APD/GBA (Belgium) - 18/2023

From GDPRhub
Revision as of 13:23, 13 March 2023 by Smtr (talk | contribs) (→‎Holding)
APD/GBA - 18/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 02.03.2023
Published: 02.03.2023
Fine: n/a
Parties: A care home (the controller)
Mrs. X (the data subject)
National Case Number/Name: 18/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Autorité de Protection des Données (in FR)
Initial Contributor: n/a

A care home unlawfully posted a request for psychosocial intervention for abuse and harassment of one of its employee on the wall and was thus ordered by the Belgian DPA to erase its employee’s personal data.

English Summary

Facts

A nursing home employee (the data subject) made a request for psychosocial intervention for abuse and harassment. Her employer (the controller) subsequently posted a note on a wall of the nursing home indicating that the employee made that request. The controller also wrote an open letter to its staff indicating again her name. The data subject therefore filed a complaint with the Belgian DPA on 23 January 2023.

Holding

The data subject exercised her right of access on 16 January 2023 in order to know what the legal basis was for processing her personal data. In its open letter from 18 January 2023, the controller did not explicitly mention any legal basis but justified the processing stating it had the obligation to publish the recommendations of the external councillor and argued that the origin of the complaint was publicly available.

The DPA argued that there was no legal obligation for an employer to publish the collective or individual measures included in an opinion issued by the external councillor. Moreover, in the letter, the controller stated that the obligation imposed by the external councillor concerned the publication of collective measures. However, the note posted by the controller on the walls of the nursing home was entitled "Information for our staff following the formal complaint for violence and moral harassment lodged by Mrs X against the board + collective measures for the improvement of relations and general organisation". The DPA noted that the data subject's name and surname were not communicated for the purpose of publishing the collective or individual measures. The only measures published were collective measures and did not concern the data subject. The identity of the data subject was therefore only communicated for information purposes. The controller could not therefore rely on a request, or even an obligation, from the external psychosocial prevention adviser to publish the data subject's first and last name. The controller could therefore not rely on Article 6(1)(c) for the processing in question. The controller's second justification that the identity of the data subject as the originator of the request for intervention was already known to the staff was not valid as publicly available data are considered personal data as long as they are relating to an identifiable individual, thus, the provisions of the GDPR applied to this case. In this way, even if the employees of the controller were aware of the origin of the request for action, the controller still had to rely on a legal basis to process the data subject's personal data, even when publicly available. Finally, the DPA conducted the balancing test to see whether the legal basis of legitimate interest could be invoked but the processing did not fulfil the three cumulative criteria.

Therefore, the DPA held that the controller did not process the data of the data subject lawfully (violation of Article 5(1)(a) GDPR and Article 6(1) GDPR. It thus warned the controller that the publication of the names of the data subject in an open letter to the staff without a legal basis could result in a breach of Article 5(1)(a) GDPR and Article 6(1) GDPR, it ordered the controller to comply with the data subject’s request of erasure of her personal data in a timely manner and no later than 30 days from the publication of that decision.

Comment

This decision aimed at informing the alleged controller of the fact that it may have breached the GDPR and thus enabling it to comply with the GDPR requirements.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/9





                                                                          Litigation Chamber


                                                             Decision 18/2023 of March 2, 2023





File number: DOS-2023-00435


Subject: Complaint relating to the publication in the workplace of the first and last name of a

employee who submitted a request for formal psychosocial intervention




The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and

to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter “GDPR”;


Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter

“ACL”;

Having regard to the internal regulations as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;


Made the following decision regarding:



The complainant: Ms. X, hereinafter “the complainant”; .

                                                                                                          .
                                                                                                          .
The defendant: the rest home Y, hereinafter: “the defendant”. Decision 18/2023 – 2/9



I. Facts and procedure


 1. The subject of the complaint concerns the publication of the surname and first name of the complainant in a note

       and a letter, both accessible at the complainant's workplace.

