APD/GBA (Belgium) - 159/2022
Relevant Law:
Article 4(1) GDPR
Article 4(2) GDPR
Article 5(1)(b) GDPR
Article 5(1)(e) GDPR
Article 5(2) GDPR
Article 12(3) GDPR
Article 17(1)(a) GDPR
Article 24 GDPR
National Case Number/Name: 159/2022
European Case Law Identifier: n/a
Original Source: GBA (in FR)
The Belgian DPA warned an employer and ordered it to comply with an erasure request of a former employee. The controller's website contained pictures and the former position of the data subject, more than 6 months after her dismissal.
English Summary
Facts
In September 2022, a former employee (data subject) informed her former employer (controller) that she no longer wanted to be pictured as former staff on its website, more than six months after her dismissal (February 2022). The website included both a photo of the data subject alone as well as a group photo with other staff members. The individual photo also included the title of her former position at the controller. The controller did not provide an answer to the request and the data subject filed a complaint at the Belgian DPA.
Holding
The DPA stated that the controller should implement appropriate technical and organisational measures to ensure that the processing is GDPR compliant, and it should also be able to demonstrate this. It should have regard for the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of individuals, which vary in probability and severity (Articles 5(2) and 24 GDPR).
The DPA stated that in the present case, the purpose of the processing was no longer valid after the dismissal of the data subject. This purpose was to inform internet users about who was working at the controller and in what capacity. Consequently, the personal data had to be erased as soon as this data was no longer necessary for this purpose (Article 5(1)(b) and 5(1)(e) GDPR). The DPA stated that this data had to be deleted or anonymised by the controller on its own initiative, without the data subject asking for deletion. However, deletion or anonymisation is not necessary when the controller processes the same data for another GDPR compliant purpose.
The DPA stated that, ideally, an erasure request should result in the deletion of personal data within one month (Articles 12(3) and 17(1)(a) GDPR). However, the DPA stated that a distinction had to be made between the one-month reaction period for informing the data subject (Article 12(3) GDPR) and the actual deletion of personal data, which may require more time because of the complex technical and operational implications of deleting this personal data.
The DPA determined that when a staff-member leaves the job, the controller should make an effort to remove the following information as soon as possible from its website/social network page: the identity, function and photograph(s) of the data subject. The DPA stated that a few weeks, or a month at most, were adequate time-frames to remove such elements. It also stated that a procedure should be put in place for staff departures and other data protection issues that need to be addressed in situations like the present case. If the controller does not delete the data on its own initiative, it should react as soon as possible when it receives an erasure request.
The DPA considered that the period within which deletion should take place (both on the controller's own initiative as well as after a request by a data subject) could vary depending on several factors, such as whether or not the controller is a large company, the nature of the function of the data subject and the context of the departure of the data subject. The DPA stated that in the present case, the controller should be particularly diligent, because it used a targeted photograph of the data subject in which her function was mentioned as well.
The DPA determined that it did not appear that the controller deleted the data subject's personal data immediately after her dismissal. It also did not appear that the controller reacted to the data subject's erasure request, which was submitted almost seven months after her dismissal. Therefore, the DPA determined that there seemed to be a lack of a procedure to deal with these types of situations and requests, or at least a lack of follow-up in this case. The personal data remained visible on the website for 7 months (period between the dismissal and the filing of the complaint at the DPA). The DPA deemed this period 'a priori' excessive.
The DPA ordered the controller to comply with the erasure request of the data subject (Article 95(1)(5) LCA). The DPA stated that it was true that the formal request for erasure was submitted on 1 September by the data subject, and that the data subject filed a complaint at the DPA on 28 September 2022. This was a period of less than a month between the request for erasure and the complaint at the DPA. However, the DPA stated that on the day of the decision (7 November 2022) the group photo still appeared on the website, although the name, position and individual photograph of the data subject had already been removed sometime between 28 September and the day of the decision. The DPA ordered the controller to remove the group photo as well.
The DPA also issued a warning on the basis of Article 95(1)(4) LCA, because there was a risk of a GDPR violation if the controller had to deal with comparable situations in the future. Specifically, there were three omissions on the part of the controller: a procedure for deleting the data of staff members leaving the company; a procedure to respond to a request for erasure within the required timeframe (Articles 12(3) and 17(1)(a) GDPR); and, at the very least, an effective follow-up of the data subject's claim within the required timeframe.
