APD/GBA (Belgium) - 115/2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=115/2022 |ECLI= |Or...")
 
No edit summary
Line 67: Line 67:
}}
}}


The Belgian DPA held that discussing a data subjects health related personal data in a staff meeting where she is absent and consequently including this in the minutes of the meeting does not have a legal basis.
The Belgian DPA held that discussing a data subjects health related personal data in a staff meeting where she was absent and consequently including the data in the minutes of the meeting was incompatible with the purpose of the original processing (personell management) and did not have any other legal basis to rely on.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The controller is the data subject´s manager at her job. During a meeting where the data subject was not present, the controller announced her departure and read out a document issued by the company docter, stating that she was unfit to work. This statement was also incuded in the minutes of that meeting, which were then saved on the controller´s server, freely accessible to all its staff. This included staff from other departments.
During a meeting where the data subject was not present, the data subject's manager (controller) announced her departure and read out a document issued by the company docter, stating that she was unfit to work and would leave the company. This statement was also incuded in the minutes of that meeting.


When the data subject discovered this, she filed a complained against the controller with the Belgian DPA for unlawfully disclosing health related personal data to third parties.
When the data subject discovered this, she filed a complained against the controller with the Belgian DPA for unlawfully disclosing health related personal data to third parties. She added that the minutes were then saved on the controller´s server, freely accessible to all its staff, including from other departments.


The controller argued that the communication of the data subject's health related data in the meeting and its includement in the minutes were based on her consent.
=== Holding ===
The DPA noted that the data subject did not dispute the lawfulness of processing of the information that she was unfit to work, but the subsequent communication about her health to her collegues and other staff members. The DPA noted that it was not able to verifify wether the minutes were actually made available on the controllers server. However if that was the case, this would constitute as an additional processing activity and the following findings of the infringement also apply.  


=== Holding ===
The DPA first assessed whether the further processing was compatible with the purpose of the original processing ([[Article 5 GDPR|Article 5(1)(b)]]). It found that the purpose of the original processing was personell management. The DPA held that the dat subject could not reasonably expect that the same data would be communicated widely beyond the persons authorised for personell management. Especially considering the sensitive nature of the data. Therefore the DPA held that the further processing was incompatible with the purpose of the original processing.
The DPA noted that writing minutes is a processing activity that falls under [[Article 4(2) GDPR|Article 4 GDPR#2]].
 
As the further processing was incompatible with the purpose of the original processing, the DPA noted that it could only be lawful if it had its own legal basis pursuant to [[Article 9 GDPR|Article 9(2)]] juncto [[Article 6 GDPR|Article 6(1)]]. However the DPA found that this was also not present.  


The DPA held that the controller did not have a lawful basis for processing the data subject's health related data and violated [[Article 5(1)(b)|Article 5 GDPR#1b]] juncto [[Article 6(4)|Article 6 GDPR#4]] and [[Article 9(2)|Article 9 GDPR#2]].
Therefore, the DPA held that the controller did not have a proper legal basis for processing the data subject's health related data and thereby violated [[Index.php?title=Article 5 GDPR#1b|Article 5(1)(b)]] juncto [[Index.php?title=Article 6 GDPR#4|Article 6(4)]] and [[Index.php?title=Article 9 GDPR#2|Article 9(2)]].


The DPA was not able to verifify wether the minutes were actually made available on the controllers server. It noted that if this was the case, this would constitute as an additional processing activity and the previous findings of the infringement also apply.
The DPA issued a reprimand against the controller. The DPA noted that it was not competent to issue a fine as the controller was a public authority.


== Comment ==
== Comment ==

Revision as of 10:38, 3 August 2022

APD/GBA - 115/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 6(4) GDPR
Article 9(2) GDPR
Article 9(4) GDPR
Type: Complaint
Outcome: Upheld
Started: 16.03.2020
Decided: 19.07.2022
Published: 26.07.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 115/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: Jette

The Belgian DPA held that discussing a data subjects health related personal data in a staff meeting where she was absent and consequently including the data in the minutes of the meeting was incompatible with the purpose of the original processing (personell management) and did not have any other legal basis to rely on.

