APD/GBA (Belgium) - 115/2022
From GDPRhub
| APD/GBA - 115/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(c) GDPR Article 6(1) GDPR Article 6(4) GDPR Article 9(2) GDPR Article 9(4) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 16.03.2020 |
| Decided: | 19.07.2022 |
| Published: | 26.07.2022 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 115/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | APD/GBA (in FR) |
| Initial Contributor: | Jette |
The Belgian DPA held that discussing a data subjects health related personal data in a staff meeting where she is absent and consequently including this in the minutes of the meeting does not have a legal basis.
English Summary
Facts
The controller is the data subject´s manager at her job. During a meeting where the data subject was not present, the controller announced her departure and read out a document issued by the company docter, stating that she was unfit to work. This statement was also incuded in the minutes of that meeting, which were then saved on the controller´s server, freely accessible to all its staff. This included staff from other departments.
When the data subject discovered this, she filed a complained against the controller with the Belgian DPA for unlawfully disclosing health related personal data to third parties.
The controller argued that the communication of the data subject's health related data in the meeting and its includement in the minutes were based on her consent.
Holding
The DPA noted that writing minutes is a processing activity that falls under Article 4 GDPR#2.
The DPA held that the controller did not have a lawful basis for processing the data subject's health related data and violated Article 5 GDPR#1b juncto Article 6 GDPR#4 and Article 9 GDPR#2.
The DPA was not able to verifify wether the minutes were actually made available on the controllers server. It noted that if this was the case, this would constitute as an additional processing activity and the previous findings of the infringement also apply.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/13
Litigation Chamber
Decision on the merits 115/2022 of 19 July 2022
File number: DOS-2020-01492
Subject: Complaint relating to the communication of data relating to the health of employees
(staff movements – declaration of incapacity) - reprimand
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman, and Messrs. Jelle Stassijns and Romain Robert, members, taking over the business
in this composition;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter "GDPR";
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter
ACL);
Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to
processing of personal data (hereinafter LTD);
Having regard to the internal regulations as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The complainant: X, hereinafter "the complainant".
The Respondent: Y, hereinafter "the Respondent", Decision on the Merits 115/2022 - 2/13
I. Facts and procedure
1. On March 16, 2020, the complainant lodged a complaint with the Authority for the Protection of
data (APD) against his immediate superior, Mr Z, director at Y,
defendant.
2. Under the terms of her complaint, the complainant denounces the disclosure of personal data
about her health by her manager at a department meeting at which she
was not present. In concrete terms, the complainant reports that she was contacted by telephone by
some of her colleagues who wanted to hear from her, she realized
that during the meeting of his service on February 18, 2020 - i.e. the service (....) of Y -, the
Director Z had announced his departure as well as read the document issued by Cohezio to
destination of the defendant stating her inability to work in the future in india
the defendant.
3. It appears from the documents in the file that on February 7, 2020, a prevention adviser – doctor
du travail de Cohezio informed the defendant of the plaintiff’s inability to occupy
any position within it. This information was passed on internally by the resources
to the general management of the defendant who informed the director of the service
concerned, Mr Z.
4. On April 29, 2020, the APD Front Line Service (SPL) reminded the Complainant that
the GDPR applies to the processing of personal data, automated, in whole or in
in part, as well as the non-automated processing of data contained in or intended to appear
in a file. If these conditions are not met (for example, specifies the SPL, if it is
questionofthevoicetransmissionofpersonalinformationthatdoesnotcomefrom
of a database or a file and which are not intended to be saved there), 1
the DPA is not competent. The SPL concludes at this stage that in the event of this
complaint under which the complainant denounces only oral remarks, the complaint will be
declared inadmissible and the file closed, unless there is a new element on the part of the complainant.
