APD/GBA (Belgium) - 159/2022

From GDPRhub
Revision as of 15:02, 15 November 2022 by Kv (talk | contribs)
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 5(1)(b) GDPR
Article 5(1)(e) GDPR
Article 5(2) GDPR
Article 12(3) GDPR
Article 17(1)(a) GDPR
Article 24 GDPR
Type: Complaint
Outcome: Upheld
Started: 28.09.2022
Decided: 07.11.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 159/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: GBA (in FR)
Initial Contributor: n/a

The Belgian DPA warned an employer and ordered it to comply with an erasure request of a former employee. The website of the controller still showed pictures and the function of the data subject more than 6 months after her dismissal.

English Summary

Facts

A former employee (data subject) informed her former employer (controller) on 1 September 2022 that she no longer wanted to be pictured as former staff on its website, more than six months after her dismissal in February 2022. The website included both a photo of the data subject alone as well as a group photo with other staff members. The individual photo also included the title of her former position at the controller.

The data subject stated that the controller had not responded favourably to the request. The data subject filed a complaint at the Belgian DPA on 28 September 2022 for this lack of a favourable response.

Holding

The DPA stated that the controller should implement appropriate technical and organisational measures to ensure that the processing is GDPR compliant, and it should also be able to demonstrate this. It should have regard for the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of individuals, which vary in probability and severity (Articles 5(2) and 24 GDPR).

The DPA stated that in the present case, the purpose of the processing was no longer valid after the dismissal of the data subject. This purpose was to inform internet users about who was working at the controller and in what capacity. Consequently, the personal data had to be erased as soon as this data was no longer necessary for this purpose (Article 5(1)(b) and 5(1)(e) GDPR). The DPA stated that this data had to be deleted or anonymised by the controller on its own initiative, without the data subject asking for deletion. However, deleting or anonymising data is not necessary when the controller processes the same data for another GDPR compliant purpose.

The DPA stated that ideally, an erasure request should result in the erasure of personal data within one month (Articles 12(3) and 17(1)(a) GDPR). However, the DPA stated that a distinction had to be made between the one-month reaction period for informing the data subject (Article 12(3) GDPR) and the actual deletion of personal data, which may require more time because of the complex technical and operational implications of deleting this personal data.

The DPA determined that when a staff-member leaves, the controller should make an effort to remove the following information as soon as possible from its website/social network page: the identity, function and photograph(s) of the data subject. The DPA stated that a few weeks, or a month at most, were adequate timeframes to remove these identifiers. It also stated that a procedure should be put in place for staff departures and other data protection issues that need to be addressed in situations like the present case. If the controller does not delete the data on its own initiative, it should react as soon as possible when it receives an erasure request.

The DPA considered that the period within which deletion should take place (both on the controller's own initiative and after a request by a data subject) could vary depending on several factors, such as whether or not the controller is a large company, the nature of the function of the data subject and the context of the departure of the data subject. The DPA stated that in the present case, the controller should be particularly diligent, because it used a targeted photograph of the data subject in which her function was mentioned as well.

The DPA determined that it did not appear that the controller deleted the data subject's personal data immediately after her dismissal. It also did not appear that the controller reacted to the data subject's erasure request, which was submitted almost seven months after her dismissal. Therefore, the DPA determined that there seemed to be a lack of a procedure in place to deal with these types of situations and requests, or at least a lack of follow-up in this case. The personal data remained visible on the website for a period of 7 months (between the dismissal and the filing of the complaint at the DPA). The DPA deemed this period 'a priori' excessive.

The DPA ordered the controller to comply with the erasure request of the data subject (Article 95(1)(5) LCA). The DPA stated that it was true that the formal request for erasure was submitted on 1 September by the data subject, and that the data subject filed a complaint at the DPA on 28 September 2022. This was a period of less than a month between the request for erasure and the complaint at the DPA. However, the DPA stated that on the day of the decision (7 November 2022) the group photo still appeared on the website, although the name, position and individual photograph of the data subject had already been removed sometime between 28 September and the day of the decision. The DPA ordered the controller to remove the group photo as well.