       The plaintiff is an employee of the defendant, the rest home Y. As part of her

       work, the complainant submitted a request for formal psychosocial intervention to

       of the external adviser in the prevention of psychosocial aspects, Z, for acts of violence

       and moral harassment. In this context, the external advisor gave an opinion to the

       defendant. This opinion would recommend the adoption by the defendant of collective measures

       and individual vis-à-vis the complainant. Following this notice, the defendant would have published on

       a wall of the nursing home a note identifying the complainant, by her first and last name,

       as the person who submitted the request for formal psychosocial intervention

       (below the note). Subsequently, the defendant again identified the defendant by

       his first and last name in an open letter to the staff of the rest home (hereafter the

       open letter). The plaintiff thus challenges the defendant's right to publish its

       personal data.

 2. On 23 January 2023, the complainant lodged a complaint with the Authority for the Protection of

       given against the defendant.


 3. On January 27, 2023, the complaint was declared admissible by the Front Line Service on the
                                              1
       basis of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber
                                  st 2
       pursuant to Article 62, § 1 of the LCA.

 4. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the rules of order

       inside the DPA, a copy of the file may be requested by the parties. If one of

       parties wishes to make use of the possibility of consulting the file, the latter is required to

       contact the secretariat of the Litigation Chamber, preferably via the address

       litigationchamber@apd-gba.be.



II. Motivation


 5. According to Article 4.7 of the GDPR, the controller is the “natural person or

       legal entity, public authority, service or other body which, alone or jointly with

       others, determines the purposes and means of the processing”. Since the parts

       of the file provided by the complainant were either signed by the defendant or written




1
 Pursuant to article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has been
declared admissible.
2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following
of this complaint, the file was forwarded to him. Decision 18/2023 – 3/9


       on their behalf, the Litigation Chamber finds that the person responsible for the disputed processing

       would be the management of Y, the defendant.


 6. The Litigation Chamber recalls that the surname and first name are personal data

       personal within the meaning of Article 4.1 of the GDPR. This is information about a

       identified or identifiable natural person (in this case, the complainant) allowing

       directly identify the data subject. The publication of these personal data
       staff in a note posted on the wall of the institution where the complainant works

       therefore does not constitute processing within the meaning of Article 4.2 of the GDPR.

       of personal data is subject to the general principles as defined in

       Article 5 of the GDPR, the data controller being required to ensure that these principles

       generals are respected. 3


 7. On the basis of Article 5(1)(a) GDPR, personal data
       must be "processed in a lawful, fair and transparent manner with regard to the person

       concerned (lawfulness, fairness and transparency)". The principle of lawfulness of article 5.1.a of the GDPR

       implies that the data controller must designate one of the permitted legal bases

       by Article 6, paragraph 1 of the GDPR on the basis of which he wishes to carry out the processing

       of personal data.


 8. The bases of lawfulness of Article 6.1 of the GDPR are the following:

       “1. Processing is only lawful if and insofar as at least one of the conditions

       following is fulfilled:


       a) the data subject has consented to the processing of his or her personal data
           for one or more specific purposes;


       b) the processing is necessary for the performance of a contract to which the data subject is

           party or the execution of pre-contractual measures taken at the latter's request;

       c) processing is necessary for compliance with a legal obligation to which the controller

           treatment is submitted;


       d) the processing is necessary to protect the vital interests of the person

           concerned or of another natural person;

       e) processing is necessary for the performance of a task carried out in the public interest or falling within the

           the exercise of official authority vested in the controller;


       f) the processing is necessary for the purposes of the legitimate interests pursued by the controller

           processing or by a third party, unless the interests or freedoms and





3Article 5.2 of the GDPR. Decision 18/2023 – 4/9


           fundamental rights of the data subject which require data protection

           of a personal nature, in particular when the person concerned is a child. »


 9. It appears from the documents in the file that the complainant exercised her right of access to the

       defendant on January 16, 2023 in order to know the legal basis of the processing in question.

       In its response of January 18, 2023 and its open letter, the defendant does not cite

       explicitly of the legal bases of Article 6.1 of the GDPR but justifies such publication
       for two reasons: (1) the obligation to publish the recommendations and (2) the public nature of

       the origin of the complaint.


