APD/GBA (Belgium) - 40/2023
From GDPRhub
| APD/GBA - 40/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 4(1) GDPR Article 12 GDPR Article 12(2) GDPR Article 12(3) GDPR Article 12(5)(b) GDPR Article 15(1) GDPR Article 15(3) GDPR Article 8(1) ECHR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 22.02.2022 |
| Decided: | 03.04.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 40/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | APD/GBA (in NL) |
| Initial Contributor: | kv33 |
The Belgian DPA held that an employer violated Article 12(5) GDPR when refusing to comply with an access request of a former employee. Although the refusal was justified, the controller should have communicated a more detailed motivation for the refusal.
English Summary
Facts
The data subject was a former employee of the controller, an organisation which supported adult persons with a disability. For his job, he used a work e-mail for about 8 years, occasionally also for private e-mails. This e-mail did not contain any direct identifiers referring to the data subject.
On 15 September 2020, the data subject was fired. The controller revoked the data subject's access to the e-mail by changing the password and deleting the user account. On 25 May 2021, the data subject filed an access request with the controller. He requested the personal data in the email mailbox and documents from his employment file. He also wanted to get information on what happened with the e-mail after he had been fired.
On 10 June 2022, the controller informed the data subject that it would use the possibility in Article 12(3) GDPR to extend the deadline for replying with two months, due to the complexity of the request. On 24 August 2020, the controller provided its answer to the access request. However, according to the data subject, the controller's answer was not sufficient.
On 22 February 2022, the data subject filed a complaint against the controller with the Belgian DPA concerning the personal data in the mailbox (and not other personal data or documents in his employment file). During the proceedings, it became clear that after 4 January 2018, the e-mail address was also used by other employees of the controller. Before this time, the data subject was the only one using this e-mail, and he had sent emails signing them with his personal name.
On 18 July 2022, the controller provided several reasons why it did not comply with the access request. Among other reasons, the controller stated that the e-mail did not contain any personal data in the first place. The controller also held that the request of the data subject to search in 8 years of e-mails was excessive. The controller had also refused to provide access in order to protect the rights and freedoms of other data subjects.
Also, according to the data subject, the controller would only be allowed to further use this email address after the termination of the contract with the consent of the data subject, pursuant to Article 6(1)(a) GDPR. The controller disagreed with this argument.
Holding
First, The DPA limited the scope of the access request to the data subject's work e-mail and the connected mailbox, since the data subject initial complaint to the DPA did not contain any reference to any other personal data or documents outside the e-mail mailbox.
Second, The DPA assessed if the e-mail address itself was personal data pursuant to Article 4(1) GDPR. Considering the fact that this was a work e-mail and not a personal e-mail, it contained no identifiers, such as a name, that would make the data subject directly identifiable. The email was connected to the service, not to a person. Therefore, the DPA held that it was necessary to determine if this work e-mail contained any indirect identifiers. The DPA held that it was necessary to make a distinction between the situation prior to 4 January 2018 and the situation after..
The DPA concluded that before 4 January 2018, the e-mail address constituted personal data. The data subject claimed that he had been the only person using this e-mail, and the controller had not been able to prove otherwise. Considering the fact that the data subject had been the only one using the e-mail and signed his emails using his personal name, it was possible for recipients to identify the data subject as the administrator of the e-mail over time. However, after 4 January 2018, the e-mail address was not personal data any more, since the controller was able to prove that the e-mail address was used by multiple employees after 4 January 2018. Therefore, the e-mail itself was only personal data until 4 January 2018.
Third, the DPA answered the question if there was any personal data in the mailbox itself. The DPA held that a distinction had to be made between personal data processed in the data subject's professional capacity and personal data processed outside the professional capacity, in this case, in the supposed private e-mails. According to the DPA, there was no doubt that there was personal data of the data subject in the mailbox from the time he had acted in his professional capacity. With regard to the personal data outside the professional capacity, the DPA held that the data subject did not provide sufficient evidence to prove the existence of private emails in the mailbox. Due to this lack of evidence, the DPA only acknowledged the existence of personal data in relation with the professional capacity.