The DPA also issued a warning on the basis of Article 95(1)(4) LCA, because there was a risk of a GDPR violation if the controller had to deal with comparable situations in the future. Specifically, there were three omissions on the part of the controller: a procedure for deleting the data of staff members leaving the company; a procedure to respond to a request for erasure within the required timeframe (Articles 12(3) and 17(1)(a) GDPR); and, at the very least, an effective follow-up of the data subject's claim within the required timeframe.

The DPA stated that it was not necessary to deal with this case on the merits and that this was a preliminary decision, which was meant to inform the alleged controller of the fact that it may have violated the GDPR and to enable the controller to comply with the GDPR in the future.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.







                                                                        Litigation Chamber


                                                   Decision 159/2022 of November 7, 2022





File number: DOS-2022-03933



Subject: Complaint relating to the maintenance of the mention of the identity of a former employee, her

function and photographs on the Internet pages of a company



The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke
Hijmans, chairman;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and

to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the
data protection), hereinafter GDPR;


Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter

ACL);

Having regard to the Rules of Procedure as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;





Made the following decision regarding:



The complainant: Mrs. X, hereinafter “the complainant”;

The defendant: SPRL Y, hereinafter: “the defendant”.



I. Procedural feedback, facts and subject of the request


  1. The plaintiff filed a complaint with the Data Protection Authority (APD) on 28

      September 2022.



  2. On October 6, 2022, the Front Line Service (SPL) of the APD declared the complaint

      admissible and forwarded it to the Litigation Chamber.


  3. According to her complaint, the complainant indicates that she worked for the defendant

      until February 2022, when she was fired.


  4. On September 1, 2022, more than 6 months after her dismissal, the complainant indicated

      by email to the defendant that she no longer wished to appear as a member of

      its staff on its website. The "Our team" section of this site resumed
      an individual photo of the complainant with the job title “….” what

      worked with her as well as a group photo of the defendant's team (4

      people), including the complainant. The complainant produces the said email of September 1, 2022.


  5. The Complainant indicates that as of the date of the filing of her complaint on September 28, 2022,

      no favorable response had been given to her request to take the necessary steps to

      no longer appears as a staff member on the defendant's site. In terms

      of its complaint, it asks the DPA to remind the defendant of its obligations.



II. PLACE


  6. The Litigation Chamber recalls that the contact details of a natural person such as

      his surnames, first names, his function as well as his photograph constitute data to be

      personal character within the meaning of Article 4.1 of the GDPR. This is indeed information

      relating to an identified or identifiable natural person (the "data subject"),
      here the complainant who can be directly identified from this information.



  7. The publication of such data on the defendant's website constitutes

      processing within the meaning of Article 4.2. of the GDPR.


  8. Pursuant to Article 5.1.b) of the GDPR, all processing must pursue a purpose

      determined, explicit and legitimate (principle of purpose).


  9. In its capacity as data controller, it is the responsibility of the defendant, given the

      the nature, of the scope, of the context and of the purposes of the processing as well as of the risks, including

      the degree of likelihood and severity varies, for the rights and freedoms of individuals



         physical, to implement appropriate technical and organizational measures

         to ensure and be able to demonstrate that the processing is carried out

         in accordance with the GDPR (Articles 5.2. and 24 of the GDPR).