5. On April 30, 2020, the complainant reported to the SPL that the information given during the meeting
mentioned above was recorded in the minutes of this service meeting. She produces this
minutes and adds that this is communicated by e-mail to all members
department (present or absent at the meeting, i.e. 17 people). It is moreover
stored on the defendant's server with free access and thus made accessible to
1The Litigation Chamber here draws the reader's attention to its decision 143/2021 of December 22, 2021 under the terms of
which she insisted on the fact that "in order to achieve the intended purpose - to recruit only candidates who have been vaccinated
- the response to the verification of the vaccination status which is carried out orally during the application interview involves
necessarily a processing of personal data. It is hardly conceivable that no treatment
does not intervene, especially given the size of the hospital network which employs thousands of collaborators". In other words, the
Chambre Litigation specifies that personal data communicated orally must be protected by the
GDPR when they are (necessarily) required to appear in a file, for example recorded in a file
or in a meeting minutes as in this case., Decision on the merits 115/2022 - 3 /13
all the members of its personnel, including departments other than that in
where the complainant worked.
6. The minutes of the meeting produced by the complainant mention in particular the following:
as far as she is concerned: her absence for several weeks, the fact that she was the subject of
of a report by Cohezio, the fact that she was declared unfit for work within the
defendant by Cohezio and the fact that she will no longer work with the
defendant.
For the rest, the part of the minutes concerning the complainant relates the announcement of her
departure and mentions that colleagues have wondered about the allocation of his office, on
their personal effects and on the future recruitment of a replacement for the position
which she occupied.
7. On September 30, 2020, after further examination, the complaint was declared admissible by the SPL
on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the Chamber
Litigation under Article 62, § 1 of the LCA.
8. On October 13, 2020, the Litigation Chamber decides, pursuant to Article 95, § 1, 1° and
article 98 of the LCA, that the case can be dealt with on the merits.
9. On the same date, the parties concerned are informed by registered letter of the
provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are
also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their
conclusions, i.e. November 25, 2020 and January 8, 2021 respectively for the
submissions in response and reply of the defendant on the one hand and on December 17
2020 for the submissions in response of the complainant on the other hand.
10. A copy of the file (art. 95, §2, 3° LCA) is sent to the parties by means of this same
letter of October 13, 2020.
11. By return email of October 13, 2020, the defendant agrees to receive
all case-related communications electronically.
12. This e-mail sent directly to the Litigation Chamber by the director Z implicated
by the complainant further states the following:
Mr. Z indicates that with regard to the complaint against him, he wishes
bring to the attention of the Litigation Chamber that in the context of the meeting of
service mentioned, he informed the entire team of the movements in
personnel matters. Aware of the delicate nature of the situation of the
complainant and in order to avoid any discussion or rumor about her departure from the
management and, more broadly, of the defendant, he reports that it seemed to him relevant
to use the same terms as those used by the General Secretariat (management
General) of the Respondent., Decision on the Merits 115/2022 - 4/13
He specifies that he was never in possession of the medical diagnosis of the complainant
and that it is on the basis of a note between the Human Resources Department and the
General Management of the defendant, and in particular of the terminology used in
Article 410 of the Civil Service Code (unsuitability), which he informed the
co-workers in his management.
He adds that his intention was to remain as factual as possible in order to avoid any
form of interpretation of the situation and that in no case did it intend to
harm the complainant or disseminate confidential information concerning her.
On the contrary, he continues, he wished to be able to ensure maximum serenity to the
within his team.
On October 28, 2020, Mr Z will send the same message to the Litigation Chamber,
these messages being worth “conclusions” for the defendant (see below points 22 et seq.).
13. On December 15, 2020, the Litigation Chamber received the conclusions in reply of the
complainant. The complainant highlights that it is not disputed that Mr. Z read the
document sent by Cohezio mentioning his inability to perform his duties during the
service meeting on the one hand and which he has also validated, according to the internal procedure which
requires, the provision of the minutes of the meeting on the server of the
defendant on the other hand. The complainant further adds that her manager could have
announce his departure to his colleagues without mentioning the reason for this departure or asking him
his possible consent to the communication of this sensitive data.