 10. As for the first justification, the Litigation Chamber notes that the execution of a

       possible request from the external psychosocial prevention adviser cannot be based on

       a legal obligation. Indeed, there is no legal obligation on the part of a

       employer to publish the collective or individual measures included in a notice issued
       by the external prevention adviser. Moreover, in the letter, the defendant indicates that

       the obligation imposed by Z related to the publication of the collective measures. However, the note

       posted by the management on the walls of the nursing home is entitled “Information for

       our staff following the formal complaint for violence and moral harassment filed by

       Mrs. X against management + collective measures for the improvement of relations and

       general organization” (the Litigation Chamber underlines). The complainant is again

       identified in the memorandum under the subtitle “Conclusionconcerningthecomplaint”: “Advisor

       prevention of occupational medicine (Z) did not reveal any violence or

       moral harassment on the part of the management towards Mrs X”.

 11. On the basis of these elements, the Litigation Division finds that the surname and first name of the

       complainant have not been communicated for the purpose of publishing the collective measures, or

       even individual. The only measurements published are the collective measurements and do not

       do not concern the complainant. The identity of the complainant in adequacy communicated only as

       informative. The defendant could then not rely on a request, or even a

       obligationoftheexternalpsychosocialpreventionadvisortopublishfirstnameandsurname

       of the complainant. The defendant could therefore not rely on Article 6.1.c of the GDPR
       for the disputed treatment.


 12. The defendant's second justification resides in the fact that the identity of the

       complainant as being at the origin of the request for intervention would already be known to the

       staff of Y. The external adviser would have carried out a survey among the workers

       of the institution during which the workers would have had the opportunity to express themselves on the



4See article 32sexiesdecies, paragraph 1 of the law of 4 August 1996 on the well-being of workers during the performance of
their work with regard to the prevention of psychosocial risks at work including, in particular, violence and moral harassment
or sexual at work, as amended by the law of February 28, 2014, where the employer is only obliged to send the written notice by
the prevention counselor and the person concerned by the request for formal psychosocial intervention and the person
having submitted the request for formal psychosocial intervention. Decision 18/2023 – 5/9


       ongoing dispute between the plaintiff and the defendant. The fact that the complainant is the

       person who requested the intervention of an external adviser would be in a way a

       information already public.


 13. With regard to the processing of publicly accessible data, the European Committee for

       data protection reminded “that personal data, even if they are

       been made public, remain considered as personal data and

       that their processing therefore continues to require appropriate safeguards”. The treatment of

       publicly accessible personal data must therefore also meet the

       principle of lawfulness recalled in points 7 and 8. Even if the employees of the institution of

       defendant knew the origin of the request to intervene, the defendant must

       rely on a legal basis to process the personal data of the complainant,

       certainly publicly accessible.


 14. Given the nature of the processing in question, the Litigation Chamber considers that the

       legal bases provided for in Article 6 of the GDPR do not seem to apply in

       the species. For the sake of completeness, the Litigation Chamber nevertheless examines whether the

       data processing could be based on the basis of lawfulness of the legitimate interest

       provided for in Article 6.1.f of the GDPR.


 15. As recalled by the Litigation Chamber in its decision 35/2020, pursuant to

       Article 6.1.f of the GDPR and the case law of the Court of Justice, three conditions

       cumulative must be met for a data controller to be able to validly

       rely on this legal basis, “namely, first, the pursuit of an interest

       legitimate by the data controller or by the third party or third parties to whom the data is

       communicated, secondly, the need for the processing of personal data

       personnel for the achievement of the legitimate interest pursued and, thirdly, the condition

       that the fundamental rights and freedoms of the person concerned by the protection of

       data do not prevail”. 7


 16. In order to be able to invoke the ground of lawfulness of “legitimate interest” under Article 6.1.f

       of the GDPR, the controller must demonstrate, in other words, that:


       1) the interests he pursues with the processing can be recognized as

       legitimate (the “purpose test”);






5European Data Protection Board (or EDPB), opinion 06/2014 on the notion of legitimate interest pursued by the
data controller within the meaning of Article 7 of Directive 95/46/EC, p. 43.

