APD/GBA (Belgium) - 07/2021

From GDPRhub

Latest revision as of 16:51, 12 December 2023

APD/GBA - 07/2021
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1) GDPR
Article 6(1) GDPR
Article 15(1) GDPR
Article 32 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.2021
Published: 01.2021
Fine: None
Parties: n/a
National Case Number/Name: 07/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde nr. 07/2021 van 29 januari 2021 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA (APD/GBA) held that intent is not a criterion for assessing processing and that mistakenly sending an e-mail does not necessarily constitute a data breach, as a human error does not always mean that the technical and organisational measures are inadequate. Finally, the DPA held that merely receiving an e-mail is not processing.

English Summary

Facts

Defendant 1 allegedly did not grant access to the personal data he holds about the complainant. Defendant 1 had sent an e-mail with 32 attachments concerning the complainant's company to defendant 2, a former associate of the complainant. The attachments contained a lot of personal data about the complainant, and no consent had been given to send the e-mail.

On top of that, the e-mail was then sent to the lawyer of defendant 2. The lawyer then forwarded the e-mail to the lawyer of the complainant.

Dispute

Holding

Complaint to defendant 1

Right to defence

Defendant 1 stated that his right to defence was violated because the original complaint did not specify which rules of law had been infringed, and thus the defendant could not adequately prepare.

The DPA reiterates that submitting a complaint should be uncomplicated for the parties whose personal data is being processed. The DPA notes that it is up to each of the parties to provide the necessary evidence for the alleged infringements or for refuting them. The complainant does not have to submit this evidence in the complaint itself. It is up to the DPA to assess which alleged violations it considers sufficiently proven as violations of the GDPR. In doing so, the DPA has considerable policy discretion to determine the scope of the proceedings. The absence of supporting documents for certain allegations cannot be relied upon by the other party as a violation of its right of defence.

Lawful processing

Here, the DPA judged the legality of sending the e-mail between defendant 1 and 2. Defendant 1 states that this was a human error and that such a non-intentional, unintended action cannot constitute a breach of the GDPR.

Intention, however, is not a criterion for processing under the GDPR, the DPA states. The mere fact that the e-mail was sent constitutes processing. In line with Article 5(1)(b), processing for purposes other than those initially stated can only be done if those purposes are compatible with the original purposes.

To assess whether this is the case, the reasonable expectations of the data subject play a critical role. The DPA states that the complainant used the services of defendant 1 for its bookkeeping and there was no reasonable expectation that this would be shared with defendant 2. As such, the processing does not have a compatible purpose.

As the defendant 1 stated, the sending was an error, which means there is no legal basis to conduct the processing.

The DPA then assesses whether defendant 1 could rely on the legal basis of legitimate interest under Article 6(1)(f). It confirms earlier case law of the CJEU under which three requirements have to be fulfilled cumulatively: a legitimate interest pursued by the controller, the necessity of the processing, and the fundamental rights and freedoms of the data subject not overriding the legitimate interest.

The DPA states that defendant 1 had a purpose, namely reaching all parties with all the documents, and that this can be seen as a legitimate interest. However, the processing was not necessary, as two e-mails without mixed attachments could have achieved the same goal. The third requirement is also not fulfilled since, as stated earlier, the complainant did not reasonably expect this processing to happen. As such, legitimate interest cannot serve as a legal basis.

Right to access

The DPA states that the complainant provided no proof that the right of access had not been granted.

Safety of processing and data breach

The access of defendant 2 to the e-mail was not related to insufficient technical and organisational measures to ensure adequate security. The DPA is of the opinion that no security measure can completely exclude an e-mail being sent to an unintended recipient as a result of human error. It cannot therefore be concluded that, by sending the e-mail to defendant 2, defendant 1 did not take sufficient measures to protect the personal data of the complainant against security risks, so that no infringement of Article 32 and Article 33 can be established in this case.

Complaint to defendant 2

Defendant 2 claims that there is no processing on his part, as there is no intentional element present and no initiative was taken by him.

The DPA states that just receiving personal data does not in itself constitute processing as defined in Article 4(2). Accessing or forwarding the attachments with personal data, however, does constitute processing. Even though defendant 2 claims not to have read the attachment, it was sent to his lawyer. This means defendant 2 must be seen as a data controller as defined in Article 4(7), because he defined the purposes and means of processing. His statement that he deleted the e-mail with attachment is irrelevant, as the processing had already taken place.

Additionally, defendant 2 did not deliver evidence that he had asked his lawyer to remove the e-mail with attachments, a responsibility which falls on all data controllers under Article 19 when deleting personal data in line with Article 17.

The defendant 2 reasons that this processing is lawful as article 237 of the Codex Deontology for Lawyers and WP29 169 state that you can provide information to your lawyer to help exercise your rights/legal defense. Interpreting this any other way would prevent the defendant 2 from sending information to his lawyer.

The DPA states that the personal data was sent to defendant 2 without a lawful basis. Defendant 2 could not utilise this information, as he should not have received it in the first place. The DPA can only conclude that there is no legal basis as provided for in Article 6(1) that justifies the forwarding of the e-mail by defendant 2 to his counsel. Defendant 2 also does not invoke the legal basis of Article 6(1)(f) and explicitly confirms in his reply to the statement of defense, with regard to legitimate interest under Article 6(1)(f), that he does not even invoke this legal ground.

Of course, communication with one's counsel is secret, but only on the condition that the information was received in a lawful manner. This was not the case here, resulting in a breach of Article 5(1)(a) and Article 6(1).

Further grievances regarding transparency and purpose limitation are not relevant as the processing itself is unlawful.

Comment

This decision was part of a larger one before another court.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                          Litigation chamber



                                     Decision on the merits 07/2021 of 29 January 2021






File number: DOS-2019-06201


Subject: Disclosure of personal information to third parties without permission from

the person concerned






The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke

Hijmans, chairman and Messrs. Christophe Boeraeve and Jelle Stassijns, members;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and repealing Directive

95/46 / EC (General Data Protection Regulation), hereinafter GDPR;




In view of the law of 3 December 2017 establishing the Data Protection Authority, hereinafter

WOG;


Having regard to the rules of internal procedure, as approved by the Chamber of

Representatives on December 20, 2018 and published in the Belgian Official Gazette on

January 15, 2019;




Considering the documents in the file;










has taken the following decision regarding:

    - Mrs. X, hereinafter “the complainant”

    - Y1, hereinafter “defendant 1”

    - Mr Y2, hereinafter “Respondent 2”




    1. Facts and procedure




1. On December 11, 2019, the complainant files a complaint with the Data Protection Authority, hereinafter

    GBA, against the defendants.



