APD/GBA (Belgium) - 35/2024: Difference between revisions

From GDPRhub

Latest revision as of 10:14, 17 March 2024

APD/GBA - 35/2024
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1)(b) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 17(1)(d) GDPR
Type: Complaint
Outcome: Upheld
Started: 06.11.2023
Decided: 20.02.2024
Published: 28.02.2024
Fine: n/a
Parties: X
Y
National Case Number/Name: 35/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Belgian DPA (in NL)
Initial Contributor: Matthias Vandamme

The DPA held that the publication of a former employee's photo in an online recruitment campaign by the former employer constitutes unlawful processing as it could not be based on consent, contract or legitimate interest.

English Summary

Facts

The data subject was a former employee of the controller and worked with them until 2021. In August 2023 the data subject noticed that the controller published her photo in a recruitment campaign on the controller's website and social media. The data subject had never consented to this and was working with one of the controller's competitors at that time.

On 31 August 2023, the data subject requested the controller to erase all her images on the website and social media and not use them again in the future. The controller responded that arrangements were being taken regarding the use of people's photos after their departure from the company. Therefore, the controller refused to delete the images, but informed the data subject that new photographs would be made to prevent situations like this.

On 6 November 2023 the data subject filed a complaint with the Belgian DPA ("APD").

Holding

Firstly, the DPA noted that a person's name, first name and photograph are considered personal data under Article 4(1) GDPR and the publishing of such data is considered to be processing under Article 4(2) GDPR.

Secondly, the APD noted that each processing activity should have a legal basis according to Article 5(1)(a) GDPR read together with Article 6(1) GDPR. The DPA examined consent, contract and legitimate interest as possible legal bases.

Regarding consent, the DPA stressed that consent seemed impossible because there can be no 'free' consent in the context of an employee-employer relationship according to Article 6(1)(a) GDPR and Article 4(11) GDPR.

Regarding contract, the APD stated that to successfully invoke the performance of a contract as a legal basis, the processing needs to be necessary to perform that contract according to Article 6(1)(b) GDPR. Since the data subject's contract had already ended in 2021, the controller could no longer invoke this legal basis. Additionally, the DPA stated that the controller would also not be able to invoke contract as a legal basis during the employment contract, since the publishing of the data subject's photo on the controller's social media and website did not seem necessary to perform the employment contract.

Regarding legitimate interest, the DPA performed a legitimate interest assessment composed of a purpose test, a necessity test and a balancing test between the consequences for the data subject and the consequences for the controller. Concerning the purpose test, the DPA confirmed that attracting new employees can be considered as a legitimate interest for the controller. Regarding the necessity test, the DPA did not find it necessary to publish images of employees to reach this purpose, especially since the employee in question was no longer working for the controller. Concerning the balancing test, the DPA considered that it may not be within the data subject's reasonable expectations as a former employee that her photograph be published on the controller's website and social media to recruit new colleagues, especially since the data subject was employed by a competitor. The DPA also took into account that the data subject had not been employed by the controller since 2021. The DPA found that legitimate interest as a legal basis under Article 6(1)(f) GDPR did not apply.

The DPA noted that no other legal bases under Article 6(1) GDPR seemed to apply and therefore did not need to be examined. The DPA concluded that the publication of the data subject's photograph constituted unlawful processing.

Thirdly, the DPA confirmed that the data subject has the right to request the erasure of her personal data under Article 17(1)(d) GDPR. This Article establishes that the data subject may obtain the erasure of their personal data if such data has been unlawfully processed. The DPA held that there might have been a breach of Article 17(1)(d) GDPR.

Finally, Article 12(3) GDPR indicates that the controller shall provide information on action taken regarding data subject's rights without undue delay. The data subject exercised this right on 31 August 2023 and the controller responded the same day that it refused to erase the photographs since this was covered by the work regulations. The DPA therefore held no infringement regarding Article 12(3) GDPR as the controller did respond (negatively) to the request.

Therefore, the DPA ordered the controller to comply with the data subject's erasure request within 30 days of the notification of the decision.

Comment

Comment from the initial contributor: As this is a 'prima facie' decision, not much information is available. The Litigation Chamber of the DPA has ruled solely based on the complaint without having a procedure. The controller could demand for a procedure on the merits within 30 days after the decision.