     10. The Litigation Chamber is of the opinion that since the complainant no longer worked for

         the defendant, the purpose of processing the aforementioned data concerning him by

         the latter aimed to inform Internet users of who works with it and with what

         function, ended with the departure of the complainant. This extinction of finality has the

         automatic consequence – either without it being required that the data subject (here the
         complainant) so requests - erasure of this data as soon as it is not

         no longer necessary in relation to the purposes for which they were processed (Article 5.1.b)

         and (e) GDPR). 1


     11. Indeed, by virtue of the combination of the principles of finality (article 5.1.b) of the GDPR) and

         limitation of data retention (article 5.1. e) of the GDPR), the person responsible for

         processing is only the place to store the data for as long as this storage

         is justified in view of the purpose of the processing. Hence, as soon as the data

         personal data are no longer necessary for the pursuit of this purpose, the person responsible for

         processing must erase the data in question, or, at the very least, anonymize them unless it
         processes these same data for a distinct purpose that it can legitimately pursue

         GDPR compliance. The right to erasure as provided for in Article 17.1.a) of the GDPR

         explicitly recognizes the right of data subjects to verify that the controller

         processing has complied with this obligation.


     12. Under Article 17.1. a) GDPR, the data subject has the right to obtain

         of the data controller the erasure, as soon as possible, of data to

         personal character concerning her. In the absence of having done so spontaneously (see points 10 and

         11 above), the data controller has the obligation to erase this personal data

         personal as soon as possible when the personal data are no longer

         necessary in relation to the purposes for which they were processed.


     13. Pursuant to Article 12.3. of the GDPR, the controller is required to

         provide the data subject with information on the measures taken following a
         request made pursuant to Articles 15 to 22 of the GDPR (thus including a

         request for erasure on the basis of Article 17.1.a) of the GDPR), as soon as possible and

         in any case within a period of one month from the receipt of the request. At

         necessary, this period may be extended by two months, taking into account the complexity and

         number of requests sent by the person concerned to the processing manager.


1 See also decision 62/2021 of the Litigation Chamber.





     14. The Litigation Chamber is of the opinion that it results from the combination of articles 12.3. and

         17.1.a) of the GDPR that ideally, the request for erasure submitted by the person

         concerned on the basis of Article 17.1.a) of the GDPR should be followed by an erasure of the
         data within one month. However, the Litigation Chamber considers that in

         depending on the concrete context in which the request for erasure is made, a

         distinction can be made between:



            a. the one-month reaction period (article 12.3. of the GDPR) under which the
                controller informs the data subject of the action he intends

                give (or not) at his request on the one hand and

            b. the concrete erasure of the data which could require a longer period of time

                given the complex technical and operational implications associated with this

                deletion on the other hand.



     15. In the event of the departure of a staff member, as in this case, the Litigation Chamber

         is of the opinion that the data controller must make every effort to delete, the

         as quickly as possible and on its own initiative, the identity, function and

         photographs of him from his website/social media page featuring him as
         being part of its staff when this is no longer the case. A procedure should be

         put in place in the event of the departure of staff members for this purpose in the same way as

         other data protection issues that need to be resolved on this occasion. 2

         A few weeks, or a month at most, seems adequate.

         no initiative, the data controller receiving a request for erasure must, at

         a fortiori, to react as soon as possible.



     16. This period within which the erasure must occur spontaneously, as well as this

         "best time" referred to in Article 17.1.a) of the GDPR, may vary depending on the person responsible for

         processing concerned whether it is an SME as in the present case or a company of
         larger size which has its own website manager. The nature of the

         function and the context of the departure of the staff member concerned may also

         justify a more or less rapid erasure. In the case of targeted photography such as the one

         of the complainant in respect of which her function was mentioned as well as that

         presenting the defendant's team, the data controller will ensure that it is

         particularly diligent. The one-month period referred to in Article 12.3. of the GDPR must meanwhile



2 See, for example, decision 64/2020 of the Litigation Chamber.

3 The Litigation Chamber considers that this photo representing only 4 people working for the
defendant remains a targeted photo of the plaintiff.



    be respected, the data controller being able, if necessary, and as indicated below

    above, explain that he gave instructions for this deletion to take place or indicate that

    this deletion will take place at an early date.