Fourth, the DPA assessed the excessiveness of the request. The DPA did agree with the controller that the access request was indeed excessive. The controller would have had to search through 8 years of e-mails in a work e-mail, which had also been used by other employees after 4 January 2018. There had not even been evidence that there would be private e-mails of the data subject in this mailbox. For these reasons, such private e-mails could not be retrieved with reasonable effort. Also, the mailbox contained a lot of sensitive information concerning other data subjects, including health data of users of the controller's services, which were usually adults with a disability. Therefore, the controller's refusal was justified. However, the DPA stated that Article 12(5) GDPR required the controller to provide explanation to the data subject on his refusal to respond to the access request. Therefore, the controller had violated Article 12(5) GDPR.
Lastly, the DPA held that the controller did not need the data subject's consent to further use the work e-mail. Indeed, it already established that the e-mail address was no longer considered personal data after the termination of the contract. The controller was also allowed to further use this email for the purpose of providing continuity for its service.
The DPA warned the controller for the violation of Article 12(5) GDPR pursuant to Article 100(1)(5) WOG (Law establishing the data protection authority)
Comment
The decision refers to the rights of the data subjects using the e-mail address after the 4 January 2018. It does however not mention Article 15(4) which we think could be relevant in that case. This article states that the right of access should not adversely affect the rights and freedoms of others.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/16
Litigation room
Decision on the substance 40/2023 of 3 April 2023
File number : DOS-2022-01387
Subject: Refusal to inspect personal data after termination of employment
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereafter WOG;
Having regard to the rules of internal order, as approved by the Chamber of
Representatives on 20 December 2018 and published in the Belgian Official Gazette on
January 15, 2019;
Having regard to the documents in the file;
Made the following decision regarding:
The complainant: Mr X, represented by Maarten Verhaghe,
with offices at Kortrijksesteenweg 546, 9000 Ghent, hereinafter referred to as “the complainant”;
The defendant: Y, represented by Meester Sara Torrekes, with office at 8790
Waregem, Jozef Duthoystraat 112, hereinafter referred to as “the defendant”. Decision on the substance 40/2023 – 2/16
I. Factual Procedure
1. On 22 February 2022, the complainant submits a complaint to the Data Protection Authority
against the defendant.
The complainant worked for 13 years at the defendant, an autonomous association
with as activity the support and guidance of adults with a
limit. The complainant was (jointly) responsible for the studio operations of the
defendant. In the context of the performance of this position, the complainant has during a
used the e-mail address […] for a period of (at least) 8 years. On September 15, 2020, the
employment of the complainant terminated. On May 25, 2021, the complainant submitted a request for
inspection/more information addressed to the defendant. Considering the complexity and size
of the request, the defendant informed the complainant on 10 June 2022 of the
extension by 2 months of the deadline for providing information about the consequence
given to the request. The defendant has its answer on 24 August 2022
transferred to the right of access.
2. On March 30, 2022, the complaint will be declared admissible by the First Line Service on the basis
of Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG
submitted to the Disputes Chamber.
3. On 4 May 2022, the Litigation Chamber shall, in accordance with Article 58(2)(c) of the
GDPR and Article 95, paragraph 1, 5° WOG the decision 67/2022 with regard to the defendant and
orders her, before a decision is taken on the merits, to hear within one month
to the request of the complainant to exercise his right of access (Article 15, par
1 GDPR). The result of this decision must be brought to the attention of the Litigation Chamber
be submitted, together with supporting documents, within one month from the date of the
notification of the decision.
4. On 24 May 2022, the defendant requests a hearing on the merits of the case and
she requests a copy of the file (article 95, § 2, 3° WOG), which was sent to her
transferred on June 1, 2022
5. On 1 June 2022, the parties concerned will be notified by registered mail
of the provisions as stated in Article 95, § 2, as well as of these in Article 98 of the WOG.
they are informed of the time limits for their
to file defenses.
The deadline for receipt of the statement of defense from the defendant will be
recorded on 13 July 2022, those for the complainant's reply on 3 August
2022 and finally those for the defendant's statement of reply on 24 August
2022. Decision on the substance 40/2023 – 3/16
6. On June 13, 2022, the defendant will electronically accept all communications regarding the case,
it indicates that it wishes to make use of the opportunity to be heard
in accordance with Article 98 WOG, and requests an extension of the deadlines for conclusion.