English Summary

Facts

During a meeting where the data subject was not present, the data subject's manager (controller) announced her departure and read out a document issued by the company docter, stating that she was unfit to work and would leave the company. This statement was also incuded in the minutes of that meeting.

When the data subject discovered this, she filed a complained against the controller with the Belgian DPA for unlawfully disclosing health related personal data to third parties. She added that the minutes were then saved on the controller´s server, freely accessible to all its staff, including from other departments.

Holding

The DPA noted that the data subject did not dispute the lawfulness of processing of the information that she was unfit to work, but the subsequent communication about her health to her collegues and other staff members. The DPA noted that it was not able to verifify wether the minutes were actually made available on the controllers server. However if that was the case, this would constitute as an additional processing activity and the following findings of the infringement also apply.

The DPA first assessed whether the further processing was compatible with the purpose of the original processing (Article 5(1)(b)). It found that the purpose of the original processing was personell management. The DPA held that the dat subject could not reasonably expect that the same data would be communicated widely beyond the persons authorised for personell management. Especially considering the sensitive nature of the data. Therefore the DPA held that the further processing was incompatible with the purpose of the original processing.

As the further processing was incompatible with the purpose of the original processing, the DPA noted that it could only be lawful if it had its own legal basis pursuant to Article 9(2) juncto Article 6(1). However the DPA found that this was also not present.

Therefore, the DPA held that the controller did not have a proper legal basis for processing the data subject's health related data and thereby violated Article 5(1)(b) juncto Article 6(4) and Article 9(2).

The DPA issued a reprimand against the controller. The DPA noted that it was not competent to issue a fine as the controller was a public authority.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

                                                                                                1/13





                                                                        Litigation Chamber


                                         Decision on the merits 115/2022 of 19 July 2022





File number: DOS-2020-01492


Subject: Complaint relating to the communication of data relating to the health of employees

(staff movements – declaration of incapacity) - reprimand




The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman, and Messrs. Jelle Stassijns and Romain Robert, members, taking over the business

in this composition;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and
to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the

data protection), hereinafter "GDPR";


Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter

ACL);

Having regard to the Law of 30 July 2018 relating to the protection of natural persons with regard to

processing of personal data (hereinafter LTD);


Having regard to the internal regulations as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;



Made the following decision regarding:


The complainant: X, hereinafter "the complainant".


The Respondent: Y, hereinafter "the Respondent", Decision on the Merits 115/2022 - 2/13



I. Facts and procedure


 1. On March 16, 2020, the complainant lodged a complaint with the Authority for the Protection of

        data (APD) against his immediate superior, Mr Z, director at Y,
        defendant.


 2. Under the terms of her complaint, the complainant denounces the disclosure of personal data

        about her health by her manager at a department meeting at which she

        was not present. In concrete terms, the complainant reports that she was contacted by telephone by

        some of her colleagues who wanted to hear from her, she realized

        that during the meeting of his service on February 18, 2020 - i.e. the service (....) of Y -, the

        Director Z had announced his departure as well as read the document issued by Cohezio to

        destination of the defendant stating her inability to work in the future in india
        the defendant.


 3. It appears from the documents in the file that on February 7, 2020, a prevention adviser – doctor

        du travail de Cohezio informed the defendant of the plaintiff’s inability to occupy

        any position within it. This information was passed on internally by the resources

        to the general management of the defendant who informed the director of the service

        concerned, Mr Z.

 4. On April 29, 2020, the APD Front Line Service (SPL) reminded the Complainant that

        the GDPR applies to the processing of personal data, automated, in whole or in

        in part, as well as the non-automated processing of data contained in or intended to appear

        in a file. If these conditions are not met (for example, specifies the SPL, if it is

        questionofthevoicetransmissionofpersonalinformationthatdoesnotcomefrom

        of a database or a file and which are not intended to be saved there), 1

        the DPA is not competent. The SPL concludes at this stage that in the event of this

        complaint under which the complainant denounces only oral remarks, the complaint will be

        declared inadmissible and the file closed, unless there is a new element on the part of the complainant.

