APD/GBA (Belgium) - 41/2023

From GDPRhub
APD/GBA - 41/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 6(1)(f) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 14.04.2023
Published: 18.04.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 41/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Décision 41/2023 (in FR)
Initial Contributor: Matthias Smet

The Belgian DPA dismissed a complaint based on technical reasons regarding unlawful processing of personal data sent via e-mails concerning supplementary pension from a third intermediate party to an insurance company, instructed by complainant's former employer, .

English Summary

Facts

The former employer of complainant received an e-mail concerning an invoice to be paid for the complainant for a supplementary pension. Since the employment contract had already ended, the former employer asked the defendant to contact the pension insurance company complementary to understand the reason for issuing the invoice. The insurance company indicates that she was not informed of the end of the contract of work between the complainant and his former employer, and that she therefore issued a new invoice. In this context, the complainant considers that his personal data should not have been sent, as the defendant is not an insurance broker or policyholder.

At first instance, the complainant made a request for mediation to the DPA. However, he was not satisfied with the outcome and thus filed a complaint afterwards.

Holding

In accordance with article 6.1.f GDPR and the case law of the CJEU (arrest 'Rigas', three cumulative conditions must be fulfilled in order to process personal data based on legitimate interests:

a) Purpose criterion: the pursuit of a legitimate interest;

b) Necessity criterion: demonstrating the necessity of the processing to achieve the purpose;

c) Weighing of interests: the rights and freedoms of the data subject must not override the legitimate interest pursued by the controller

Each criterion is briefly discussed below:

a) Purpose criterium: the DPA states that the personal data of the complainant were passed on to the insurance company in the context of an assignment entrusted to the defendant by the former employer of the complainant. The first condition is therefore fulfilled.

b) Necessity criterion: In order to satisfy the second condition, it must be shown that the same result cannot be achieved by other less intrusive means of processing of personal data The litigation chamber is of the opinion that with regard to the above-mentioned purpose, finding the origin of the invoice received in the name of the complainant, could not have been reached by means other than email exchanges.

c) Weighing of interests (recital 47 GDPR): It is important to take into account the expectations of the data subjects. After sending the said invoice, it appeared that the insurance company had not been informed of the termination of the complainant's employment contract. In this context, it may reasonably be expected that the defendant will provide the insurance company with the personal data that reveal the origin of the invoice. This data was also limited to elements necessary to understand the origin of the invoice.

For these reasons, the litigation chamber has decided that the cumulative conditions prescribed in [[Article 6 GDPR#1f|Article 6(1)(f)] have been met and deems it inappropriate to further follow up on the case.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/6






                                                                        Litigation Chamber


                                                           Decision 41/2023 of April 14, 2023



File number: DOS-2022-04587


Subject: Complaint relating to the communication of personal data to a

third party by a former employer



The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke

Hijmans, President, sitting alone;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and

to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the

data protection), hereinafter GDPR;


Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter
ACL);


Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to

processing of personal data (hereinafter LTD);

Having regard to the Rules of Procedure as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;


Made the following decision regarding:



The complainant: Mr. X, hereinafter “the complainant”;


The defendant: Y, hereinafter “the defendant”; Decision 2022-01356/2023 - 2/6



I. Facts and procedure


 1. The subject of the complaint concerns the sending of an email containing personal data

       personnel to a third party by the defendant. The disputed email concerns an invoice to be paid to

       plaintiff’s name by his ex-employer (V), for a supplementary pension that the ex-

       employer paid for the plaintiff when the latter worked for him. The former employer has

       asked the defendant to contact the pension insurance company
       complementary (Z) to understand the reason for issuing the invoice. Further to question

       in this sense by the defendant, Z indicates that she was not informed of the end of the contract of

       work between the complainant and his former employer, and that she therefore issued a new invoice

       for the complainant's supplementary pension. In this context, the complainant considers that his

       personal data should not have been sent, as the defendant

       is not an insurance broker or policyholder.

 2. On November 8, 2022, the complainant made a request for mediation with the Authority

       Data Protection Authority (hereinafter DPA) for the aforementioned facts. The complainant did not

       nevertheless not satisfied with the outcome of the mediation, and requested on February 23, 2023 the

       First Line Service of the APD to transform the mediation into a complaint.