14. The Litigation Division did not receive any submissions in reply from the
defendant and none of the parties requested a hearing within the meaning of Article 93 of the LCA
and Article 51 of the Internal Regulations (RoI) of the APD as they had been
invited to do so if they so wish via the aforementioned letter of October 13, 2020 from the
Litigation Chamber.
II. Motivation
As for the identification of the data processing in question
15. As the SPL recalled in its letter of April 29, 2020 to the complainant's address
(point 4), the GDPR - whose DPA is responsible for ensuring the correct application - applies
2
Art. 410. § 1. Subject to Article 412 and by way of derogation from Article 405, a staff member shall be granted leave without
time limits: 1° when his illness is caused by an accident at work, by an accident occurring on the way to
work or by an occupational disease; 2° when the agent has been removed from his post following a decision
of the occupational physician noting his inaptitude to occupy a post (referred to in article 2 of the royal decree of 28 May
2003 relating to the surveillance of workers' health – AGW of 18 October 2012, art. 31) and that no work of
replacement could not be assigned to him. (…) Version in force of 1 January 2020:, Decision on the merits 115/2022 - 5 /13
“to the processing of personal data, automated in whole or in part, as well as
only to the non-automated processing of personal data called upon to appear in
a file" (article 2.1 of the GDPR).
16. It is not disputed that the comments made orally by Director Z during the meeting
of service that their recording in the minutes of this meeting constitute
personal data relating to the complainant. Section 4.1. of the GDPR defines in
effect of personal data as being “any information relating to a
identified or identifiable natural person”. The information that the
complainant (cited by name – see point 6) had been absent for several weeks, had
was the subject of a Cohezio report, had been declared unfit for work and would no longer work
with the defendant in the future are indeed information which makes it possible to
identify it, in this case directly.
17. The Litigation Chamber further notes that the information that the complainant has
been declared unfit for work by the well-being and prevention at work service
also constitutes data relating to the complainant's health within the meaning of article 4.15
of the GDPR.
18. The Litigation Chamber recalls in this regard that the GDPR has opted for a broad definition
health data. Article 4.15 of the GDPR thus defines the data relating to
health as "personal data relating to the physical health or
mental health of a natural person, including the provision of health care services, which
reveal information about that person's state of health. Recital 35 of the
GDPR which sheds light on this definition confirms the choice of a broad concept and not
restrictive. The information that the complainant was declared unfit for work by
professionals whose mission is specifically to assess the capacity of
workers to perform their job, certainly does not reveal the physical or mental pathology
from which the plaintiff suffers. Such a service is indeed not authorized to reveal a
any medical diagnosis or any other consideration of a medical nature
that the mere information that the employee is unable or no longer able to exercise his
functions is sufficient for the purpose pursued: either to allow the employer to derive the
3
It is the Litigation Chamber which underlines.
4Recital(35): Personal data relating to health should include all data
relating to the state of health of a data subject which reveal information about the state of physical or
mental past, present or future of the person concerned. This includes information about the natural person
collected during the registration of this natural person in order to benefit from health care services or during the
provision of these services within the meaning of Directive 2011/24/EU of the European Parliament and of the Council1 for the benefit of this
Physical person; a specific number, symbol or element assigned to a natural person to identify him from
unique way for health purposes; information obtained during the testing or examination of a part of the body or a
bodily substance, including from genetic data and biological samples; and any information
regarding, for example, illness, disability, risk of illness, medical history, clinical treatment
or the physiological or biomedical condition of the data subject, regardless of its source, whether by
exampleofadoctororotherhealthprofessional,ahospital,amedicaldeviceoradiagnostictest
in vitro., Decision on the Merits 115/2022 - 6/13
consequences in terms of the rights of the employee, possible departure/reclassification,
staff movements etc. This incapacity information does not reveal less
information relating to the complainant's state of health and must therefore be considered
as personal data relating to his health within the meaning of Article 4.15 of the
GDPR.
