APD/GBA (Belgium) - 18/2023
APD/GBA - 18/2023 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 02.03.2023 |
Published: | 02.03.2023 |
Fine: | n/a |
Parties: | A care home (the controller) Mrs. X (the data subject) |
National Case Number/Name: | 18/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Autorité de Protection des Données (in FR) |
Initial Contributor: | n/a |
An employer has no legal obligation to inform its staff of the identity of an employee who requested an intervention following harassment. This processing was considered unlawful, even though the identity of the employee was publicly available.
English Summary
Facts
A nursing home employee (the data subject) made a request for psychosocial intervention for abuse and harassment by the employer's management. Psychosocial intervention is a procedure, under Belgian labor law, aiming to address psychosocial issues raised by employees in workplaces with the help of a neutral and external advisor. In this case, the external advisor issued an opinion recommending to take individual and collective measures. The employer (controller) subsequently posted a note on a wall of the workplace entitled "Information for our staff following the formal complaint for violence and moral harassment lodged by Mrs X against the board + collective measures for the improvement of relations and general organisation" indicating that the employee made that request. The controller also wrote an open letter to its staff mentioning her name, explaining that she made that request.
On 16 January 2023, the data subject requested access to her data in order to know what the legal basis was for processing her personal data. The controller explained that it had an obligation to share to external advisor's recommendation regarding the collective measures and that the identity of the originator of the request was anyways publicly available. The data subject contested the controller's right to publish her personal data and, therefore, filed a complaint with the Belgian DPA on 23 January 2023.
Holding
The DPA argued that there was no legal obligation for an employer to publish the collective or individual measures included in an opinion issued by the external advisor.
The note posted by the controller on the wall mentioned the name and surname of the data subject. The DPA noted that these data were not communicated for the purpose of publishing the collective or individual measure but for information purposes. The controller could not, therefore, rely on a request, or even an obligation, from the external advisor to publish the data subject's first and last name and, thus, could not rely on Article 6(1)(c) for the processing in question.
The controller's second justification that the identity of the data subject as the originator of the request for intervention was already known to the staff was not valid as publicly available data are considered personal data as long as they are relating to an identifiable individual. Thus, the provisions of the GDPR applied to this case. In this way, even if the employees of the controller were aware of the origin of the request for action, the controller still had to rely on a legal basis to process the data subject's personal data, even when publicly available.
Finally, the DPA conducted the balancing test to see whether the legal basis of legitimate interest could be invoked but the processing did not fulfil the three cumulative criteria.
Therefore, the DPA held that the controller did not process the data of the data subject lawfully (violation of Article 5(1)(a) GDPR and Article 6(1) GDPR). It thus warned the controller that the publication of the names of the data subject in an open letter to the staff without a legal basis could result in a breach of Article 5(1)(a) GDPR and Article 6(1) GDPR, it ordered the controller to comply with the data subject’s request of erasure of her personal data in a timely manner and no later than 30 days from the publication of that decision.
Comment
This decision aimed at informing the alleged controller of the fact that it may have breached the GDPR and thus enabling it to comply with the GDPR requirements.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/9 Litigation Chamber Decision 18/2023 of March 2, 2023 File number: DOS-2023-00435 Subject: Complaint relating to the publication in the workplace of the first and last name of a employee who submitted a request for formal psychosocial intervention The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, chairman; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the data protection), hereinafter “GDPR”; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter “ACL”; Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019; Considering the documents in the file; Made the following decision regarding: The complainant: Ms. X, hereinafter “the complainant”; . . . The defendant: the rest home Y, hereinafter: “the defendant”. Decision 18/2023 – 2/9 I. Facts and procedure 1. The subject of the complaint concerns the publication of the surname and first name of the complainant in a note and a letter, both accessible at the complainant's workplace. The plaintiff is an employee of the defendant, the rest home Y. As part of her work, the complainant submitted a request for formal psychosocial intervention to of the external adviser in the prevention of psychosocial aspects, Z, for acts of violence and moral harassment. In this context, the external advisor gave an opinion to the defendant. This opinion would recommend the adoption by the defendant of collective measures and individual vis-à-vis the complainant. Following this notice, the defendant would have published on a wall of the nursing home a note identifying the complainant, by her first and last name, as the person who submitted the request for formal psychosocial intervention (below the note). Subsequently, the defendant again identified the defendant by his first and last name in an open letter to the staff of the rest home (hereafter the open letter). The plaintiff thus challenges the defendant's right to publish its personal data. 2. On 23 January 2023, the complainant lodged a complaint with the Authority for the Protection of given against the defendant. 