APD/GBA (Belgium) - 01/2022

From GDPRhub
APD/GBA (Belgium) - 01/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1) GDPR
Article 12(2) GDPR
Article 17(1) GDPR
Article 24 GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published: 03.01.2022
Fine: None
Parties: n/a
National Case Number/Name: 01/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde 01/2022 van 3 januari 2022 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA found no violation of the GDPR when a company employee did not fulfill an erasure request because its internal procedures were not followed by them and this was an unintentional, one-off violation.

English Summary

Facts

The complainant interviewed the defendant (private employment agency) and did not get the job they applied for. Afterwards, the private employment agency automatically made an account for the complainant. The complainant then asked the private employment agency to delete their account by telephone. The deletion was confirmed by the private employment agency by telephone. The employee had not follow-up on the agency's procedure to process a request for deletion.

As such, the complainant still received two mails about local vacancies and thus formally sent in a complaint. On top of that, the complainant also stated that they weren't fully informed about the automatic creation of an account.

Holding

The private employment agency states that it uses contract for the communication of vacancies, as well as the creation of an account. This is the main business purpose of the private employment agency.

As for the communication based on contract:

The DPA confirms the use of contract as legal basis for the processing of data in order to receive communication of vacancies by the company in their role as private employment agency.

The DPA found that the private employment agency has a procedure for deletion of data, but that the employee who was contacted by the complainant did not adequately follow this procedure. The private employment agency cannot describe why the procedure wasn't followed as the employee no longer works for them. It was thus a one time only, human error.

The DPA follows this reasoning and found no evidence of a faulty procedure, nor of malicious intent. On top of that, the data was promptly removed as soon as the private employment agency was contacted by the DPA and they extended their apologies to the complainant.

The DPA finds that this appears to be a one-off violation, which is not intentional and also has no consequences for several persons involved. As such, no violation of Article 12(2)n Article 17(1) and Article 24. However, the private employment agency is reprimanded for this.

As for the automatic creation of an account:

The DPA finds that the complainant was adequately informed about the creation of the account, by mail and through the privacy policy. On top of that, the complainant could not prove that they effectively used their right to deletion even though the privacy policy of the complainant included two mail addresses to contact and that there was a self service option included in the portal for which the account was created.

As the processing of personal data is based on contract in the role of private employment agency, and the complainant was adequately informed, no breach of Article 5(a) is found.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                                 1/12








                                                                                 Dispute room



                                             Decision on the merits01/2022of 3 January 2022






File number : DOS-202020-01182



Subject : Complaint against a private employment intermediary because of the unlawful further

processing of personal data following a request for erasure.



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

chairman and Messrs Dirk Van Der Kelen and Jelle Stassijns;

Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (General

Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;


Having regard to the internal rules of procedure, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the file;



has taken the following decision regarding:




The complainant: X, hereinafter “complainant”;


Defendant: Y, represented by Master Maarten Stassen, hereinafter referred to as “defendant”, Decision on the merits 01/2022 - 2/12




I. Facts procedure


    1. On March 3, 2020, the complainant submits a complaint to the Data Protection Authority against

        defendant. The subject of the complaint concerns the unlawful further processing of

        personal data of the complainant, after he has requested the defendant to obtain the personal data

        to clear.


    2. The complainant declares that he was interviewed by the defendant in the autumn of 2019, but

        was not recruited, and subsequently asked to have his data erased. However, at 2

        March 2020, the complainant receives an e-mail from the defendant, informing the defendant that the defendant

        created an account for him. The complainant replies the same day that he does not have an account

        wishes, and asks the defendant to delete all his personal data. Although the defendant

        on March 3, 2020 in the morning confirms that the personal data has been deleted,

        In the afternoon, the complainant receives another e-mail with a vacancy offer from a local

        Defendant's office.


    3. On April 29, 2020, the Frontline Service will contact the complainant to inquire whether he

        received new emails since the complaint was filed, as well as to provide proof

        to provide the defendant with the exercise of its rights.