7. On June 13, 2022, the complainant electronically accepts all communication regarding the case
to know that he wishes to make use of the opportunity to be heard
in accordance with Article 98 WOG and confirms the request for extension of the
deadlines of the defendant. The deadlines are determined as follows:
The deadline for receipt of the statement of defense from the defendant will be
recorded on 24 July 2022, this for the conclusion of the complainant's reply on 24 August
2022 and finally those for the statement of defense of the defendant on 24 September
2022.
8. On 18 July 2022, the Disputes Chamber received the statement of defense from the
defendant.In principle, the defendant raises that the writing dated.25 May 2021 of the
complainant does not request access to personal data relating to (the mailbox
associated with) the e-mail address in question. In a subordinate order, the
the defendant that the e-mail address in question does not contain any personal data of the complainant
contains. In a more subordinate order, the defendant argues that the refusal to inspect
justified in view of the excessive nature of the request and the protection
of the rights and freedoms of others.
9. On August 24, 2022, the Disputes Chamber receives the request from both parties for the
deadlines to adjust so that the final date for receipt of the conclusion
The complainant's reply is set for August 31, 2022 and this before the conclusion of
reply of the defendant on 29 September 2022. The Litigation Chamber confirms this
extension on August 26, 2022.
10. On August 31, 2022, the Disputes Chamber receives the request from both parties for the
deadlines to extend once again, thereby extending the final date for receipt of
the statement of reply of the complainant is set for September 5, 2022 and the conclusion
of the defendant's rejoinder on 4 October 2022. On 31 August 2022, the
Litigation Chamber has extended these deadlines and emphasizes that no further extension will be made
be allowed.
11. On 5 September 2022, the Disputes Chamber will receive the statement of reply from the complainant.
The complainant argues that the letter dd. May 25, 2021 indeed a request for inspection
pursuant to Article 15 GDPR and that the e-mail address, contrary to what the
the defendant raises, does constitute his personal data. The complainant also argues that
request for access not only relates to the e-mail address itself, but also to other Substance decision 40/2023 – 4/16
personal data. Finally, the complainant argues that the refusal of access is not
is justified.
12. On 4 October 2022, the Disputes Chamber will receive the statement of rejoinder from the
defendant. In these conclusions, the defendant reiterates its arguments
conclusions of reply and adds that the letter dd. May 25, 2021 of the
the complainant did not relate to various personal data other than the e-mail address
connected mailbox.
13. On 26 January 2023, the parties will be notified that the hearing will
take place on March 13, 2023.
14. On March 13, 2023, the parties will be heard by the Disputes Chamber.
15. On 15 March 2023, the minutes of the hearing will be submitted to the parties.
16. On March 20, 2023, the Disputes Chamber will receive some from the defendant
remarks with regard to the official report which it decides to include in
her deliberation.
17. The Disputes Chamber does not receive any comments regarding the official report
because of the complainant.
II. Motivation
II.1. Object of the procedure
18. Based on the conclusions and the hearing, the Disputes Chamber establishes that the parties
disagree on the scope of the subject-matter of this proceeding. The complainant raises
that the complaint and therefore the procedure relates to the request for inspection with
regarding all requested personal data and documents, as well
formulated in writing dd. May 25, 2021. The defendant argues that the complaint only
relates to the e-mail address and the associated mailbox. Both parties
explained their position on this at the hearing.
19. The Disputes Chamber states that the letter dd. May 25, 2021 is broadly formulated, whereby
on the one hand, you are asked to inspect all personal data, and on the other hand
various specific documents are mentioned which the complainant wishes to inspect
to acquire. The defendant has formulated a reply to this letter and
various requested documents in its possession. The complainant found
this answer is insufficient and has filed a complaint with the GBA. referred to in this complaint
the complainant only to the e-mail address and the connected mailbox. There is no reference,
also not as an example, to other documents that the complainant wishes to obtain, but not
received after the defendant's letter of reply. The Litigation Chamber upholds Decision 40/2023 – 5/16
therefore established that the complaint is thus aimed at obtaining personal data contained in
the mailbox.
20. The Litigation Chamber therefore concludes that these proceedings only concern
the right to inspect the mailbox [… ] and the associated mailbox.
II.2. Definition of personal data
II.2.1. Position of the complainant
21. In his conclusions, the complainant argues that during a period of 13 years
was employed by the defendant as responsible for the studio operations. During the day
and with a view to the performance of his duties, the complainant always has the e-mail address
[…] used for both professional and personal purposes. The complainant argues that
this e-mail address was only used by him, during a period of 8 years until the
end of his employment. The complainant also states that the general e-mail address of
the defendant is […] and not […].
