APD/GBA (Belgium) - 135/2023
From GDPRhub
| APD/GBA - 135/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 6(1) GDPR Article 13(1)(c) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 21.09.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 135/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | APD (in NL) |
| Initial Contributor: | n/a |
The Belgian DPA issued a warning in response to violations of Articles 5(1)(b) and 5(1)(c) GDPR, Article 6(1) GDPR and Article 13(1)(c) GDPR committed by an employer, who had continued to use their employee’s e-mail address for company purposes following the termination of the employment contract.
English Summary
Facts
The complaint concerned the unlawful use of the data subject's former employee e-mail account. The data subject was an employee of the controller until 30 April 2023.
On 9 May 2023, an email was sent without the data subject's knowledge from their former employee e-mail address, informing the controller’s clientele that the data subject was no longer employed with them and of the new contact point.
Following the email of 9 May 2023, the data subject’s work e-mail was still active and its contents were being read. The data subject discovered this and on 8 July 2023, requested the controller to delete their former employee e-mail. The data subject received no response to their request.
On 17 July 2023, the data subject filed a complaint with the Belgian DPA.
Holding
The Belgian DPA found a breach of Articles 5(1)(b) and 5(1)(c) GDPR, Article 6(1) GDPR and Article 13(1)(c) GDPR.
Firstly, the Belgian DPA found that there had been a violation of the principles of data minimisation (Article 5(1)(c) GDPR) and purpose limitation (Article 5(1)(b) GDPR) as the data subject’s e-mail account remained active and in-use following the termination of the employment relationship on 30 April 2023 and following the e-mail of 9 May 2023. The controller, following these two events, continued to access, use and send e-mails to external persons from the data subject’s e-mail address.
Secondly, the Belgian DPA found a breach of Article 6(1) GDPR and Article 13(1)(c) GDPR. The DPA found that the controller could not seek to rely on Article 6(1)(b) GDPR as a legal basis, because the processing continued following the termination of the employment contract. Moreover, neither could the controller rely on Article 6(1)(f) GDPR as a legal basis. Keeping the mailbox active after the termination would only have been legitimate for the purposes of Article 6(1)(f) GDPR, if this was done during the transition period following the end of the employment contract “…so far as this is limited to the automatic transmission of standard communications concerning the departure of the employee, with a view to ensuring the proper functioning of the company and the continuity of its services.” However, the DPA noted that this could have only been done in a GDPR-compliant manner if the data subject was informed as per the requirements under Article 13 GDPR. In the present instance, the data subject was neither informed of the continued use of his e-mail account or the e-mail of 9 May 2023, and the controller continued to use the data subject’s e-mail account beyond the transition period.
In response to the violations of Articles 5(1)(b) and 5(1)(c) GDPR, Article 6(1) GDPR and Article 13(1)(c) GDPR, the DPA issued a warning.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/9
Dispute Chamber
Decision 135/2023 of September 21, 2023
File number: DOS-2023-03073
Subject: The alleged unlawful use of the former business
employee email account
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainant: Mr X, hereinafter “the complainant”
The defendant: Y, hereinafter “the defendant” Decision 135/2023 — 2/9
I. Facts and procedure
1. The subject of the complaint concerns the alleged unlawful use of the
complainant's former work email account.
2. Complainant was an employee of the defendant until April 30, 2023. On May 9, 2023, an e-mail was sent
email sent from the complainant's former work email account (…) to the
clientele of the defendant to inform them of the new employment of
complainant and to appoint a new contact person in this regard. The email became
sent in the capacity of the complainant himself, although he indicates that he has nothing to do with this
to have made, nor to have given his consent.
3. On May 17, 2023 and June 26, 2023, the complainant allegedly found that his old mailbox was still
always existed and that its contents were read. Reply to emails to this email
email address would be answered from another account (no answer will follow
from(..) ).
4. On July 8, 2023, the defendant is given notice of default by the complainant. In this notice of default
also becomes a request to delete his former business mailbox
included. At the time of filing the complaint, the complainant does not have any
may receive a response from the defendant.
5. On July 17, 2023, the complainant files a complaint with the Data Protection Authority against
the defendant.
6. On July 20, 2023, the complaint will be declared admissible by the First Line Service on the grounds
of Articles 58 and 60 WOG and the complaint is filed on the basis of Article 62, § 1 WOG
transferred to the Disputes Chamber.
