APD/GBA (Belgium) - 01/2024: Difference between revisions
From GDPRhub
(Good summary! Just remember to cite the GDPR Articles according to the guidelines) |
m (→Facts) |
||
| Line 71: | Line 71: | ||
}} | }} | ||
The Belgian DPA found that a controller violated [[Article 5 GDPR#1|Article 5(1) GDPR]] for not timely deleting a former employee's mailbox. The DPA stated that the mailbox must be deactivated on the last work day and the auto-reply within one month or 3 months in some exceptions. | The Belgian DPA found that a controller violated [[Article 5 GDPR#1|Article 5(1) GDPR]] for not timely deleting a former employee's mailbox. The DPA stated that the mailbox must be deactivated on the last work day and the auto-reply within one month or 3 months in some exceptions. | ||
== English Summary == | == English Summary == | ||
Latest revision as of 16:10, 19 March 2024
| APD/GBA - 01/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 5(1)(b) GDPR Article 6(1)(f) GDPR Article 12 GDPR Article 13(1)(c) GDPR Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 24.10.2023 |
| Decided: | 05.01.2024 |
| Published: | 05.01.2024 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 01/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | APD/GBA (in NL) |
| Initial Contributor: | Matthias Vandamme |
The Belgian DPA found that a controller violated Article 5(1) GDPR for not timely deleting a former employee's mailbox. The DPA stated that the mailbox must be deactivated on the last work day and the auto-reply within one month or 3 months in some exceptions.
English Summary
Facts
A data subject worked at the controller for about ten months, until 6 June 2023. During his employment, a Microsoft account was created.
After the employment contract was terminated, the data subject filed an access request with the controller requesting information on which data the controller was still processing but did not receive a response.
The data subject claimed that his professional mailbox was still active because when he had sent an email to this address, he had received a delivery confirmation. Thus, on 24 October 2023, the data subject filed a complaint with the Belgian DPA.
Holding
The Belgian DPA held that to comply with the purpose limitation principle (Article 5(1)(b) GDPR), in combination with the principles of data minimisation (Article 5(1)(c) GDPR) and storage limitation (Article 5(1)(e) GDPR), the controller should have provided the mailbox of the data subject with an automatic notification no later than his last day and he should have been informed in advance of this.
The DPA stated that this automatic message alerts all subsequent correspondents that the data subject is no longer performing his activities within the controller and should be in place for a reasonable period of time, in principle 1 month. Depending on the context and the degree of responsibility exercised by the employee, a longer period may be allowed, not exceeding 3 months.
In this instance, the DPA confirmed that the period could have been between 1 and 3 months and that it should have been extended only after the data subject gave his consent. Indeed, since the data subject ended his employment on 6 June 2023, the email address should have been closed on 6 July 2023 or 6 September 2023. Meanwhile, the data subject proved that on 13 November 2023, the email was still active. Therefore, the DPA found a violation of Article 5(1)(b) GDPR, Article 5(1)(c) GDPR and Article 5(1)(e) GDPR.
In terms of legal basis, the DPA acknowledged that the legal basis for this processing activity could be the legitimate interest of the controller to ensure the proper functioning of the company under Article 6(1)(f) GDPR. However, the DPA noted that there was no evidence proving that the controller informed the data subject of the applicable legal basis. Consequently, it can be said that the controller processed the data subject's personal data against his expectations. Thus, the DPA found that there was no legal basis applicable to the processing of the email address after the termination of the contract between the data subject and the controller. Thus, the controller violated Article 6(1) GDPR.
For not closing the professional mailbox on time, the DPA issued a warning to the controller.
Regarding the access request, the DPA held that the controller infringed the right to access of the data subject since there is no proof that the controller ever responded, breaching Article 15(1) GDPR, in conjunction with Article 12(3) and (4) GDPR. Hence, the DPA ordered the controller to comply within 30 days after the decision.
Comment
Comment from the original contributor:
As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller can still demand for a procedure if it does not agree.
Regarding the mailbox it is interesting to note that the DPA has confirmed it stance since many years (see for example decision 64/2020 of the Belgian DPA). Controllers would do best to prepare for this situation in advance and include clear procedures (e.g., in an IT-policy).