 5. On April 30, 2020, the complainant reported to the SPL that the information given during the meeting

        mentioned above was recorded in the minutes of this service meeting. She produces this

        minutes and adds that this is communicated by e-mail to all members

        department (present or absent at the meeting, i.e. 17 people). It is moreover

        stored on the defendant's server with free access and thus made accessible to




1The Litigation Chamber here draws the reader's attention to its decision 143/2021 of December 22, 2021 under the terms of
which she insisted on the fact that "in order to achieve the intended purpose - to recruit only candidates who have been vaccinated
- the response to the verification of the vaccination status which is carried out orally during the application interview involves
necessarily a processing of personal data. It is hardly conceivable that no treatment
does not intervene, especially given the size of the hospital network which employs thousands of collaborators". In other words, the
Chambre Litigation specifies that personal data communicated orally must be protected by the
GDPR when they are (necessarily) required to appear in a file, for example recorded in a file
or in a meeting minutes as in this case., Decision on the merits 115/2022 - 3 /13


      all the members of its personnel, including departments other than that in

      where the complainant worked.


6. The minutes of the meeting produced by the complainant mention in particular the following:
      as far as she is concerned: her absence for several weeks, the fact that she was the subject of

      of a report by Cohezio, the fact that she was declared unfit for work within the

      defendant by Cohezio and the fact that she will no longer work with the

      defendant.

       For the rest, the part of the minutes concerning the complainant relates the announcement of her

       departure and mentions that colleagues have wondered about the allocation of his office, on

       their personal effects and on the future recruitment of a replacement for the position

       which she occupied.


7. On September 30, 2020, after further examination, the complaint was declared admissible by the SPL

      on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the Chamber
      Litigation under Article 62, § 1 of the LCA.


8. On October 13, 2020, the Litigation Chamber decides, pursuant to Article 95, § 1, 1° and

      article 98 of the LCA, that the case can be dealt with on the merits.

9. On the same date, the parties concerned are informed by registered letter of the

      provisions as set out in article 95, § 2 as well as in article 98 of the LCA. They are

      also informed, pursuant to Article 99 of the LCA, of the deadlines for transmitting their

      conclusions, i.e. November 25, 2020 and January 8, 2021 respectively for the

      submissions in response and reply of the defendant on the one hand and on December 17
      2020 for the submissions in response of the complainant on the other hand.


10. A copy of the file (art. 95, §2, 3° LCA) is sent to the parties by means of this same

      letter of October 13, 2020.

11. By return email of October 13, 2020, the defendant agrees to receive

      all case-related communications electronically.


12. This e-mail sent directly to the Litigation Chamber by the director Z implicated
      by the complainant further states the following:


               Mr. Z indicates that with regard to the complaint against him, he wishes

               bring to the attention of the Litigation Chamber that in the context of the meeting of

               service mentioned, he informed the entire team of the movements in

               personnel matters. Aware of the delicate nature of the situation of the
               complainant and in order to avoid any discussion or rumor about her departure from the

               management and, more broadly, of the defendant, he reports that it seemed to him relevant

               to use the same terms as those used by the General Secretariat (management

               General) of the Respondent., Decision on the Merits 115/2022 - 4/13



                 He specifies that he was never in possession of the medical diagnosis of the complainant

                 and that it is on the basis of a note between the Human Resources Department and the
                 General Management of the defendant, and in particular of the terminology used in

                 Article 410 of the Civil Service Code (unsuitability), which he informed the

                 co-workers in his management.


                 He adds that his intention was to remain as factual as possible in order to avoid any

                 form of interpretation of the situation and that in no case did it intend to

                 harm the complainant or disseminate confidential information concerning her.

                 On the contrary, he continues, he wished to be able to ensure maximum serenity to the

                 within his team.


        On October 28, 2020, Mr Z will send the same message to the Litigation Chamber,

        these messages being worth “conclusions” for the defendant (see below points 22 et seq.).

 13. On December 15, 2020, the Litigation Chamber received the conclusions in reply of the

        complainant. The complainant highlights that it is not disputed that Mr. Z read the

        document sent by Cohezio mentioning his inability to perform his duties during the

        service meeting on the one hand and which he has also validated, according to the internal procedure which

        requires, the provision of the minutes of the meeting on the server of the

        defendant on the other hand. The complainant further adds that her manager could have

        announce his departure to his colleagues without mentioning the reason for this departure or asking him

        his possible consent to the communication of this sensitive data.