II. Justification
7. The elements in this case are divided into two different processes. On the one hand it is
there is a failure to delete the complainant's former business mailbox and the
alleged access to this by the defendant, on the other hand there is the matter of sending
of the email on May 9, 2023 by the defendant on behalf of the complainant, using
from his business mailbox.
As for failure to delete the mailbox and gain access to it
provided by the defendant:
8. On the basis of the elements in the file that are known to the Disputes Chamber, and on the basis
of the powers granted to it by the legislature on the basis of Article 95, § 1 WOG
assigned, the Disputes Chamber will decide on the further follow-up of the file; in this case Decision 135/2023 — 3/9
the Disputes Chamber will proceed to dismiss these aspects of the complaint
in accordance with Article 95, § 1, 3° WOG, on the basis of the following justification.
9. If a complaint is dismissed, the Disputes Chamber will make its decision
1
to motivate gradually and:
- to issue a technical dismissal if the file does not exist or is insufficient
contains elements that could lead to a conviction, or if there is insufficient
there is a prospect of a conviction due to a technical obstacle,
which prevents her from reaching a decision;
- or declare a policy rejection, if despite the presence of elements
that could lead to a sanction, the continuation of the investigation
dossier does not seem appropriate in the light of the priorities of the
Data Protection Authority, as specified and explained in the
2
dismissal policy of the Disputes Chamber.
10. In the event of dismissal on more than one ground, the grounds for dismissal (resp.
3
technical dismissal and policy dismissal) should be treated in order of importance.
11. In the present file, the Disputes Chamber will dismiss this case
aspects of the complaint, on the basis of a policy grounds for dismissal. A complaint will not be filed
sufficiently supported by documentary evidence, allowing the Dispute Chamber to accept the
considers it undesirable to take further action on these aspects of the file and therefore
decides not to proceed, inter alia, to a hearing on the merits.
12. The Disputes Chamber establishes that the defendant prima facie has not complied with all the provisions of the
Dispute chamber regarding the management of e-mail accounts of former employees
seems to have been complied with, although a processing of the business mailbox is in principle
lawful. According to the Disputes Chamber, it is to the controller
the holder of the mailbox who has terminated his position, at the latest on the day of his actual
departure with an automatic message. Decision 133/2021 expressly states
inform that “this automatic message warns all subsequent correspondents that the
the person concerned no longer performs his position within the company and provides the
contact details of the person (or general email address) who should take his place
will be contacted during a reasonable period (a priori 1 month).Depending
1st
Brussels Court of Appeal, Market Court Section, 19 Chamber A, Chamber for Market Affairs, judgment 2020/AR/329, September 2, 2020,
p. 18.
2In this context, the Disputes Chamber refers to its dismissal policy as explained in detail on the GBA website:
https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf
3
Cf. Title 3 – In which cases is my complaint likely to be dismissed by the Disputes Chamber? from the
dismissal policy of the Disputes Chamber.
4Cf. decisions 64/2020 and 133/2021.
5Cf. decision 46/2020, legal basis. 29 et seq. and decision 133/2021 para. 56 et seq. Decision 135/2023 — 4/9
of the contexts and in particular the degree of responsibility that the person concerned exercises,
a longer period may be permitted, ideally no longer than three months. The
extension must be done with the consent of the person concerned or at least after
has been informed of the extension.”
13. In summary, it can be said that the controller is a
transition period of one month in principle, after which it will receive the e-mail address and the
mailbox of the data subject must be deleted, unless mutually agreed upon
controller and ex-employee other agreements have been made in this regard
6
bandage . The complainant provides two documents in support of the allegation
must demonstrate that in this case the mailbox was not closed in time and even here
still had access to laundry by the defendant on May 17, 2023 and June 26, 2023. The Disputes Chamber
notes, however, that these documents do not sufficiently assist the Disputes Chamber
to decide whether or not there has been a violation of the GDPR. This is because of the
next reason; it concerns email traffic in which not all emails are included (complainant
seems to have extracts of emails pasted under each card).Can be seen from the emails
that the defendant's clients were confused about who they should contact. However,
The Disputes Chamber cannot automatically conclude from this that the mailbox still existed
and the defendant took note of its contents. Some of the pieces
added by the complainant are said to be emails addressed to (…) , after which
defendant would have responded from a different email address. However, the
Disputes Chamber determines that neither the original email nor the sender(s)
of these were provided by the complainant in the documents, resulting in the complete exchange
and a concrete indication that a response followed from the defendant to an e-mail that
was purely addressed to the complainant's business mailbox is missing. The Disputes Chamber eight
These documents are too suggestive and not sufficiently convincing to establish that there is
a violation of the GDPR has occurred.