19. Along the same lines, the other information recorded in the minutes (such as
identified in point 15) relating to the long absence of the complainant and the fact that she
is the subject of a report by Cohezio also constitute, and for the same reasons,
health data.
20. The material scope of the GDPR further requires that there be “processing” of
personal data within the meaning of Article 4.2 of the GDPR, this processing being defined
as “any operation or set of operations whether or not performed using processes
automated and applied to personal data or sets of data
such as the collection, recording (…), communication by transmission, dissemination
or any other form of provision, (…)”.
21. In this case, the Litigation Chamber therefore considers that the recording in writing of the
aforementioned information relating to the complainant (point 15) - including in particular her incapacity
-, in the minutes of the meeting (which was communicated to the Litigation Chamber
as part) is a processing of personal data within the meaning of Article
4.2 of the GDPR subject to its application in execution of its article 2.
22. The availability of the minutes of the service meeting is not
challenged by Mr Z in the writings he sent to the Litigation Chamber (point
12). However, the Litigation Chamber was not able to verify materially
that these meeting minutes have indeed been made available to the staff of the
defendant through mail and on its server. Sitelshould be the case, this provision
of the complainant's personal data is additional processing which
is added to the recording of these data in the minutes drawn up and saved
electronically and the following findings of violation also apply to it.
Regarding the identification of the data controller
23. The Litigation Chamber notes that under the terms of the complaint form filed, the
complainant directs her complaint directly against her supervisor,
Mr. Z. It nevertheless mentions his status as director within the
Respondent., Decision on the Merits 115/2022 - 7 /13
5
24. The Litigation Chamber has already had the opportunity to point out that it is often complex to
the complainant to correctly identify the data controller with regard to the
treatment(s) that he denounces, these notions being legally defined in articles 4.7
of the GDPR and probably difficult to understand by a person not versed in the
matter.
25. The Litigation Chamber recalls here that a data controller is defined
“the natural or legal person or any other entity which alone or jointly with
others, determines the purposes and means of the processing of personal data
personnel” (article 4.7 of the GDPR). It is an autonomous concept, specific to the
data protection regulations, the assessment of which must be made at the
starting from the criteria it sets out: the determination of the purposes of the data processing
concerned as well as that of the latter's means.
26. In its Guidelines 07/2020, the European Data Protection Board
(EDPS) states that if the data controller may, under the terms of the aforementioned definition
of section 4.7. of the GDPR, of course being a natural person, in practice, it is
usually the organization itself, not a person within it
(such as the general manager, an employee or a member of the board of directors), who acts
as a controller within the meaning of the GDPR. Indeed, even though it has
certainly a certain autonomy in the exercise of its functions, it is in this case
not Director Z as such who determines the purposes and means of processing
but the organization in which he works. Except to exceed its functions - this
which has not been demonstrated in this case - he is not responsible for processing. Bedroom
Contentious therefore considers that it is the defendant, and not one of its directors, who is
the data controller since it is up to the defendant to determine the
purposes and means of the processing carried out within it.
27. Accordingly, the Litigation Division sent the invitation to conclude on April 8, 2020 both to
plaintiff than to the defendant as data controller.
Regarding the compliance of the processing with the GDPR
28. Any processing of personal data must be based on one of the databases
lawfulness provided for in Article 6.1 of the GDPR. Regarding the processing of categories
particular data such as data relating to health as in the present case (points
16-17), the lawfulness condition referred to in Article 6.1 of the GDPR only applies if Article 9.2 of the
GDPR provides a specific derogation from the general prohibition on processing categories
particulars of Article 9.1. In other words, when data within the meaning of Article 9
5
See. for example decisions 81/2020 and 76/2021 of the Litigation Chamber.