22. Consequently, the complainant concludes that the e-mail address is his personal data and contains the
mailbox also various personal data from him.
23. The complainant also refers to Commission Recommendation 8/2012 of 2 May 2012
for the protection of privacy (hereinafter: CPP) and decisions 29
September 2020 and December 2, 2021 of the Litigation Chamber regarding the management of
the mailbox of an employee who leaves the company and the application of essential
principles within the GDPR such as purpose limitation, lawfulness, minimal data processing
and storage limitation by the employer. After all, the complainant never has permission
given for further use of the mailbox after his departure. The defendant, according to the
complainant has not acted in accordance with this Recommendation and previous decisions of the
Litigation room.
II.2.2. Defendant's position
24. The defendant disputes the complainant's assertion. She states that the e-mail address […] no
personal data of the complainant and that the mailbox linked to it does not contain any
contains personal data relating to the complainant. Nor are they in use
of the mailbox processes personal data relating to the complainant. The email address concerns
after all, a purely functional e-mail address that belongs exclusively to it and that by it
employees, including the complainant, can and may only do so for professional purposes
being used.
25. In its conclusions, the defendant notes that, contrary to what is stated in the
conclusions of the complainant, this e-mail address at the time of his employment was used by Decision on the substance 40/2023 – 6/16
several employees, such as colleague Z in particular. This is apparent from communication that the
the complainant himself sent during his employment, whereby the complainant himself on the one hand
insisted on using generic email addresses instead of personalized email
email addresses and on the other hand asked to grant this colleague access to the email address
in question. In this context, the defendant sends an email dd. January 4, 2018 about in which the
the complainant asks that e-mails from a colleague be routed to the mailbox so that they can be sent as quickly as possible
share the same mailbox.
26. The defendant argues that the complainant does not demonstrate or plausible in any way
means that (the mailbox linked to) the e-mail address would contain personal data
that pertain to him. The defendant submits witness statements that allege
that the email address was a professional shared email address in which several
supervisors had a view and that was not used for private purposes. This
testimonials also state that, if after the departure of the complainant a
personal mail have been received for him, quod non, it would have been forwarded to him.
27. In addition, it should be noted that the absence of an ICT policy and/or
written ban on the private use of an e-mail address, obviously not just like that
can be deduced that the e-mail address concerned in practice for both professional
can be used asprivate purposes.ThereferenceofthebearertotheRecommendation
02/2012 and to the previous decisions of the Litigation Chamber is not relevant according to the
defendant. This Recommendation and decisions relate to the use of a
e-mail address in which the name and first name of the person concerned are stated. The email address
with mailbox therefore did not contain any personal data of the complainant, concludes the
defendant.
II.2.3. Review by the Litigation Chamber
28. The Disputes Chamber will first judge whether the e-mail address […] is personal data of the
complainant and then about the personal data contained in the mailbox.
II.2.3.1. Email address as personal data
29. Article 4, 1 GDPR defines personal data as follows:
any information about an identified or identifiable natural person ("de
data subject”); an identifiable natural person is considered to be directly or
can be identified indirectly, in particular by means of an identifier such as a
name, an identification number, location data, an online identifier or one or more
elements characteristic of the physical, physiological, genetic,
psychological, economic, cultural or social identity of that natural person. Decision on the substance 40/2023 – 7/16
30. There are 4 elements in the definition of personal data:
1) relate to
2) an identified or
3) identifiable
4) natural person.
31. If there is to be personal data, the data must, in principle, relate
have on a natural person. Data refers only to a natural
person when identified or identifiable. A person is
identified when it is unique from all other individuals within a group
is distinguished. A person is identifiable when it has not yet been identified,
but it can be done without disproportionate effort.
32. The Disputes Chamber has confirmed on several occasions that an e-mail address containing the
data subject his/her first and last name, i.e. direct identifiers, a
1
personal data within the meaning of Article 4, 1) GDPR. In the present case it concerns
however, a functional e-mail address, namely […] The e-mail address is thus linked to one
service, in this case the studio operation, and not to a person. The question arises or something like that
functional e-mail address can also constitute personal data on the basis of indirect
identifiers.The extent to which certain (indirect) identifiers are sufficient to
identification depends on the context of the specific situation. The
Litigation Chamber finds that a distinction must be made between the e-
email address in the period from the first use until January 4, 2018 and the period thereafter.