    4. On April 29, 2020, the complainant confirms that he has sent a second e-mail with a job offer

        by another Defendant's office on April 15, 2020. The complainant also declares

        that he requested the erasure by telephone at the time at an office of the defendant,

        confident that his request would be granted by the entire organization.

    5. On July 2, 2020, the complaint will be declared admissible by the Frontline Service on the basis of the


        Articles 58 and 60 WOG and the complaint on the basis of art. 62, § 1 WOG transferred to the

        Dispute room.

    6. On July 22, 2020, the Disputes Chamber will decide on the basis of art. 63, 2° and 94, 1° WOG an examination

        to ask the Inspectorate.


    7. On July 22, 2020, in accordance with art.96, § 1 WOG, the request of the Disputes Chamber to the

        conducting an investigation submitted to the Inspectorate, together with the complaint and the

        inventory of the pieces.


    8. On April 21, 2021, the inspection will be completed by the Inspectorate, the report will be submitted to the

        file and the file is submitted by the Inspector General to the President

        of the Disputes Chamber pursuant to art. 91, 1 and § 2 WOG. The research report contains

        determinations with regard to the subject matter of the complaint and distinguishes two processing operations . 1




1The Disputes Chamber emphasizes for the record that the investigation report incorrectly refers to 2 and 3 March 2019 as data for
the e-mails notifying the activation of the Y portal account resp. the e-mails related to the request for

data erasure and subsequent vacancy emails that the complainant received despite this. These exchanges took place in 2020., Decision on the merits 01/2022 - 3/12



    The first processing concerns the complainant's registration on Y mailing lists “for vacancies”. The

    second processing refers to the creation of an account, in the name of the complainant, on the Y portal site.


9. Processing 1 — Defendant declares in its reply to the Inspectorate that the complainant is

    April 29, 2019 at 12:01 am registered as a candidate temporary worker, via a no longer in use

    webpage of Y (…). With regard to the legality of the complainant's registration on Y

    mailing list "for sending vacancies", the DPO Y refers to various

    legal bases depending on the type of processing.


10. Y specifically states that the execution of an agreement (Article 6.1.b GDPR) is the legal basis

    is for the processing of personal data in the context of services that are commissioned within Y as

    private employment intermediaries, including sending job vacancies. Services that

    on the other hand, to be 'auxiliary' to the task of private employment mediation sensu stricto, to acquiesce

    on the legitimate interest of the defendant. This includes proposing a

    training to promote employment opportunities, so that the skills available

    can be matched as closely as possible to the demand for skills on the employee side

    on the employer side. Finally, the defendant uses the consent of the data subjects for

    communication that falls outside Y assignment as a private employment intermediary and if

    marketing communication is considered.


11. Based on these elements, the Inspectorate determines that the first disputed processing of

    personal data, in particular the complainant's registration on Y mailing list “for sending

    vacancies”, fits within Y assignment as a private employment intermediary and is therefore based on the

    execution of an agreement with the person concerned. Consequently, the Inspectorate decides that this

    processing does not violate Articles 6 and 7 GDPR.


12. With regard to the manner in which the defendant submitted the request for erasure by the complainant

    processed, the Inspectorate considers that this is not compatible with the duty of the

    controller to facilitate the exercise of data subjects' rights

    as well as its responsibility to make appropriate organizational and

    take technical measures.


13. In the answers to the inquiries of the Inspectorate with regard to the handling of

    requesting the right to erasure, the defendant first clarifies that

    personal data of candidate temporary workers are stored in a central database for Belgium

    kept. The internal procedure for handling requests from data subjects provides that

    requests for data deletion are sent to the Quality Department by default

    of Y, with a view to its manual treatment. This service examines the application and

    carries out an identity check before clarifying the scope of the request and the

    request in an appropriate manner. In the event of a data erasure request,

    the service, in particular, check from the central database which data can be deleted, Decision on the merits 01/2022 - 4/12



    and, if necessary, adjust the data manually. Upon completion of the request,

    finally informed the person concerned.