6 European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of responsible
of processing and processor in the GDPR, adopted on July 7, 2021 (version after public consultation) available
here: https://edpb.europa.eu/system/files/2022-02/eppb_guidelines_202007_controllerprocessor_final_fr.pdf, Decision on the merits 115/2022 - 8 /13
of the GDPR are processed, their processing must find a basis in article 9.2 of the GDPR read
in conjunction with Article 6.1. of the GDPR.
29. Since the defendant processed data relating to the complainant's health, the
processing of such data should, as just mentioned, find a
based on Article 9.2 of the GDPR, read in conjunction with Article 6.1. of the GDPR.
30. In the present case, the plaintiff does not dispute the lawfulness of the processing by the defendant of
the information that, at the end of the Cohezio report, she was declared unfit for
work. The Litigation Chamber recalls that in addition to the fact that the lawfulness of the processing must
be based on a combined reading of Articles 6.1. and 9.2. of the GDPR, article 9 of the LTD
also applies in this case when data relating to health are
processed.
7
The national legislator has provided that in execution of Article 9.4 of the GDPR, the person responsible
of the treatmenttakesthefollowingadditionalmeasureswhenparticularlyduringthetreatment
health data:
1° the categories of persons having access to the personal data,
are designated by the controller or, where applicable, by the data processor.
treating, with a precise description of their function in relation to the treatment of
targeted data. This requirement translates the “need to know” principle according to which
only persons for whom the processing of this data is necessary to
performance of their duties are authorized to do so;
2° the list of the categories of persons thus designated is made available
of the competent supervisory authority by the controller or, where appropriate
where applicable, by the subcontractor;
3° it ensures that the designated persons are bound by a legal obligation
or statutory, or by an equivalent contractual provision, in compliance with the
confidentiality of the data concerned.
31. What is disputed by the complainant is the subsequent communication of information
relating to his health to colleagues in his department as well as to all the staff of the
defendant by making the minutes of the meeting available on the server.
32. As it has already had occasion to specify in other decisions, the Chamber
Litigation recalls here that the processing of personal data carried out for
purposes other than those for which the personal data was
collected initially cannot be authorized in accordance with article 5.1. b) GDPR that
7
Article9.4. :Member States may maintain or introduce additional conditions, including limitations,
with regard to the processing of genetic data, biometric data or data concerning health.
8See. for example decision 80/2022 of the Litigation Chamber and the references cited., Decision on the merits 115/2022 - 9 /13
if it is compatible with the purposes for which the personal data were
were originally collected.
9
33. In view of the criteria set out in Article 6.4. of the GDPR and in recital 50, it is appropriate to
verify whether the subsequent processing – in this case the communication of said information
to other staff to inform them about staff movements
- is or is not compatible with the purpose of the initial processing.
34. In this case, the Litigation Division notes that this subsequent communication pursues
an objective distinct from the primary purpose, which was to receive information and to
process at the level of human resources departments for personnel management purposes
(end of the employment relationship, granting of rights, possible redeployment/mobility, etc.) At this
respect, only certain persons are, in the exercise of their specific function,
authorized to receive this information, particularly given its sensitivity
and its impact for the data subject and the principle of data minimization
(proportionality - article 5.1.c) of the GDPR).
35. The Litigation Division concludes in this case that this subsequent communication is not
not compatible with the original purpose. This communication does not meet expectations
reasonableness of the person concerned. Given the specific legal framework of which the
processing of information processed by Cohezio (personal data relating to
to health) is subject to (limitation of recipients, lack of precise diagnosis), the person
concerned – here the complainant – cannot reasonably expect that these same
data are, on the contrary, communicated widely beyond the only persons
having a functional need to know them. Data sensitivity collides
also to broadly designed compatibility.
36. It follows that there is no question of compatible further processing so that a
separate legal basis was required for said communication to be qualified as
10
lawful.