The DPA stated that it was not necessary to deal with this case on the merits and that this was a preliminary decision, which was meant to inform the alleged controller of the fact that it may have violated the GDPR and to enable the controller to comply with the GDPR in the future.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Litigation Chamber
Decision 159/2022 of November 7, 2022
File number: DOS-2022-03933
Subject: Complaint relating to the maintenance of the mention of the identity of a former employee, her function and photographs on the Internet pages of a company
The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke Hijmans, chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the data protection), hereinafter GDPR;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter ACL);
Having regard to the Rules of Procedure as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The complainant: Mrs. X, hereinafter “the complainant”;
The defendant: SPRL Y, hereinafter: “the defendant”.
I. Procedural feedback, facts and subject of the request
1. The plaintiff filed a complaint with the Data Protection Authority (APD) on 28 September 2022.
2. On October 6, 2022, the Front Line Service (SPL) of the APD declared the complaint admissible and forwarded it to the Litigation Chamber.
3. According to her complaint, the complainant indicates that she worked for the defendant until February 2022, when she was fired.
4. On September 1, 2022, more than 6 months after her dismissal, the complainant indicated by email to the defendant that she no longer wished to appear as a member of its staff on its website. The "Our team" section of this site resumed an individual photo of the complainant with the job title “….” what worked with her as well as a group photo of the defendant's team (4 people), including the complainant. The complainant produces the said email of September 1, 2022.
5. The Complainant indicates that as of the date of the filing of her complaint on September 28, 2022, no favorable response had been given to her request to take the necessary steps to no longer appear as a staff member on the defendant's site. In terms of its complaint, it asks the DPA to remind the defendant of its obligations.
II. PLACE
6. The Litigation Chamber recalls that the contact details of a natural person such as his surnames, first names, his function as well as his photograph constitute data to be personal character within the meaning of Article 4.1 of the GDPR. This is indeed information relating to an identified or identifiable natural person (the "data subject"), here the complainant who can be directly identified from this information.
7. The publication of such data on the defendant's website constitutes processing within the meaning of Article 4.2. of the GDPR.
8. Pursuant to Article 5.1.b) of the GDPR, all processing must pursue a purpose determined, explicit and legitimate (principle of purpose).
9. In its capacity as data controller, it is the responsibility of the defendant, given the nature, of the scope, of the context and of the purposes of the processing as well as of the risks, including the degree of likelihood and severity varies, for the rights and freedoms of individuals physical, to implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR (Articles 5.2. and 24 of the GDPR).
10. The Litigation Chamber is of the opinion that since the complainant no longer worked for the defendant, the purpose of processing the aforementioned data concerning him by the latter aimed to inform Internet users of who works with it and with what function, ended with the departure of the complainant. This extinction of finality has the automatic consequence – either without it being required that the data subject (here the complainant) so requests - erasure of this data as soon as it is no longer necessary in relation to the purposes for which they were processed (Article 5.1.b) and (e) GDPR). [1]
11. Indeed, by virtue of the combination of the principles of finality (article 5.1.b) of the GDPR) and limitation of data retention (article 5.1. e) of the GDPR), the person responsible for processing is only the place to store the data for as long as this storage is justified in view of the purpose of the processing. Hence, as soon as the personal data are no longer necessary for the pursuit of this purpose, the person responsible for processing must erase the data in question, or, at the very least, anonymize them unless it processes these same data for a distinct purpose that it can legitimately pursue GDPR compliance. The right to erasure as provided for in Article 17.1.a) of the GDPR explicitly recognizes the right of data subjects to verify that the controller processing has complied with this obligation.
12. Under Article 17.1. a) GDPR, the data subject has the right to obtain of the data controller the erasure, as soon as possible, of data to personal character concerning her. In the absence of having done so spontaneously (see points 10 and 11 above), the data controller has the obligation to erase this personal data as soon as possible when the personal data are no longer necessary in relation to the purposes for which they were processed.
13. Pursuant to Article 12.3. of the GDPR, the controller is required to provide the data subject with information on the measures taken following a request made pursuant to Articles 15 to 22 of the GDPR (thus including a request for erasure on the basis of Article 17.1.a) of the GDPR), as soon as possible and in any case within a period of one month from the receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests sent by the person concerned to the processing manager.