    The subject of the complaint concerns:

    - the refusal by respondent 1 to provide the complainant with access to personal data.

    - the sending by Mrs. Z, partner at defendant 1, of an e-mail with 32 attachments, in part

    concerning the company X bv of which the complainant is a 100% shareholder, making it

    information would allow access to the personal activities, finances and personal data of

    the complainant, to respondent 2, the complainant's former associate. This information would have been provided

    without the consent of the complainant.

    In addition, the respective e-mail containing the information concerning X bv, would be sent by

    Respondent 2 forwarded to his counsel who would then in turn send the email

    forwarded to the complainant's counsel.



2. On 7 January 2020, the complaint will be declared admissible on the basis of articles 58 and 60 of

    the WOG, and the complaint on the basis of art. 62, §1 WOG submitted to the Disputes Chamber.



3. On January 29, 2020, the Disputes Chamber will notify the complainant that pursuant to Article

    95, § 1, 3 ° WOG, it was decided to dismiss the complaint for reasons of expediency. The

    decision states that the complaint does not contain any grievances that have a broad social impact

    as well as that with regard to the deontological and professional errors that were made

    committed by Ms. Z is a complaint pending with the competent authority and the Dispute Chamber

    wish to avoid a possible double investigation.



4. On March 5, 2020, the Disputes Chamber will receive the

    notification of a petition from the complainant against the GBA, deposited at the registry of the Court.




5. On April 30, 2020, the registry of the Brussels Court of Appeal will notify the Disputes Chamber of this

    the initiation of the case was originally set during the period March-April 2020,

    has been canceled and a new initiation date has been set for May 6, 2020.




6. By decision of 6 May 2020, the Marktenhof establishes the conclusion calendar. In it it states

    Court also established that the counsel declare that they agree in writing to a written consultation

    name, which will take place on August 7, 2020 with delivery of the judgment in public

    hearing on 2 September 2020.



7. On September 2, 2020, the Marktenhof will pass judgment.

    The judgment contains the following points for attention regarding the assessment of the


    subject of the petition:



     Annulment of the decision to dismiss the Disputes Chamber for lack of adequate

         motivation

     Granting by the Court to the measure claimed by the complainant, ie to rule that

         the file is ready for treatment on the merits within the meaning of Article 95, §1, 1 ° WOG and the

         Order the data protection authority to consider the merits of the file in

         the meaning of article 98 WOG.


    The Marktenhof not only overturns the decision of the Disputes Chamber of January 28, 2020,

    but also orders the Dispute Chamber to decide within five months from the


    notification of the judgment to make a new decision on the complaint lodged.

    Since the Marktenhof still wishes to assess the claims of the complainant against the

    contradiction by the GBA, the Court claims that the GBA should take a position on the

    claim as stated by the complainant.

    The Court will adjourn the case in order to verify whether the Dispute Chamber is within the stated time limit

    period has taken a new decision and in order to allow the complainant to make a claim

    to the full jurisdiction of the Marktenhof, the Disputes Chamber was not allowed a new one

    have made a decision. The Court refers the case for review in open court of

    February 24, 2021, where the Court specifies that it is not for it to make the new decision


    to judge on its merits in the context of the present proceedings.










1 The judgment is available on the website of the Data Protection Authority via the following link:
https://www.gegevensbeschermingingsautoriteit.be/publications/tussenarrest-van-02-september-2020-van-het-markthof.pdf




8. Following up on the judgment, the Disputes Chamber will decide on 8 September 2020 on the basis of art. 95,

    §1, 1 ° and art. 98 WOG that the file is ready for consideration on the merits.



9. On September 8, 2020, the parties concerned will be notified by registered mail

    of the provisions as stated in article 95, §2, as well as of those in art. 98 WOG. Also were

    the parties involved on the basis of art. 99 WOG of the deadlines to their

    file defenses. The deadline for receipt of the response

    of the defendants was recorded on October 20, 2020, before receipt of the

    statement of reply of the complainant on 10 November 2020, with the

    possibility to submit a statement of reply until December 1, 2020.



10. On October 19, 2020, the Disputes Chamber will receive the statement of defense from the respondent

    2. The defenses put forward can be summarized as follows:




     With regard to the authority of the GBA, it is argued that the Dispute Chamber is

        on the basis of article 100, §1 WOG, the complaint can be dismissed. Furthermore, be

        arguments drawn from the judgment of the Marktenhof to demonstrate this in the proceedings

        on the merits the Disputes Chamber has power to dismiss. This brings respondent 2

        to urge the Disputes Chamber to renew a

        decision to dismiss after reviewing the factual elements and the basis of the

        complaint to the strategic plan and the internal dismissal guidelines of the GBA.

     According to respondent 2, there would be no processing of personal data (Article 2.1 GDPR)

        lack of an intentional element on the part of respondent 2 of the personal data

        as he was only the recipient of the email and only one

        act, namely forwarding the e-mail to his lawyer, after which the

        email with attachments has been deleted.

     Respondent 2 states that he can neither act as controller nor as processor

        are labeled. He states that he only meets the criteria of the GDPR as a recipient

        and third, as defined in Article 4 GDPR.


     Forwarding the e-mail to his counsel does not constitute an infringement according to respondent 2

        on the GDPR. To this end, he refers to Article 237 of the Codex Deontology for Lawyers

        and Opinion 1/2010 on the concepts of “controller” and “processor”

        of the Article 29 Working Party on Data Protection, adopted on 16 February 2010 2, to

        state that a legal subject may provide information to his / her lawyer. Different

        Judging, according to respondent 2, would have the effect of prohibiting the






2 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf



        passing on information to counsel insofar as that information relates to

        personal data. Respondent 2 adds that his counsel is there in turn

        was ethically obliged to pass on the information obtained to counsel

        of the complainant.


     Even if an infringement were established, Respondent 2 considers him

        no sanction can be imposed, given the specific circumstances of the case.

        Specific with regard to the possibility of imposing an administrative one

        fine, respondent 2 indicates for each of the criteria stated in Article 83.2 GDPR

        to what extent these apply or not and this leads him to the conclusion that he

        no fine can be imposed.



11. On October 20, 2020, the Disputes Chamber will receive the statement of defense from the respondent

    1. The defenses put forward can be summarized as follows:



     With regard to the competence of the GBA, this is also raised in the context of a

        proceedings on the merits the Dispute Chamber can proceed to dismissal, which was

        confirmed by the judgment of the Marktenhof dated September 2, 2020.

     The sending of the e-mail with respondent 2 as one of the addressees concerns a

        one-time human mistake in which certain data unintentionally entered into one

        only e-mails were sent to defendant 2.

    Respondent 1 claims to have acted in good faith by immediately taking the necessary action

        to obtain the removal of the email from Respondent 2.