 14. The Litigation Division did not receive any submissions in reply from the

        defendant and none of the parties requested a hearing within the meaning of Article 93 of the LCA

        and Article 51 of the Internal Regulations (RoI) of the APD as they had been

        invited to do so if they so wish via the aforementioned letter of October 13, 2020 from the
        Litigation Chamber.






II. Motivation


 As for the identification of the data processing in question


 15. As the SPL recalled in its letter of April 29, 2020 to the complainant's address

        (point 4), the GDPR - whose DPA is responsible for ensuring the correct application - applies



2
 Art. 410. § 1. Subject to Article 412 and by way of derogation from Article 405, a staff member shall be granted leave without
time limits: 1° when his illness is caused by an accident at work, by an accident occurring on the way to
work or by an occupational disease; 2° when the agent has been removed from his post following a decision
of the occupational physician noting his inaptitude to occupy a post (referred to in article 2 of the royal decree of 28 May
2003 relating to the surveillance of workers' health – AGW of 18 October 2012, art. 31) and that no work of
replacement could not be assigned to him. (…) Version in force of 1 January 2020:, Decision on the merits 115/2022 - 5 /13



        “to the processing of personal data, automated in whole or in part, as well as

        only to the non-automated processing of personal data called upon to appear in

        a file" (article 2.1 of the GDPR).


 16. It is not disputed that the comments made orally by Director Z during the meeting

        of service that their recording in the minutes of this meeting constitute

        personal data relating to the complainant. Section 4.1. of the GDPR defines in

        effect of personal data as being “any information relating to a

        identified or identifiable natural person”. The information that the

        complainant (cited by name – see point 6) had been absent for several weeks, had

        was the subject of a Cohezio report, had been declared unfit for work and would no longer work

        with the defendant in the future are indeed information which makes it possible to

        identify it, in this case directly.

 17. The Litigation Chamber further notes that the information that the complainant has

        been declared unfit for work by the well-being and prevention at work service

        also constitutes data relating to the complainant's health within the meaning of article 4.15

        of the GDPR.


 18. The Litigation Chamber recalls in this regard that the GDPR has opted for a broad definition

        health data. Article 4.15 of the GDPR thus defines the data relating to

        health as "personal data relating to the physical health or

        mental health of a natural person, including the provision of health care services, which

        reveal information about that person's state of health. Recital 35 of the

        GDPR which sheds light on this definition confirms the choice of a broad concept and not

        restrictive. The information that the complainant was declared unfit for work by

        professionals whose mission is specifically to assess the capacity of

        workers to perform their job, certainly does not reveal the physical or mental pathology

        from which the plaintiff suffers. Such a service is indeed not authorized to reveal a

        any medical diagnosis or any other consideration of a medical nature

        that the mere information that the employee is unable or no longer able to exercise his

        functions is sufficient for the purpose pursued: either to allow the employer to derive the


3
 It is the Litigation Chamber which underlines.
4Recital(35): Personal data relating to health should include all data
relating to the state of health of a data subject which reveal information about the state of physical or
mental past, present or future of the person concerned. This includes information about the natural person

collected during the registration of this natural person in order to benefit from health care services or during the
provision of these services within the meaning of Directive 2011/24/EU of the European Parliament and of the Council1 for the benefit of this
Physical person; a specific number, symbol or element assigned to a natural person to identify him from
unique way for health purposes; information obtained during the testing or examination of a part of the body or a
bodily substance, including from genetic data and biological samples; and any information
regarding, for example, illness, disability, risk of illness, medical history, clinical treatment
or the physiological or biomedical condition of the data subject, regardless of its source, whether by
exampleofadoctororotherhealthprofessional,ahospital,amedicaldeviceoradiagnostictest
in vitro., Decision on the Merits 115/2022 - 6/13


        consequences in terms of the rights of the employee, possible departure/reclassification,

        staff movements etc. This incapacity information does not reveal less

        information relating to the complainant's state of health and must therefore be considered

        as personal data relating to his health within the meaning of Article 4.15 of the
        GDPR.