Period before January 4, 2018
33. The complainant claims in its conclusions that he was the only user of the e-mail address.
Since the defendant does not adduce any evidence that other persons
used the email address in the period up to January 4, 2018, the
Litigation Chamber determined that the e-mail address was used and managed exclusively by the
complainant, as (co-)responsible for the studio activities. While exercising
tasks, the complainant has always sent and signed e-mails with his name as (co-
responsible for the studio. The people who sent emails to and received emails from
this e-mail address in question could, certainly over time, identify the complainant as the
administrator of the e-mail address. The complainant was therefore indirectly identifiable to third parties by
using the email address as described above.
34. In view of the above, the Disputes Chamber therefore concludes that the functional e-
e-mail address has not been used for the purpose of linking it to the person
1
See, among others, decision 133/2021 of 2 December 2021 and decision 64/2020 of 20 September 2020. Decision on the merits 40/2023 – 8/16
of the complainant, but that this was the result because of the exclusive use of it
the complainer. Consequently, the e-mail address for that period constitutes his personal data.
Period from January 4, 2018
35. However, in the period from 4 January 2018, the defendant demonstrates that the e-mail address
was also used by (at least) the other co-responsible person of the
studio operation in function of the operation of the service. The purpose of a functional e-
After all, the mail address is to ensure the continuity of the service, for example when a
employee is no longer employed within that service. As soon as the co-responsible person
and other facilitators used the e-mail address and also e-mails in their own
name as an employee of the atelier, the complainant was no longer indirect
identifiable. After all, a sender of an e-mail could not know which of the
employees would handle his mail, even if he addressed the complainant personally
in his email. The Disputes Chamber therefore rules that from 4 January 2018 the e-mail address
no longer constitutes personal data of the complainant.
II.2.3.2. Personal data in the mailbox
36. The defendant argues that there are no personal data in the mailbox since
it was not allowed to use the e-mail address for non-professionals
purposes. This is disputed by the complainant. The complainant claims that there are personal data
in the mailbox and points out that there is no policy on the use of
the professional email address.
37. The Disputes Chamber points out in this regard that the concept of "personal data" includes all
types of information includes: private (intimate), public, professional or commercial
information, objective or subjective information. In the Nowak judgment, the Court of
Justice of the European Union (hereinafter: CJEU) clearly that the concept of "personal data"
includes both data arising from objective, verifiable and arguable
elements such as subjective data that provide an evaluation or judgment about the data subject
contain. Consequently, the Litigation Chamber concludes that the fact that a functional e-mail
e-mail address does not constitute personal data in the sense of article 4, 1) GDPR, does not prevent that
personal data of the complainant may be present in the mailbox.
38. The Disputes Chamber argues that in this case a distinction must be made between
on the one hand, the personal data of the complainant that were processed in the professional
context and, on the other hand, personal data that were processed outside the professional
context of his then capacity as an employee of the defendant (private emails).
2 CJEU, 20 December 2017, C-434/16, Nowak, ECLI:EU:C:2017:994. Decision on the substance 40/2023 – 9/16
39. On the basis of the above, the Litigation Chamber concludes that there can be no doubt
exist that personal data in the professional context of the complainant is contained in the
mailbox, such as a registration for a course.
40. With regard to private emails, it is acknowledged by the parties that there is no explicit written
prohibition on using the professional e-mail address for private purposes
was applicable. However, the parties do not agree on the consequences
result. The complainant states that it was thus permitted to send private e-mails and
to be received with the professional e-mail address. The defendant, on the other hand, points out that
the lack of such prohibition or ICT policy in that sense does not simply mean it
concerned e-mail address can be used for both professional and private purposes.