     The rights of defense are alleged to have been violated because the complaint contains no legal rules

        to be mentioned.

    Respondent 1 points out that it has always complied with its privacy obligations.

    Respondent 1 is of the opinion that no infringement has been committed and cannot be sanctioned


        imposed.



12. On November 10, 2020, the Disputes Chamber will receive the statement of reply from the complainant.

    The complainant argues that respondent 1 would have committed the following violations:

    - Violation of the right of access (Article 15 GDPR)


    - Violation of the legal basis requirement (Article 6.1 GDPR); the legality- transparency-

        and the principle of fairness (art. 5.1 a) GDPR); the purpose limitation principle (Article 5.1 b) GDPR) and

        the principle of minimum data processing (Article 5.1 c) GDPR) and this in each case

        as to it still retained by defendant 1 today, as to

        forwarding by e-mail to defendant 2

    - Violation of the integrity and confidentiality principle (Article 5.1 f) GDPR and 32 GDPR)

        and of the obligation to report a data breach (Article 33 GDPR)





    As regards respondent 2, the complainant alleges the following violations:

    - Respondent 2 is jointly controller for the violations

        defendant 1


    - Violation of the legal basis requirement (Article 6.1 GDPR), the legality and

        transparency principle (Article 5.1 a) GDPR), as well as the purpose limitation principle (Article 5.1 b) GDPR)



13. On November 28, 2020, the Disputes Chamber will receive the statement of reply from the respondent

    2. The statement of reply fully reproduces the statement of opinion submitted on 19 October 2020

    answer. The defendant adds the following points:



     According to respondent 2, the complaint should be declared inadmissible because the

        the complainant maintains in the reply that "the use by respondent 2 of the e-mail

        against the complainant "is the problem and not so much" the forwarding by respondent 2 of

        that e-mail to his counsel ", as formulated in the complaint. Thus the complaint would not

        meet the requirement of Article 60, paragraph 2 of the WOG, which includes a complaint

        admissible if it contains a statement of the facts and the necessary indications

        for the identification of the processing to which it relates. This requirement would

        are not satisfied.

     Regarding the complainant's statement in the reply that respondent 1 only the

        Instructions from Respondent 2 follows by which Respondent 2 would determine the object and means

        determining the processing within the meaning of Article 4.7) GDPR, with reference to a

        oral statement by respondent 1 that respondent 2 would have ordered her to

        not to deliver any document to the complainant without informing Respondent 2 thereof

        Respondent 2 responds that no evidence is provided for this, so that in

        Contrary to what the complainant maintains, respondent 1 and respondent 2 are not as joint

        controllers can be labeled.


     With regard to the complainant's statement in the reply regarding the

        legitimate interest as the legal basis for the processing, respondent 2 states that these

        legal basis is not put forward by him.

     The complainant's request to impose a penalty is inadmissible, at least

        unfounded, because without object, since the e-mail and attachments on first request already

        were deleted.



14. On December 1, 2020, the Disputes Chamber will receive the statement of reply from the respondent

    1, which fully repeats and adds to the elements of its statement of defense

    that the extension of the complainant's arguments through its statement of defense leads to this

    that the rights of defense of respondent 1 have been violated. Also disputed



    defendant 1, in fact and in law, any fact that is not expressly acknowledged in his

    statement of reply.



    2. Legal basis






            Principles regarding processing of personal data

Article 5.1 GDPR



1. Personal data must:

a) processed in a manner that is lawful, proper and with regard to the data subject

is transparent ('lawfulness, fairness and transparency');

(b) collected for specified, explicit and legitimate purposes and

may not be further processed in a way incompatible with those purposes; the

further processing for archiving in the public interest, scientific or historical

research or statistical purposes is not considered incompatible in accordance with Article 89 (1)

considered with the original purposes ('purpose limitation');

(c) adequate, relevant and limited to what is necessary for the purposes for which


they are processed ('data minimization');

[…]

f) by taking appropriate technical or organizational measures in such a way

processed to ensure adequate security, including protection

are against unauthorized or unlawful processing and against accidental loss, destruction or

damage (“integrity and confidentiality”).





            Lawfulness of the processing



Article 6.1 GDPR



1. The processing is only lawful if and insofar as at least one of the following

conditions are met:

a) the data subject has consented to the processing of his personal data for

one or more specific purposes;

b) the processing is necessary for the performance of a contract with which the data subject

party, or to take measures at the request of the data subject prior to the conclusion of an agreement

take;



c) the processing is necessary to comply with a legal obligation on the

controller rests;

d) the processing is necessary for the vital interests of the data subject or of another

protect a natural person;


e) processing is necessary for the performance of a task carried out in the public interest or for a task

in the exercise of official authority vested in the controller

commissioned;

f) the processing is necessary for the representation of the legitimate interests of the

controller or of a third party, except when the interests or fundamental rights and

the fundamental freedoms of the data subject requiring the protection of personal data,

outweigh those interests, especially if the data subject is a child. The first paragraph,

point f) does not apply to processing by public authorities in the exercise of

their duties.



            Right of access



Article 15.1 GDPR



1. The data subject has the right to obtain information from the controller about

whether or not to process personal data concerning him and, where that is the case, to

obtain access to those personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data have been or will be

, in particular recipients in third countries or international organizations;

d) if possible, the period during which the personal data are expected to be obtained

stored, or if that is not possible, the criteria for determining that period;

e) that the data subject has the right to request that the controller do so

personal data are rectified or erased, or that concerning the processing of him

personal data is limited, as well as the right to object to that processing;

f) that the data subject has the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, all available

information about the source of that data;

h) the existence of automated decision-making, including those referred to in Article 22 (1) and (4),

intended profiling, and, at least in those cases, useful information about the underlying logic,

as well as the importance and the expected consequences of that processing for the data subject.




         3. Justification



A. Procedure



     15. This case is the follow-up to the judgment of the Marktenhof dated September 2, 2020 in a case


         against the Data Protection Authority (GBA), following the appeal lodged by the complainant

         against the decision of the Disputes Chamber on the basis of Article 95, § 1, 3 ° WOG, his complaint

         to dismiss.



     16. At present, the defendants in the proceedings on the merits which will be brought before the Disputes Chamber

         the Disputes Chamber can still proceed to dismiss the complaint

         and that this would be appropriate in the present file, after checking against the strategic plan


         and the internal dismissal guidelines of the Disputes Chamber.



     17. However, the complainant believes that he can state in this regard that the Disputes Chamber does not have the


         possibility of termination, and this deduces from the relevant judgment of the Marktenhof

         stating that the measure claimed by the complainant to decide that file

         is ready for treatment on the merits within the meaning of Article 95, 1 ° WOG and the dossier on the merits

         to be treated within the meaning of article 98 et seq. of the WOG. is granted by the Marktenhof.