6 Litigation Chamber, decision 35/2020 of June 30, 2020, points 26 and 27, available at
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-35-2020.pdf
7
  CJEU, judgment of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde t. Rīgas pašvaldības
SIA “Rīgas satiksme”, C-13/16; ECLI: EU:C:2017:336, para. 28-31; CJEU, judgment of December 11, 2019,
TK v. Asociaţia de Proprietari block M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064, para. 40. Decision 18/2023 – 6/9


       2) the envisaged processing is necessary for the realization of these interests (the “criterion of

       need ") ; And


       3) the balancing of these interests with the fundamental interests, freedoms and rights of

       data subjects leans in favor of the controller or a third party (the
       “balancing test”).


 17. With regard to the first condition, the Litigation Chamber notes, according to the documents

       of the file and more particularly its letter to the complainant of January 18, 2023, that the

       defendant justifies the publication of the identity of the complainant by, on the one hand, the fact that

       staff members reportedly inquired about the results of the investigation
       carried out by the external adviser Z and, on the other hand, his desire to show that no act of

       violence or harassment would have been observed on his part. Since the legitimacy

       processing can be interpreted broadly, the Chamber considers that the purposes which

       consist of informing the staff of an opinion of the external adviser and defending its reputation,

       must be considered as pursuing a legitimate interest. The first requirement

       included in Article 6.1.f of the GDPR is therefore fulfilled.

 18. With regard to the second condition (the “necessity test”), it should be

       demonstrate that the processing is necessary for the achievement of the purposes

       pursued. This means more precisely that one must ask oneself if the same result

       not be achieved by other means, without processing personal data or

       without processing that is unnecessarily burdensome or intrusive for the data subjects.

 19. Based on the purposes mentioned in point 17, it should therefore be checked whether the publication

       surnames and first names of the complainant may or may not contribute to informing staff about

       the existence of acts of violence and moral harassment on the part of the defendant. There

       Litigation Chamber considers that the publication of the surname and first name of the complainant

       is not strictly necessary for the pursuit of such purposes. Indeed, the mere mention

       the results of the external counsel's investigation, without containing the identity of the complainant,

       was sufficient for this purpose. The second condition is therefore not met.

 20. The three conditions for invoking legitimate interest as a legal basis being

       cumulative, the Litigation Chamber does not analyze the balancing criterion because the

       disputed treatment does not meet the requirements of the necessity test.

 21. The defendant could therefore not invoke Article 6.1.f of the GDPR to justify the

       publication of the surname and first name of the complainant in the note and the letter in question.

       presenting no legal basis for the disputed processing, the defendant does not seem to

       respect the principle of lawfulness prescribed by articles 5.1.a and 6.1 of the GDPR.



8 "Article 29" Working Party on data protection, Opinion 06/2014 on the notion of legitimate interest pursued by the
data controller within the meaning of Article 7 of Directive 95/45/EC, p. 27. Decision 18/2023 – 7/9


 22. The Litigation Chamber therefore considers that on the basis of the facts set out above, it

       must be concluded that the defendant may have committed a violation of the principle of

       legality prescribed by Article 5.1.a and 6.1 of the GDPR, which justifies, in this case, proceeding to

       making a decision in accordance with Article 95, § 1, 4° of the ACL, more specifically

       to warn the defendant that the publication of the surname and first name of the complainant in

       open notes or letters to staff without a legal basis could constitute a breach of
                                                                                      er
       article 5.1.a and article 6.1 of the GDPR, as well as, in accordance with article 95, §1, 5° of the ACL,

       to order it to comply with the complainant's request to delete the data at

       personal nature of the complainant of the note and the open letter, and this in particular seen:

            - The information note displayed concerning the psychosocial intervention and the letter

                opened in response to the letter from the CNE regional secretary, presumably

                written by the defendant, in which the plaintiff is identified;

            - The complainant's reply letter to the registered letter of January 18, 2023

                presumably written by the defendant, in which the defendant

                would explain the legal bases of the disputed processing in non-legal terms.


