APD/GBA (Belgium) - 40/2023: Difference between revisions

From GDPRhub
No edit summary
(Added a little comment)
 
(9 intermediate revisions by 4 users not shown)
Line 73: Line 73:
}}
}}


<u>'''TO BE UPDATED'''</u>
The Belgian DPA held that an employer violated [[Article 12 GDPR#5|Article 12(5) GDPR]] when refusing to comply with an access request of a former employee. Although the refusal was justified, the controller should have communicated a more detailed motivation for the refusal.
 
The Belgian DPA determined that an employer violated [[Article 12 GDPR#3|Article 12(5) GDPR]] when refusing to comply with an access request of a former employee.  
 
== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
<u>'''TO BE UPDATED'''</u>
The data subject was a former employee of the controller, an organisation which supported adult persons with a disability. For his job, he used a work e-mail for about 8 years, occasionally also for private e-mails. This e-mail did not contain any direct identifiers referring to the data subject.  
 
The data subject used to be an employee of the controller, an organisation which supported adult persons with a disability. For his job, he used an e-mail that he occassionally used for sending and receiving private e-mails as well.
 
On 15 September 2020, the data subject was fired. '''(48)''' After the controller fired the data subject, the controller revoked all access to the email by changing passwords. The user account was also deleted. ('''62).'''


On 25 May 2021, the data subject filed an access request at the controller. '''(1)''' He requested documents from his employement file and he wanted to get information on what happened with the email after he had been fired. ('''48)''' 
On 15 September 2020, the data subject was fired. The controller revoked the data subject's access to the e-mail by changing the password and deleting the user account. On 25 May 2021, the data subject filed an access request with the controller. He requested the personal data in the email mailbox and documents from his employment file. He also wanted to get information on what happened with the e-mail after he had been fired.  


On 10 June 2022, the controller informed the data subject that it would use the possibilillity in [[Article 12 GDPR#3|Article 12(3) GDPR]] to extent the deadline for replying with two months. '''(1)'''
On 10 June 2022, the controller informed the data subject that it would use the possibility in [[Article 12 GDPR#3|Article 12(3) GDPR]] to extend the deadline for replying with two months, due to the complexity of the request. On 24 August 2020, the controller provided its answer to the access request. However, according to the data subject, the controller's answer was not sufficient.


On 24 August 2020, the controller provided its answer to the access request by providing several documents. '''(1)''' However, according to the data subject, the controller did not provide answers to all the questions.  
On 22 February 2022, the data subject filed a complaint against the controller with the Belgian DPA concerning the personal data in the mailbox (and not other personal data or documents in his employment file). During the proceedings, it became clear that after 4 January 2018, the e-mail address was also used by other employees of the controller. Before this time, the data subject was the only one using this e-mail, and he had sent emails signing them with his personal name.


On 22 February 2022, the data subject filed a complaint against the controller at the Belgian DPA. '''(1)''' In this complaint, the data subject appearently limited the scope of the complaint to personal data in the mailbox, and not to any other personal data or documents, as the data subject had requested in his access request to the controller. '''(19 - 20)''' 
On 18 July 2022, the controller provided several reasons why it did not comply with the access request. Among other reasons, the controller stated that the e-mail did not contain any personal data in the first place. The controller also held that the request of the data subject to search in 8 years of e-mails was excessive. The controller had also refused to provide access in order to protect the rights and freedoms of other data subjects.


On 18 July 2022, the controller clarified its position to the DPA. It provided several reasons why it did not fully comply with the access request. Among other reasons, the controller stated that the data subjects request was in fact not an access request at all. The controller also stated that the e-mail inbox did not contain any personal data in the first place, which was disputed by the data subject. '''(36)''' Additionally, the controller held that the request of the data subject was too excessive, which justified the controller's partial refusal. The controller had also refused to provide access to protect the rights and freedoms of other data subjects'''. (8) - (51)'''
Also, according to the data subject, the controller would only be allowed to further use this email address after the termination of the contract with the consent of the data subject, pursuant to [[Article 6 GDPR#1a|Article 6(1)(a) GDPR.]] The controller disagreed with this argument.   
 
The data subject and the controller agreed on the fact that there had not been any written agreement between them that the work email could not be used for sending and receiving private e-mails. However, the controller and the data subject disagreed about the consequences of this ommisision. The controller stated that the use of the work e-mail for private e-mail conversation was not allowed. The data subject disagreed and stated that he was allowed to use his work e-mail for receiving private messages. '''(40)'''
 
Also, the data subject complained that access to the email had been revoked by the controller. According to the data subject, the controller would only be allowed to further use this e-mail address with his consent, pursuant to [[Article 6 GDPR#1a|Article 6(1)(a) GDPR.]] The controller disagreed with this argument.   


=== Holding ===
=== Holding ===
<u>'''TO BE UPDATED'''</u>
''First'', The DPA limited the scope of the access request to the data subject's work e-mail and the connected mailbox, since the data subject initial complaint to the DPA did not contain any reference to any other personal data or documents outside the e-mail mailbox.  
 