     18. The Disputes Chamber wishes to provide clarity on this point, without prejudging

         on the assessment of the facts underlying the complaint and any infringements

         on the GDPR that could result from it. The Disputes Chamber refers to this

         Article 100 WOG 3, in which its decision-making power is determined in the context of a








     3 Art. 100. § 1. The disputes chamber has the power to:

      1 ° to dismiss a complaint;
      2 ° order the non-prosecution;

      3 ° order the suspension of the judgment;
      4 ° propose a settlement;

      5 ° to formulate warnings and reprimands;

      6 ° order that the requests of the data subject to exercise his rights be complied with;
      7 ° order that the person concerned is informed of the safety problem;

      8 ° order that the processing be temporarily or permanently frozen, restricted or prohibited;

      9 ° order that the processing is brought into conformity;
      10 ° the rectification, limitation or deletion of data and the notification thereof to the recipients of the
     to order data;

      11 ° order the withdrawal of the accreditation of certification bodies;

      12 ° to impose penalties;
      13 ° impose administrative fines;




         procedure on the merits. This provision expressly provides that, in addition to many other measures,

         the Disputes Chamber also has the option to file a complaint in the proceedings on the merits


         to be dismissed (Article 100, §1, 1 ° WOG). The Disputes Chamber emphasizes that it is free to

         to dismiss complaints also at this stage for technical or policy reasons,

         in accordance with the conditions in the case law of the Marktenhof. 4




     19. After this, the Disputes Chamber will investigate whether or not there has been any infringement of the

         GDPR and assess which sanction, if any, should be considered appropriate.




     20. Contrary to what the complainant claims, the Marktenhof in its judgment of 2 September

         2020 does not include any restrictions regarding the possible sanctions to be taken by the

         Disputes Chamber and the option to proceed with dismissal is therefore retained. It


         judgment explicitly states that the Disputes Chamber is free to make a new decision

         and that this can indeed be a dismissal decision. 5 After all, the judgment states that if the

         new decision would again be a dismissal decision, care must be taken that this

         new decision is properly justified.





B. Investigation of the complaint as formulated with regard to the defendant 1



                   a. Subject of the complaint and rights of defense





     21. Respondent 1 accuses the complainant of extending the complaint in the reply.

         Because the complainant did not include this argumentation in the original complaint, but only in the


         conclusion, respondent 1 is of the opinion that his rights of defense have been violated. Respondent 1








      14 ° the suspension of cross-border data flows to another State or an international institution
     to command;

      15 ° transfer the file to the public prosecutor's office in Brussels, who informs it of the consequences
     that is given to the file;

      16 ° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

      § 2. If, after application of § 1, 15 °, the public prosecutor refrains from instituting criminal proceedings, an amicable
     propose a settlement or mediation in criminal matters referred to in Article 216ter of the Code of Criminal Procedure, or
     if the Public Prosecution Service has not taken a decision within a period of six months from the day
     upon receipt of the file, the Data Protection Authority decides whether the administrative procedure should be
     resume.

     4 Judgment of the Marktenhof dated 2 September 2020, 9.4.
     5 The judgment of the Marktenhof dated September 2, 2020 states in 9.11. “Is the dismissal decision - as in this case - not sound
     motivated, it will be destroyed. In that case, the Disputes Chamber is free to make a new decision and
     if that would again be a dismissal decision, to ensure that this new decision is properly substantiated this time
     is.”




    adds that no legal rules are invoked in the complaint, as a result of which his rights
    of defense would also have been violated.



22. The Disputes Chamber establishes that the complaint, as formulated with regard to respondent 1,
    contains two elements:

    - the refusal by respondent 1 to allow the complainant access to personal data;

    - the sending by respondent 1, to respondent 2, the complainant's former associate, of an e-mail
      with 32 attachments concerning the complainant, information that would give access to personal
      activities, finances and personal data of the complainant. This information would have been
      provided without the consent of the complainant.



23. The Disputes Chamber is of the opinion that the complainant's statement of reply repeats both of these
    elements and that the complainant thereby does exactly what defendant 1 puts forward in his conclusion of
    answer, in which he states that the complainant should further explain her complaint, stating
    the legal rules invoked, in order to give respondent 1 the opportunity to
    draw up his submissions in an appropriate manner.



24. Although Respondent 1 thus had the opportunity to respond to this in his statement of
    reply and to fully exercise his rights of defense, respondent 1 limits himself
    to stating only that the legal and factual argument contained in the complainant's statement
    is disputed and that the complainant should make clear, both in fact and in law,
    the basis on which the complainant attempts to substantiate the claims.



25. The Disputes Chamber emphasizes that impartial and fair treatment must be assured throughout the
    entire procedure. The rights of defense of defendant 1 are not
    violated, because he has been given the opportunity to fully present his argument
    by means of his submissions, at least by means of his statement of reply.



26. With regard to the defense raised against the complainant, namely that the complainant must provide
    clear information about the evidence on which the allegations are based, the Disputes Chamber
    reiterates that filing a complaint should be straightforward for the data subjects whose personal
    data are processed. 6 More specifically, the Disputes Chamber notes
    that it is up to each of the parties to provide the necessary evidence of the alleged violations
    or of their rebuttal. The complainant does not have to submit this evidence in the complaint itself.
    It is up to the Disputes Chamber to assess which alleged violations
    it deems sufficiently proven to be considered an infringement of the GDPR. The Disputes Chamber has
    considerable discretion in determining the scope of the procedure. 7 The
    lack of supporting documents for certain assertions cannot be invoked by the counterparty
    as a violation of its rights of defense.

6 See in more detail Decision on the merits 05/2021 of 22 January 2021, 11.





             b. Lawfulness of the processing




27. The complainant argues that any legal basis for the processing of the complainant's personal data
    by defendant 1 is completely lacking, both as regards defendant 1 still keeping
    the complainant's accounts in his possession and as regards the processing of personal data
    consisting of forwarding the e-mail with attachments to defendant 2.




28. First of all, the Disputes Chamber points out that, as regards the continued retention
    of the complainant's accounts, it cannot, based on the elements available to it,
    assess the extent to which it is still necessary for respondent 1 to keep the documents relating
    to the complainant's accounts in the context of the existing dispute between
    respondent 1 and respondent 2. The Disputes Chamber will only examine below to what extent the
    forwarding of the e-mail with attachments to respondent 2 can be considered lawful.