14. Notwithstanding the foregoing, the defendant also confirms that the employee who

    received the complainant's application at the time, would have failed to request

    data erasure to the concerned service, with the result that there is no request for

    data erasure was registered and neither was it handled, which ultimately resulted in the complainant

    remained listed in the central database as a candidate temporary worker.


15. Respondent declares in its reply to the Inspectorate that Y furthermore aims to

    to somewhat limit the manual handling of data erasure requests and such

    processing requests automatically in the future. According to the Inspectorate, this seems

    “striving for” an automated processing of data erasure requests not only

    incompatible with the wording used in Article 12.2 GDPR that the

    controller should exercise the rights of the data subject

    facilitate, but the defendant submitted appropriate technical and

    take organizational measures to ensure and to be able to demonstrate that the

    processing is carried out in accordance with the GDPR including a

    automated processing of data erasure requests. The Inspectorate states

    therefore finds that the defendant has infringed Articles 12.2, 17 and 24 GDPR.


16. Processing 2 — With regard to the second contested processing of personal data, with

    in particular the creation of Y portal site account, the defendant explains that Y has switched at the beginning of 2020

    from a central registration page to a self-service portal, which serves as an extension of the bee

    the defendant already registered personal data as well as the candidate temporary workers de

    offer the possibility to manage, update if necessary, and use their personal data themselves

    to apply. Since then, new registrations with the defendant have been accompanied by the creation of

    an account on the Y portal site. Candidate temporary workers who were already registered with Y on

    the moment of "activation" of the Y self-service portal, on the other hand, at the time and

    informed by e-mail on the occasion of its introduction.


17. In the answer to the Inspectorate's request for information, the defendant also clarifies

    that Y does not rely on consent as a legal basis for the creation of Y portal site

    account, but on the execution of an agreement between the candidate temporary worker as

    job seeker and Y as a private employment intermediary.


18. In view of the foregoing elements, the Inspectorate establishes that the creation of Y portal site

    account for the complainant was done lawfully and therefore does not constitute a violation of Articles 6

    and 7 GDPR.

19. With regard to the information to the complainant prior to the creation of Y portal site

    account, the Inspectorate determines, on the basis of the documents submitted by the complainant as well as, Decision on the merits 01/2022 - 5/12



    by the defendant, that the complainant was only informed by e-mail on March 2, 2020 that his

    account has been activated. During the Inspectorate's investigation, Y .'s DPO confirmed

    that Mr X had registered himself with Y as a candidate temporary worker, that the Y

    self-service portal did not yet exist at the time of his registration, and that Y has this for the complainant

    activated upon its implementation, of which he was notified via two 2 . emails


    March 2020. The Inspectorate further notes that these e-mails merely indicate that a Y

    portal site account was created for complainant with complainant's e-mail address as login.

20. Since the complainant was thus not informed of the introduction of the Y portal site

    prior to its creation and activation, the Inspectorate states that this second

    disputed processing of personal data creates confusion and therefore constitutes a violation

    of Article 5.1.a GDPR.


21. On May 20, 2021, the Disputes Chamber will decide on the basis of art. 95, § 1, 1° and art. 98 WOG that it

    file is ready for processing on the merits.


22. On 28 May 2021, the concerned parties will be notified of the

    provisions as stated in Article 95, § 2, as well as those in Art. 98 WOG. They will also be

    pursuant to art. 99 WOG of the time limits for submitting their defences.


23. The deadline for receipt of the defendant's statement of defense was thereby set

    laid down on 9 July 2021, this one for the complainant's reply on 30 July 2021 and this

    for the defendant's reply on 20 August 2021.

24. On June 11, 2021, the Disputes Chamber will be informed that Y by master Maarten Stassen

    will be represented. Defendant also requests that all communications with the

    Dispute Chamber, and if possible with the other party, is done electronically. Furthermore, asks

    defendant a copy of the file (art. 95, § 2, 3° WOG), which was sent to him on 16

    June 2021.