The DPA limited the scope of the access request to the data subjects work e-mail and the connected mailbox, since the data subject initial complaint to the DPA did not contain any reference request for any other personal data or documents outside of the e-mail mailbox. '''(19-20)''' The fact that the original access request was not limited to the email alone was appearently of no consequence for the scope of the proceedings. 
 
'''E-mail address = personal data? (29 – 35)'''     
 
The DPA first assessed if the email itself was personal data pursuant to [[Article 4 GDPR#1|Article 4(1) GDPR]]. Considering the fact that this was a work e-mail and not a personal e-mail, it contained no identifiers, such as a name, that would make the data subject directly identiffiable. Therefore, the DPA held that it was necessary to determine if this working e-mail contained any indirect identifiers. The DPA held that it was necessary to make a distinction between the situation from the date the email was first used until 4 January 2018 and the situation after 4 January 2018. (WHAT IS THIS DATE?) 
 
The DPA concluded that before 4 January 2018, the email address constituted personal data. The data subject claimed that he had been the only person using thIS e-mail and the controller had not been able to prove otherwise. However, after 4 January 2018, the e-mail address was no personal data anymore according to the DPA, since the controller was able to prove that the email address was used by multiple employees after 4 January 2018. '''(33-35)''' Therefore, the email itself was only personal data until 4 January 2018. 
 
'''Personal data in the inbox? (36 – 42)'''


The DPA held that a distinction had to be made between personal data processed in the data subject's proffessional capacity and personal data processed outside the proffessional capacity, such as in the supossed private e-mails. '''(38)''' According to the DPA, there was no doubt that there was personal data of the data subject in the mailbox when he had acted in his professional capacity. '''(39)''' With regard to the personal data outside the proffessional capacity, the DPA held that the data subject was allowed to use his work e-mail occassionally to sent and receive private emails. However, due to a lack of evidence provided by the data subject, the DPA was unable to to determine if there even were private emails of the data subject in the mailbbox. '''(41).''' Due to this lack of evidence, there was only personal data in the inbox in relation with the professional capacity of the data subject.  
''Second,'' The DPA assessed if the '''''e-mail address itself was personal data''''' pursuant to [[Article 4 GDPR#1|Article 4(1) GDPR]]. Considering the fact that this was a work e-mail and not a personal e-mail, it contained no identifiers, such as a name, that would make the data subject directly identifiable. The email was connected to the service, not to a person. Therefore, the DPA held that it was necessary to determine if this work e-mail contained any indirect identifiers. The DPA held that it was necessary to make a distinction between the situation prior to 4 January 2018 and the situation after..  


'''Right to access (43 – 65).'''
The DPA concluded that before 4 January 2018, the e-mail address constituted personal data. The data subject claimed that he had been the only person using this e-mail, and the controller had not been able to prove otherwise. Considering the fact that the data subject had been the only one using the e-mail and signed his emails using his personal name, it was possible for recipients to identify the data subject as the administrator of the e-mail over time. However, after 4 January 2018, the e-mail address was not personal data any more, since the controller was able to prove that the e-mail address was used by multiple employees after 4 January 2018. Therefore, the e-mail itself was only personal data <u>''until''</u> 4 January 2018. 


The DPA stated that the matter of what happened with the mailbox at what time could not be seen as an access request pursuant to [[Article 15 GDPR]]. The DPA also held that the request concerned all personal data, also the personal data which could potentially be in the inbox. '''(52)'''  
''Third'', the DPA answered the question '''''if there was any personal data in the mailbox itself.''''' The DPA held that a distinction had to be made between personal data processed in the data subject's professional capacity and personal data processed outside the professional capacity, in this case, in the supposed private e-mails. According to the DPA, there was no doubt that there was personal data of the data subject in the mailbox from the time he had acted in his professional capacity. With regard to the personal data outside the professional capacity, the DPA held that the data subject did not provide sufficient evidence to prove the existence of private emails in the mailbox. Due to this lack of evidence, the DPA only acknowledged the ''existence of personal data in relation with the professional capacity.''  


The DPA then assessed the different arguments made by the controller to refuse the access request. The DPA disagreed with the first argument of the controller, stating that there was deffenitly personal data of the data subject in the proffesional mails in the inbox. '''(54 - 55)''' The second argument of the controller was that the refusal was still justified looking at both the proportionallity principle and the protection of rights and freedoms of others. In this regard, the DPA stated that [[Article 12 GDPR#5|Article 12(5) GDPR]] requires the controller to prove that the request was manifestly unfounded and excessive. The controller did not do this in its reply to the data subject. The fact that the controller later provided some elements that supported the refusal to the DPA did not mitigate this fact. The controller should have provided these elements directly to the data subject. '''(59).''' Therefore, the controller had violated [[Article 12 GDPR#5|Article 12(5) GDPR]]. '''(61)'''
''Fourth'', the DPA assessed the '''''excessiveness of the request.''''' The DPA did agree with the controller that the access request was indeed excessive. The controller would have had to search through 8 years of e-mails in a work e-mail, which had also been used by other employees after 4 January 2018. There had not even been evidence that there would be private e-mails of the data subject in this mailbox. For these reasons, such private e-mails could not be retrieved with reasonable effort. Also, the mailbox contained a lot of sensitive information concerning other data subjects, including health data of users of the controller's services, which were usually adults with a disability. Therefore, the controller's refusal was justified. However, the DPA stated that [[Article 12 GDPR#5|Article 12(5) GDPR]] required the controller to provide explanation to the data subject on his refusal to respond to the access request. Therefore, the controller had violated [[Article 12 GDPR#5|Article 12(5) GDPR]].