14. Due to this lack of supporting evidence, the Disputes Chamber is forced to
the complaint, with regard to the current existence of the former business mailbox
6
In its recommendation CM/Rec (2015)5 on the processing of personal data in the context of the employment relationship,
the Committee of Minister of the Council of Europe in principle 14.5 the following: when an employee his or her job
leaves, the employer must take technical and organizational measures to ensure that the email from the
employee is automatically deactivated. If the contents of the email must be requested for good
functioning of the organization, the employer must take appropriate measures to retrieve the contents of the email
before the employee's departure and, if possible, in his presence. The explanation accompanying the recommendation states further
(para 122) that in these situations where the employee leaves the organization, the employer retains the account of the former
employee must deactivate so that there is no longer access to the former employee's communications after his
departure. If the employer wishes to recover the contents of the employee's account, the employer must take the necessary steps
to take steps before the employee's departure, preferably in his presence. This sectoral recommendation that
and completes the Convention for the Protection of Individuals with regard to Automated Processing
personal data (STE108), illustrates how the principles regarding purpose limitation, minimal data processing
proportionate retention, which are confirmed in both this Treaty and the GDPR, should be applied. Decision 135/2023 — 5/9
to dismiss, although she recommends that, if this has not yet happened in the meantime,
still to be adjusted.
With regard to the email dated May 9, 2023 that was sent on behalf of the complainant:
15. The documents in this file show that the complainant's former business email address
was still active within the defendant's organization on May 9, 2023, while the
cooperation had already ended on April 30, 2023 and the complainant had no information
received information about the further use of his mailbox and email address. Although the indicative
period of one month after termination of the complainant's activities at the moment
sending of the e-mail in question had not yet expired, which could possibly be the case
it is stated that the principle of storage limitation has been complied with (the contrary is stated).
in any case not proven), the Disputes Chamber must nevertheless determine that both
purpose limitation principle as the principle of data minimization was by no means established
respected because the defendant was able to gain access after the complainant's departure
to the complainant's mailbox, has also used it and to the
messages were sent to external parties using the complainant's email address
persons.
16. This leads the Disputes Chamber to suspect that the defendant has committed an infringement
committed under Article 5.1.b) and Article 5.1.c) GDPR.
17. Furthermore, the Disputes Chamber must determine that there is no legal basis for this
processing was. It is true that the mailbox can, in view of the legitimate interest of
defendant in accordance with the terms of Article 6.1.f) of the GDPR,
remain active in this regard for a certain period after the complainant's resignation
this is limited to the automatic sending of standard communications regarding the
departure of the employee, with a view to ensuring the proper functioning of the
company and the continuity of its services. This is of course only possible provided the
other provisions of the GDPR regarding the legal basis are also respected,
in particular article 13.1.c) GDPR, from which it follows that before starting the
processing activities, it must be determined which legal basis applies, and
in connection with which specific purpose, with the obligation for the
controller to inform the complainant thereof.
18. It does not appear prima facie from the file that the defendant informed the complainant
processed on the legal basis and on the basis of his consent. Consequently, it has
The defendant processes the complainant's personal data against his expectations. In this
In this connection, reference must also be made to the judgment of the Court of Cassation dated 20
May 2019, which stipulates that no one may intentionally learn of its existence
7In this context, reference can also be made to a judgment of the Court of Cassation. Decision 135/2023 — 6/9
of information of any kind that is sent electronically and that is not personal
intended for him, if permission has not been obtained from everyone
other persons directly or indirectly involved.
19. Finally, reference should also be made to the legal basis contained in Article 6.1.b) GDPR,
on the basis of which processing can take place if it is necessary for the
execution of an agreement. In this case, this cannot be relied on either,
as the complainant had already terminated his contractual employment relationship with the respondent
on April 30, 2023.
20. Based on the above analysis, the Dispute Chamber assumes that the
defendant has committed an infringement of the provisions of the GDPR, which
justifies that in this case a decision is made on the basis of
Article 95, §1, 4° of the WOG, more specifically to formulate a warning with regard to
from the defendant with regard to the email dated May 9, 2023 that was sent from
name of the complainant. The documents submitted do not in any way show that the defendant op
systematically and purposefully processes personal data of data subjects without
appropriate legal basis and without informing the data subjects. Accordingly, the
Disputes Chamber does not need to impose other sanctions
defendant. The Disputes Chamber determines that the defendant has violated the articles
5.1.a), b) and c), and Articles 6.1 GDPR in conjunction with Article 13.1.c) GDPR.