17. In this case, in support of the documents produced by the complainant, the Litigation Chamber

    notes that the data controller appears not to have erased the data from the

    plaintiff after his dismissal in February 2022. He does not seem to have reacted either
    at the request made nearly 7 months after this on September 1, 2022 by the

    complainant, nor in the form of a response as to the measures taken or envisaged

    with regard to his request or in the form of an effective deletion of the data on his site.

    The Litigation Chamber therefore considers that there seems to be an absence of procedure

    put in place to manage this type of situation and request or at the very least a

    lack of follow-up in this case.



18. In other words, it seems that, at a minimum, the complainant's data is
    remained visible on its website for 7 months (between the dismissal in February 2022

    and the filing of the complaint on September 28, 2022), a deadline that the Litigation Chamber judges to be

    a priori excessive.


19. In the light of the foregoing and in support of all the elements of the file of which it

    knowledge and skills attributed to it by the legislator under

    section 95.1. LCA, the Litigation Chamber therefore decides to address to the defendant

    an order to comply with the complainant's request for erasure based on

    article 95.1.5° of the ACL as well as a warning based on article 95.1.4° of the ACL.




   As for the order to comply with the complainant's request for erasure (article 95.1.5°
   of the ACL)


20. It follows from the foregoing paragraphs that the defendant did not follow up

    effective at the complainant's request for erasure. Admittedly, the formal request dates from

    September 1, 2022 and the complaint was lodged on September 28, 2022, i.e. less than a month
    after the September 1 request. The Litigation Chamber has been able to observe in

    consulting the page of the defendant's website only on the date of this decision,

    the photograph of the 4-person team, including the complainant, was still on the site.
    The names, position and individual photograph of the complainant were, however,

    removed between September 28, 2022 and the date of this decision.



21. In support of the foregoing, the Litigation Chamber decides to order the defendant

    to fully comply (thus including the deletion of

    team photograph) upon request to exercise the right to erasure of the complainant in

    execution of article 95.1.5° of the LCA.


   Regarding the warning (article 95.1.4° of the LCA)



22. The Litigation Chamber also considers that in support of the above analysis, there

    takes place, to conclude that in the absence prima facie


       a. of procedure put in place relating to the erasure of the data of members of the

            staff leaving the company as well as,
       b. procedure aimed at responding to a request for erasure within the required time

            respectively by Articles 12.3 and 17.1.a) of the GDPR, or

       c. at least, effective follow-up of the complainant's request within the required deadlines

            in this case,


   there is a risk of breach of the GDPR by the defendant as soon as it would be
   confronted in the future with other departures of employees and a situation comparable to

   that which is the subject of the plaintiff's complaint.


23. Therefore, this risk of violation justifies that the Litigation Chamber address to the

    defendant a warning within the meaning of Article 58.2.a) of the GDPR on the basis of Article

    95.1.4° of the LCA and invites it to put in place a procedure to prevent situations
    comparable to that which is the subject of the present proceedings does not occur in the future.



24. For the rest, the Litigation Chamber argues that given the limited impact of these

    violations (points 20-22), it is not necessary to deal with the case on the merits.


25. As already mentioned, this decision is a prima facie decision taken by the

    Litigation Chamber in accordance with article 95 of the LCA – more particularly on

    the basis of articles 95.1.5° and 95.1.4° of the LCA - on the basis of the only complaint filed by

    the complainant and the supporting documents provided in support thereof, as part of
    of the "procedure prior to the substantive decision". It is therefore not a decision as to

    on the merits within the meaning of Article 100 LCA.



26. The purpose of this decision is to inform the defendant, allegedly responsible for the

    processing, because it may have violated the provisions of the GDPR,

    in order to enable it to still comply with the aforementioned provisions.




27. Therefore, if the defendant does not agree with the content of this decision
    prima facie and believes that it can make factual and/or legal arguments that



         could lead to another decision, it can send to the Litigation Chamber

         a request for processing on the merits of the case via the e-mail address

         litigationchamber@apd-gba.be, within 30 days of notification of the

         this decision. If necessary, the execution of this decision will be suspended.

         during the aforementioned period.