 19. Along the same lines, the other information recorded in the minutes (such as

        identified in point 15) relating to the long absence of the complainant and the fact that she

        is the subject of a report by Cohezio also constitute, and for the same reasons,
        health data.


 20. The material scope of the GDPR further requires that there be “processing” of

        personal data within the meaning of Article 4.2 of the GDPR, this processing being defined

        as “any operation or set of operations whether or not performed using processes
        automated and applied to personal data or sets of data

        such as the collection, recording (…), communication by transmission, dissemination

        or any other form of provision, (…)”.

 21. In this case, the Litigation Chamber therefore considers that the recording in writing of the

        aforementioned information relating to the complainant (point 15) - including in particular her incapacity

        -, in the minutes of the meeting (which was communicated to the Litigation Chamber

        as part) is a processing of personal data within the meaning of Article

        4.2 of the GDPR subject to its application in execution of its article 2.

 22. The availability of the minutes of the service meeting is not

        challenged by Mr Z in the writings he sent to the Litigation Chamber (point

        12). However, the Litigation Chamber was not able to verify materially

        that these meeting minutes have indeed been made available to the staff of the

        defendant through mail and on its server. Sitelshould be the case, this provision
        of the complainant's personal data is additional processing which

        is added to the recording of these data in the minutes drawn up and saved

        electronically and the following findings of violation also apply to it.




 Regarding the identification of the data controller

23. The Litigation Chamber notes that under the terms of the complaint form filed, the

       complainant directs her complaint directly against her supervisor,

       Mr. Z. It nevertheless mentions his status as director within the

       Respondent., Decision on the Merits 115/2022 - 7 /13


                                                       5
 24. The Litigation Chamber has already had the opportunity to point out that it is often complex to
        the complainant to correctly identify the data controller with regard to the

        treatment(s) that he denounces, these notions being legally defined in articles 4.7

        of the GDPR and probably difficult to understand by a person not versed in the

        matter.


 25. The Litigation Chamber recalls here that a data controller is defined

        “the natural or legal person or any other entity which alone or jointly with

        others, determines the purposes and means of the processing of personal data

        personnel” (article 4.7 of the GDPR). It is an autonomous concept, specific to the
        data protection regulations, the assessment of which must be made at the

        starting from the criteria it sets out: the determination of the purposes of the data processing

        concerned as well as that of the latter's means.


 26. In its Guidelines 07/2020, the European Data Protection Board

        (EDPS) states that if the data controller may, under the terms of the aforementioned definition

        of section 4.7. of the GDPR, of course being a natural person, in practice, it is

        usually the organization itself, not a person within it

        (such as the general manager, an employee or a member of the board of directors), who acts
        as a controller within the meaning of the GDPR. Indeed, even though it has

        certainly a certain autonomy in the exercise of its functions, it is in this case

        not Director Z as such who determines the purposes and means of processing

        but the organization in which he works. Except to exceed its functions - this

        which has not been demonstrated in this case - he is not responsible for processing. Bedroom

        Contentious therefore considers that it is the defendant, and not one of its directors, who is

        the data controller since it is up to the defendant to determine the

        purposes and means of the processing carried out within it.

 27. Accordingly, the Litigation Division sent the invitation to conclude on April 8, 2020 both to

        plaintiff than to the defendant as data controller.


 Regarding the compliance of the processing with the GDPR

 28. Any processing of personal data must be based on one of the databases

        lawfulness provided for in Article 6.1 of the GDPR. Regarding the processing of categories

        particular data such as data relating to health as in the present case (points

        16-17), the lawfulness condition referred to in Article 6.1 of the GDPR only applies if Article 9.2 of the

        GDPR provides a specific derogation from the general prohibition on processing categories

        particulars of Article 9.1. In other words, when data within the meaning of Article 9


5
 See. for example decisions 81/2020 and 76/2021 of the Litigation Chamber.
6 European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of responsible
of processing and processor in the GDPR, adopted on July 7, 2021 (version after public consultation) available
here: https://edpb.europa.eu/system/files/2022-02/eppb_guidelines_202007_controllerprocessor_final_fr.pdf, Decision on the merits 115/2022 - 8 /13



        of the GDPR are processed, their processing must find a basis in article 9.2 of the GDPR read
        in conjunction with Article 6.1. of the GDPR.