25. On 9 July 2021, the Disputes Chamber will receive the statement of defense from the defendant.


26. The defendant states first of all that the complaint concerns an isolated case of non-intentional

    failure to follow the prescribed data erasure procedure. Although the defendant does not

    has been able to ascertain why the procedure was not followed or why the

    employee confirmed that the complainant's data has been removed from the defendant's database

    where this was not the case, because the employee in question no longer defended

    has been working since July 2020, i.e. before the first letter from the Inspectorate, the defendant declares that

    no indications were found that it was an intentional act by the former

    employee would go, and that it was certainly not an intentional act on the part of the defendant, if

    controller., Decision on the merits 01/2022 - 6/12



27. With regard to the second finding by the Inspectorate, the defendant submits that a

    request for erasure cannot be fully automated when “execution of

    a contract" is the legal basis of a processing, as Article 17.1.a GDPR states that the

    In such a case, the controller is only obliged to delete the personal data

    when "the personal data [...] are no longer necessary for the purposes for which they are"


    collected or otherwise processed".

28. The defendant submits that in this case it is, moreover, not clear which factual allegations

    Inspector decide that there is a breach of Articles 17, 12.2 and 24 GDPR, and in the

    in particular whether the determination by the Inspectorate relates to a one-off non-compliance

    of the existing procedure or of the procedure itself.


29. Furthermore, the defendant refutes the decision of the Inspectorate that the automated

    processing of erasure requests is necessary, or at least appropriate, to

    to facilitate the exercise of the rights of data subjects. According to the defendant, a

    after all, automated processing is not possible because it is inherent in this processing and

    the legal basis of Article 6.1.b of the GDPR that not all data can be automatically erased

    turn into. A manual intervention by the department responsible for the treatment of

    According to the defendant, requests would therefore always be necessary.


30. Defendant also clarifies that requests to exercise GDPR-related rights to

    enter a variety of ways, including physically in a defendant's office,

    by telephone, by e-mail to an e-mail address of an office, via e-mail directly to a

    employee, via e-mail to the concerned department (as indicated in the privacy policy), via

    an e-mail to other services, etc. With this approach, the defendant tries to exercise

    rights of data subjects accessible and all requests are handled, regardless of

    the channel through which they enter.


31. Respondent then refers to the investments in a privacy management system

    in order to further optimize existing GDPR-related processes, including

    processes related to handling requests from data subjects. Defendant believes that there

    in view of the current technical and organizational measures as well as the investments in a

    privacy management software to adequately facilitate the exercise of rights, objectionable

    it can be argued that there is a violation of Articles 17, 12.2 and 24 GDPR.


32. With regard to the infringement of Article 5.1.a GDPR, the defendant declares that the complainant knew well that

    defendant could process his personal data to facilitate the application process for new positions

    to facilitate, as well as that the complainant was informed in advance of the introduction

    from the Y portal site. According to the defendant, it follows from this that the processing took place in a way

    which was transparent towards the complainant, in accordance with Article 5.1.a GDPR., Decision on the merits 01/2022 - 7/12



33. The defendant refutes the statement of the Inspectorate that the complainant was only informed about

    the introduction of the Y portal site after its account was created, by means of a

    activation email dated March 2, 2020. More specifically, the defendant declares that the privacy statement for

    candidates, which was available via the website where the complainant registered on April 22, 2019

    as a candidate temporary worker, clearly states that personal data is used to


    facilitate the application process for new positions, which is the exact purpose of the Y portal site,

    according to the defendant.

34. Moreover, the defendant argues that this improvement, and the specific purpose of

    Facilitate the application process for new positions, explained a second time in an email

    was sent to all those involved whose data was in the defendant's database, a

    a few days prior to the email of 2 March 2020 to the complainant regarding the activation

    from his Y account. Consequently, the respondent believes that Y has taken the necessary steps to be transparent

    concerning the processing in question, so that it can be argued that there is a

    infringes Article 5.1.a GDPR.