37. Processing of personal data, including further processing
incompatible as in the present case, is in fact lawful only if it is based on a basis of lawfulness
own. Recital 50 of the GDPR 11 is explicit in this regard. These legal bases
9Recital 50 of the GDPR: [...] In order to establish whether the purposes of further processing are compatible with those for
which the personal data was initially collected, the controller, after having
complied with all requirements relating to the lawfulness of the initial processing, should take into account, inter alia: any link between these
purposes and purposes of the intended further processing; the context in which the personal data was
collected, in particular the reasonable expectations of the persons concerned, according to their relationship with the
responsible for the processing, as to the subsequent use of said data; the nature of the personal data;
the consequences for data subjects of the intended further processing; and the existence of appropriate safeguards
both as part of the initial treatment and as part of the planned subsequent treatment.
10In the same direction see. the substantive decision 03/2021 of January 13, 2021 of the Litigation Chamber, point 14
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-03-2021.pdf.
11
Recital 50 of the GDPR: The processing of personal data for purposes other than those for
which the personal data was originally collected should only be allowed if compatible, Decision on the merits 115/2022 - 10/13
distinct are those defined in article 6.1. of the GDPR and, where applicable, when it comes to
of data relating to health as in the present case, of Article 9.2. GDPR read
in conjunction with its article 6.1.
38. The Respondent itself does not cite any basis of legality and the Chamber
Litigation could confine itself to this finding. The Litigation Chamber is however of the opinion
that the complainant's communication of (health) data cannot in this case be based
on no basis of proper lawfulness,
39. The Litigation Division certainly does not question the will or the legitimacy of
the defendant to inform its employees of staff movements. In this
meaning, the Litigation Chamber has already stated in its decision 63/2021, that it is appropriate,
within the framework of personnel policy, to inform employees of such
movements. However, to comply with the principle of data minimization
(proportionality) of the data, it is sufficient that this communication remains limited to the
factual communication of the fact that the person concerned, such as the complainant here, is no longer
in service.
40. Regarding the assumptions of Article 9.2. read in conjunction with Article 6.1. of the GDPR, the
Litigation Chamber finds that
- said communication to other members of staff and its recording in a
minutes of the meeting are not based on the consent of the complainant, although
on the contrary (article 9.2. a) of the GDPR) and this, even assuming that it can constitute
a valid basis of lawfulness in the context of the professional relationship which binds it to the
defendant, quod non;
- said communication to other members of staff and its recording in a
minutes of the meeting cannot be considered necessary for the purposes of
the execution of the obligations and the exercise of the rights specific to the person in charge of the
treatment or the complainant in matters of labor law, social security and
social protection (article 9.2. b) of the GDPR);
- this communication to other staff members and its recording in a
meeting minutes are not necessary to safeguard vital interests
of the complainant (article 9.2. c) of the GDPR);
- communication and recording in meeting minutes are not
carried out by a foundation, an association or any other non-profit organization
lucrative and pursuing a political, philosophical, religious or union purpose,
in the context of their legitimate activities (article 9.2. d) of the GDPR);
with the purposes for which the personal data was originally collected. In this case, none
separate legal basis from that which allowed the collection of personal data will be required. [...], Decision on the merits 115/2022 - 11 /13
- the communication and recording in the minutes of the meeting do not relate
on personal data which would obviously have been made
public by the complainant (Article 9.2. e) of the GDPR);
- communication and recording in the meeting minutes are not
necessary for the establishment, exercise or defense of legal claims or
whenever courts act within the framework of their judicial function
(article 9.2. f) of the GDPR);
- communication and recording in the meeting minutes are not
necessary for reasons of important public interest (Article 9.2. g) of the GDPR);
- communication to other staff members and recording in the
meeting minutes are not necessary for the purposes of preventive medicine
or occupational medicine, the assessment of the worker's ability to work,
medical diagnoses, health or social care, or management
health care or social protection systems and services on the basis of
Union law, the law of a Member State or under a contract concluded with a
healthcare professional (article 9.2. h) of the GDPR);
- this communication and the recording in the minutes of the meeting are not
necessary for reasons of public interest in the field of public health, such as
that protection against serious cross-border threats to health, or
for the purpose of ensuring high standards of quality and safety in healthcare
and medicines or medical devices (Article 9.2. i) of the GDPR);
- communication and recording in the meeting minutes are not
necessary for archival purposes in the public interest, for research purposes
scientific or historical or for statistical purposes (Article 9.2. j) of the GDPR).