41. The Disputes Chamber refers in this context to the case law of the European Court of Justice
Human Rights (hereinafter: ECtHR). The ECtHR has ruled that the term
“private life” should be interpreted broadly. For example, it includes the right to it
establishing and developing relationships with other people and the right to identity and
personal development. In particular, the ECtHR has ruled that emails sent from
the work will be sent prima facie under the notions of private life and correspondence
within the meaning of Article 8(1) of the European Convention on Human Rights
by analogy with its earlier position that this is also the case for
telephone calls from business premises. However, this broad reading does not mean that every
activity that a person would like to engage in with other people in order to establish relationships
delivery is protected. The Disputes Chamber is therefore of the opinion that the complainant, in view of
to the right to protection of private life, could occasionally send private e-mails
received at the professional e-mail address, partly because he did not have one
professional email address in name and since no (written) policy on this
was communicated. However, this private use should be limited to occasional use
usage. However, the Disputes Chamber reads in the conclusions of the complainant that during 8
would have sent and received many private e-mails over the years, but at the same time notes that
he does not provide any evidence in this regard. The Disputes Chamber can therefore not
determine that such private e-mails date from the period of the complainant's employment
the mailbox would be present.
42. The defendant argues that there are no private e-mails after the termination of the employment
arrived for the complainant and substantiates this by various witness statements. During the day
the hearing has asked the Disputes Chamber to the counsel of the complainant about
what kind of private emails it would involve in this case. This stated that it concerned private e-mail
e-mails from friends and acquaintances. However, the Litigation Chamber cannot depart from the claims,
nor establish from the hearing that there are indications that there are indeed 40/2023 – 10/16
private e-mails have been received at the e-mail address in question after the termination of the
employment with the defendant.
II.3. Right of access (Article 15 GDPR)
43. In accordance with Article 58(2)(c) of the GDPR and Article 95(1)(5) WOG, the
Litigation Chamber has taken the decision 67/2022 with regard to the defendant and
ordered her to be heard within one month before a substantive decision is taken
to the request of the complainant to exercise his right of access (Article 15, par
1 GDPR). Having regard to the request of the defendant to deal with the substance of the case and
the arguments set out by the parties are taken by the Litigation Chamber in this regard
a new decision.
44. According to Article 15(1) of the GDPR, the data subject has the right to obtain from the
to obtain a definite answer from the controller as to whether or not he is being processed
regarding personal data. If that is the case, the data subject has the right to
obtain access to those personal data and information listed in Article 15(1a)-h) of
the GDPR is stated, such as the purpose of the processing of the data and the
any recipients of the data, as well as information about its existence
rights, including the right to request rectification or erasure of its data, or to
submit a complaint to the GBA.
45. Pursuant to Article 15(3) of the GDPR, the data subject also has the right to obtain a
obtain a copy of the personal data that are the object of the processing.
46. Article 12 of the GDPR on the way in which data subjects can exercise their rights,
provides that the controller shall prevent the exercise of those rights by the
the data subject (article 12, paragraph 2 of the GDPR) must facilitate, and in any case inform him without delay
must provide information about the
measures taken in response to his request (Article 12(3) of the GDPR).
If the controller does not intend to comply with the request, it must
communicate his refusal within one month, and inform the person concerned about the
possibility to appeal against that refusal to the supervisory authority
for data protection (Article 12 (4) of the GDPR).
47. The Disputes Chamber finds that on 25 May 2021 the complainant received the notification and/or inspection
requested by letter below. Decision on the substance 40/2023 – 11/16
48. The complainant also requests copies of several documents from its
personnel file and adds that he would also like to have known what happened when
happened to his work mailbox […] after his dismissal.
49. On 10 June 2021, the defendant notified the complainant by registered letter of the
extension of the deadline for providing information about the consequence to it
request is given, with two months, in accordance with Article 12 (3) GDPR. On 24
August 2021, the defendant will forward and light various requested documents
to the complainant why other documents cannot be submitted, either
because they do not exist, or because the defendant is not the controller
is.
50. In his complaint to the GBA, the complainant denounces that he does not have access to the data
received in the emails in his work mailbox.
51. In its conclusions, the defendant argues that this initial application dated. May 25, 2021 none
request for access to personal data in accordance with Article 15 GDPR
until (the mailbox linked to) contains the email address […]. The complainant asks, according to the
defendant with regard to the email address just what happened when
work mailbox. The defendant replied that the access rights of the e-
email address and password have been changed. The defendant replied
also that the e-mail address was not personal and therefore does not constitute personal data Decision on the substance 40/2023 – 12/16
and rejects the complainant's request. In subordinate order, the defendant argues that if
it would nevertheless constitute personal data, the rejection of the request for access still remains
would always be justified, in view of the principle of proportionality on the one hand and the
protection of the rights and freedoms of others on the other.
