APD/GBA (Belgium) - 15/2023
Relevant Law:
- Article 4(11) GDPR
- Article 5(1) GDPR
- Article 5(1)(a) GDPR
- Article 5(2) GDPR
- Article 6(1) GDPR
- Article 6(1)(a) GDPR
- Article 7(1) GDPR
- Article 7(3) GDPR
- Article 12(1) GDPR
- Article 12(6) GDPR
- Article 13(1) GDPR
- Article 13(2) GDPR
- Article 14(1) GDPR
- Article 14(2) GDPR
- Article 24(1) GDPR
- Article 24(2) GDPR
- Article 25(1) GDPR
- Article 30(1)(a) GDPR
- Article 38(3) GDPR
- Article 186 §1 Decreet Lokaal Bestuur
- Article 78 Bijzondere wet tot hervorming der instellingen
National Case Number/Name: 15/2023
European Case Law Identifier: n/a
Original Source: Gegevensbeschermingsautoriteit (in NL)
Initial Contributor: Enzo Marquet
A public authority can rely on Article 6(1)(e) to geolocate the company cars of its employees, since there were no less invasive alternatives and tracking was necessary for the efficient use of its limited resources. In this case, however, the controller was reprimanded for several other breaches of the GDPR.
English Summary
Facts
The controller was a public authority and the data subject was its employee. The data subject used a company car which the controller was tracking with a GPS.
At some point in the past, the data subject received a fraud report from the employer. The report showed that, during working hours, the car (and therefore the employee) stopped at certain addresses, such as that of the employee's mother, a bar and some random streets.
Following the complaint, the DPA investigated and the Investigation Service issued a report which concluded that the controller had breached the GDPR in several ways. The controller did not refute this and, in the meantime, implemented new compliance measures.
Holding
Regarding the legal basis for the processing, the DPA first stated that the controller relied on legitimate interest under Article 6(1)(f) GDPR, which, according to Article 6(1), cannot be relied upon by a public authority in the performance of its tasks.
Second, the DPA assessed whether the processing was necessary for the performance of a legal obligation under Article 6(1)(c) GDPR. The DPA held that under national law, public authorities only possess competences formally assigned to them by law. This implies that a public authority may only process personal data if this is necessary for a task it is legally obliged to fulfill. Article 6(1)(c) could therefore not be considered as a legal basis.
Third (and finally), the DPA analysed whether the controller could rely on Article 6(1)(e) GDPR as a legal basis. For this to be possible, the GPS tracking had to be necessary and directly related to the performance of a task in the public interest. The DPA considered that this should be interpreted broadly. It held that the efficient use of scarce government resources, by checking the timetables of employees and the use of the company car, falls under the concept of "task carried out in the public interest".
For the necessity condition, the DPA analysed whether the GPS tracking in this case was necessary for the performance of the public interest task and whether there were less invasive alternatives. The DPA determined that the processing happened under specific parameters (professional activities, with the company car, limited to the strictly necessary personal data). Other tracking mechanisms could also be more invasive, and there was no other possible way for the controller to monitor the movements of the company car. Lastly, the number of people who could access the data was strictly limited. The DPA concluded that the controller only processed personal data related to the movement of a company car and that the intrusion on the personal life of the data subject was limited to what was strictly necessary for the purpose of fulfilling a public task. There was therefore a legal basis for the processing under Article 6(1)(e) GDPR.
However, following the investigation, the DPA found violations of other sections of the GDPR, in particular:
- The controller breached Article 30(1)(a) GDPR by not including the contact details of the data protection officer in the register of processing activities; and
- The controller violated Article 38(3) GDPR in the past but remedied it in the meantime.
Consequently, the DPA reprimanded the controller but also held that most of the infractions had been remedied since the start of the proceedings.
Comment
The Belgian DPA reversed the burden of proof in paragraph 117, as it stated that there were no concrete examples that allowed the DPA to conclude the DPO was not involved in a timely manner. It should be up to the controller to prove the DPO was involved in a timely manner.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.