35. Defendant refers to the policy of the Disputes Chamber regarding the publication of decisions

    on the website of the GBA, as well as the fact that the cause that led to the complaint is a

    human error, before requesting the Disputes Chamber not to disclose information

    in the decision that would allow the identification of the defendant. Defendant sees

    in the facts of this case nor in his own attitude a reason for the identification of the involved

    parties in this file as a sanction.


36. Finally, the defendant requests that the Disputes Chamber establish that the failure to delete the data

    of the complainant, at the request of the complainant, concerns an isolated case without intentional wrongdoing

    acts of the defendant and to take note of the efforts that the defendant makes and has

    made to optimally exercise the rights, including the right to erasure

    facilitating, and on that basis to judge that it is not necessary to take one of the measures

    provided for in Article 100 § 1, WOG to be pronounced.


37. Also in the main proceedings, the defendant asks that the Disputes Chamber determine that it is based on

    of the investigation report of the Inspectorate and the means put forward therewith is established

    that the defendant has not violated any provisions of the GDPR, and on that basis on the basis of

    Article 100 § 1, 2° WOG to order the suspension of prosecution.


38. Also in principal order the defendant requests not to be identified in the publication of

    the decision, as the defendant demonstrates by his positive and cooperative attitude that

    "naming and shaming" is not necessary to take its GDPR-related obligations seriously,

    because this is already the case even without a sanction.

39. In a subordinate order, if the Disputes Chamber, based on the findings of the

    Inspection service would nevertheless rule that the defendant has violated the provisions of the GDPR, Decision on the merits 01/2022 - 8/12



        Defendant requests that the Disputes Chamber rule that these infringements are not of such nature

        that a sanction must be imposed for this, and on that basis on the basis of Article 100 § 1,

        2° WOG to order the suspension of prosecution.


    40. The complainant does not submit a statement of reply to the Disputes Chamber.


    41. On August 16, 2021, the Disputes Chamber will receive the summary conclusion from the defendant.



II. Justification


    42. The Disputes Chamber determines that the complaint relates to the failure to comply with

        a request for erasure, on the one hand, and an alleged breach of the principles of

        legality, fairness and transparency, on the other.



    II.1. Registration on Y mailing lists for vacancies (processing 1) and request for

         data erasure by the complainant


    43. On the basis of the inspection report of the Inspectorate as well as the supporting documents that

        submits the defendant, the Disputes Chamber will first rule that the defendant complainant at the time of

        has informed his registration as a candidate temporary worker in an appropriate manner about the

        services that Y offers as a private employment intermediary, through the privacy statement for

        candidates.


    44. The Disputes Chamber decides that the complainant's registration on Y's mailing lists with regard to

        to vacancies, was done lawfully and therefore does not infringe Articles 6 and 7 GDPR. This

        part of the complaint should therefore be dismissed.


    45. With regard to the request for erasure of data, the Disputes Chamber understands that the complainant

        29 April 2019 in the context of a telephone conversation with an employee of the office Y [..]

        allegedly asked to have his data erased when he learned that he had not been recruited.

        In addition, in response to the two-part announcement that Y portal site account

        was created for him, sent an email to Y [..](...) on March 2, 2020 in order to

        to have his personal data removed, whereupon an employee of the same office

        March 3, 2020 replied in writing that his personal data has been removed from the databases

        became.

    46. However, it is apparent from the subject-matter of the complaint and the complainant's supporting documents that the defendant did not


        complied with the complainant's request. Article 17.1 GDPR nevertheless provides for the right

        for data subjects to delete from the controller without undue delay

        of their personal data. If personal data is no longer necessary for the

        purposes for which they were collected or otherwise processed, the controller is

        in principle obliges to delete this personal data without undue delay., Decision on the merits 01/2022 - 9/12




    47. In the present case, the defendant even continued to process the complainant's personal data,


         as evidenced by the fact that Y continued with the that same day and again on April 15, 2020

         sending vacancy emails to the complainant's personal email address.