In the legal doctrine the maximum period of three months is often disputed. It is generally held that, depending on the circumstances, a longer period could be justifiable. For example, someone who often came into contact with clients and worked for many years with the controller.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/11
Dispute Chamber
Decision 01/2024 of January 5, 2024
File number: DOS-2023-04440
Subject: Failure to close a professional mailbox and insufficient follow-up
to the exercise of the right of access
The Disputes Chamber of the Data Protection Authority, composed of Mr
Hielke HIJMANS, sole chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and regarding the free movement of such data and to the revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter “WOG”;
In view of the internal rules of order, as approved by the House of Representatives
Representatives on December 20, 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Considering the documents in the file;
Has made the following decision regarding:
Complainant: X, hereinafter “the complainant”;
The defendant: Y, with registered office in [...], hereinafter “the defendant”. Decision 01/2024 – 2/11
I. Facts and procedure
1. The subject of the complaint concerns the failure to comply with a request
inspection and failure to close the professional mailbox in time after departure
employee.
2. The complainant explains the facts as follows. From August 1, 2022 to June 6, 2023, the company had
of the complainant entered into a contract with the defendant. The complainant states that he is in the
performance of that contract has been employed by the defendant. In this context there was
created a Microsoft account for him. According to the complainant, certain of the
rights from the account had already been withdrawn from the defendant before his departure, but would it
e-mail address [...] with mailbox still exist. The complainant states that he has addressed a letter
to the defendant asking which of his personal data are still being processed,
but would not have received an answer. The complainant also states that after the departure of
an ex-colleague, emails were still sent in the name of this ex-employee.
3. On October 16, 2023, the defendant will be given notice of default by the complainant. In this
notice of default, a request for inspection will be included. The complainant currently has
have not yet received a response from the defendant after filing the complaint.
4. On October 24, 2023, the complainant will submit a complaint to the Data Protection Authority
against the defendants.
5. On November 13, 2023, the complainant allegedly notes that his old professional mailbox
still existed. After all, the complainant himself sent an email to the old mailbox
and received a delivery confirmation. The complainant forwards this confirmation to the
First line service. On December 19, 2023, the complainant confirms that he has not yet received an answer
received from the defendant upon his request for access. On January 3, 2024
The complainant submits a new delivery note to the Dispute Chamber on the basis of which
The complainant states that the mailbox in question had not yet been closed on that date.
6. On November 17, 2023, the complaint will be declared admissible by the First Line Service on
1
on the basis of Articles 58 and 60 of the WOG and the complaint is filed on the basis of Article 62,
2
§ 1 of the WOG transferred to the Disputes Chamber.
II. Justification
7. The elements in this case are divided into two different processes. On the one hand it is
there is an alleged failure to clean the complainant's former business mailbox
removal, on the other hand there is insufficient follow-up to the
exercising the right of inspection of the complainant. The allegations regarding the sending of
1
In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint is admissible.
declared.
2In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file will be sent to
has been transferred to her as a result of this complaint. Decision 01/2024 – 3/11
emails in the name of a former employee are not part of this decision as
the complainant, on the one hand, does not provide evidence and, on the other, the alleged dispute
processing does not concern his personal data and he has no power of attorney to do so
submits.
II.1. As for the failure to delete the mailbox
8. The Disputes Chamber was taken by the complaint that the professional had not been concluded
e-mail address in the name of the complainant and the respondent concerned after the termination of
the contractual relationship.
Purpose limitation principle as referred to in Article 5.1.b) GDPR in combination with the non-
compliance with articles 5.1.c) (data minimization) and 5.1.e), GDPR (storage limitation)
9. Any processing of personal data must be in line with the principles such as
included in article 5.1 GDPR. Article 5.1.b) of the GDPR reinforces it
purpose limitation principle, being the requirement that the data be collected for
specific, expressly described and legitimate purposes and no further
are processed in a manner that is incompatible with those purposes. Also the principle
of minimum data processing – under which only data is allowed
processed that are adequate, relevant and limited to what is necessary
with regard to the purpose (Article 5.1.c.) of the GDPR) – and the principle of limited
retention period - under which the data may not be retained in any form
which allows those involved to be identified and no longer allowed to be identified
kept as necessary in relation to the purposes for which they are processed
(Article 5.1.e) of the GDPR) apply to the processing of personal data.
10. These principles and the resulting obligations for the
controller also apply to the rights of the data subject,
as the data subject is in accordance with Article 17.1. a) AVG has the right to obtain from the
controller to request the deletion of data concerning him
obtain if this data is no longer necessary for the purposes
for which they were collected or processed.