     28. In the event of further processing of the case on the merits pursuant to Articles 98, 2° and 3°

         juncto article 99 of the LCA, the Litigation Chamber will invite the parties, either the

         plaintiff and the defendant, to introduce their arguments in the form of submissions

         and to attach to the file all the documents they deem useful.

         decision will be permanently suspended.



     29. The Litigation Division also informs the parties that the procedural file

         relating to the complaint leading to this decision may, pursuant to Article 95.2., 3° of

         the ACL be requested by preferably sending an e-mail to the Registry of the Chamber

         Litigation.


     30. Finally, in a concern for completeness and transparency, the Litigation Chamber points out

         that an examination of the case on the merits may lead to the imposition of measures

         referred to in Section 100 of the ACL. 4



  III. Publication of the decision


     31. Given the importance of transparency regarding the decision-making process of the Chamber

         Litigation, this decision is published on the DPA website. However, he






4
 1° dismiss the complaint without follow-up;
 2° order the dismissal;
 3° pronouncing the suspension of the pronouncement;
 4° to propose a transaction;
 5° issue warnings and reprimands;
 6° order to comply with requests from the data subject to exercise his or her rights;
 7° order that the person concerned be informed of the security problem;
 8° order the freezing, limitation or temporary or permanent prohibition of processing;
 9° order compliance of the processing;

 10° order the rectification, restriction or erasure of the data and the notification thereof to the
data recipients;
 11° order the withdrawal of accreditation from certification bodies;
 12° to issue periodic penalty payments;
 13° to issue administrative fines;
 14° order the suspension of cross-border data flows to another State or an international body;
 15° forward the file to the public prosecutor's office in Brussels, which informs it of the follow-up given to the
case ;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.



           it is not necessary for this purpose that the identification data of the parties be

           directly mentioned.






FOR THESE REASONS,




The Litigation Division of the Data Protection Authority (APD) decides, subject to

the introduction of a request by the defendant for treatment on the merits in accordance with the

articles 98 e.s. of the ACL:

    - pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the LCA, to order the

        defendant to comply with the plaintiff's request to exercise its rights, plus

        precisely his right to erasure relating to the team photograph (article 17.1.a)

        of the GDPR), as soon as possible and at the latest within 30 days of the notification

        of this decision;


    - to order the defendant to inform, by e-mail, the Data Protection Authority

        (Litigation Chamber) of the follow-up given to this decision, within the same period of

        30 days, via the e-mail address litigationchamber@apd-gba.be; and


    - if the defendant does not comply in good time with what is requested of it above,

        to deal ex officio with the case on the merits, in accordance with articles 98 e.s. of the ACL.



    - pursuant to Article 58.2.a) of the GDPR and Article 95.1, 4° of the LCA, to send by

        elsewhere to the defendant a warning regarding the absence of proceedings in
        case of departure of a staff member with regard to the processing of his data and the respect

        the period prescribed by article 12.3. of the GDPR to respond to a request to exercise the

        right to erasure.








  Under Article 108.1 LCA, this decision may be appealed to the Court of

  contracts (Brussels Court of Appeal) within 30 days of its notification, with

  the Data Protection Authority (DPA) as defendant.



Such an appeal may be introduced by means of an interlocutory request which must contain the

information listed in article 1034ter of the Judicial Code (C. jud.) . The interlocutory motion

must be filed with the registry of the Market Court in accordance with article 1034quinquies of the C.

jud. , or via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).








(signed) Hielke Hijmans


President of the Litigation Chamber













































5 The request contains, on penalty of nullity:

 1° the indication of the day, month and year;
 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or business number;
 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
 4° the object and summary statement of the means of the request;
 5° the indication of the judge who is seized of the application;
 6° the signature of the applicant or his lawyer.

6 The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or deposited at the registry.