    48. According to the defendant, this was due to a one-off human error by

         the employee at the time, who allegedly failed to submit the request for erasure to the

         competent service measurements, as nevertheless prescribed by the internal procedures for the


         handling requests from data subjects to exercise their rights under the GDPR.


    49. Notwithstanding the foregoing, the Disputes Chamber rules that on the basis of the above
                                                                                                                        2
         analysis, it must be concluded that the defendant is thereby infringing Articles 12.2

         and 17.1 3 of the GDPR, nor has he complied with the obligations imposed on him

         accountability in accordance with Articles 5.2 and 24 GDPR.


    50. However, the Disputes Chamber takes note of the fact that the defendant has applied to the complainant for this


         apologized and emphasized that his personal data has meanwhile been removed from the database of
                                          4
         defendant were cleared. The Disputes Chamber also decides that it does not have

         indications that the proceedings instituted by the defendant are not of such a nature that they

         ensure that the rights of data subjects are safeguarded in accordance with the GDPR


         rescued.


    51. The Disputes Chamber also notes that the Inspectorate has not found any indications

         that this was an intentional violation, and that after the intervention of the

         Inspectorate immediately granted the complainant's request. The complainant's case seems (until





2Article 12 GDPR — Transparent information, communication and modalities for exercising the rights of the data subject

†
2. The controller shall facilitate the exercise of the data subject's rights under Articles 15 to

22. In the cases referred to in Article 11(2), the controller may not refuse to comply with the
request by the data subject to exercise his or her rights under Articles 15 to 22, unless the
controller demonstrates that it is unable to identify the data subject.

†
3Article 17 GDPR — Right to erasure ("right to be forgotten")

1. The data subject has the right of the controller to erasure without undue delay
obtain personal data and the controller is obliged to provide personal data without undue delay

to be deleted when one of the following applies:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based in accordance with article 6, paragraph 1, point a), or article 9, paragraph 2, point a),
in, and there is no other legal ground for the processing;

c) the data subject objects to the processing in accordance with Article 21(1), and there are no overriding overriding
justified grounds for the processing, or the data subject objects to the processing in accordance with article 21, paragraph 2;

d) the personal data has been unlawfully processed;
(e) the personal data must be erased in order to comply with a . laid down in Union or Member State law

legal obligation resting on the controller;
f) the personal data were collected in connection with an offer of information society services as referred to in

Article 8(1).
†

4 With the exception of the personal data that according to the defendant are necessary for the present proceedings., Decision on the merits 01/2022 - 10/12



                                                      5
        so far) to be an isolated case, and the defendant sufficiently indicates that there is to

        As a result of the investigation, the necessary measures were taken by the Inspectorate to

        prevent similar incidents in the future.


    52. Furthermore, the Disputes Chamber points out that the complainant in no way argues in his complaint that he

        would have suffered damage as a result of the incident.

    53. Finally, it should be noted that the complainant has no answer during the investigation

        responded to the questions of the Inspectorate and has not submitted any means of defence

        during the proceedings before the Disputes Chamber.


    54. In view of the above elements, the Disputes Chamber rules that the infringement of Articles 12.2,

        17.1 and 24 GDPR is proven. In view of the fact that it appears to be a one-off

        violation, which is not intentional and also does not affect several parties involved decision

        the Disputes Chamber to formulate a reprimand pursuant to Article 100, § 1, 5° of the WOG


        with regard to the defendant for not complying with a request for erasure of data.


    II.2. Creation of Y portal account (processing 2) and compliance with the principles of

         legality, fairness and transparency with regard to the complainant


    55. The second part of the complaint relates to the activation of Y named portal account

        of the complainant despite his previous request for erasure. The complainant declares that he

        incidentally, was not notified of the creation of his account prior to the

        activation on March 2, 2020.