11. The email address that is the subject of the complaint and the information constitutes a
personal data within the meaning of Article 4.1) of the GDPR, as it relates to
information about an identified or identifiable natural person. This email address
and the associated mailbox, which is used for professional purposes in the context of the
activities of the defendant were created were intended to enable the complainant
to receive and send emails in the context of its activities for the
defendant.
12. The Disputes Chamber is of the opinion that in order to comply with the purpose limitation principle
(Article 5.1.b) GDPR), in combination with the principles of minimum data processing Decision 01/2024 — 4/11
(Article 5.1.c) GDPR) and storage limitation (Article 5.1.e) GDPR), to the
controller is the holder of the mailbox that fulfills his function or
has ceased activities, and must be provided with a certificate no later than on the day of his actual departure
automatic message. The holder must be notified in advance of this. This
automatic message warns all subsequent correspondents that the data subject are
no longer carries out activities within the company and provides the contact details of the
person (or general email address) who should be contacted instead and this
for a reasonable period (a priori 1 month). Depending on the contexts in particular
the degree of responsibility that the person concerned exercises may be a longer period
be allowed, ideally no longer than three months. The extension must happen
with the consent of the person concerned or at least after the extension has been terminated
has been notified. Moreover, an alternative solution must be found as soon as possible
be searched for and entered without the deadline for this extension having to expire
are awaited. However, this does not alter the fact that after the termination of his
function that the person concerned can still have access to for a certain period
mailbox if there is an agreement between him and the
controller. 3 This gives the employee the opportunity to:
for example, to complete the current files.4
13. The Disputes Chamber establishes that prima facie the defendant has not complied with all the provisions of the
Dispute chamber regarding the management of e-mail accounts of former employees
5
seems to have been complied with, although a processing of the business mailbox is in principle
6
legitimate . Since the activities of the complainant for the defendant were terminated
on June 6, 2023, the Disputes Chamber is of the opinion that the processing of his
personal data based on the relevant email address and mailbox within a
should have been terminated within a reasonable period and the complainant should have been notified
informed.The Disputes Chamber is of the opinion that this period could have varied from
1 to 3 months where, as mentioned, the senders of messages to the
3In its recommendation CM/Rec (2015)5 on the processing of personal data in the context of the employment relationship, it states
the Committee of Minister of the Council of Europe in principle 14.5 the following: when an employee his or her job
leaves, the employer must take technical and organizational measures to ensure that the email from the
employee is automatically deactivated. If the contents of the email must be requested for good
functioning of the organization, the employer must take appropriate measures to retrieve the contents of the email
before the employee's departure and, if possible, in his presence. The explanation accompanying the recommendation states further
(para. 122) that in these situations where the employee leaves the organization, the employer retains the account of the former
employee must deactivate so that there is no longer access to the former employee's communications after his
departure. If the employer wishes to recover the contents of the employee's account, the employer must take the necessary steps
to take steps before the employee's departure, preferably in his presence. This sectoral recommendation that
and completes the Convention for the Protection of Individuals with regard to Automated Processing
personal data (STE108), illustrates how the principles regarding purpose limitation, minimal data processing
proportionate retention, which are confirmed in both this Treaty and the GDPR, should be applied.
4Cf. decisions 64/2020 and 133/2021.
5Cf. decisions 64/2020 and 133/2021.
6Cf. decision 64/2020, legal basis. 29 et seq. and decision 133/2021 para. 56 et seq. Decision 01/2024 - 5/11
relevant email address were automatically informed that the data subject
was no longer active within the company, and therefore without the intervention of any third party
person. Possibly (if so agreed between both parties) and in general
such a period could also cause a departing employee
still has temporary access to the information in the mailbox of his former partner
client.
14. The complainant indicates that the agreement between his acting defendant has expired
since June 6, 2023. This means, given the above, that the email address would
must be closed on July 6, 2023, or no later than September 6, 2023. The complainant argues
that this is not the case. In support of this claim, the claimant sends a piece
This should demonstrate that the mailbox was not closed in time. This concerns:
a delivery note dated. November 13, 2023 that an email was successfully delivered to the
disputed email address. This leads the Disputes Chamber to suspect that the defendant
has committed an infringement of Article 5.1.b), Article 5.1.c) and Article 5.1.e). From the pieces
it does not appear that the complainant had not received any information regarding the further use of his
mailbox and his e-mail address, nor that there was anything between the parties in this regard
agreed.