The DPA seems to contradict itself with regards to the applicability of consent as a legal base. On its website, the DPA explicitly states that an employee's consent is required to use his/her photograph taken for the purpose of a security badge, for other purposes. Also, in the past the DPA has on numerous occasions held that as a rule of thumb consent should be used in the context of 'nice to have' photographs and other legal bases can be relied on for 'need to have' photographs.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Dispute Chamber

Decision 35/2024 of February 20, 2024


File number: DOS-2023-04528


Subject: Failure to comply with a request for data erasure



The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke HIJMANS, sole chairman;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter “WOG”;

Having regard to the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Has made the following decision regarding:

Complainant: X, hereinafter “the complainant”;

The defendant: Y, hereinafter “the defendant”.



I. Facts and procedure


 1. The complainant worked as an employee of the defendant until 2021. In August 2023 the complainant found that a photo of her was published on the website of the defendant in a campaign to recruit new colleagues. The complainant points out that she never gave permission for this. The complainant is currently employed by a competitor of the defendant, where she was confronted about this by colleagues. Consequently the complainant wrote to the defendant on August 31, 2023 with the request to delete the photos on social media accounts and to publish no more images in the future on which she or her name appears. The defendant answers the same day that a regulation for the use of photo material after termination of employment was drawn up, as a result of which he claims to be in order. The defendant also states that new photo material is being worked on to avoid such situations in the future. The defendant states that he had already requested that no more names be mentioned, but that he has not yet been able to verify whether this has happened.

 2. On November 6, 2023, the complainant submits a complaint to the Data Protection Authority against the defendant.

 3. On February 6, 2024, the First Line Service informs the complainant that it has received a version of the complaint without signature and has not received the requested additional information, i.e. supporting documents.

 4. On February 6, 2024, the complainant submits the complaint with signature and the requested supporting documents, namely the correspondence between her and the defendant and screenshots of the photos in question on the defendant's website as well as on the profile of the defendant on LinkedIn, Facebook and Instagram.

 5. On February 13, 2024, the complaint is declared admissible by the First Line Service on the basis of articles 58 and 60 of the WOG and the complaint is transferred to the Disputes Chamber on the basis of article 62, § 1 of the WOG. 2

 6. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal rules of order of the GBA, the parties can request a copy of the file. If one of the parties wishes to make use of the opportunity to consult and copy the file, he or she must contact the secretariat of the Disputes Chamber, preferably via litigationchamber@apd-gba.be.






1 In accordance with Article 61 of the WOG, the Disputes Chamber hereby informs the parties that the complaint has been declared admissible.
2 In accordance with Article 95, § 2 of the WOG, the Disputes Chamber hereby informs the parties that the file has been transferred to it as a result of this complaint.


II. Justification


 7. It is up to the Disputes Chamber to assess prima facie whether the complainant can successfully invoke the right to erasure of data under Article 17 GDPR and/or whether, where appropriate, the defendant has given an appropriate response to this request.

 8. The Disputes Chamber points out that the contact details of a natural person, such as name, first name and photo, are personal data within the meaning of Article 4.1 of the GDPR. This is information relating to an identified or identifiable natural person (the "data subject"), in this case the complainant, who can be directly identified based on this information. The publication of such data on the website and social media accounts constitutes processing within the meaning of Article 4.2 GDPR. The Dispute Chamber reminds that any processing must comply with the basic principles of data protection as set out in article 5.1 GDPR, such as the lawfulness of the processing (Article 5.1.a) GDPR). The Disputes Chamber notes that the name of the complainant is not mentioned in the supporting documents submitted by the complainant.

 9. In accordance with Article 5.1.a) in conjunction with Article 6.1 of the GDPR, any processing of personal data must have a legal basis. Article 6.1 of the GDPR stipulates that the processing must take place on the basis of one of the following legal bases: the data subject has given permission for the processing of his personal data for one or more specific purposes (Article 6.1.a) GDPR - consent); the processing is necessary for the execution of an agreement to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject (Article 6.1.b) GDPR - execution of the agreement); the processing is necessary to comply with a legal obligation to which the controller is subject (Article 6.1.c) GDPR - legal obligation); the processing is necessary to protect the vital interests of the data subject or of another natural person (Article 6.1.d) GDPR - vital interest); the processing is necessary for the performance of a task of general interest or a task in the exercise of official authority vested in the controller (Article 6.1.e) GDPR - task of public interest); or the processing is necessary for the pursuit of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, especially when the data subject is a child (Article 6.1.f) GDPR - legitimate interest).