Despite the fact that the controller should have provided its reasons to the data subject, the DPA did agree with the controller that the request was too excessive. The controller would have to search through 8 years of emails in a work email, which had also been used by other employees. There had not even been evidence that there would be private emails of the data subject in this mailbox. Therefore, such private emails could not be retrieved with reasonable effort. Also, the mailbox contained a lot of sensitive information of other data subjects, such as health data of users of the controller's services, which were usually adults with a disabillity. Therefore, the controllers partial refusal to grant acess was justified. ('''60 - 61).''' 
''Lastly'', the DPA held that the controller did not need the data subject's consent to further use the work e-mail. Indeed, it already established that the e-mail address was no longer considered personal data after the termination of the contract. The controller was also allowed to further use this email for the purpose of providing continuity for its service.


Lastly, the DPA held that the controller did not need the data subjects consent to further use the work email, since it already established that the email address was no personal data anymore after the data subject had been fired, and the data subject did not prove that there was his personal data was sent to this email after he was fired. The controller was also allowed to further use this email fro the purpose of providing continuity of its service. ('''64)'''
The DPA warned the controller for the violation of [[Article 12 GDPR#5|Article 12(5) GDPR]] pursuant to Article 100(1)(5) WOG (Law establishing the data protection authority)  


== Comment ==
== Comment ==
''Share your comments here!''
''The decision refers to the rights of the data subjects using the e-mail address after the 4 January 2018. It does however not mention [[Article 15 GDPR|Article 15(4)]] which we think could be relevant in that case. This article states that the right of access should not adversely affect the rights and freedoms of others.''  


== Further Resources ==
== Further Resources ==

Latest revision as of 10:23, 12 April 2023

APD/GBA - 40/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(1) GDPR
Article 12 GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 12(5)(b) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Article 8(1) ECHR
Type: Complaint
Outcome: Partly Upheld
Started: 22.02.2022
Decided: 03.04.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 40/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: APD/GBA (in NL)
Initial Contributor: kv33

The Belgian DPA held that an employer violated Article 12(5) GDPR when refusing to comply with an access request of a former employee. Although the refusal was justified, the controller should have communicated a more detailed motivation for the refusal.

English Summary

Facts

The data subject was a former employee of the controller, an organisation which supported adult persons with a disability. For his job, he used a work e-mail for about 8 years, occasionally also for private e-mails. This e-mail did not contain any direct identifiers referring to the data subject.

On 15 September 2020, the data subject was fired. The controller revoked the data subject's access to the e-mail by changing the password and deleting the user account. On 25 May 2021, the data subject filed an access request with the controller. He requested the personal data in the email mailbox and documents from his employment file. He also wanted to get information on what happened with the e-mail after he had been fired.

On 10 June 2022, the controller informed the data subject that it would use the possibility in Article 12(3) GDPR to extend the deadline for replying with two months, due to the complexity of the request. On 24 August 2020, the controller provided its answer to the access request. However, according to the data subject, the controller's answer was not sufficient.

On 22 February 2022, the data subject filed a complaint against the controller with the Belgian DPA concerning the personal data in the mailbox (and not other personal data or documents in his employment file). During the proceedings, it became clear that after 4 January 2018, the e-mail address was also used by other employees of the controller. Before this time, the data subject was the only one using this e-mail, and he had sent emails signing them with his personal name.

On 18 July 2022, the controller provided several reasons why it did not comply with the access request. Among other reasons, the controller stated that the e-mail did not contain any personal data in the first place. The controller also held that the request of the data subject to search in 8 years of e-mails was excessive. The controller had also refused to provide access in order to protect the rights and freedoms of other data subjects.

Also, according to the data subject, the controller would only be allowed to further use this email address after the termination of the contract with the consent of the data subject, pursuant to Article 6(1)(a) GDPR. The controller disagreed with this argument.

Holding

First, The DPA limited the scope of the access request to the data subject's work e-mail and the connected mailbox, since the data subject initial complaint to the DPA did not contain any reference to any other personal data or documents outside the e-mail mailbox.

Second, The DPA assessed if the e-mail address itself was personal data pursuant to Article 4(1) GDPR. Considering the fact that this was a work e-mail and not a personal e-mail, it contained no identifiers, such as a name, that would make the data subject directly identifiable. The email was connected to the service, not to a person. Therefore, the DPA held that it was necessary to determine if this work e-mail contained any indirect identifiers. The DPA held that it was necessary to make a distinction between the situation prior to 4 January 2018 and the situation after..