 3. On February 28, 2023, the First Line Service took note of the complainant's request for

       transform the mediation form into a complaint. The same day, the complaint is declared

       admissible on the basis of articles 58 and 60 of the LCA, and transmitted to the Chamber

       Litigation in accordance with Article 62, § 1 of the LCA.



II. Motivation


 4. On the basis of the facts described in the complaint file as summarized above, and on the basis
       powers attributed to it by the legislator under Article 95, § 1 of the

       LCA, the Litigation Chamber decides on the follow-up to be given to the file; in this case, the

       Litigation Chamber decides to proceed with the dismissal of the complaint,

       in accordance with Article 95, § 1, 3° of the LCA, for the reasons set out below.

 5. In matters of dismissal, the Litigation Chamber is required to justify its

       step-by-step decision and:


            - to pronounce a classification without technical continuation if the file does not contain or not

                sufficient element likely to lead to a sanction or if it includes a

                technical obstacle preventing him from rendering a decision;

            - or pronounce a classification without further opportunity, if despite the presence

                elements likely to lead to a sanction, the continuation of the examination of the


1
 Market Court (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18. Decision 2022-01356/2023 - 3/6



                file does not seem to him to be appropriate given the priorities of the Autorité de

                data protection as specified and illustrated in the Privacy Policy

                dismissal of the Litigation Chamber. 2


 6. In the event of dismissal based on several reasons for dismissal, these

       last (respectively, classification without technical continuation and classification without continuation
                                                                     3
       opportunity) should be addressed in order of importance .


 7. In this case, the Litigation Chamber decides to proceed with a classification without follow-up

       the complaint on technical grounds.

 8. The Litigation Chamber proceeds with a classification without any technical follow-up, for lack of

       breach of GDPR or privacy laws. The complainant

       criticizes the defendant for having processed and communicated her personal data

       in a way that does not comply with the GDPR. The Litigation Chamber examines this complaint under

       the angle of the lawfulness basis of the processing.


 9. In accordance with Article 6.1.f) of the GDPR and the case law of the Court of Justice of the Union

       European Union (hereinafter "the Court"), three cumulative conditions must be met in order to

       that a data controller can validly invoke this basis of lawfulness,

       namely, “first, the pursuit of a legitimate interest by the controller

       or by the third party or parties to whom the data is communicated, secondly, the

       necessity of the processing of personal data for the fulfillment of the interest

       legitimate for monitoring and, thirdly, the condition that the fundamental rights and freedoms

       of the person concerned by data protection do not prevail" (judgment "Rigas"). 4


 10. In other words, in order to be able to invoke the basis of lawfulness of “legitimate interest”

       in accordance with Article 6.1.f) of the GDPR, the controller must demonstrate that:

         1) the interests it pursues with the processing can be recognized as legitimate

       (“purpose” criterion);


         2) the envisaged processing is necessary for the achievement of these interests (criterion of “

       need ") ; And









2In this respect, the Litigation Chamber refers to its policy of dismissal as developed and published on
the website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-
classification-without-continuation-of-the-litigation-chamber.pdf.
3
 Discontinued Policy, Title 3 – When is my complaint likely to be dismissed by the
Litigation Chamber?, https://www.autoriteprotectiondonnees.be/publications/politique-de-classement-sans-suite-de-
4a-litigious-chamber.pdf.
 CJEU, 4 May 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgaspašvaldības SIA
„Rīgas satiksme”, recital 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc
M5A-ScaraA, recital 40 Decision 2022-01356/2023 - 4/6



               3) the weighing of these interests with the fundamental interests, freedoms and rights

        data subjects leans in favor of the controller or a third party

        (“weighting” criterion).


 11. Also, according to recital 47 of the GDPR, "the existence of a legitimate interest should
       be carefully assessed, in particular to determine whether a person

       data subject can reasonably expect, at the time and in the context of the collection of the

       personal data, that they are processed for a purpose

       data".


 12. In the present case, the defendant transmitted the complainant's data to Z in the
       framework of the exercise of the missions entrusted to him by the complainant's former employer

       (understand why an invoice was sent to the complainant's ex-employer

       for this one). The Litigation Division therefore considers that the processing of

       personal data for this purpose is legitimate. The first condition repeated in

       Article 6.1.f) of the GDPR is therefore fulfilled.