15. This leads the Disputes Chamber to suspect that the defendant has committed an infringement
committed under Article 5.1 b, Article 5.1.c) and Article 5.1 e) GDPR.
Lawfulness of the processing
16. Article 6 of the GDPR requires that all processing must be based on a
legal basis. This means that the controller may not start or,
as in this case, continue with data processing without relying on one of
the legality criteria listed in Article 6.1 GDPR, which is the embodiment of the
principle of lawfulness as referred to in Article 5.1 a) GDPR.
7Article 6.1 GDPR
The processing is only lawful if and to the extent that at least one of the conditions below is met:
a) the data subject has given consent to the processing of his personal data for one or more specific purposes
purposes;
b) the processing is necessary for the performance of a contract to which the data subject is party, or upon request
of the
to take measures before concluding a contract;
c) the processing is necessary for compliance with a legal obligation to which the controller is subject;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person
to protect;
e) the processing is necessary for the performance of a task carried out in the public interest or in connection with the
exercise of
the public authority assigned to the controller;
f) the processing is necessary for the purposes of the legitimate interests pursued by the controller
or from one
third party, except where the interests or fundamental rights and freedoms of the data subject are such
protection of
personal data outweigh those interests, in particular when the data subject is a child.
Point (f) of the first paragraph shall not apply to processing by public authorities in the exercise of their tasks. Decision 01/2024 – 6/11
17. It is true that the mailbox can, in view of the defendant's legitimate interest
accordance with the terms of Article 6.1.f) of the GDPR, for a period of one
certain period after the termination of the agreement between the data subject and the
defendant, will continue to be active insofar as this is limited to automatic transmission
of standard communication regarding the employee's departure, with a view to
guaranteeing the proper functioning of the company and its continuity
services. This is of course only possible provided that the other provisions of the GDPR regarding the
legal basis must also be respected, in particular Article 13.1.c) GDPR, from which
follows that it must be determined before starting processing activities
which legal basis applies, and in relation to which specific purpose, with the
obligation for the controller to inform the complainant thereof
The file does not prima facie show that the defendant was aware of the complainant
of the applicable legal basis. Consequently, it can be said that the
The defendant has processed the complainant's personal data against his expectations
in.
18. For cases where the data subject and the controller are in mutual agreement
agree that the person concerned will remain for a period of one year after his departure
may have access to his mailbox for a certain period of time – for example to allow the data subject to
to provide an opportunity to complete ongoing files - permission may be granted (Article
6.1 a) GDPR) are a valid legal basis for continuing to use the mailbox after
termination of cooperation. Based on the documents accompanying the complaint, the
Disputes Chamber cannot determine whether such an arrangement had been agreed between
the complainant and the defendant.
19. Finally, reference should also be made to the legal basis contained in Article 6.1.b) GDPR,
on the basis of which processing can take place if it is necessary for the
execution of an agreement. Incaseyoucannotfallbackonhere,
as the complainant had already terminated his contractual relationship with the defendant on 6
June 2023.
20. Consequently, the Disputes Chamber must determine that there is no prima facie legal basis
is the processing of the email address after the termination of the agreement with the
complainant can justify in the manner used by the defendant. This brings the
Disputes Chamber to suspect that the defendant has violated Article 5.1.a in conjunction with 6.1
GDPR has committed.
21. Based on the above analyses, the Disputes Chamber assumes that the
defendant infringes the provisions of the GDPR, and in particular Articles 5.1.b),
c) and e) GDPR on the one hand and Article 5.1.a) j° Article 6.1 GDPR on the other hand, which
8
In this regard, see Guidelines 05/2020 on consent in accordance with Regulation 2016/679 (edition nos. 121-123);
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_nl.pdf. Decision 01/2024 — 7/11
justifies that in this case a decision is taken on the basis of
Article 95, §1, 4° of the WOG, more specifically a warning for the future
formulate against the defendant with regard to the failure to conclude the
professional mailbox after the complainant's departure.
22. This decision is a prima facie decision taken by the Disputes Chamber
in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant
complaint, in the context of the “procedure prior to the decision on the merits” and not 9
decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG. The
Disputes Chamber has thus decided, on the basis of Article 58.2.a) GDPR and Article 95, §1,
4° of the WOG, to formulate a warning regarding the defendant, for what
concerns the failure to close the complainant's professional mailbox in a timely manner after termination
of employment.