3. On January 27, 2023, the complaint was declared admissible by the Front Line Service on the 1 basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber st 2 pursuant to Article 62, § 1 of the LCA. 4. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the rules of order inside the DPA, a copy of the file may be requested by the parties. If one of parties wishes to make use of the possibility of consulting the file, the latter is required to contact the secretariat of the Litigation Chamber, preferably via the address litigationchamber@apd-gba.be. II. Motivation 5. According to Article 4.7 of the GDPR, the controller is the “natural person or legal entity, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing”. Since the parts of the file provided by the complainant were either signed by the defendant or written 1 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has been declared admissible. 2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following of this complaint, the file was forwarded to him. Decision 18/2023 – 3/9 on their behalf, the Litigation Chamber finds that the person responsible for the disputed processing would be the management of Y, the defendant. 6. The Litigation Chamber recalls that the surname and first name are personal data personal within the meaning of Article 4.1 of the GDPR. This is information about a identified or identifiable natural person (in this case, the complainant) allowing directly identify the data subject. The publication of these personal data staff in a note posted on the wall of the institution where the complainant works therefore does not constitute processing within the meaning of Article 4.2 of the GDPR. of personal data is subject to the general principles as defined in Article 5 of the GDPR, the data controller being required to ensure that these principles generals are respected. 3 7. On the basis of Article 5(1)(a) GDPR, personal data must be "processed in a lawful, fair and transparent manner with regard to the person concerned (lawfulness, fairness and transparency)". The principle of lawfulness of article 5.1.a of the GDPR implies that the data controller must designate one of the permitted legal bases by Article 6, paragraph 1 of the GDPR on the basis of which he wishes to carry out the processing of personal data. 8. The bases of lawfulness of Article 6.1 of the GDPR are the following: “1. Processing is only lawful if and insofar as at least one of the conditions following is fulfilled: a) the data subject has consented to the processing of his or her personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is party or the execution of pre-contractual measures taken at the latter's request; c) processing is necessary for compliance with a legal obligation to which the controller treatment is submitted; d) the processing is necessary to protect the vital interests of the person concerned or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or falling within the the exercise of official authority vested in the controller; f) the processing is necessary for the purposes of the legitimate interests pursued by the controller processing or by a third party, unless the interests or freedoms and 3Article 5.2 of the GDPR. Decision 18/2023 – 4/9 fundamental rights of the data subject which require data protection of a personal nature, in particular when the person concerned is a child. » 9. It appears from the documents in the file that the complainant exercised her right of access to the defendant on January 16, 2023 in order to know the legal basis of the processing in question. In its response of January 18, 2023 and its open letter, the defendant does not cite explicitly of the legal bases of Article 6.1 of the GDPR but justifies such publication for two reasons: (1) the obligation to publish the recommendations and (2) the public nature of the origin of the complaint. 10. As for the first justification, the Litigation Chamber notes that the execution of a possible request from the external psychosocial prevention adviser cannot be based on a legal obligation. Indeed, there is no legal obligation on the part of a employer to publish the collective or individual measures included in a notice issued by the external prevention adviser. Moreover, in the letter, the defendant indicates that the obligation imposed by Z related to the publication of the collective measures. However, the note posted by the management on the walls of the nursing home is entitled “Information for our staff following the formal complaint for violence and moral harassment filed by Mrs. X against management + collective measures for the improvement of relations and general organization” (the Litigation Chamber underlines). The complainant is again identified in the memorandum under the subtitle “Conclusionconcerningthecomplaint”: “Advisor prevention of occupational medicine (Z) did not reveal any violence or moral harassment on the part of the management towards Mrs X”. 11. On the basis of these elements, the Litigation Division finds that the surname and first name of the complainant have not been communicated for the purpose of publishing the collective measures, or even individual. The only measurements published are the collective measurements and do not do not concern the complainant. The identity of the complainant in adequacy communicated only as informative. The defendant could then not rely on a request, or even a obligationoftheexternalpsychosocialpreventionadvisortopublishfirstnameandsurname of the complainant. The defendant could therefore not rely on Article 6.1.c of the GDPR for the disputed treatment. 