 10. The Disputes Chamber will then assess whether the processing of the personal data is based on one of the above legal bases.


11. Based on the defendant's email dated August 31, 2023, the Disputes Chamber determines that the defendant points out that the publication of images on the website and on the social media accounts of the defendant is regulated by the employment regulations, which form part of the employment contract.


12. Article 6.1.b) GDPR provides a legal basis for the processing of personal data if the “processing [is] necessary for the execution of an agreement to which the data subject is a party, or to take measures at the request of the data subject before the conclusion of an agreement”. A successful appeal to this legal basis therefore requires that the processing is necessary specifically to execute the agreement with the data subject. Since the employment contract between the parties was terminated in 2021, as the Disputes Chamber established on the basis of the complaint, a successful appeal to Article 6.1.b) GDPR is prima facie no longer possible in the absence of an agreement. Moreover, prima facie the necessity requirement also appears not to be met, as the publication of a photo on the website or on social media to attract new colleagues is not necessary to execute the employment contract. This therefore suggests that no successful appeal to Article 6.1.b) GDPR is possible in the present case.

13. Article 6.1.f) GDPR stipulates that the processing is lawful if “the processing […] is necessary for the pursuit of the legitimate interests of the controller or of a third party, except when the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh those interests, in particular when the person concerned is a child”. The case law of the Court of Justice of the European Union requires that an appeal to Article 6.1.f) of the GDPR meets three cumulative conditions. The controller must show that:

     a. the interests he pursues with the processing can be recognized as legitimate ('the target test');

     b. the intended processing is necessary for the realization of these interests ('the necessity test'); and

     c. the weighing of these interests against the interests, freedoms and fundamental rights of the data subjects comes out in favor of the controller or of a third party ('the assessment test').


14. With regard to the first condition, the Disputes Chamber acknowledges that attracting new employees constitutes a legitimate interest on the part of the defendant, so that the first condition, the target test, appears to be met. As for the second condition, the Disputes Chamber notes that the publication of a photo of an employee, a fortiori a former employee, does not seem necessary to achieve this purpose. The Disputes Chamber refers to the strict interpretation of the necessity requirement by the Court of Justice. The third condition, the assessment test, prima facie does not seem to be satisfied either. According to recital 47 GDPR, the existence of a legitimate interest must be carefully assessed. When determining whether the legitimate interest outweighs the interest or fundamental rights and freedoms of the data subject, account must be taken, among other things, of the data subject's reasonable expectations based on his relationship with the controller. The Disputes Chamber notes that it may not fall within the reasonable expectations of the complainant as a former employee that her photo is published on the website to recruit new colleagues, and certainly not if she herself works for a competitor. Hereby the Disputes Chamber takes into account the fact that the complainant has no longer worked for the defendant since 2021. A successful appeal to Article 6.1.f) GDPR seems prima facie ruled out.


 15. The Dispute Chamber then reminds that consent can only be validly invoked if, in accordance with the definition in Article 4.11 GDPR, it is free, specific, informed and unambiguous. The Disputes Chamber emphasizes that there can be no free consent in the context of an employee-employer relationship, so that prima facie no successful appeal to Article 6.1.a) GDPR appears possible.

 16. Finally, the Disputes Chamber notes that the other legal grounds from Article 6.1 GDPR do not seem to apply to the present case.

 17. The above makes the Dispute Chamber suspect that the publication of the photo of the complainant constitutes unlawful processing.

 18. The right to erasure under Article 17.1.d) GDPR expressly recognizes the right of data subjects to obtain the erasure of data without delay from the controller if the personal data has been processed unlawfully.

 19. In accordance with Article 12.3 GDPR, the controller shall provide the data subject, without delay and in any case within one month of receipt of the request pursuant to Articles 15 to 22 GDPR, with information about the outcome of the request. Depending on the complexity of the requests and the number of requests, that period may be extended by a further two months if necessary. The controller shall inform the data subject of such extension within one month of receipt of the request.