The DPA concluded that before 4 January 2018, the e-mail address constituted personal data. The data subject claimed that he had been the only person using this e-mail, and the controller had not been able to prove otherwise. Considering the fact that the data subject had been the only one using the e-mail and signed his emails using his personal name, it was possible for recipients to identify the data subject as the administrator of the e-mail over time. However, after 4 January 2018, the e-mail address was not personal data any more, since the controller was able to prove that the e-mail address was used by multiple employees after 4 January 2018. Therefore, the e-mail itself was only personal data until 4 January 2018.

Third, the DPA answered the question if there was any personal data in the mailbox itself. The DPA held that a distinction had to be made between personal data processed in the data subject's professional capacity and personal data processed outside the professional capacity, in this case, in the supposed private e-mails. According to the DPA, there was no doubt that there was personal data of the data subject in the mailbox from the time he had acted in his professional capacity. With regard to the personal data outside the professional capacity, the DPA held that the data subject did not provide sufficient evidence to prove the existence of private emails in the mailbox. Due to this lack of evidence, the DPA only acknowledged the existence of personal data in relation with the professional capacity.

Fourth, the DPA assessed the excessiveness of the request. The DPA did agree with the controller that the access request was indeed excessive. The controller would have had to search through 8 years of e-mails in a work e-mail, which had also been used by other employees after 4 January 2018. There had not even been evidence that there would be private e-mails of the data subject in this mailbox. For these reasons, such private e-mails could not be retrieved with reasonable effort. Also, the mailbox contained a lot of sensitive information concerning other data subjects, including health data of users of the controller's services, which were usually adults with a disability. Therefore, the controller's refusal was justified. However, the DPA stated that Article 12(5) GDPR required the controller to provide explanation to the data subject on his refusal to respond to the access request. Therefore, the controller had violated Article 12(5) GDPR.

Lastly, the DPA held that the controller did not need the data subject's consent to further use the work e-mail. Indeed, it already established that the e-mail address was no longer considered personal data after the termination of the contract. The controller was also allowed to further use this email for the purpose of providing continuity for its service.

The DPA warned the controller for the violation of Article 12(5) GDPR pursuant to Article 100(1)(5) WOG (Law establishing the data protection authority)

Comment

The decision refers to the rights of the data subjects using the e-mail address after the 4 January 2018. It does however not mention Article 15(4) which we think could be relevant in that case. This article states that the right of access should not adversely affect the rights and freedoms of others.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/16







                                                                          Litigation room


                                         Decision on the substance 40/2023 of 3 April 2023



File number : DOS-2022-01387


Subject: Refusal to inspect personal data after termination of employment




The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke
Hijmans, chairman, and Messrs. Dirk Van Der Kelen and Jelle Stassijns, members;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data and revocation of
Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;


Having regard to the law of 3 December 2017 establishing the Data Protection Authority,

hereafter WOG;


Having regard to the rules of internal order, as approved by the Chamber of
Representatives on 20 December 2018 and published in the Belgian Official Gazette on

January 15, 2019;


Having regard to the documents in the file;


Made the following decision regarding:



The complainant: Mr X, represented by Maarten Verhaghe,

                   with offices at Kortrijksesteenweg 546, 9000 Ghent, hereinafter referred to as “the complainant”;


The defendant: Y, represented by Meester Sara Torrekes, with office at 8790

                   Waregem, Jozef Duthoystraat 112, hereinafter referred to as “the defendant”. Decision on the substance 40/2023 – 2/16


I. Factual Procedure


 1. On 22 February 2022, the complainant submits a complaint to the Data Protection Authority

       against the defendant.

       The complainant worked for 13 years at the defendant, an autonomous association

       with as activity the support and guidance of adults with a

       limit. The complainant was (jointly) responsible for the studio operations of the

       defendant. In the context of the performance of this position, the complainant has during a
       used the e-mail address […] for a period of (at least) 8 years. On September 15, 2020, the

       employment of the complainant terminated. On May 25, 2021, the complainant submitted a request for

       inspection/more information addressed to the defendant. Considering the complexity and size

       of the request, the defendant informed the complainant on 10 June 2022 of the

       extension by 2 months of the deadline for providing information about the consequence

       given to the request. The defendant has its answer on 24 August 2022
       transferred to the right of access.


 2. On March 30, 2022, the complaint will be declared admissible by the First Line Service on the basis

       of Articles 58 and 60 WOG and the complaint is dismissed pursuant to Article 62, § 1 WOG
       submitted to the Disputes Chamber.


 3. On 4 May 2022, the Litigation Chamber shall, in accordance with Article 58(2)(c) of the

       GDPR and Article 95, paragraph 1, 5° WOG the decision 67/2022 with regard to the defendant and
       orders her, before a decision is taken on the merits, to hear within one month

       to the request of the complainant to exercise his right of access (Article 15, par

       1 GDPR). The result of this decision must be brought to the attention of the Litigation Chamber

       be submitted, together with supporting documents, within one month from the date of the

       notification of the decision.