29. Respondent 1 admits that the email was indeed addressed to Respondent 2 as one of the
    recipients, but states that this was the result of a one-time human error whereby
    personal data concerning the complainant was unintentionally sent to respondent 2. He
    explains that at the root of this mistake is the fact that for many years e-mails were
    sent to both the complainant and respondent 2 in the context of the notary association between
    the two. He specifies that the e-mail that is the subject of the complaint has both attachments
    relating to the notary association and attachments relating to the
    personal partnership of the complainant. Respondent 1 argues that such an unintentional
    act cannot give rise to an infringement of the GDPR.



30. The Disputes Chamber draws attention to the fact that the presence or absence of an intention
    does not constitute a criterion for the processing of personal data within the meaning of Article 4.2) GDPR. 8






7 See, inter alia, Decision on the merits 05/2021 of 22 January 2021, 10-13.

8 Art. 4. GDPR

For the purposes of this Regulation:
[…]




    Even if respondent 1 did not intend to send the email to respondent 2,
    the mere fact that the e-mail was actually sent to defendant 2 is sufficient to qualify this
    sending as processing.



31. The sending by Respondent 1 to Respondent 2 of an email containing 32 attachments regarding
    the complainant, information that would give access to personal activities, finances and
    personal data of the complainant, constitutes a processing whose lawfulness must
    be checked.




32. In accordance with Article 5.1 b) GDPR, the processing of personal data for
    purposes other than those for which the personal data were initially collected is
    permitted if the processing is compatible with the purposes for which the personal data
    were initially collected. Taking into account the criteria included in Article 6.4 GDPR and
    Recital 50 of the GDPR, it must thus be ascertained whether or not the further processing, in this
    case the forwarding of the email with attachments to respondent 2, is compatible with the initial
    processing consisting of keeping the accounts of the complainant's company
    by respondent 1. The reasonable expectations of the data subject play
    an important role here. The Disputes Chamber reaches the conclusion that the complainant
    called on the services of defendant 1 solely for the purposes of the accounting of
    the complainant's company and could not reasonably expect that respondent 1 would
    share that data with respondent 2.



33. This leads to the finding that there is no compatible further processing, so that
    a separate legal basis is required for the communication of the personal data of the
    complainant to respondent 2 to be considered lawful.



34. Processing of personal data, including incompatible further processing
    as in the present case, is only lawful if there is a legal basis for it.
    For incompatible further processing operations, it is necessary to fall back on Article 6.1 GDPR and





2) 'processing' means any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure or destruction;
9 Recital 50 GDPR: […] To determine whether a purpose of further processing is compatible with the purpose for which the
personal data were initially collected, the controller must, after complying with all rules on the
lawfulness of the original processing, take into account, among other things: a possible link
between those purposes and the purposes of the intended further processing; the context in which the data was collected,
in particular the reasonable expectations of data subjects based on their relationship with the controller
regarding its further use; the nature of the personal data; the consequences of the intended further
processing for data subjects; and appropriate safeguards for both the original and the intended further
processing.



    recital 50 GDPR. 10 Recital 50 of the GDPR states that a separate legal basis is
    required for the processing of personal data for other purposes that are incompatible
    with the purposes for which the personal data was initially collected. The
    separate legal grounds on the basis of which a processing, including
    incompatible further processing, can be considered lawful are provided in
    Article 6.1 GDPR.




35. To this end, the Disputes Chamber examines the extent to which the legal grounds as determined in Article 6.1
    GDPR can be invoked by defendant 1 in order to justify the further processing of the
    personal data relating to the complainant.



36. Respondent 1 himself does not mention any legal basis which would allow him to
    proceed to the data processing that is the subject of the complaint, being the forwarding
    of the e-mail to Respondent 2. In addition, Respondent 1 expressly admits that this
    forwarding was a mistake and that it was by no means the intention to send the email to
    respondent 2 as well. Respondent 1 therefore does not argue that such forwarding was allowed to
    take place and therefore does not try to justify it by relying on any
    legal basis.



37. On the basis of the factual elements present in the file, the Disputes Chamber examines ex officio
    whether any legal ground can be invoked that would allow respondent 1
    to proceed to the sending of the e-mail to defendant 2. To this end, the Disputes Chamber will investigate
    whether the sending of the e-mail containing the complainant's personal data can be based on
    any legitimate interest on the part of respondent 1 (Article 6.1 f) GDPR).



38. The other legal grounds included in Article 6.1 points a), b), c), d) and e) GDPR are
    not applicable in the present case.




39. In accordance with Article 6.1 f) GDPR and the case law of the Court of Justice of the European
    Union (hereinafter “the Court”), three cumulative conditions must be fulfilled for a
    controller to be able to validly invoke this ground of lawfulness, “namely,
    in the first place, the pursuit of a legitimate interest by the
    controller or by the third party or parties to whom the data are provided, in the
    second place, the necessity of the processing of personal data for the purpose of





10 Recital 50 GDPR: The processing of personal data for purposes other than those for which the personal data
were initially collected should only be allowed if the processing is compatible with the purposes for which
the personal data was initially collected. In such a case, no separate legal basis is required other than that on
the basis of which the collection of personal data was permitted. […]



    the legitimate interest, and, thirdly, the condition that the fundamental rights
    and freedoms of the person concerned by the data protection do not prevail” (judgment
    “Rigas”).




40. In order to be able to rely on the ground of lawfulness of
    "legitimate interest", the controller must, in other words,
    show that:

    - the interests pursued by this processing can be recognized as legitimate
      (the “target test”);

    - the intended processing is necessary for the realization of these interests
      (the “necessity test”); and

    - the balancing of these interests against the interests, fundamental
      freedoms and fundamental rights of data subjects weighs in favor of the
      controller (the “balancing test”).



41. With regard to the first condition (the so-called “target test”), the Disputes Chamber
    considers that the purpose of reaching all parties involved at the same time,
    by sending a single email with attachments concerning all parties involved,
    must be considered as pursued for a legitimate interest.
    The interest that respondent 1 pursued as controller can, in accordance with
    Recital 47 GDPR, be considered legitimate in itself. Consequently,
    the first condition contained in Article 6.1 f) GDPR is satisfied.



42. In order to fulfill the second condition, it must be demonstrated that the processing is
    necessary for the achievement of the objectives pursued. More specifically, this means
    that the question should be asked whether the same result can be achieved by other means,
    without processing of personal data or without processing that is unnecessarily invasive
    for the data subjects.



43. Starting from the purpose, being to reach all parties involved by
    sending a single e-mail with attachments concerning all parties involved, the
    Disputes Chamber must find that the email contained both attachments pertaining to the
    notary association between the complainant and respondent 2 and attachments relating to the
    personal partnership of the complainant. In order to avoid mixing both types of attachments,
    Respondent 1 could simply have sent one email to the complainant and
    respondent 2 with the attachments relating to the notary association between the complainant and
    defendant 2, and a separate email addressed only to the complainant with the attachments
    related to her personal partnership. The second condition is thus not
    met, because the principle of data minimisation (Article 5.1 c) GDPR) was not
    complied with.