14. The Litigation Chamber is of the opinion that it results from the combination of articles 12.3. and 17.1.a) of the GDPR that ideally, the request for erasure submitted by the person concerned on the basis of Article 17.1.a) of the GDPR should be followed by an erasure of the data within one month. However, the Litigation Chamber considers that in depending on the concrete context in which the request for erasure is made, a distinction can be made between:
a. the one-month reaction period (article 12.3. of the GDPR) under which the controller informs the data subject of the action he intends give (or not) at his request on the one hand and
b. the concrete erasure of the data which could require a longer period of time given the complex technical and operational implications associated with this deletion on the other hand.
15. In the event of the departure of a staff member, as in this case, the Dispute is of the opinion that the data controller must make every effort to delete, the as quickly as possible and on its own initiative, the identity, function and photographs of him from his website/social media page featuring him as being part of its staff when this is no longer the case. A procedure should be put in place in the event of the departure of staff members for this purpose in the same way as other data protection issues that need to be resolved on this occasion. [2] A few weeks, or a month at most, seems adequate. no initiative, the data controller receiving a request for erasure must, at a fortiori, to react as soon as possible.
16. This period within which the erasure must occur spontaneously, as well as this "best time" referred to in Article 17.1.a) of the GDPR, may vary depending on the person responsible for processing concerned whether it is an SME as in the present case or a company of larger size which has its own website manager. The nature of the function and the context of the departure of the staff member concerned may also justify a more or less rapid erasure. In the case of targeted photography such as the one of the complainant in respect of which her function was mentioned as well as that presenting the defendant's team, the data controller will ensure that it is particularly diligent. The one-month period referred to in Article 12.3. of the GDPR must meanwhile be respected, the data controller being able, if necessary, and as indicated below above, explain that he gave instructions for this deletion to take place or indicate that this deletion will take place at an early date.
17. In this case, in support of the documents produced by the complainant, the Litigation Chamber notes that the data controller appears not to have erased the data from the plaintiff after his dismissal in February 2022. He does not seem to have reacted either at the request made nearly 7 months after this on September 1, 2022 by the complainant, nor in the form of a response as to the measures taken or envisaged with regard to his request or in the form of an effective deletion of the data on his site. The Litigation Chamber therefore considers that there seems to be an absence of procedure put in place to manage this type of situation and request or at the very least a lack of follow-up in this case.
18. In other words, it seems that, at a minimum, the complainant's data is remained visible on its website for 7 months (between the dismissal in February 2022 and the filing of the complaint on September 28, 2022), a deadline that the Litigation Chamber judges to be a priori excessive.
19. In the light of the foregoing and in support of all the elements of the file of which it knowledge and skills attributed to it by the legislator under section 95.1. LCA, the Litigation Chamber therefore decides to address to the defendant an order to comply with the complainant's request for erasure based on article 95.1.5° of the ACL as well as a warning based on article 95.1.4° of the ACL.
As for the order to comply with the complainant's request for erasure (article 95.1.5° of the ACL)
20. It follows from the foregoing paragraphs that the defendant did not follow up effective at the complainant's request for erasure. Admittedly, the formal request dates from September 1, 2022 and the complaint was lodged on September 28, 2022, i.e. less than a month after the September 1 request. The Litigation Chamber has been able to observe in consulting the page of the defendant's website only on the date of this decision, the photograph of the 4-person team, including the complainant, was still on the site. The names, position and individual photograph of the complainant were, however, removed between September 28, 2022 and the date of this decision.
21. In support of the foregoing, the Litigation Chamber decides to order the defendant to fully comply (thus including the deletion of team photograph) upon request to exercise the right to erasure of the complainant in execution of article 95.1.5° of the LCA.
Regarding the warning (article 95.1.4° of the LCA)
22. The Litigation Chamber also considers that in support of the above analysis, there takes place, to conclude that in the absence prima facie
a. of procedure put in place relating to the erasure of the data of members of the staff leaving the company as well as,
b. procedure aimed at responding to a request for erasure within the required time respectively by Articles 12.3 and 17.1.a) of the GDPR, or
c. at least, effective follow-up of the complainant's request within the required deadlines in this case,
there is a risk of breach of the GDPR by the defendant as soon as it would be confronted in the future with other departures of employees and a situation comparable to that which is the subject of the plaintiff's complaint.
23. Therefore, this risk of violation justifies that the Litigation Chamber address to the defendant a warning within the meaning of Article 58.2.a) of the GDPR on the basis of Article 95.1.4° of the LCA and invites it to put in place a procedure to prevent situations comparable to that which is the subject of the present proceedings does not occur in the future.
24. For the rest, the Litigation Chamber argues that given the limited impact of these violations (points 20-22), it is not necessary to deal with the case on the merits.
