APD/GBA (Belgium) - 145/2023: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 81: Line 81:
'''2. Necessity test:''' In relation to sending the email to former students, the Belgian DPA argued that the communication was not necessary and found a breach of [[Article 6 GDPR|Article 6(1)(f) GDPR]]. In relation to current students and colleagues, the Belgian DPA found that there was no need to communicate the reason for dismissal, which was 'physical aggression'. It considered that there was no current need for the college to do so. The Belgian DPA did acknowledge that there may be situations where it is necessary to state the reason for dismissal. However, in this instance, it was not necessary.
'''2. Necessity test:''' In relation to sending the email to former students, the Belgian DPA argued that the communication was not necessary and found a breach of [[Article 6 GDPR|Article 6(1)(f) GDPR]]. In relation to current students and colleagues, the Belgian DPA found that there was no need to communicate the reason for dismissal, which was 'physical aggression'. It considered that there was no current need for the college to do so. The Belgian DPA did acknowledge that there may be situations where it is necessary to state the reason for dismissal. However, in this instance, it was not necessary.


'''3. Balancing test:''' Finally, the Belgian DPA found that the balancing test was not respected. The Belgian DPA concluded that the college had failed to adequately consider the data subject's fundamental rights and freedoms when sending the emails. The DPA found that the controller in the emails ''<nowiki/>'did not provide enough objectively substantiated elements''' and while the college claimed in its communication that the decision to dismiss had been taken only after ''<nowiki/>'a thorough investigation','' this was insufficient for the purposes of the balancing test. As a result, the DPA found that the rights and freedoms of the data subject were excessively infringed.
'''3. Balancing test:'''  
 
Finally, the Belgian DPA found that the balancing test was not respected. The Belgian DPA concluded that the college had failed to adequately consider the data subject's fundamental rights and freedoms when sending the emails. The DPA found that the controller in the emails '<nowiki/>''did not provide enough objectively substantiated elements''<nowiki/>' and while the college claimed in its communication that the decision to dismiss had been taken only after '''a thorough investigation''<nowiki/>', this was insufficient for the purposes of the balancing test. As a result, the DPA found that the rights and freedoms of the data subject were excessively infringed.


Consequently, a breach of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] was found. As a result the Belgian DPA reprimanded the college.  
Consequently, a breach of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] was found. As a result the Belgian DPA reprimanded the college.  

Revision as of 09:30, 14 November 2023

APD/GBA - DOS-2020-00200
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 6(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started: 17.01.2020
Decided: 26.10.2023
Published: 27.10.2023
Fine: n/a
Parties: n/a
National Case Number/Name: DOS-2020-00200
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: GBA (in NL)
Initial Contributor: Matthias Vandamme

The Belgian DPA found that a college's communication of the reasons for dismissal of one of its former teachers to their colleagues and students was in violation of Article 6(1)(f) GDPR, as including the reason for dismissal in the communication did not meet the necessity test under Article 6(1)(f) GDPR.

English Summary

Facts

A college (the controller) dismissed one of its teachers after a student had alleged that they had committed a physical assault against them. Following an internal investigation, the lecturer was dismissed for urgent cause.

The college's management decided to inform its staff and the lecturer's students of the dismissal via three emails sent emails on 21 and 22 March 2019. As the mailboxes of former students are not closed until the following academic year, a number of former students also received the emails. In total, at least 195 students received the emails.

The emails stated the following:

'This [dismissal] follows physical aggression towards one of the students [...] a thorough investigation has shown that this incident makes any further functioning of [complainant's name] as an employee of [controller] impossible'.

The emails led the lecturer to lodge a complaint with the Belgian DPA on 17 January 2020.

Holding

The Belgian DPA held that the emails were unlawful and reprimanded the college. The controller (the college) had relied on Article 6(1)(f) GDPR as a lawful ground for processing. The Belgian DPA held that for the purposes of Article 6(1)(f) GDPR, the controller had no legitimate interest to send the emails, and thus the processing was unlawful.

In reaching its conclusion, the Belgian DPA applied the following three-step test to determine legitimate interest, as outlined by the CJEU in Case C-13/16[1]:

1. Purpose test: First, the Belgian DPA confirmed that the mere fact that the lecturer has been dismissed for cause is sufficient to establish that there is an immediate and legitimate need to communicate this to students and colleagues.

2. Necessity test: In relation to sending the email to former students, the Belgian DPA argued that the communication was not necessary and found a breach of Article 6(1)(f) GDPR. In relation to current students and colleagues, the Belgian DPA found that there was no need to communicate the reason for dismissal, which was 'physical aggression'. It considered that there was no current need for the college to do so. The Belgian DPA did acknowledge that there may be situations where it is necessary to state the reason for dismissal. However, in this instance, it was not necessary.

3. Balancing test:

Finally, the Belgian DPA found that the balancing test was not respected. The Belgian DPA concluded that the college had failed to adequately consider the data subject's fundamental rights and freedoms when sending the emails. The DPA found that the controller in the emails 'did not provide enough objectively substantiated elements' and while the college claimed in its communication that the decision to dismiss had been taken only after 'a thorough investigation', this was insufficient for the purposes of the balancing test. As a result, the DPA found that the rights and freedoms of the data subject were excessively infringed.

Consequently, a breach of Article 6(1)(f) GDPR was found. As a result the Belgian DPA reprimanded the college.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


  1. Case C-13/16, Rīgas satiksme, para 28.