 4. On 24 May 2022, the defendant requests a hearing on the merits of the case and

       she requests a copy of the file (article 95, § 2, 3° WOG), which was sent to her

       transferred on June 1, 2022

 5. On 1 June 2022, the parties concerned will be notified by registered mail

       of the provisions as stated in Article 95, § 2, as well as of these in Article 98 of the WOG.

       they are informed of the time limits for their

       to file defenses.

       The deadline for receipt of the statement of defense from the defendant will be

       recorded on 13 July 2022, those for the complainant's reply on 3 August

       2022 and finally those for the defendant's statement of reply on 24 August
       2022. Decision on the substance 40/2023 – 3/16


6. On June 13, 2022, the defendant will electronically accept all communications regarding the case,

     it indicates that it wishes to make use of the opportunity to be heard

     in accordance with Article 98 WOG, and requests an extension of the deadlines for conclusion.

7. On June 13, 2022, the complainant electronically accepts all communication regarding the case

     to know that he wishes to make use of the opportunity to be heard

     in accordance with Article 98 WOG and confirms the request for extension of the

     deadlines of the defendant. The deadlines are determined as follows:

     The deadline for receipt of the statement of defense from the defendant will be

     recorded on 24 July 2022, this for the conclusion of the complainant's reply on 24 August

     2022 and finally those for the statement of defense of the defendant on 24 September

     2022.

8. On 18 July 2022, the Disputes Chamber received the statement of defense from the

     defendant.In principle, the defendant raises that the writing dated.25 May 2021 of the

     complainant does not request access to personal data relating to (the mailbox

     associated with) the e-mail address in question. In a subordinate order, the
     the defendant that the e-mail address in question does not contain any personal data of the complainant

     contains. In a more subordinate order, the defendant argues that the refusal to inspect

     justified in view of the excessive nature of the request and the protection

     of the rights and freedoms of others.

9. On August 24, 2022, the Disputes Chamber receives the request from both parties for the

     deadlines to adjust so that the final date for receipt of the conclusion

     The complainant's reply is set for August 31, 2022 and this before the conclusion of

     reply of the defendant on 29 September 2022. The Litigation Chamber confirms this

     extension on August 26, 2022.

10. On August 31, 2022, the Disputes Chamber receives the request from both parties for the

     deadlines to extend once again, thereby extending the final date for receipt of

     the statement of reply of the complainant is set for September 5, 2022 and the conclusion

     of the defendant's rejoinder on 4 October 2022. On 31 August 2022, the

     Litigation Chamber has extended these deadlines and emphasizes that no further extension will be made
     be allowed.


11. On 5 September 2022, the Disputes Chamber will receive the statement of reply from the complainant.

     The complainant argues that the letter dd. May 25, 2021 indeed a request for inspection
     pursuant to Article 15 GDPR and that the e-mail address, contrary to what the

     the defendant raises, does constitute his personal data. The complainant also argues that

     request for access not only relates to the e-mail address itself, but also to other Substance decision 40/2023 – 4/16


       personal data. Finally, the complainant argues that the refusal of access is not

       is justified.

 12. On 4 October 2022, the Disputes Chamber will receive the statement of rejoinder from the

       defendant. In these conclusions, the defendant reiterates its arguments

       conclusions of reply and adds that the letter dd. May 25, 2021 of the

       the complainant did not relate to various personal data other than the e-mail address

       connected mailbox.

 13. On 26 January 2023, the parties will be notified that the hearing will

       take place on March 13, 2023.

 14. On March 13, 2023, the parties will be heard by the Disputes Chamber.


 15. On 15 March 2023, the minutes of the hearing will be submitted to the parties.

 16. On March 20, 2023, the Disputes Chamber will receive some from the defendant

       remarks with regard to the official report which it decides to include in

       her deliberation.

 17. The Disputes Chamber does not receive any comments regarding the official report

       because of the complainant.

II. Motivation


    II.1. Object of the procedure


 18. Based on the conclusions and the hearing, the Disputes Chamber establishes that the parties

       disagree on the scope of the subject-matter of this proceeding. The complainant raises

       that the complaint and therefore the procedure relates to the request for inspection with
       regarding all requested personal data and documents, as well

       formulated in writing dd. May 25, 2021. The defendant argues that the complaint only

       relates to the e-mail address and the associated mailbox. Both parties

       explained their position on this at the hearing.

 19. The Disputes Chamber states that the letter dd. May 25, 2021 is broadly formulated, whereby

       on the one hand, you are asked to inspect all personal data, and on the other hand

       various specific documents are mentioned which the complainant wishes to inspect

       to acquire. The defendant has formulated a reply to this letter and

       various requested documents in its possession. The complainant found
       this answer is insufficient and has filed a complaint with the GBA. referred to in this complaint

       the complainant only to the e-mail address and the connected mailbox. There is no reference,

       also not as an example, to other documents that the complainant wishes to obtain, but not

       received after the defendant's letter of reply. The Litigation Chamber upholds Decision 40/2023 – 5/16


      therefore established that the complaint is thus aimed at obtaining personal data contained in

      the mailbox.