12. The defendant's second justification resides in the fact that the identity of the complainant as being at the origin of the request for intervention would already be known to the staff of Y. The external adviser would have carried out a survey among the workers of the institution during which the workers would have had the opportunity to express themselves on the 4See article 32sexiesdecies, paragraph 1 of the law of 4 August 1996 on the well-being of workers during the performance of their work with regard to the prevention of psychosocial risks at work including, in particular, violence and moral harassment or sexual at work, as amended by the law of February 28, 2014, where the employer is only obliged to send the written notice by the prevention counselor and the person concerned by the request for formal psychosocial intervention and the person having submitted the request for formal psychosocial intervention. Decision 18/2023 – 5/9 ongoing dispute between the plaintiff and the defendant. The fact that the complainant is the person who requested the intervention of an external adviser would be in a way a information already public. 13. With regard to the processing of publicly accessible data, the European Committee for data protection reminded “that personal data, even if they are been made public, remain considered as personal data and that their processing therefore continues to require appropriate safeguards”. The treatment of publicly accessible personal data must therefore also meet the principle of lawfulness recalled in points 7 and 8. Even if the employees of the institution of defendant knew the origin of the request to intervene, the defendant must rely on a legal basis to process the personal data of the complainant, certainly publicly accessible. 14. Given the nature of the processing in question, the Litigation Chamber considers that the legal bases provided for in Article 6 of the GDPR do not seem to apply in the species. For the sake of completeness, the Litigation Chamber nevertheless examines whether the data processing could be based on the basis of lawfulness of the legitimate interest provided for in Article 6.1.f of the GDPR. 15. As recalled by the Litigation Chamber in its decision 35/2020, pursuant to Article 6.1.f of the GDPR and the case law of the Court of Justice, three conditions cumulative must be met for a data controller to be able to validly rely on this legal basis, “namely, first, the pursuit of an interest legitimate by the data controller or by the third party or third parties to whom the data is communicated, secondly, the need for the processing of personal data personnel for the achievement of the legitimate interest pursued and, thirdly, the condition that the fundamental rights and freedoms of the person concerned by the protection of data do not prevail”. 7 16. In order to be able to invoke the ground of lawfulness of “legitimate interest” under Article 6.1.f of the GDPR, the controller must demonstrate, in other words, that: 1) the interests he pursues with the processing can be recognized as legitimate (the “purpose test”); 5European Data Protection Board (or EDPB), opinion 06/2014 on the notion of legitimate interest pursued by the data controller within the meaning of Article 7 of Directive 95/46/EC, p. 43. 6 Litigation Chamber, decision 35/2020 of June 30, 2020, points 26 and 27, available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-35-2020.pdf 7 CJEU, judgment of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde t. Rīgas pašvaldības SIA “Rīgas satiksme”, C-13/16; ECLI: EU:C:2017:336, para. 28-31; CJEU, judgment of December 11, 2019, TK v. Asociaţia de Proprietari block M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064, para. 40. Decision 18/2023 – 6/9 2) the envisaged processing is necessary for the realization of these interests (the “criterion of need ") ; And 3) the balancing of these interests with the fundamental interests, freedoms and rights of data subjects leans in favor of the controller or a third party (the “balancing test”). 17. With regard to the first condition, the Litigation Chamber notes, according to the documents of the file and more particularly its letter to the complainant of January 18, 2023, that the defendant justifies the publication of the identity of the complainant by, on the one hand, the fact that staff members reportedly inquired about the results of the investigation carried out by the external adviser Z and, on the other hand, his desire to show that no act of violence or harassment would have been observed on his part. Since the legitimacy processing can be interpreted broadly, the Chamber considers that the purposes which consist of informing the staff of an opinion of the external adviser and defending its reputation, must be considered as pursuing a legitimate interest. The first requirement included in Article 6.1.f of the GDPR is therefore fulfilled. 18. With regard to the second condition (the “necessity test”), it should be demonstrate that the processing is necessary for the achievement of the purposes pursued. This means more precisely that one must ask oneself if the same result not be achieved by other means, without processing personal data or without processing that is unnecessarily burdensome or intrusive for the data subjects. 