 29. Since the defendant processed data relating to the complainant's health, the

        processing of such data should, as just mentioned, find a

        based on Article 9.2 of the GDPR, read in conjunction with Article 6.1. of the GDPR.

 30. In the present case, the plaintiff does not dispute the lawfulness of the processing by the defendant of

        the information that, at the end of the Cohezio report, she was declared unfit for

        work. The Litigation Chamber recalls that in addition to the fact that the lawfulness of the processing must

        be based on a combined reading of Articles 6.1. and 9.2. of the GDPR, article 9 of the LTD

        also applies in this case when data relating to health are

        processed.

                                                                                     7
        The national legislator has provided that in execution of Article 9.4 of the GDPR, the person responsible
        of the treatmenttakesthefollowingadditionalmeasureswhenparticularlyduringthetreatment

        health data:


                1° the categories of persons having access to the personal data,

                are designated by the controller or, where applicable, by the data processor.

                treating, with a precise description of their function in relation to the treatment of

                targeted data. This requirement translates the “need to know” principle according to which

                only persons for whom the processing of this data is necessary to

                performance of their duties are authorized to do so;

                2° the list of the categories of persons thus designated is made available

                of the competent supervisory authority by the controller or, where appropriate

                where applicable, by the subcontractor;


                3° it ensures that the designated persons are bound by a legal obligation
                or statutory, or by an equivalent contractual provision, in compliance with the

                confidentiality of the data concerned.


  31. What is disputed by the complainant is the subsequent communication of information

        relating to his health to colleagues in his department as well as to all the staff of the

        defendant by making the minutes of the meeting available on the server.

 32. As it has already had occasion to specify in other decisions, the Chamber

        Litigation recalls here that the processing of personal data carried out for

        purposes other than those for which the personal data was

        collected initially cannot be authorized in accordance with article 5.1. b) GDPR that



7
 Article9.4. :Member States may maintain or introduce additional conditions, including limitations,
with regard to the processing of genetic data, biometric data or data concerning health.
8See. for example decision 80/2022 of the Litigation Chamber and the references cited., Decision on the merits 115/2022 - 9 /13



        if it is compatible with the purposes for which the personal data were

        were originally collected.

                                                                                       9
 33. In view of the criteria set out in Article 6.4. of the GDPR and in recital 50, it is appropriate to

        verify whether the subsequent processing – in this case the communication of said information

        to other staff to inform them about staff movements

        - is or is not compatible with the purpose of the initial processing.

 34. In this case, the Litigation Division notes that this subsequent communication pursues

        an objective distinct from the primary purpose, which was to receive information and to

        process at the level of human resources departments for personnel management purposes

        (end of the employment relationship, granting of rights, possible redeployment/mobility, etc.) At this

        respect, only certain persons are, in the exercise of their specific function,

        authorized to receive this information, particularly given its sensitivity

        and its impact for the data subject and the principle of data minimization

        (proportionality - article 5.1.c) of the GDPR).


 35. The Litigation Division concludes in this case that this subsequent communication is not

        not compatible with the original purpose. This communication does not meet expectations

        reasonableness of the person concerned. Given the specific legal framework of which the

        processing of information processed by Cohezio (personal data relating to

        to health) is subject to (limitation of recipients, lack of precise diagnosis), the person

        concerned – here the complainant – cannot reasonably expect that these same

        data are, on the contrary, communicated widely beyond the only persons

        having a functional need to know them. Data sensitivity collides

        also to broadly designed compatibility.


 36. It follows that there is no question of compatible further processing so that a

        separate legal basis was required for said communication to be qualified as
             10
        lawful.