20. The Litigation Chamber therefore concludes that these proceedings only concern

      the right to inspect the mailbox [… ] and the associated mailbox.



   II.2. Definition of personal data


       II.2.1. Position of the complainant


21. In his conclusions, the complainant argues that during a period of 13 years
      was employed by the defendant as responsible for the studio operations. During the day

      and with a view to the performance of his duties, the complainant always has the e-mail address

      […] used for both professional and personal purposes. The complainant argues that

      this e-mail address was only used by him, during a period of 8 years until the

      end of his employment. The complainant also states that the general e-mail address of

      the defendant is […] and not […].

22. Consequently, the complainant concludes that the e-mail address is his personal data and contains the

      mailbox also various personal data from him.

23. The complainant also refers to Commission Recommendation 8/2012 of 2 May 2012

      for the protection of privacy (hereinafter: CPP) and decisions 29

      September 2020 and December 2, 2021 of the Litigation Chamber regarding the management of

      the mailbox of an employee who leaves the company and the application of essential

      principles within the GDPR such as purpose limitation, lawfulness, minimal data processing
      and storage limitation by the employer. After all, the complainant never has permission

      given for further use of the mailbox after his departure. The defendant, according to the

      complainant has not acted in accordance with this Recommendation and previous decisions of the

      Litigation room.

       II.2.2. Defendant's position


24. The defendant disputes the complainant's assertion. She states that the e-mail address […] no

      personal data of the complainant and that the mailbox linked to it does not contain any

      contains personal data relating to the complainant. Nor are they in use

      of the mailbox processes personal data relating to the complainant. The email address concerns

      after all, a purely functional e-mail address that belongs exclusively to it and that by it
      employees, including the complainant, can and may only do so for professional purposes

      being used.


25. In its conclusions, the defendant notes that, contrary to what is stated in the

      conclusions of the complainant, this e-mail address at the time of his employment was used by Decision on the substance 40/2023 – 6/16


     several employees, such as colleague Z in particular. This is apparent from communication that the

     the complainant himself sent during his employment, whereby the complainant himself on the one hand

     insisted on using generic email addresses instead of personalized email

     email addresses and on the other hand asked to grant this colleague access to the email address
     in question. In this context, the defendant sends an email dd. January 4, 2018 about in which the

     the complainant asks that e-mails from a colleague be routed to the mailbox so that they can be sent as quickly as possible

     share the same mailbox.


26. The defendant argues that the complainant does not demonstrate or plausible in any way
     means that (the mailbox linked to) the e-mail address would contain personal data

     that pertain to him. The defendant submits witness statements that allege

     that the email address was a professional shared email address in which several

     supervisors had a view and that was not used for private purposes. This

     testimonials also state that, if after the departure of the complainant a

     personal mail have been received for him, quod non, it would have been forwarded to him.

27. In addition, it should be noted that the absence of an ICT policy and/or

     written ban on the private use of an e-mail address, obviously not just like that

     can be deduced that the e-mail address concerned in practice for both professional

     can be used asprivate purposes.ThereferenceofthebearertotheRecommendation
     02/2012 and to the previous decisions of the Litigation Chamber is not relevant according to the

     defendant. This Recommendation and decisions relate to the use of a

     e-mail address in which the name and first name of the person concerned are stated. The email address

     with mailbox therefore did not contain any personal data of the complainant, concludes the

     defendant.

      II.2.3. Review by the Litigation Chamber


28. The Disputes Chamber will first judge whether the e-mail address […] is personal data of the

     complainant and then about the personal data contained in the mailbox.

          II.2.3.1. Email address as personal data


29. Article 4, 1 GDPR defines personal data as follows:


     any information about an identified or identifiable natural person ("de
     data subject”); an identifiable natural person is considered to be directly or

     can be identified indirectly, in particular by means of an identifier such as a

     name, an identification number, location data, an online identifier or one or more

     elements characteristic of the physical, physiological, genetic,

     psychological, economic, cultural or social identity of that natural person. Decision on the substance 40/2023 – 7/16


 30. There are 4 elements in the definition of personal data:

       1) relate to

       2) an identified or

       3) identifiable

       4) natural person.

 31. If there is to be personal data, the data must, in principle, relate

       have on a natural person. Data refers only to a natural

       person when identified or identifiable. A person is

       identified when it is unique from all other individuals within a group

       is distinguished. A person is identifiable when it has not yet been identified,
       but it can be done without disproportionate effort.