23. However, if the defendant does not agree with the content of this prima facie statement
decisions are of the opinion that they can apply factual and/or legal arguments
that could lead to a different decision, this can be done via the e-mail address
litigationchamber@apd-gba.beeenrequesttohandlethesubstancesofthecase
to the Disputes Chamber within thirty days after notification of
the decision. The implementation of this decision will be carried out if necessary
suspended for the aforementioned period.
24. Finally, for the sake of completeness, the Disputes Chamber points out that a substantive hearing
of the case may lead to the imposition of the measures referred to in Article 100 of the
10
WOG.
9
Section 3, Subsection 2 of the WOG (Articles 94 to 97).
10Article 100, §1 WOG: “The Disputes Chamber has the authority to:
1° to dismiss a complaint;
2° to order the dismissal of prosecution;
3° order the suspension of the ruling;
4° to propose a settlement;
5° formulate warnings and reprimands;
6° order that the data subject's requests to exercise his rights be complied with;
7° to order that the person concerned is informed of the security problem.
8° order that processing be temporarily or permanently frozen, restricted or prohibited;
9° to order that the processing be brought into compliance;
10° the rectification, restriction or deletion of data and its notification to the recipients of the data
recommend data;
11° order the withdrawal of the recognition of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° the suspension of cross-border data flows to another State or an international institution
command;
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the outcome
that is given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Decision 01/2024 - 8/11
II.2. With regard to the insufficient enforcement of the right of access
25. To begin with, the Dispute Chamber recalls that the right of access is one of the
most important requirements of the right to data protection. It is the
“gateway” that allows the exercise of other rights granted by the GDPR to the
data subject, such as the right to rectification, the right to erasure and the
11
right to restriction of processing.
26. Pursuant to Article 12.1 of the GDPR, the controller must provide appropriate
take measures to respond to requests from data subjects exercising their rights
wish to exercise pursuant to Articles 15 to 22 and Article 34 of the GDPR.
Pursuant to Article 12.3 GDPR, the controller must, as soon as possible and in
in any case within one month of the request (this period may be possible under certain circumstances).
conditions are extended by two months). As the data controller
decides not to respond to a request from the data subject, the
controller the data subject within one month of receipt of it
request, provide an answer stating the reasons for the decision (Article 12.4
GDPR).
27. According to Article 15.1 of the GDPR, the data subject has the right to obtain from the
to obtain a decision from the controller as to whether or not to process it
regarding personal data. If the latter is the case, the person concerned has it
right to inspect those personal data and information referred to in Article
15.1.a)–h) of the GDPR is stated, such as the purpose of the processing of the
data and the possible recipients of the data, as well as information about it
existence of his rights, including the right to rectification or erasure of his data
or to file a complaint with the GBA. The purpose of the right of access is the
to enable the data subject to understand how his data are processed
and what the consequences are as well as the accuracy of the processed data
control without having to justify his intention.12
28. Based on the documents in the file, the Disputes Chamber determines that the complainant was on 16
exercised his right of inspection in October 2023, but the documents do not show that the
complainant should receive an answer from the defendant. Consequently, the
Dispute Chamber also stated that the defendant may have acted contrary to Article
12.3 and 12.4 of the GDPR, as well as Article 15.1 of the GDPR.
Data Protection Authority.
11
See, among others. CJEU, January 12, 2023, ÖsterreichischePost AG, C-154/21, ECLI:EU:C:2023:3, edge no. 38;CJEU, July 17, 2014, YS etal.,
C-141/12 and C-372/12, EU:C:2014:2081, edge no. 44, and CJEU, 20 December 2017; Nowak, C-434/16,EU:C:2017:994, edge no. 57.
See also decision 15/2021 of February 9, 2021, edge no. 141, and decision 41/2020 of July 29, 2020, edge no. 47, to be consulted
on the GBA website.
1EDPB — Guidelines 01/2022 on data subject rights – Right of access (v2.0, March 28, 2023), edge no. 13, can be consulted via
https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf. Decision 01/2024 — 9/11
29. The Disputes Chamber is of the opinion that an analysis should be carried out on the basis of the above
concluded that the controller may have committed an infringement of the
provisions of the GDPR was committed, which justifies this in this case
proceeded to make a decision on the basis of Article 95, §1, 5° WOG, more
stipulates that the controller should be ordered to take action where appropriate
indicate the exercise by the complainant of his right of access (Article 15.1 GDPR) and this in
particularly in view of the document that the complainant has provided which shows that the complainant
has indeed exercised his right of access, but the controller
prima facie did not comply with that."