 37. Processing of personal data, including further processing

        incompatible as in the present case, is in fact lawful only if it is based on a basis of lawfulness

        own. Recital 50 of the GDPR 11 is explicit in this regard. These legal bases




9Recital 50 of the GDPR: [...] In order to establish whether the purposes of further processing are compatible with those for
which the personal data was initially collected, the controller, after having
complied with all requirements relating to the lawfulness of the initial processing, should take into account, inter alia: any link between these
purposes and purposes of the intended further processing; the context in which the personal data was
collected, in particular the reasonable expectations of the persons concerned, according to their relationship with the
responsible for the processing, as to the subsequent use of said data; the nature of the personal data;

the consequences for data subjects of the intended further processing; and the existence of appropriate safeguards
both as part of the initial treatment and as part of the planned subsequent treatment.
10In the same direction see. the substantive decision 03/2021 of January 13, 2021 of the Litigation Chamber, point 14
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-03-2021.pdf.
11
  Recital 50 of the GDPR: The processing of personal data for purposes other than those for
which the personal data was originally collected should only be allowed if compatible, Decision on the merits 115/2022 - 10/13


       distinct are those defined in article 6.1. of the GDPR and, where applicable, when it comes to

       of data relating to health as in the present case, of Article 9.2. GDPR read

       in conjunction with its article 6.1.

 38. The Respondent itself does not cite any basis of legality and the Chamber

       Litigation could confine itself to this finding. The Litigation Chamber is however of the opinion

       that the complainant's communication of (health) data cannot in this case be based

       on no basis of proper lawfulness,

 39. The Litigation Division certainly does not question the will or the legitimacy of

        the defendant to inform its employees of staff movements. In this

        meaning, the Litigation Chamber has already stated in its decision 63/2021, that it is appropriate,

        within the framework of personnel policy, to inform employees of such

        movements. However, to comply with the principle of data minimization
        (proportionality) of the data, it is sufficient that this communication remains limited to the

        factual communication of the fact that the person concerned, such as the complainant here, is no longer

        in service.

 40. Regarding the assumptions of Article 9.2. read in conjunction with Article 6.1. of the GDPR, the

        Litigation Chamber finds that


       - said communication to other members of staff and its recording in a

             minutes of the meeting are not based on the consent of the complainant, although
             on the contrary (article 9.2. a) of the GDPR) and this, even assuming that it can constitute

             a valid basis of lawfulness in the context of the professional relationship which binds it to the

             defendant, quod non;


       - said communication to other members of staff and its recording in a
             minutes of the meeting cannot be considered necessary for the purposes of

             the execution of the obligations and the exercise of the rights specific to the person in charge of the

             treatment or the complainant in matters of labor law, social security and

             social protection (article 9.2. b) of the GDPR);

       - this communication to other staff members and its recording in a

             meeting minutes are not necessary to safeguard vital interests

             of the complainant (article 9.2. c) of the GDPR);


       - communication and recording in meeting minutes are not

             carried out by a foundation, an association or any other non-profit organization

             lucrative and pursuing a political, philosophical, religious or union purpose,

             in the context of their legitimate activities (article 9.2. d) of the GDPR);


with the purposes for which the personal data was originally collected. In this case, none
separate legal basis from that which allowed the collection of personal data will be required. [...], Decision on the merits 115/2022 - 11 /13



        - the communication and recording in the minutes of the meeting do not relate
              on personal data which would obviously have been made

              public by the complainant (Article 9.2. e) of the GDPR);


        - communication and recording in the meeting minutes are not

              necessary for the establishment, exercise or defense of legal claims or

              whenever courts act within the framework of their judicial function

              (article 9.2. f) of the GDPR);

        - communication and recording in the meeting minutes are not

              necessary for reasons of important public interest (Article 9.2. g) of the GDPR);


        - communication to other staff members and recording in the

              meeting minutes are not necessary for the purposes of preventive medicine

              or occupational medicine, the assessment of the worker's ability to work,
              medical diagnoses, health or social care, or management

              health care or social protection systems and services on the basis of

              Union law, the law of a Member State or under a contract concluded with a

              healthcare professional (article 9.2. h) of the GDPR);


        - this communication and the recording in the minutes of the meeting are not

              necessary for reasons of public interest in the field of public health, such as

              that protection against serious cross-border threats to health, or

              for the purpose of ensuring high standards of quality and safety in healthcare
              and medicines or medical devices (Article 9.2. i) of the GDPR);


        - communication and recording in the meeting minutes are not

              necessary for archival purposes in the public interest, for research purposes

              scientific or historical or for statistical purposes (Article 9.2. j) of the GDPR).