19. Based on the purposes mentioned in point 17, it should therefore be checked whether the publication surnames and first names of the complainant may or may not contribute to informing staff about the existence of acts of violence and moral harassment on the part of the defendant. There Litigation Chamber considers that the publication of the surname and first name of the complainant is not strictly necessary for the pursuit of such purposes. Indeed, the mere mention the results of the external counsel's investigation, without containing the identity of the complainant, was sufficient for this purpose. The second condition is therefore not met. 20. The three conditions for invoking legitimate interest as a legal basis being cumulative, the Litigation Chamber does not analyze the balancing criterion because the disputed treatment does not meet the requirements of the necessity test. 21. The defendant could therefore not invoke Article 6.1.f of the GDPR to justify the publication of the surname and first name of the complainant in the note and the letter in question. presenting no legal basis for the disputed processing, the defendant does not seem to respect the principle of lawfulness prescribed by articles 5.1.a and 6.1 of the GDPR. 8 "Article 29" Working Party on data protection, Opinion 06/2014 on the notion of legitimate interest pursued by the data controller within the meaning of Article 7 of Directive 95/45/EC, p. 27. Decision 18/2023 – 7/9 22. The Litigation Chamber therefore considers that on the basis of the facts set out above, it must be concluded that the defendant may have committed a violation of the principle of legality prescribed by Article 5.1.a and 6.1 of the GDPR, which justifies, in this case, proceeding to making a decision in accordance with Article 95, § 1, 4° of the ACL, more specifically to warn the defendant that the publication of the surname and first name of the complainant in open notes or letters to staff without a legal basis could constitute a breach of er article 5.1.a and article 6.1 of the GDPR, as well as, in accordance with article 95, §1, 5° of the ACL, to order it to comply with the complainant's request to delete the data at personal nature of the complainant of the note and the open letter, and this in particular seen: - The information note displayed concerning the psychosocial intervention and the letter opened in response to the letter from the CNE regional secretary, presumably written by the defendant, in which the plaintiff is identified; - The complainant's reply letter to the registered letter of January 18, 2023 presumably written by the defendant, in which the defendant would explain the legal bases of the disputed processing in non-legal terms. 23. This decision is a prima facie decision taken by the Litigation Chamber pursuant to Article 95 of the LCA on the basis of the complaint submitted by the complainant, 9 within the framework of the “procedure prior to the substantive decision” and not a decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA. 24. The purpose of this decision is to inform the defendant, allegedly responsible for the processing, because it may have violated the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions. 25. If, however, the defendant does not agree with the content of this decision prima facie and believes that it can make factual and/or legal arguments that could lead to another decision, it may send the Litigation Chamber a request for treatment on the merits of the case via the e-mail address litigationchamber@apd- gba.be, within 30 days of notification of this decision. The case applicable, the execution of this decision is suspended for the period aforementioned. 26. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their conclusions and attach to the file all the documents they deem useful. If applicable, the this decision is permanently suspended. 9Section 3, Subsection 2 of the ACL (Articles 94 to 97 inclusive). Decision 18/2023 – 8/9 27. With a view to transparency, the Litigation Division finally emphasizes that a dealing with the case on the merits may lead to the imposition of the measures mentioned in section 100 of the ACL. 10 III. Publication of the decision 28. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the website of the Protection Authority Datas. However, it is not necessary for this purpose that the identification data of the parties are communicated directly. FOR THESE REASONS, the Litigation Chamber of the Data Protection Authority decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with to articles 98 e.s. of the ACL: - pursuant to Article 58.2.a) of the GDPR and Article 95, § 1, 4° of the LCA, to notify the defendant FOR THE FUTURE THAT THE PUBLICATION OF THE NAME AND FIRST NAME OF THE COMPLAINANT in open notes or letters to staff without a legal basis could constitute a violation of Article 5.1.a and Article 6.1 of the GDPR. - pursuant to Article 58.2.c) of the GDPR and Article 95, §1, 5° of the LCA, to order the defendant to comply with the plaintiff's request to delete the disputed personal data, as soon as possible and at the latest within 30 days of notification of this decision. 10Art. 100. § 1. The litigation chamber has the power to 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the data ; 11° order the withdrawal of accreditation from certification bodies; 12° to issue periodic penalty payments; 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 18/2023 – 9/9 In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged, within thirty days of its notification, to the Court of Markets (court d'appel de Bruxelles), with the Data Protection Authority as defendant. Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code. The interlocutory motion must be filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 12 via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.). (Sé). Hielke H IJMANS President of the Litigation Chamber 11The request contains on pain of nullity: (1) indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or Business Number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; (4) the object and summary statement of the means of the request; (5) the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer. 12The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by letter recommended to the court clerk or filed with the court office.