II.3.1. Request access regarding the e-mail address and the mailbox
52. The Disputes Chamber finds that the complainant's question about what to do and when
mailboxishappenedcannotbequalifiedasarequesttoinspect/notify
his personal data The request for inspection, however, arises from the first part of the
letter dd. May 25, 2021 as resumed above (see supra marginal number 47). The GDPR
after all, does not provide any formal requirements for the request for inspection, and unless stated otherwise,
a request for access relates to all personal data of the data subject.
The above request is therefore formulated in accordance with the GDPR and is related
on all personal data, including those that may be in the mailbox.
53. The Disputes Chamber also points out in this context that the right of inspection is one of the
constitutes essential elements of the right to data protection, as such
included in Article 8 of the Charter of Fundamental Rights of the European Union, and
that, as is also apparent from the EDPB's guidelines on the right of access, there are limitations
the exercise of this right is only permitted to a limited extent
of a data subject to request access of no importance. 3
II.3.2. Refusal of the right to inspect the mailbox
54. The complainant argues that the right of access includes several elements, such as getting
information about whether or not personal data of the complainant is being processed
such as personal data contained in the mailbox. In its conclusions, the
the defendant explained the reasons why it refused the right to inspect the mailbox
has. In principle, the defendant argues that no personal data are present in
the mailbox (see section II.2.3.2). In the first instance, therefore, the defendant replied to
request access by stating that there are no personal data in the mailbox
are located.
55. In view of the above (see section II.2.3.2), the Litigation Chamber finds that the
it is unavoidable that personal data of the complainant are present in professional e-mails
the mailbox.
3 EDPB, Guidelines 01/2022 on data subject rights – right of access, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf Decision on the substance 40/2023 – 13/16
56. In orderly order, the defendant argues that the refusal is still justified
is, in view of the principle of proportionality on the one hand and the protection of rights and
freedoms of others on the other hand.
57. The Disputes Chamber points out that the right of access is not absolute. In this context
the Litigation Chamber refers to Article 12(5)(b) of the GDPR which reads as follows:
“Providing the information referred to in Articles 13 and 14, and providing
the communication and the taking of the measures referred to in Articles 15 to 22
and Article 34 are free of charge. When requests from a data subject are evident
are unfounded or excessive, in particular because of their repetitive nature, the
controller or:
[…]
b) refuse to comply with the request.
It is up to the controller to correct the manifestly unfounded or excessive
nature of the request”
58. In its Rijkeboer judgment, the CJEU ruled on the balance that must be struck
be sought between the right of access of the data subjects and the burden imposed on the
obligation to comply with that law entails for the
controller. More specifically, the question was "from when the
exercise of the right to access information about the past may become lawful
paralyzed by the erasure of that information. And how long do people need to own it
of that data are the traces of past actions with that data
performed, keep". Although the question in this case was how long a
controller must keep personal data, the reasoning of
the CJEU should be applied to the present case, given the scope of the request
of the complainant, that all e-mails concerning him are concerned. The Disputes Chamber points to it
importance of finding “[…] a fair balance between, on the one hand, the interests of the
data subject to protect his privacy […] and, on the other hand, the burden that the obligation to that
information for the controller constitutes". The parameters on the
based on this balance, the controllers are of course not allowed to
impose disproportionate obligations and excessive burdens.
59. However, the Litigation Chamber notes that Article 12(5) GDPR requires that the
controller the manifestly unfounded and excessive nature of the
request must be demonstrated. In her letter dd. As of August 24, 2021, the defendant does not have this
done. The defendant does have elements in its statement of defense and rejoinder
which demonstrate the excessive nature, but this should already have been done
in the above-mentioned letter to the complainant. Decision on the substance 40/2023 – 14/16
60. In the present case, the Litigation Chamber finds that searching all e-mails
concerning the complainant, for at least 8 years, after the moment of termination of the
employment, would imply a disproportionate workload for the defendant. The
work mailbox was also used by different people for years. The complainer
also did not transfer a single document showing that there are private e-mails in the mailbox
nor does the complainant provide specific e-mail addresses or other parameters
on the basis of which targeted searches can be made in the mailbox. In his conclusions, the complainant states
moreover, that no internal instructions indicate that he was obliged to apply any labelling
to the e-mails that are personal or to classify them in a separate folder.