 41. In the absence of a basis of lawfulness legitimizing the processing complained of (subsequent incompatible)

        of the complainant's data, the Litigation Chamber concludes that the defendant has

        violates Articles 5.1.b) juncto 6.4 and 9.2. read in conjunction with Article 6.1. of the GDPR.

        The complainant's data were indeed the subject of further processing incompatible

        with the specified, lawful and legitimate purposes for which they were initially

        collected, without being able to rely on a basis of proper lawfulness.


Regarding corrective measures and sanctions

42. Under Article 100 LCA, the Litigation Chamber has the power to:
        1° dismiss the complaint without follow-up;

        2° order the dismissal;



12
  See. footnote 11 above.
13Article 5.1.b) of the GDPR., Decision on the substance 115/2022 - 12 /13


        3° order a suspension of the pronouncement;

        4° to propose a transaction;

        5° issue warnings or reprimands;

        6° order to comply with the data subject's requests to exercise these rights;
        (7) order that the person concerned be informed of the security problem;

        8° order the freezing, limitation or temporary or permanent prohibition of processing;

        9° order the processing to be brought into conformity;

        10° order the rectification, the restriction or the erasure of the data and the notification of

        these to the recipients of the data;

        11° order the withdrawal of accreditation from certification bodies
        12° to issue periodic penalty payments;

        13° to impose administrative fines;

        14° order the suspension of cross-border data flows to another State or a

        international body;

        15° forward the file to the public prosecutor's office in Brussels, which informs it of the

        follow-up given to the file;
        16° decide on a case-by-case basis to publish its decisions on the website of the Authority of

        Data protection.



43. It is important to contextualize the breaches for which the defendant is responsible

    with a view to identifying the most appropriate corrective measures and sanctions.



44. In view of the breach of Article 5.1.b) juncto 6.4 and 9.2. read in conjunction with Article
    6.1. of the GDPR noted in point 41, the Litigation Chamber is of the opinion that the measure

    adequate remedy is to issue a reprimand to the defendant. Like the

    defendant is a public authority within the meaning of Article 221, § 2, of the LTD, the Chambre

    Litigation is not competent to impose any fine on it. Bedroom

    Contentious also invites the defendant to raise awareness among its staff

    so that similar situations do not occur in the future.


45. In addition, the Litigation Division also notes that in support of the breaches

    found in this decision, it is for the defendant to take, in its capacity

    of data controller, the measures necessary to restrict or even eliminate

    henceforth the dissemination of information relating to the health of the complainant and as identified

    in points 17 and 19 with regard to third parties. In line with what it states in point 39 above,
    only the information covered by the certificate issued by Cohezio relating to the absence and

    reason for absence (inaptitude) are concerned here; the statement – reformulated if necessary - of

    that the Complainant will no longer be in service with the Respondent may stand., Decision on the Merits 115/2022 - 13/13






III. Publication of the decision


 45. Given the importance of transparency regarding the decision-making process of the Chamber


        Litigation, this decision is published on the website of the Protection Authority

        data (APD). However, it is not necessary for this purpose that the data

        identification of the parties are directly mentioned.




    FOR THESE REASONS,


    the Litigation Chamber of the Data Protection Authority decides, after deliberation:


    - Pursuant to Article 100 §1, 5 of the LCA, to formulate a reprimand against the

         defendant.




In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days of its notification, to the Court of Markets (court


d'appel de Bruxelles), with the Data Protection Authority as defendant.

Such an appeal may be introduced by means of an interlocutory request which must contain the

information listed in article 1034ter of the Judicial Code. The interlocutory motion must be

filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 15

via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).






(Sr.) Hielke HIJMANS


President of the Litigation Chamber












14The application contains on pain of nullity:
 (1) indication of the day, month and year;
 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or

     Business Number;
 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
 (4) the object and summary of the grounds of the application;
 (5) the indication of the judge who is seized of the application;
 6° the signature of the applicant or his lawyer.
15The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by letter

recommended to the court clerk or filed with the court office.