3 CJEU Judgment of 4 May 2017, Rīgas Satiksme, C-13/16 ECLI:EU:C:2017:336, para. 30.

 20. The Disputes Chamber determines, based on the e-mail conversation attached to the complaint, that the complainant exercised her right to erasure in accordance with Article 17.1 GDPR on August 31, 2023. Pursuant to Article 12.3 GDPR, the controller, in this case the defendant, must respond to the request for data erasure without delay and no later than one month after receipt of the request. This period may possibly be extended by another two months, given the complexity of the request. The complainant must be informed of this extension within one month of the request for data erasure. If the defendant decides not to comply with the request of the complainant, it must communicate this to the data subject within one month of receipt of the request, in accordance with Article 12.4 GDPR.

21. The Disputes Chamber determines that the complainant received an answer on August 31, 2023 about the action the defendant took on the data erasure request. The defendant states that her name had already been deleted and that the photo was published on the basis of the employment regulations. Prima facie, the defendant has responded in a timely manner to the complainant's request for data erasure.

22. The above analysis suggests to the Disputes Chamber that it should be concluded that the defendant may have committed a violation of Article 17.1.d) of the GDPR, which justifies taking a decision in this case on the basis of Article 95, § 1, 5° of the WOG, more specifically

23. This decision is a prima facie decision taken by the Disputes Chamber in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant, in the context of the “procedure prior to the decision on the merits”, and not a decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.

24. The Disputes Chamber has thus decided, on the basis of Article 58.2.c GDPR and Article 95, § 1, 5° WOG, to order the defendant to comply with the data subject's request to exercise her rights, in particular the right to erasure ("right to be forgotten") as provided for in Article 17 GDPR.

25. The purpose of this decision is to inform the defendant of the fact that it has committed an infringement of the provisions of the GDPR and to give it the opportunity to still comply with the aforementioned provisions.

26. If the defendant does not agree with the content of this prima facie decision and is of the opinion that it can put forward factual and/or legal arguments that could lead to a different decision, it can send a request to hear the merits of the case to the Disputes Chamber via the e-mail address litigationchamber@apd-gba.be within 30 days after notification of this decision. The implementation of this decision will, if necessary, be suspended for the aforementioned period.


 27. In the event of a continuation of the hearing on the merits of the case, the Dispute Chamber will, on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG, invite the parties to submit their defenses as well as any documents they consider useful to add to the file. If necessary, the present decision will be permanently suspended.

 28. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits of the case may lead to the imposition of the measures stated in Article 100 of the WOG.

III. Publication of the decision

 29. Considering the importance of transparency with regard to the decision-making of the Dispute Chamber, this decision will be published on the website of the Data Protection Authority. However, it is not necessary that the identification details of the parties are disclosed directly.



    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, subject to the submission of a request by the defendant for a hearing on the merits in accordance with Article 98 et seq. of the WOG, to:

       - on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG, order the defendant to comply with the complainant's request to exercise her rights, in particular the right to erasure (Article 17.1 GDPR), and to erase the personal data of the data subject from the website and social media accounts, within 30 days from the notification of this decision;

       - order the defendant to inform the Data Protection Authority (Dispute Chamber) by e-mail, within the same period, of the action taken on this decision, via the email address litigationchamber@apd-gba.be; and

       - in the absence of timely implementation of the above by the defendant, consider the merits of the case ex officio in accordance with Articles 98 et seq. of the WOG.



Pursuant to Article 108, § 1 of the WOG, an appeal against this decision may be filed with the Market Court (Brussels Court of Appeal) within a period of thirty days from the notification, with the Data Protection Authority as defendant.

Such an appeal can be lodged by means of an inter partes petition, which must contain the statements listed in Article 1034ter of the Judicial Code. 4 The inter partes petition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Dutch Civil Code, 5 or via the e-Deposit IT system of Justice (Article 32ter of the Judicial Code).









   (ge). Hielke HIJMANS

   Chairman of the Disputes Chamber

4 The petition states, under penalty of nullity:

 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or company number;
 3° the surname, first name, place of residence and, where applicable, the capacity of the person to be summoned;
 4° the subject matter and brief summary of the grounds of the claim;
 5° the judge before whom the claim is brought;
 6° the signature of the applicant or his lawyer.

5 The petition with its attachment will, in as many copies as there are parties involved, be sent by registered letter to the clerk of the court or deposited at the registry.