25. As already mentioned, this decision is a prima facie decision taken by the Litigation Chamber in accordance with article 95 of the LCA – more particularly on the basis of articles 95.1.5° and 95.1.4° of the LCA - on the basis of the only complaint filed by the complainant and the supporting documents provided in support thereof, as part of the "procedure prior to the substantive decision". It is therefore not a decision as to on the merits within the meaning of Article 100 LCA.
26. The purpose of this decision is to inform the defendant, allegedly responsible for the processing, because it may have violated the provisions of the GDPR, in order to enable it to still comply with the aforementioned provisions.
27. Therefore, if the defendant does not agree with the content of this decision prima facie and believes that it can make factual and/or legal arguments that could lead to another decision, it can send to the Litigation Chamber a request for processing on the merits of the case via the e-mail address firstname.lastname@example.org, within 30 days of notification of this decision. If necessary, the execution of this decision will be suspended during the aforementioned period.
28. In the event of further processing of the case on the merits pursuant to Articles 98, 2° and 3° juncto article 99 of the LCA, the Litigation Chamber will invite the parties, either the plaintiff and the defendant, to introduce their arguments in the form of submissions and to attach to the file all the documents they deem useful. decision will be permanently suspended.
29. The Litigation Division also informs the parties that the procedural file relating to the complaint leading to this decision may, pursuant to Article 95.2., 3° of the ACL be requested by preferably sending an e-mail to the Registry of the Chamber Litigation.
30. Finally, in a concern for completeness and transparency, the Litigation Chamber or online that an examination of the case on the merits may lead to the imposition of measures referred to in Section 100 of the ACL. [4]
III. Publication of the decision
31. Given the importance of transparency regarding the decision-making process of the Chamber Litigation, this decision is published on the DPA website. However, it is not necessary for this purpose that the identification data of the parties be directly mentioned.
FOR THESE REASONS,
The Litigation Division of the Data Protection Authority (APD) decides, subject to the introduction of a request by the defendant for treatment on the merits in accordance with the articles 98 e.s. of the ACL:
- pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the LCA, to order the defendant to comply with the plaintiff's request to exercise its rights, plus precisely his right to erasure relating to the team photograph (article 17.1.a) of the GDPR), as soon as possible and at the latest within 30 days of the notification of this decision;
- to order the defendant to inform, by e-mail, the Data Protection Authority (Litigation Chamber) of the follow-up given to this decision, within the same period of 30 days, via the e-mail address email@example.com; and
- if the defendant does not comply in good time with what is requested of it above, to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of the ACL.
- pursuant to Article 58.2.a) of the GDPR and Article 95.1, 4° of the LCA, to send by elsewhere to the defendant a warning regarding the absence of proceedings in case of departure of a staff member with regard to the processing of his data and the respect the period prescribed by article 12.3. of the GDPR to respond to a request to exercise the right to erasure.
Under Article 108.1 LCA, this decision may be appealed to the Court of contracts (Brussels Court of Appeal) within 30 days of its notification, with the Data Protection Authority (DPA) as defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the information listed in article 1034ter of the Judicial Code (C. jud.). The interlocutory motion must be filed with the registry of the Market Court in accordance with article 1034quinquies of the C. jud., or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).
(se). Hielke Hijmans
President of the Litigation Chamber
[1] See also decision 62/2021 of the Litigation Chamber.
[2] See, for example, decision 64/2020 of the Litigation Chamber.
[3] The Litigation Chamber considers that this photo representing only 4 people working for the defendant remains a targeted photo of the plaintiff.
[4] 1° dismiss the complaint without follow-up; 2° order the dismissal; 3° pronouncing the suspension of the pronouncement; 4° to propose a transaction; 5° issue warnings and reprimands; 6° order to comply with requests from the data subject to exercise his or her rights; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of processing; 9° order compliance of the processing; 10° order the rectification, restriction or erasure of the data and the notification thereof to the data recipients; 11° order the withdrawal of accreditation from certification bodies; 12° to issue periodic penalty payments; 13° to issue administrative fines; 14° order the suspension of cross-border data flows to another State or an international body; 15° forward the file to the public prosecutor's office in Brussels, which informs it of the follow-up given to the case; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
[5] The request contains on penalty of nullity: 1° indication of the day, month and year; 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his register number national or business number; 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned; 4° the object and summary statement of the means of the request; 5° the indication of the judge who is seized of the application; 6° the signature of the applicant or his lawyer.
[6] The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or deposited at the registry.