 23. This decision is a prima facie decision taken by the Litigation Chamber

       pursuant to Article 95 of the LCA on the basis of the complaint submitted by the complainant,
                                                                         9
       within the framework of the “procedure prior to the substantive decision” and not a decision on the
       merits of the Litigation Chamber within the meaning of Article 100 of the LCA.


 24. The purpose of this decision is to inform the defendant, allegedly responsible for the

       processing, because it may have violated the provisions of the GDPR,

       in order to enable it to still comply with the aforementioned provisions.

 25. If, however, the defendant does not agree with the content of this decision

       prima facie and believes that it can make factual and/or legal arguments that

       could lead to another decision, it may send the Litigation Chamber a

       request for treatment on the merits of the case via the e-mail address litigationchamber@apd-

       gba.be, within 30 days of notification of this decision. The case

       applicable, the execution of this decision is suspended for the period

       aforementioned.

 26. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3°

       juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their

       conclusions and attach to the file all the documents they deem useful. If applicable, the

       this decision is permanently suspended.






9Section 3, Subsection 2 of the ACL (Articles 94 to 97 inclusive). Decision 18/2023 – 8/9


 27. With a view to transparency, the Litigation Division finally emphasizes that a

        dealing with the case on the merits may lead to the imposition of the measures mentioned in

        section 100 of the ACL. 10



III. Publication of the decision



 28. Given the importance of transparency regarding the decision-making process of the Chamber

        Litigation, this decision is published on the website of the Protection Authority

        Datas. However, it is not necessary for this purpose that the identification data

        of the parties are communicated directly.






    FOR THESE REASONS,


    the Litigation Chamber of the Data Protection Authority decides, subject to

    the introduction of a request by the defendant for treatment on the merits in accordance with

    to articles 98 e.s. of the ACL:


        - pursuant to Article 58.2.a) of the GDPR and Article 95, § 1, 4° of the LCA, to notify the

            defendant FOR THE FUTURE THAT THE PUBLICATION OF THE NAME AND FIRST NAME OF THE COMPLAINANT

            in open notes or letters to staff without a legal basis could constitute

            a violation of Article 5.1.a and Article 6.1 of the GDPR.


        - pursuant to Article 58.2.c) of the GDPR and Article 95, §1, 5° of the LCA, to order

            the defendant to comply with the plaintiff's request to delete the

            disputed personal data, as soon as possible and at the latest

            within 30 days of notification of this decision.








10Art. 100. § 1. The litigation chamber has the power to
 1° dismiss the complaint without follow-up;
 2° order the dismissal;
 3° pronouncing the suspension of the pronouncement;

 4° to propose a transaction;
 5° issue warnings and reprimands;
 6° order to comply with requests from the data subject to exercise his or her rights;
 7° order that the person concerned be informed of the security problem;
 8° order the freezing, limitation or temporary or permanent prohibition of processing;
 9° order compliance of the processing;
 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the
     data ;
 11° order the withdrawal of accreditation from certification bodies;
 12° to issue periodic penalty payments;

 13° to issue administrative fines;
 14° order the suspension of cross-border data flows to another State or an international body;
 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. Decision 18/2023 – 9/9



In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days of its notification, to the Court of Markets (court

d'appel de Bruxelles), with the Data Protection Authority as defendant.


Such an appeal may be introduced by means of an interlocutory request which must contain the

information listed in article 1034ter of the Judicial Code. The interlocutory motion must be

filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 12

via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).










    (Sé). Hielke H IJMANS

    President of the Litigation Chamber












































11The request contains on pain of nullity:
  (1) indication of the day, month and year;

  2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
     Business Number;
  3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
  (4) the object and summary statement of the means of the request;
  (5) the indication of the judge who is seized of the application;
  6° the signature of the applicant or his lawyer.

12The request, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.