 32. The Disputes Chamber has confirmed on several occasions that an e-mail address containing the

       data subject his/her first and last name, i.e. direct identifiers, a
                                                                 1
       personal data within the meaning of Article 4, 1) GDPR. In the present case it concerns
       however, a functional e-mail address, namely […] The e-mail address is thus linked to one

       service, in this case the studio operation, and not to a person. The question arises or something like that

       functional e-mail address can also constitute personal data on the basis of indirect

       identifiers.The extent to which certain (indirect) identifiers are sufficient to

       identification depends on the context of the specific situation. The

       Litigation Chamber finds that a distinction must be made between the e-

       email address in the period from the first use until January 4, 2018 and the period thereafter.

       Period before January 4, 2018


 33. The complainant claims in its conclusions that he was the only user of the e-mail address.
       Since the defendant does not adduce any evidence that other persons

       used the email address in the period up to January 4, 2018, the

       Litigation Chamber determined that the e-mail address was used and managed exclusively by the

       complainant, as (co-)responsible for the studio activities. While exercising

       tasks, the complainant has always sent and signed e-mails with his name as (co-

       responsible for the studio. The people who sent emails to and received emails from

       this e-mail address in question could, certainly over time, identify the complainant as the
       administrator of the e-mail address. The complainant was therefore indirectly identifiable to third parties by

       using the email address as described above.


 34. In view of the above, the Disputes Chamber therefore concludes that the functional e-

       e-mail address has not been used for the purpose of linking it to the person




1
 See, among others, decision 133/2021 of 2 December 2021 and decision 64/2020 of 20 September 2020. Decision on the merits 40/2023 – 8/16


       of the complainant, but that this was the result because of the exclusive use of it

       the complainer. Consequently, the e-mail address for that period constitutes his personal data.


       Period from January 4, 2018

 35. However, in the period from 4 January 2018, the defendant demonstrates that the e-mail address

       was also used by (at least) the other co-responsible person of the

       studio operation in function of the operation of the service. The purpose of a functional e-

       After all, the mail address is to ensure the continuity of the service, for example when a

       employee is no longer employed within that service. As soon as the co-responsible person

       and other facilitators used the e-mail address and also e-mails in their own
       name as an employee of the atelier, the complainant was no longer indirect

       identifiable. After all, a sender of an e-mail could not know which of the

       employees would handle his mail, even if he addressed the complainant personally

       in his email. The Disputes Chamber therefore rules that from 4 January 2018 the e-mail address

       no longer constitutes personal data of the complainant.

            II.2.3.2. Personal data in the mailbox


 36. The defendant argues that there are no personal data in the mailbox since

       it was not allowed to use the e-mail address for non-professionals

       purposes. This is disputed by the complainant. The complainant claims that there are personal data

       in the mailbox and points out that there is no policy on the use of

       the professional email address.

 37. The Disputes Chamber points out in this regard that the concept of "personal data" includes all

       types of information includes: private (intimate), public, professional or commercial

       information, objective or subjective information. In the Nowak judgment, the Court of

       Justice of the European Union (hereinafter: CJEU) clearly that the concept of "personal data"

       includes both data arising from objective, verifiable and arguable

       elements such as subjective data that provide an evaluation or judgment about the data subject

       contain. Consequently, the Litigation Chamber concludes that the fact that a functional e-mail

       e-mail address does not constitute personal data in the sense of article 4, 1) GDPR, does not prevent that
       personal data of the complainant may be present in the mailbox.


 38. The Disputes Chamber argues that in this case a distinction must be made between

       on the one hand, the personal data of the complainant that were processed in the professional

       context and, on the other hand, personal data that were processed outside the professional

       context of his then capacity as an employee of the defendant (private emails).





2 CJEU, 20 December 2017, C-434/16, Nowak, ECLI:EU:C:2017:994. Decision on the substance 40/2023 – 9/16


39. On the basis of the above, the Litigation Chamber concludes that there can be no doubt

     exist that personal data in the professional context of the complainant is contained in the

     mailbox, such as a registration for a course.

40. With regard to private emails, it is acknowledged by the parties that there is no explicit written

     prohibition on using the professional e-mail address for private purposes

     was applicable. However, the parties do not agree on the consequences

     result. The complainant states that it was thus permitted to send private e-mails and

     to be received with the professional e-mail address. The defendant, on the other hand, points out that
     the lack of such prohibition or ICT policy in that sense does not simply mean it

     concerned e-mail address can be used for both professional and private purposes.


41. The Disputes Chamber refers in this context to the case law of the European Court of Justice

     Human Rights (hereinafter: ECtHR). The ECtHR has ruled that the term
     “private life” should be interpreted broadly. For example, it includes the right to it

     establishing and developing relationships with other people and the right to identity and

     personal development. In particular, the ECtHR has ruled that emails sent from

     the work will be sent prima facie under the notions of private life and correspondence

     within the meaning of Article 8(1) of the European Convention on Human Rights

     by analogy with its earlier position that this is also the case for
     telephone calls from business premises. However, this broad reading does not mean that every

     activity that a person would like to engage in with other people in order to establish relationships

     delivery is protected. The Disputes Chamber is therefore of the opinion that the complainant, in view of

     to the right to protection of private life, could occasionally send private e-mails

     received at the professional e-mail address, partly because he did not have one

     professional email address in name and since no (written) policy on this
     was communicated. However, this private use should be limited to occasional use

     usage. However, the Disputes Chamber reads in the conclusions of the complainant that during 8

     would have sent and received many private e-mails over the years, but at the same time notes that

     he does not provide any evidence in this regard. The Disputes Chamber can therefore not

     determine that such private e-mails date from the period of the complainant's employment

     the mailbox would be present.