41. In the absence of a basis of lawfulness legitimizing the processing complained of (subsequent incompatible)
of the complainant's data, the Litigation Chamber concludes that the defendant has
violates Articles 5.1.b) juncto 6.4 and 9.2. read in conjunction with Article 6.1. of the GDPR.
The complainant's data were indeed the subject of further processing incompatible
with the specified, lawful and legitimate purposes for which they were initially
collected, without being able to rely on a basis of proper lawfulness.
Regarding corrective measures and sanctions
42. Under Article 100 LCA, the Litigation Chamber has the power to:
1° dismiss the complaint without follow-up;
2° order the dismissal;
12
See. footnote 11 above.
13Article 5.1.b) of the GDPR., Decision on the substance 115/2022 - 12 /13
3° order a suspension of the pronouncement;
4° to propose a transaction;
5° issue warnings or reprimands;
6° order to comply with the data subject's requests to exercise these rights;
(7) order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of processing;
9° order the processing to be brought into conformity;
10° order the rectification, the restriction or the erasure of the data and the notification of
these to the recipients of the data;
11° order the withdrawal of accreditation from certification bodies
12° to issue periodic penalty payments;
13° to impose administrative fines;
14° order the suspension of cross-border data flows to another State or a
international body;
15° forward the file to the public prosecutor's office in Brussels, which informs it of the
follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Authority of
Data protection.
43. It is important to contextualize the breaches for which the defendant is responsible
with a view to identifying the most appropriate corrective measures and sanctions.
44. In view of the breach of Article 5.1.b) juncto 6.4 and 9.2. read in conjunction with Article
6.1. of the GDPR noted in point 41, the Litigation Chamber is of the opinion that the measure
adequate remedy is to issue a reprimand to the defendant. Like the
defendant is a public authority within the meaning of Article 221, § 2, of the LTD, the Chambre
Litigation is not competent to impose any fine on it. Bedroom
Contentious also invites the defendant to raise awareness among its staff
so that similar situations do not occur in the future.
45. In addition, the Litigation Division also notes that in support of the breaches
found in this decision, it is for the defendant to take, in its capacity
of data controller, the measures necessary to restrict or even eliminate
henceforth the dissemination of information relating to the health of the complainant and as identified
in points 17 and 19 with regard to third parties. In line with what it states in point 39 above,
only the information covered by the certificate issued by Cohezio relating to the absence and
reason for absence (inaptitude) are concerned here; the statement – reformulated if necessary - of
that the Complainant will no longer be in service with the Respondent may stand., Decision on the Merits 115/2022 - 13/13
III. Publication of the decision
45. Given the importance of transparency regarding the decision-making process of the Chamber
Litigation, this decision is published on the website of the Protection Authority
data (APD). However, it is not necessary for this purpose that the data
identification of the parties are directly mentioned.
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority decides, after deliberation:
- Pursuant to Article 100 §1, 5 of the LCA, to formulate a reprimand against the
defendant.
In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days of its notification, to the Court of Markets (court
d'appel de Bruxelles), with the Data Protection Authority as defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code. The interlocutory motion must be
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 15
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).
(Sr.) Hielke HIJMANS
President of the Litigation Chamber
14The application contains on pain of nullity:
(1) indication of the day, month and year;
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
Business Number;
3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
(4) the object and summary of the grounds of the application;
(5) the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.
15The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.