44. In order to verify whether the third condition of Article 6.1 f) GDPR - the so-called
    “balancing test” between the interests of the controller, on the one hand, and the
    fundamental freedoms and fundamental rights of the person concerned, on the other hand - can be fulfilled,
    account must be taken, in accordance with Recital 47 GDPR, of the reasonable
    expectations of the data subject. More specifically, it should be evaluated whether “the data subject
    can reasonably expect, at the time and in the context of the collection of the personal data,
    that processing for that purpose may take place”.



45. This is also emphasized by the Court in its judgment “TK v Asociaţia de Proprietari bloc M5A-ScaraA”
    of December 11, 2019, in which it states:

    “Also relevant to this assessment are the reasonable expectations of the data subject that his or
    her personal data will not be processed when, in the circumstances of
    the case, the data subject cannot reasonably expect further processing of the data”.



46. With regard to this third condition, the Disputes Chamber can only establish that the complainant
    could not at any moment expect the attachments pertaining to her
    personal partnership to be shared with defendant 2.



47. The Disputes Chamber is of the opinion that all of the elements set out demonstrate that
    Respondent 1 cannot rely on any legal basis establishing the lawfulness of
    the data processing as carried out by him. Moreover, respondent 1 disputes the
    facts and states that in the relevant e-mail that is the subject of the complaint
    Respondent 2's email address was placed in the “CC” field, although this did not happen
    intentionally. By doing so, he indicates that he committed an infringement in the processing of the
    personal data of the complainant. The Disputes Chamber thus decides that the infringement of Article
    5.1 b) in conjunction with Article 6.4 GDPR, of Article 5.1 a) in conjunction with Article 6.1 GDPR and of Article
    5.1 c) GDPR has been proven.



48. The complainant also submits that respondent 1 applies the principles of transparency (Article 5.1 a) GDPR,

    Articles 12 and 13 GDPR) and propriety (Article 5.1 a) GDPR). In that regard






11 See in the same sense: Decision on the merits 03/2021 of 13 January 2021




    the Disputes Chamber is of the opinion that, in view of the fact that the forwarding was an error
    and it was by no means the intention to also send the e-mail to defendant 2, defendant 2
    had not foreseen that such forwarding would occur. This stems from the very nature of
    a mistake. In the absence of any intention to send the email to Respondent 2,
    Respondent 1 also failed to comply with the principles of transparency and fairness, which require
    that certain communications should have taken place prior to the forwarding by defendant 1 to defendant
    2. However, the breach of these principles does not affect in any way
    the sanction imposed by this decision, in view of the fact that an error lay at the basis
    of the data processing.




49. Taking into account the fact that respondent 1 claims that the necessary steps were taken immediately to
    obtain the removal of the e-mail from defendant 2 and that counsel for the complainant was
    informed of the confirmation of this removal by Respondent 2, which shows that
    Respondent 1 acted in good faith, as well as the fact that the infringement occurred for the first
    time, the Disputes Chamber is of the opinion that it is appropriate to issue a reprimand to
    respondent 1. In view of these circumstances, the Disputes Chamber refrains
    from imposing an administrative fine.




            c. Right of access




50. The complainant argues that respondent 1 refuses to allow inspection of, and to provide a copy
    of, the complete accounts of the complainant's sole proprietorship. Respondent 1
    does not take any specific position in this regard in his submissions, but merely indicates that any fact
    not expressly acknowledged in his submissions is disputed by him.



51. The Disputes Chamber finds that the complainant does not provide any document showing the refusal
    by respondent 1 to allow access to the complete accounts of the complainant's
    sole proprietorship. Consequently, the Disputes Chamber cannot proceed with the determination
    of any infringement by respondent 1 of the complainant's right of access (Article 15 GDPR).



            d. Security of processing and data breach



52. The complainant argues that respondent 1 should, in application of Article 33 GDPR, have reported to the
    Data Protection Authority the forwarding of the
    personal data of the complainant to respondent 2 as a
    personal data breach.




    53. The Disputes Chamber explains that Article 33 GDPR relates to violations regarding the
        security of personal data as described in Article 32 GDPR. Recital 83 GDPR 12
        provides that the controller must take appropriate technical and organizational
        measures to limit data security risks.



    54. The Disputes Chamber finds that the access that respondent 2 was given to the
        personal data of the complainant is not related to insufficient technical and
        organizational measures that defendant 1 would have taken to protect the personal data
        of the complainant against security risks. The email was addressed by respondent 1
        to both the complainant and respondent 2. The fact that the e-mail reached respondent 2 cannot
        be associated with a security problem for the personal data that
        are processed by defendant 1. The Disputes Chamber is of the opinion that no
        security measure is able to completely rule out the possibility that human error causes an
        e-mail to be sent to an unintended recipient. It therefore cannot be concluded
        that defendant 1, by sending the email to defendant 2, took insufficient measures
        to protect the complainant's personal data from
        security risks, so that no violation of Articles 32 and 33 GDPR can be established.




C. Investigation of the complaint as formulated with regard to the defendant 2




                 a. Processing and controller



    55. Respondent 2 disputes that there would be any processing of personal data on his part
        within the meaning of Article 2.1 GDPR. He argues that since he acted merely in his capacity
        as recipient of the e-mail in question, there can be no processing at all for
        lack of any initiative on his part. Respondent 2 is of the opinion that
        processing involves an intentional element to be able to use personal data.













    12 Recital 83 GDPR: In order to ensure security and to prevent processing in infringement of this
    Regulation, the controller or processor should assess the risks inherent in the processing and
    take measures, such as encryption, to limit those risks. Those measures should ensure an appropriate level of
    security, including confidentiality, taking into account the state of the art and the
    implementation costs set against the risks and the nature of the personal data to be protected. When assessing
    data security risks, attention should be paid to the risks arising from personal data processing,
    such as the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the
    data transmitted, stored or otherwise processed, whether accidentally or unlawfully, which may in particular lead to
    physical, material or immaterial damage.