30. This decision is a prima facie decision taken by the Disputes Chamber
in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant,
in the context of the “procedure prior to the decision on the merits” 13 and none
decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.
31. The Disputes Chamber has thus decided on the basis of Article 58.2.c) GDPR and
Article 95, § 1, 5° of the WOG, ordering the defendant to comply with the request
of the data subject to exercise his rights, in particular the right of access such as
determined in Article 15 GDPR.
32. The purpose of this decision is to inform the defendant of the fact that
it has committed an infringement of the provisions of the GDPR and this is possible
to still comply with the aforementioned provisions.
33. However, if the defendant does not agree with the contents of this fine
facie decision and is of the opinion that it may allow factual and/or legal arguments
funds that could lead to a different decision can be made via the e-mail address
litigationchamber@apd-gba.beeenrequesttohandlethesubstancesofthecase
to the Disputes Chamber and this within the period of 30 days after notification of this
decision. The implementation of this decision will be carried out if necessary
suspended for the aforementioned period.
34. In the event of a continuation of the merits of the case, the
Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG
invite them to submit their defenses as well as any documents they deem useful
file to add. If necessary, the present decision will be permanently suspended.
35. Finally, for the sake of completeness, the Disputes Chamber points out that a substantive hearing
14
of the case may lead to the imposition of the measures stated in Article 100 of the WOG.
13Section 3, Subsection 2 of the WOG (Articles 94 to 97).
14Article 100. § 1. The Disputes Chamber has the authority to:
1° to dismiss a complaint;
2° to order the dismissal of prosecution;
3° order the suspension of the ruling;
4° to propose a settlement;
5° formulate warnings and reprimands; Decision 01/2024 – 10/11
III. Publication of the decision
36. Considering the importance of transparency with regard to decision-making
Dispute Chamber, this decision will be published on the website of the
Data Protection Authority. However, it is not necessary that the
identification details of the parties are disclosed directly.
FOR THESE REASONS ,
the Disputes Chamber of the Data Protection Authority decides, with reservations
from the submission of a request by the defendant for a hearing on the merits
in accordance with Article 98 et seq. of the WOG, to:
- on the basis of Article 58.2.a) of the GDPR and Article 95, § 1, 4° of the WOG the
to warn the defendant in the future that failure to conclude a contract in a timely manner
mailbox of an employee after termination of service employment a
constitutes an infringement of Article 5.1.b), c) and e) GDPR and Article 5.1.a) j° Article 6.1 GDPR;
- on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG the
order the defendant to comply with the data subject's request
to exercise its rights, in particular the right of access (Article 15.1 GDPR), and
this within a period of 30 days from the notification of this
decision;
- order the defendant to contact the Data Protection Authority (Dispute Chamber)
by e-mail within the same period of the consequences
this decision will be given via the email address litigationchamber@apd-gba.be;
and
- in the absence of timely implementation of the above by the defendant,
to consider the merits of the case ex officio in accordance with Articles 98 et seq.
of the WOG.
6° order that the data subject's requests to exercise his rights be complied with;
7° to order that the person concerned is informed of the security problem;
8° order that processing be temporarily or permanently frozen, restricted or prohibited;
9° to order that the processing be brought into compliance;
10°the rectification, limitation or deletion of data and its notification to the recipients of the data
recommend data;
11° order the withdrawal of the recognition of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° the suspension of cross-border data flows to another State or an international institution
command;
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the
follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the
Data Protection Authority. Decision 01/2024 – 11/11
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notice, an appeal against this decision will be filed with the Market Court (court of
appeal Brussels), with the Data Protection Authority as defendant.
Such an appeal can be lodged by means of an inter partes petition
must contain information listed in Article 1034ter of the Judicial Code. It 15
an objection petition must be submitted to the registry of the Market Court
16
in accordance with Article 1034quinquies of the Dutch Civil Code. , or via the e-Deposit
IT system of Justice (Article 32ter of the Judicial Code).
(transl.) Hielke H IJMANS
Chairman of the Disputes Chamber
15The petition states, under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be
summoned;
4° the subject matter and brief summary of the grounds of the claim;
5° the judge before whom the claim is brought;
6° the signature of the applicant or his lawyer.
16The application with its attachment will be sent by registered letter in as many copies as there are parties involved
deposited with the clerk of the court or at the registry.
