA, to order the defendant to comply with the plaintiff's request to exercise her rights, more precisely her right to erasure relating to the team photograph (article 17.1.a) of the GDPR), as soon as possible and at the latest within 30 days of the notification of this decision;
- to order the defendant to inform, by e-mail, the Data Protection Authority (Litigation Chamber) of the follow-up given to this decision, within the same period of 30 days, via the e-mail address litigationchamber@apd-gba.be; and
- if the defendant does not comply in good time with what is requested of it above, to deal ex officio with the case on the merits, in accordance with articles 98 et seq. of the ACL.
- pursuant to Article 58.2.a) of the GDPR and Article 95.1, 4° of the LCA, to also send to the defendant a warning regarding the absence of a procedure in case of departure of a staff member with regard to the processing of his data and the respect of the period prescribed by article 12.3. of the GDPR to respond to a request to exercise the right to erasure.
Under Article 108.1 LCA, this decision may be appealed to the Market Court (Brussels Court of Appeal) within 30 days of its notification, with the Data Protection Authority (DPA) as defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code (C. jud.). The interlocutory motion must be filed with the registry of the Market Court in accordance with article 1034quinquies of the C. jud., or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).
(se). Hielke Hijmans
President of the Litigation Chamber
5 The request contains on penalty of nullity: 1° indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or business number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the object and summary statement of the means of the request; 5° the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer.
6 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or deposited at the registry.