21. This decision is a prima facie decision taken by the Disputes Chamber
in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant
9
complaint, in the context of the “procedure prior to the decision on the merits” and none
decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.
The Disputes Chamber has thus decided on the basis of Article 58.2.a) GDPR and Article 95, §1,
4° of the WOG, to formulate a warning regarding the defendant, for what
concerns the unlawful processing of personal data that took place in the
in the context of broadcasting the email dated May 9, 2023 that was sent on behalf of the
complainant.
22. The purpose of this decision is to inform the defendant of the fact that this
has committed an infringement of the provisions of the GDPR and has the opportunity to do so
still agree to comply with the aforementioned provisions.
23. However, if the defendant does not agree with the content of this prima facie statement
decision and is of the opinion that it can apply factual and/or legal arguments
that could lead to a different decision, this can be done via the e-mail address
8See judgment HvC, S.17.0089.F, 20 May 2019, ECLI:BE:CASS:2019:ARR.20190520.5.
9Section 3, Subsection 2 of the WOG (Articles 94 to 97). Decision 135/2023 — 7/9
litigationchamber@apd-gba.be send a request to hear the merits of the case
to the Disputes Chamber within thirty days after notification of
the decision. The implementation of this decision will be carried out if necessary
suspended for the aforementioned period.
24. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits
of the case may lead to the imposition of the measures referred to in Article 100 of the
10
WOG .
III. Publication and communication of the decision
25. Considering the importance of transparency with regard to decision-making
Dispute Chamber, this decision will be published on the website of the
Data Protection Authority. On the other hand, it is not necessary that the
identification details of the parties are disclosed directly.
26. In accordance with its deposit policy, the Disputes Chamber will issue the decision to the defendant
to transfer . After all, the Disputes Chamber has decided to dismiss its decisions
ex officio to the defendants. However, the Dispute Chamber decided not to do so
such a notification when the complainant has requested anonymity in this regard
of the defendant and the notification of the decision to the defendant, even if
10Article 100, §1 WOG: “The Disputes Chamber has the authority to:
1° to dismiss a complaint;
2° to order the dismissal of prosecution;
3° order the suspension of the ruling;
4° to propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° to order that the person concerned is informed of the security problem.
8° order that processing be temporarily or permanently frozen, restricted or prohibited;
9° to order that the processing be brought into compliance;
10° the rectification, restriction or deletion of data and its notification to the recipients of the data
recommend data;
11° order the withdrawal of the recognition of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° the suspension of cross-border data flows to another State or an international institution
command;
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the outcome
that is given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the
Data Protection Authority.
11Cf. Title 5 – Will the dismissal of my complaint be published? Will the other party be informed of this?
of the dismissal policy of the Disputes Chamber. Decision 135/2023 — 8/9
it is pseudonymised, nevertheless makes it possible to contact the complainant
(re)identify . However, this is not the case in the present case.
FOR THESE REASONS ,
the Disputes Chamber of the Data Protection Authority decides, after deliberation,
to:
- the current complaint to the extent to which it relates to the removal
of the mailbox on the basis of Article 95, § 1, 3° of the WOG.
- issue a warning to the controller
as regards the lack of the principles of purpose limitation and minimum
data processing, as stated in articles 5.1.b) and c) GDPR, and a
to issue a warning regarding the lack of legal basis, such as
stated in articles 6.1 and 5.1.a) in conjunction with article 13.1.c) GDPR.
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notice, an appeal against this decision will be filed with the Market Court (court of
appeal Brussels), with the Data Protection Authority as defendant.
Such an appeal can be lodged by means of an inter partes petition
13
must contain information listed in Article 1034ter of the Judicial Code. It
an objection petition must be submitted to the registry of the Market Court
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit
IT system of Justice (Article 32ter of the Judicial Code).
12
Ibid.
13The petition states, under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
summoned;
4° the subject matter and brief summary of the grounds of the claim;
5° the judge before whom the claim is brought;
6° the signature of the applicant or his lawyer.
14
The petition with its attachment will be sent by registered letter in as many copies as there are parties involved.
deposited with the clerk of the court or at the registry. Decision 135/2023 — 9/9
To enable the complainant to consider other possible remedies, the
Disputes Chamber will refer the complainant to the explanation in its dismissal policy. 15
(get). Hielke H IJMANS
Chairman of the Disputes Chamber
15Cf. Title 4 – What can I do if my complaint is closed? of the dismissal policy of the Disputes Chamber.