 13. In order to fulfill the second condition, it must be demonstrated that the processing is necessary

       for the achievement of the purposes pursued. This means more precisely that one must

       ask if the same result cannot be achieved with other means, without

       processing of personal data or without substantial processing unnecessary for the

       persons concerned. The Litigation Chamber finds that with regard to this purpose of

       continue the mission entrusted to him by the former employer (to understand the origin of the

       invoice received in the name of the complainant), other means than email exchanges including

       relevant personal data of the complainant would not have made it possible to arrive at the same

       result. Since the processing is necessary for the achievement of the purposes pursued, it is
       satisfies the second condition.


 14. In order to check whether the third condition of Article 6.1.f) of the GDPR - the "weighting test"

       between the interests of the data controller on the one hand and the freedoms and rights

       fundamentals of the person concerned on the other hand - can be fulfilled, it is advisable to take

       account of the reasonable expectations of the person concerned, in accordance with recital
       47 GDPR. In particular, it must be assessed whether the data subject can

       “reasonably expect, at the time and in the context of data collection to

       personal character, that they are processed for a given purpose”.


 15. In this regard, the Litigation Chamber notes that the disputed email concerns an invoice to be paid

       on behalf of the plaintiff by his ex-employer (V), for a supplementary pension that the ex-
       employer paid for the plaintiff when the latter worked for him. However, following the exchanges

       email between the defendant and the insurance company (Z) in order to understand the reason for



5Recital 47 of the GDPR Decision 2022-01356/2023 - 5/6



       the sending of the said invoice, it appears that the insurance company had not been informed of

       the end of the complainant's employment contract. In this context, it can reasonably be

       whereas the defendant sends the personal data allowing to understand

       the origin of the invoice to the insurance company. This data is also limited to

       elements necessary to understand the origin of the invoice.


 16. The criteria of Article 6.1.f) of the GDPR are therefore satisfied. Therefore, the House

       concludes that the defendant has not breached the principle of legality.

 17. On the basis of these considerations, the Litigation Chamber considers that it is inappropriate

       to continue monitoring the case.



III. Publication and communication of the decision


 18. Given the importance of transparency with regard to the process

       decision-making and the decisions of the Litigation Chamber, this decision will be published on the

       website of the Data Protection Authority. However, it is not necessary for this

       so that the identification data of the parties are directly communicated.

 19. In accordance with its policy of dismissal, the Litigation Chamber

       communicate the decision to the respondent. Indeed, the Litigation Chamber decided to

       communicate dismissal decisions to default defendants. There

       However, the Litigation Chamber refrains from such communication when the

       plaintiff requested anonymity vis-à-vis the defendant and when the communication of the

       decision to the defendant, even pseudonymised, nevertheless risks allowing its

       identification . This is not the case in the present case.





    FOR THESE REASONS,


    the Litigation Chamber of the Data Protection Authority decides to classify the

    lodges a complaint without further action pursuant to Article 95, § 1, 3° of the LCA.




In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days of its notification, to the Court of Markets (court

d'appel de Bruxelles), with the Data Protection Authority as defendant.




6 Cf. Title 5 – Will the ranking without follow-up be published? Will the opposing party be informed? of the policy of
dismissal of the Litigation Chamber.

7Ibidem. Decision 2022-01356/2023 - 6/6




Such an appeal may be introduced by means of an interlocutory request which must contain the

information listed in article 1034ter of the Judicial Code. The interlocutory motion must be

                                                                                                                       9
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , Or

via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).


To allow him to consider any other possible course of action, the Litigation Chamber sends

the complainant to the explanations provided in its dismissal policy. 10








      (Sé) Hielke HIJMANS


      President of the Litigation Chamber














































8The request contains on pain of nullity:

  (1) indication of the day, month and year;
  2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
     Business Number;
  3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;

  (4) the object and summary statement of the means of the request;
  (5) the indication of the judge who is seized of the application;
  6° the signature of the applicant or his lawyer.
9
  The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.
10
  See Title 4 – What can I do if my complaint is dismissed? of the Chamber's policy of classification without follow-up
Litigation.