APD/GBA (Belgium) - 01/2022
|APD/GBA (Belgium) - 01/2022|
|Relevant Law:||Article 5(1) GDPR|
Article 12(2) GDPR
Article 17(1) GDPR
Article 24 GDPR
|National Case Number/Name:||01/2022|
|European Case Law Identifier:||n/a|
|Original Source:||Beslissing ten gronde 01/2022 van 3 januari 2022 (in NL)|
|Initial Contributor:||Enzo Marquet|
The Belgian DPA found no violation of the GDPR when a company employee did not fulfill an erasure request because its internal procedures were not followed by them and this was an unintentional, one-off violation.
English Summary[edit | edit source]
Facts[edit | edit source]
The complainant interviewed the defendant (private employment agency) and did not get the job they applied for. Afterwards, the private employment agency automatically made an account for the complainant. The complainant then asked the private employment agency to delete their account by telephone. The deletion was confirmed by the private employment agency by telephone. The employee had not follow-up on the agency's procedure to process a request for deletion.
As such, the complainant still received two mails about local vacancies and thus formally sent in a complaint. On top of that, the complainant also stated that they weren't fully informed about the automatic creation of an account.
Holding[edit | edit source]
The private employment agency states that it uses contract for the communication of vacancies, as well as the creation of an account. This is the main business purpose of the private employment agency.
As for the communication based on contract:
The DPA confirms the use of contract as legal basis for the processing of data in order to receive communication of vacancies by the company in their role as private employment agency.
The DPA found that the private employment agency has a procedure for deletion of data, but that the employee who was contacted by the complainant did not adequately follow this procedure. The private employment agency cannot describe why the procedure wasn't followed as the employee no longer works for them. It was thus a one time only, human error.
The DPA follows this reasoning and found no evidence of a faulty procedure, nor of malicious intent. On top of that, the data was promptly removed as soon as the private employment agency was contacted by the DPA and they extended their apologies to the complainant.
The DPA finds that this appears to be a one-off violation, which is not intentional and also has no consequences for several persons involved. As such, no violation of Article 12(2)n Article 17(1) and Article 24. However, the private employment agency is reprimanded for this.
As for the automatic creation of an account:
As the processing of personal data is based on contract in the role of private employment agency, and the complainant was adequately informed, no breach of Article 5(a) is found.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.