56. With regard to the notion of "processing", the Disputes Chamber notes that this concept is defined
    in Article 4.2) GDPR, and clearly delineated. Merely receiving
    personal data does not constitute processing within the meaning of Article 4.2) GDPR. On the other hand,
    consulting it, as well as forwarding the e-mail whose attachments
    contain personal data, must indeed be considered as processing within the meaning of the GDPR.
    Although respondent 2 argues that he has not taken note of the annexes to
    the e-mail in question and that therefore no consultation took place, he admits that he forwarded the e-mail
    to his counsel, thus making it unmistakably established that defendant
    2 has provided personal data by means of forwarding within the meaning of Article 4.2) GDPR,
    and defendant 2 must, for this aspect, consisting of forwarding the email
    with attachments containing personal data about the complainant, be regarded as
    controller 14 within the meaning of Article 4.7) GDPR, because he
    determined the purpose and means of this transmission. He cannot simply
    label himself as recipient 15 of the email within the meaning of Article 4.9) GDPR, since defendant 2
    did not limit himself to receiving the e-mail but in turn
    forwarded it, whereby he became, as regards that forwarding,
    controller. By that act he after all used the personal data
    received for his own purpose 16. Given his capacity as
    controller with regard to the transfer, respondent 2 cannot,
    contrary to what he argues, be considered a third party 17 within the meaning of Article 4.10)






13 Art. 4. GDPR
For the purposes of this Regulation:
[…]
2) 'processing' means any operation or set of operations which is performed on personal data or on sets of
personal data, whether or not by automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure or destruction;
14 Art. 4. GDPR
For the purposes of this Regulation:
[…]
7) 'controller' means the natural or legal person, public authority, agency or other
body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
where the purposes and means of such processing are determined by Union or Member State law,
the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
15 Art. 4. GDPR
For the purposes of this Regulation:
[…]
9) 'recipient' means a natural or legal person, public authority, agency or another body, to which
the personal data are disclosed, whether a third party or not. […]
16 Guidelines of the European Data Protection Board 07/2020 on the concepts of controller and processor in the GDPR (p. 29):
“A third party recipient shall be considered a controller for any processing that it carries out for its own purpose(s) after it
receives the data.”
17 Art. 4. GDPR




    GDPR. His statement that he deleted the e-mail with attachments after the forwarding does not
    detract from this.



57. For the sake of completeness, the Disputes Chamber notes that respondent 2 does not provide proof that his
    counsel has also proceeded to delete the e-mail with attachments, as Article 19
    GDPR implies an obligation for the controller to inform each recipient to whom
    personal data have been provided of any erasure of personal data
    in accordance with Article 17 GDPR, unless this proves impossible or requires a disproportionate effort.
    On this basis, Respondent 2 should also have requested the deletion of the email in question
    from his counsel, in the latter's capacity as recipient of the email forwarded by
    defendant 2.



58. The Disputes Chamber also adds that, with regard to the complainant's assertion that defendant
    2 is joint controller with respondent 1, it considers that no
    document in the file demonstrates this assertion. After all, the complainant bases this allegation solely on
    an oral statement allegedly made by respondent 1 at the last meeting
    which the complainant had with defendant 1. It would then have been declared that defendant 2 had instructed
    defendant 1 not to deliver any document to the complainant without him being
    informed of it. There is no evidence whatsoever for this one-sided allegation of the complainant,
    so that there is no reason for the Disputes Chamber to assume that both
    defendants acted as joint controllers.



            b. Admissibility of the complaint



59. Although defendant 2 denies that there would be any data processing on his part,
    it appears from the above that, based on the factual elements, the Disputes Chamber has
    determined that Respondent 2 should be considered as controller for the forwarding of the
    e-mail to his counsel.




60. The complainant argues in the reply that the forwarding of the e-mail by
    respondent 2 to his counsel is processing for which respondent 2
    is the controller, and states that the accusation is not that respondent 2 forwarded the data of
    the complainant to his lawyer, but that respondent 2 then used that information, sent to him
    in violation of the GDPR, as a document in the dispute against the complainant.

For the purposes of this Regulation:
[…]
10) 'third party' means a natural or legal person, public authority, agency or body other than the
data subject, controller, processor and persons who, under the direct authority of the
controller or processor, are authorised to process personal data;



61. The latter, namely that "the accusation is not that respondent 2 forwarded the complainant's data
    to his attorney, but that defendant 2 then used that information, sent to him in violation
    of the GDPR, as a document in the dispute against the complainant", is
    seized upon by respondent 2 to argue that the complaint should be declared inadmissible.



62. As the complainant maintains in the reply that "the use by respondent 2 of
    the email against the complainant" is the problem and not merely "the forwarding in itself by
    respondent 2 of that e-mail to his counsel", as formulated in the complaint,
    respondent 2 believes he can argue that the complainant suddenly raises a completely new
    claim / violation in the reply. In that view, the complaint would not meet the requirement of Article
    60(2) WOG, which states that a complaint is admissible when it contains a statement
    of the facts, as well as the necessary indications for identifying the processing to which it
    relates. Because the violation of the GDPR alleged in the complaint would be fundamentally
    different from that set out in the complainant's reply, this
    requirement would not have been met.

63. The Disputes Chamber notes that the complainant already referred in the initial complaint to
    document 7, which was attached to the complaint as an appendix. That document is precisely an email from the
    counsel for the complainant, addressed to the complainant, notifying the latter
    that the email concerning personal data of the complainant, forwarded by defendant 2 to his counsel,
    was communicated "as a document" by counsel for defendant
    2 to the complainant's counsel. The complainant repeats this fact with reference to the same document
    in the reply. The problem that the e-mail is used "as a document" in
    pending proceedings between the complainant and respondent 2 is thus not new, as respondent 2
    tries to make it appear. The Disputes Chamber therefore decided that Article 60, paragraph 2, WOG was
    respected, that the admissibility of the complaint has not been affected and that the rights of defense
    are respected. 18





             c. Lawfulness of the processing



64. Respondent 2 argues that the only act he has committed is the forwarding of the e-mail

    to his counsel and that this was done lawfully on the basis of a specific legal basis that






18 See also the statements in point 26 regarding respondent 1.




    allows lawyers to receive information from their clients. To this end, he refers to Article 237
    of the Codex Deontology for Lawyers and to Opinion 1/2010 on the concepts of
    “controller” and “processor” of the Article 29 Data Protection Working Party,
    approved on February 16, 2010, 19 to state that a person is allowed to deliver any legal information
    to his / her lawyer. To judge otherwise would, according to respondent 2, have the effect
    that there would be a prohibition on passing on information to counsel insofar as that
    information relates to personal data.



65. The complainant responds by stating that defendant 2 wrongly argues that it would
    be allowed to pass on personal data of a counterparty, obtained in violation of the GDPR, to a
    lawyer in order to use it in this way against that opposing party. According to the
    complainant, this completely violates the GDPR. The complainant states that respondent 2 forwarded her
    personal data by email to his attorney and used it in the dispute against her without
    being able to rely on one of the legal grounds specified in Article 6.1 GDPR.