    56. The Inspectorate supports the complainant's position by establishing the infringement of Article 5.1.a GDPR

        without, however, concluding that the defendant will not process the personal data of

        complainant has unlawfully carried out for the creation of a Y portal site account.


    57. In that regard, the Disputes Chamber notes that the defendant rebuts that position in its

        defenses and declares that the e-mail containing information regarding the rollout of the Y Portal to

        was sent to all those involved who were in the defendant's database, and for whom a Y-

        account would be created.


    58. However, it is not apparent from the supporting documents submitted by the defendant that this preliminary e-mail

        was actually sent. Unlike the two dated activation emails, the

        After all, the Disputes Chamber does not have a sending date or recipient of this prior e-mail, with as

        The consequence is that it considers it insufficiently proven that the defendant actually acted upon the complainant in an appropriate manner

        manner about the further processing of his/her personal data in the context of his/her

        new Y portal account.






5
 Decision on the merits 67/2021 of 4 June 2021, available at: https://www.dataprotectionauthority.be/, Decision on the merits 01/2022 - 11/12




    59. Nevertheless, the defendant argues that a portal site such as Y is a service which the complainant in a

       modern online environment should have been expected. Defendant refers in particular to the

       privacy statement for candidates, which was available via the complainant's website

       registered and clearly informed him about the use of his personal data for the

       facilitating the application process for new positions, which, according to the defendant, also

       exact purpose is of the Y portal site.


    60. In addition, the Disputes Chamber establishes that the complainant does not provide evidence of his first request for

       data erasure, although the privacy statement expressly refers to the self-service portal

       or two functional e-mail addresses to exercise its rights. Also declares

       defendant that no evidence of such application was found in the internal

       systems. Thus, the Disputes Chamber cannot determine that the complainant prior to the receipt

       of the activation e-mails has requested the deletion of his personal data.


    61. The Disputes Chamber decides on the basis of the foregoing analysis that the complainant, in the absence of

       data erasure before March 2, 2020, in accordance with the internally prescribed retention periods

       has been preserved in the databases of candidate agency workers, leading to

       that his personal data has been transferred to the new Y portal site.

    62. Since the latter processing is part of the service provided by the defendant in its

       capacity of private employment intermediary, and since the complainant through the

       privacy statement — of which he took note when registering — was informed of the

       possible data processing associated with this service, the

       Disputes Chamber that in this case no violation of Article 5.1.a GDPR can be established.


    63. According to the Disputes Chamber, the whole of the elements set out above justifies

       that in the present case a decision is taken on the basis of Article 100, § 1, 1°

       WOG. More specifically, the Disputes Chamber decides to dismiss the complaint, with regard to the aspect of the

       possible breach of the principles of legality and transparency in the framework

       from the creation of Y portal account.



III. Publication of the decision



    64. Given the importance of transparency in the decision-making of the

       Litigation Chamber, this decision will be published on the website of the

       Data Protection Authority. It is not necessary, however, that the identification data

       of the parties be published directly., Decision on the substance 01/2022 - 12/12






    FOR THESE REASONS,


    the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:


        - on the basis of Article 100, § 1, 1° of the WOG, the complaint regarding the registration

            to dismiss the complainant from the respondent's vacancy newsletters;

        - to formulate a reprimand pursuant to Article 100, § 1, 5° of the WOG with regard to

            defendant for not complying with a request for erasure;


        - pursuant to Article 100, § 1, 1° of the WOG, the complaint regarding the violation of

            the principle of legality and the principle of transparency in the context of the production of

            to cancel a Y portal account;


    An appeal can be lodged against this decision pursuant to Article 108, § 1 of the WOG

    within a period of thirty days, from the notification, to the Marktenhof, with the

    Data Protection Authority as Defendant.









(get) Hielke HIJMANS

Chairman of the Disputes Chamber