Any private e-mails present are therefore not possible with a reasonable effort
found by the defendant. In addition, the mailbox concerns many sensitive
information, such as health data about the users of the services of
defendant, namely adults with a disability, so that not just inspection
can be granted in all professional emails with personal data of the complainant
on the basis of the aforementioned elements, the Disputes Chamber concludes that the request for
access by the complainant is excessive and that the defendant has lawfully refused to
to follow up on this.
61. In view of the above, the Disputes Chamber concludes that there is no infringement
is on Articles 12 (1) – (4) and 15 GDPR, but that there is a violation of
Article 12 (5) GDPR due to failure to sufficiently demonstrate the apparent in time
excessive or unfounded nature of the request for inspection by the complainant. That infringement is
however, not of such a serious nature as to warrant a fine or corrective sanction
must be imposed. The Disputes Chamber believes that a reprimand can be
suffice.
III. Access and use of the e-mail address after termination of employment
62. In its conclusions, the complainant states that the defendant unilaterally controlled access to the mailbox
denied him. After all, his permissions as a user of the mailbox were deleted
and then the password was changed. The complainant argues that the defendant
can only rely on the legal basis of permission to make further use of the
mailbox after his departure. Since the complainant has not given consent, the
processing of his personal data is not based on a legal basis from Article 6,
paragraph 1 GDPR. In this context, the complainant refers to the Recommendation already mentioned above
02/2021 of the CPP and the aforementioned decisions September 29, 2020 and December 2
2021 of the Disputes Chamber regarding the use of
professional resources, such as an email address.
63. The defendant argues in its conclusions that no personal data of the complainant
further processed by using the mailbox. After all, it concerns a decision on the merits 40/2023 – 15/16
functional e-mail address and not a registered e-mail address. The complainant's reference to the
Recommendation 02/2012 and previous decisions of the Litigation Chamber are not relevant
according to the defendant. This Recommendation and decisions relate to it
use of an e-mail address in which the name and first name of the data subject are stated.
Consequently, the Respondent may lawfully continue to use the email address
and the mailbox.
III.1. Review by the Litigation Chamber
64. The Disputes Chamber states that the e-mail address is indeed a functional e-mail address
time of termination of the complainant's employment and therefore no
personal data of the complainant, as a result of which the GDPR does not apply. The
references to Recommendation 02/2020 of the CPP and the aforementioned decisions
of the Disputes Chamber are therefore not relevant in this case. During the hearing, the
explained to the defendant that in the meantime she has started using a different e-mail address
for the studio operation, which has entailed the necessary problems, considering
its target audience, adults with disabilities. The Disputes Chamber is of the opinion that
the defendant could have lawfully continued to use the functional e-mail
email address. After all, the purpose of such an e-mail address is the continuity of the
service(provision). Finally, the Disputes Chamber once again points out that the complainant does not have
made plausible that after the termination of the employment there are still matters concerning him
personal data would have arrived in the e-mail box.
IV. Publication of the decision
65. Given the importance of transparency with regard to decision-making by the
Litigation Chamber, this decision will be published on the website of the
Data Protection Authority. However, it is not necessary for the
identification data of the parties are disclosed directly.
FOR THESE REASONS,
the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:
- on the basis of article 100, §1, 5°, to reprimand the defendant for not doing so in time
sufficient proof of the manifestly excessive or unfounded character of the
request for inspection, which constitutes a violation of Article 12, paragraph 5 GDPR.
- to dismiss all other grievances pursuant to Article 100, §1, 1° WOG. Decision on the substance 40/2023 – 16/16
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the
notification against this decision may be appealed to the Marktenhof (court of
Brussels appeal), with the Data Protection Authority as defendant.
Such an appeal may be made by means of an inter partes petition
must contain the information listed in Article 1034ter of the Judicial Code . It 4
a contradictory petition must be submitted to the Registry of the Market Court
5
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit
IT system of Justice (Article 32ter of the Ger.W.).
(get). Hielke HIJMANS
Chairman of the Litigation Chamber
4
The petition states under penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
enterprise number;
3° the surname, first name, place of residence and, if applicable, the capacity of the person to be
summoned;
4° the object and brief summary of the means of the claim;
5° the court before which the action is brought;
6° the signature of the applicant or his lawyer.
5 The petition with its appendix, in as many copies as there are parties involved, will be sent by registered letter
sent to the clerk of the court or deposited at the clerk's office.