66. The Disputes Chamber finds that respondent 2 ignores the fact that he came into possession
    of the e-mail through defendant 1, who forwarded it to him without
    there being any legal basis for this (see above). The forwarding by defendant 1 to
    respondent 2 was thus vitiated by a lack of lawfulness. It is clear that
    defendant 2 in turn processed the personal data which he had unlawfully obtained
    in his capacity as recipient, this time in the capacity of
    controller, by forwarding it to his lawyer in order to subsequently use this email with
    the complainant's personal data as a document in pending proceedings.



67. After all, processing of personal data is only lawful if a legal basis exists. The Disputes
    Chamber can only establish that there is no legal basis as defined in Article 6.1 GDPR for
    the forwarding of the e-mail by defendant 2 to his counsel. Respondent 2 also does not rely
    on any legal basis under Article 6.1 GDPR and explicitly confirms in his reply statement,
    with regard to legitimate interest (Article 6.1 f) GDPR), that he does not even invoke this
    legal basis. Respondent 2 relies only on Article 237 of the Codex Deontology for Lawyers,
    which confirms that confidential communications from the client to his attorney take place
    and are covered by professional secrecy. The Disputes Chamber recognizes, of course, the
    principle that a client must be able to make confidential statements to his lawyer, but,
    insofar as it concerns personal data, this is only possible on the condition that the
    personal data are processed in a manner that is lawful with regard to the data subject
    (Article 5.1 a) GDPR and Article 6.1 GDPR). However, in the present case it appears that the
    forwarding to counsel for defendant 2 took place with disregard of the principle of legality,
    in the absence of any legal basis as provided in Article 6.1 GDPR.

[19] https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf



68. The Disputes Chamber is of the opinion that the entirety of the elements set out
    demonstrates that respondent 2 cannot rely on any legal basis establishing the legality of
    the data processing carried out by him. The Disputes Chamber thus concludes that the
    violation of Article 5.1 a) GDPR and Article 6.1 GDPR has been proven.




69. In addition to the breach of the principle of lawfulness, the complainant also submits that the

    transparency principle (Article 5.1. a), Article 12 and Article 14 GDPR) and the purpose limitation principle

    (Article 5.1. b) GDPR) would have been violated by respondent 2.



70. With regard to the purpose limitation principle, the Disputes Chamber draws attention to the
    fact that this principle requires that personal data be "collected" for specified, explicit
    and legitimate purposes. [20] There is no question at all of any collection by respondent 2
    of the complainant's personal data for an explicit and legitimate purpose. He has merely
    received the e-mail with personal data, without this being supported by any legal basis.
    Because he appropriated those data by forwarding them to his counsel, also without any legal
    basis, for use as a document, defendant 2 assumes the capacity of controller, which in
    principle means that he has to respect all applicable provisions of the GDPR, including the
    purpose limitation principle and the transparency principle.

71. Both principles could not be applied simply because the processing by defendant 2 is
    fundamentally affected by a lack of legal basis, so that the Disputes Chamber does not find
    a breach of the principle of transparency (Article 5.1 a), Article 12 and Article 14 GDPR)
    or of the purpose limitation principle (Article 5.1 b) GDPR). Because the forwarding by
    respondent 1 to respondent 2 is unlawful ab initio, any processing by respondent 2 for any
    purpose of his own is also unlawful. As for the transparency principle, the Disputes Chamber
    adds that even if defendant 2 had endeavoured to respect the principle of transparency, the
    forwarding to his attorney and the use that is made of it nonetheless remain unlawful.

[20] Article 5.1. Personal data must be:
[…]
(b) collected for specified, explicit and legitimate purposes and not further processed in a
manner incompatible with those purposes; further processing for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes is, in accordance
with Article 89(1), not considered incompatible with the original purposes ("purpose limitation");



    72. Taking into account that respondent 2 states that the e-mail with attachments was deleted
        immediately upon first request, as well as that the infringement was committed for the
        first time, the Disputes Chamber is of the opinion that it is appropriate to order a
        definitive prohibition on the processing of the e-mail in question with attachments by
        defendant 2 (Art. 100, §1, 8° WOG), as well as to order the notification of this
        definitive prohibition to his counsel (Article 100, §1, 10° WOG), both for the processing
        of the e-mail with attachments that has already taken place and for future processing.



    73. In determining these sanctions, the Disputes Chamber also takes into account that the
        complaint is part of a broader conflict between the parties that is the subject of an
        arbitration procedure regarding financial matters and the refusal to hand over accounting
        and other documents in the context of the liquidation of the partnership in which the
        notary activity was exercised by the complainant and defendant 2, in respect of which the
        Disputes Chamber notes that it is not the task of the Data Protection Authority to
        intervene with regard to aspects that do not relate to the processing of personal data.
        The Disputes Chamber therefore decides that, in the concrete factual circumstances of this
        case, the sanctions imposed are sufficient. Considering these circumstances, the Disputes
        Chamber will refrain from imposing an administrative fine.





D. No decision to dismiss



    74. Although the Disputes Chamber, in the context of the proceedings prior to the decision on
        the merits, proceeded to dismiss the complaint, it was found in the proceedings, on the
        basis of the full statement of the factual elements in the claims of each of the parties,
        that there have been breaches of fundamental principles of the processing of personal
        data. As a result, the Disputes Chamber is of the opinion that a decision on the merits
        seeking to dismiss the complaint cannot be reconciled with the infringements established,
        but that, on the contrary, it is necessary to proceed to the following sanctions.


E. Publication of the decision



    75. Considering the importance of transparency with regard to the decision-making of the
        Disputes Chamber, this decision will be published on the GBA website. However, it is not
        necessary for the identifying data of the parties to be directly disclosed.



FOR THESE REASONS,




the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

    - with regard to defendant 1, on the grounds of Article 100, §1, 5° WOG, issue a reprimand
      as a result of the infringement of Article 5.1 b) in conjunction with Article 6.4 GDPR, of
      Article 5.1 a) in conjunction with Article 6.1 GDPR and of Article 5.1 c) GDPR;

    - with regard to respondent 2, as a result of the infringement of Article 5.1 a) GDPR and
      Article 6.1 GDPR:

        - on the basis of Article 100, §1, 8° WOG, order a definitive prohibition on the
          processing of the e-mail in question with attachments;

        - on the basis of Article 100, §1, 10° WOG, order notification of this definitive
          prohibition to his counsel, both for the processing of the e-mail with attachments that
          has already occurred and for future processing.



On the basis of Article 108, §1 WOG, an appeal can be lodged against this decision with the
Marktenhof (Market Court) within a period of thirty days from the notification, with the
Data Protection Authority as defendant.







Hielke Hijmans

Chairman of the Disputes Chamber