42. The defendant argues that there are no private e-mails after the termination of the employment

     arrived for the complainant and substantiates this by various witness statements. During the day

     the hearing has asked the Disputes Chamber to the counsel of the complainant about

     what kind of private emails it would involve in this case. This stated that it concerned private e-mail
     e-mails from friends and acquaintances. However, the Litigation Chamber cannot depart from the claims,

     nor establish from the hearing that there are indications that there are indeed 40/2023 – 10/16


     private e-mails have been received at the e-mail address in question after the termination of the

     employment with the defendant.

   II.3. Right of access (Article 15 GDPR)


43. In accordance with Article 58(2)(c) of the GDPR and Article 95(1)(5) WOG, the

     Litigation Chamber has taken the decision 67/2022 with regard to the defendant and

     ordered her to be heard within one month before a substantive decision is taken

     to the request of the complainant to exercise his right of access (Article 15, par

     1 GDPR). Having regard to the request of the defendant to deal with the substance of the case and
     the arguments set out by the parties are taken by the Litigation Chamber in this regard

     a new decision.


44. According to Article 15(1) of the GDPR, the data subject has the right to obtain from the

     to obtain a definite answer from the controller as to whether or not he is being processed
     regarding personal data. If that is the case, the data subject has the right to

     obtain access to those personal data and information listed in Article 15(1a)-h) of

     the GDPR is stated, such as the purpose of the processing of the data and the

     any recipients of the data, as well as information about its existence

     rights, including the right to request rectification or erasure of its data, or to

     submit a complaint to the GBA.

45. Pursuant to Article 15(3) of the GDPR, the data subject also has the right to obtain a

     obtain a copy of the personal data that are the object of the processing.

46. Article 12 of the GDPR on the way in which data subjects can exercise their rights,

     provides that the controller shall prevent the exercise of those rights by the

     the data subject (article 12, paragraph 2 of the GDPR) must facilitate, and in any case inform him without delay

     must provide information about the

     measures taken in response to his request (Article 12(3) of the GDPR).
     If the controller does not intend to comply with the request, it must

     communicate his refusal within one month, and inform the person concerned about the

     possibility to appeal against that refusal to the supervisory authority

     for data protection (Article 12 (4) of the GDPR).

47. The Disputes Chamber finds that on 25 May 2021 the complainant received the notification and/or inspection

     requested by letter below. Decision on the substance 40/2023 – 11/16




































48. The complainant also requests copies of several documents from its

     personnel file and adds that he would also like to have known what happened when

     happened to his work mailbox […] after his dismissal.

49. On 10 June 2021, the defendant notified the complainant by registered letter of the

     extension of the deadline for providing information about the consequence to it

     request is given, with two months, in accordance with Article 12 (3) GDPR. On 24

     August 2021, the defendant will forward and light various requested documents

     to the complainant why other documents cannot be submitted, either
     because they do not exist, or because the defendant is not the controller

     is.


50. In his complaint to the GBA, the complainant denounces that he does not have access to the data

     received in the emails in his work mailbox.

51. In its conclusions, the defendant argues that this initial application dated. May 25, 2021 none

     request for access to personal data in accordance with Article 15 GDPR

     until (the mailbox linked to) contains the email address […]. The complainant asks, according to the

     defendant with regard to the email address just what happened when
     work mailbox. The defendant replied that the access rights of the e-

     email address and password have been changed. The defendant replied

     also that the e-mail address was not personal and therefore does not constitute personal data Decision on the substance 40/2023 – 12/16



       and rejects the complainant's request. In subordinate order, the defendant argues that if

       it would nevertheless constitute personal data, the rejection of the request for access still remains

       would always be justified, in view of the principle of proportionality on the one hand and the

       protection of the rights and freedoms of others on the other.

        II.3.1. Request access regarding the e-mail address and the mailbox


 52. The Disputes Chamber finds that the complainant's question about what to do and when

       mailboxishappenedcannotbequalifiedasarequesttoinspect/notify

       his personal data The request for inspection, however, arises from the first part of the

       letter dd. May 25, 2021 as resumed above (see supra marginal number 47). The GDPR

       after all, does not provide any formal requirements for the request for inspection, and unless stated otherwise,

       a request for access relates to all personal data of the data subject.

       The above request is therefore formulated in accordance with the GDPR and is related

       on all personal data, including those that may be in the mailbox.


 53. The Disputes Chamber also points out in this context that the right of inspection is one of the

       constitutes essential elements of the right to data protection, as such

       included in Article 8 of the Charter of Fundamental Rights of the European Union, and

       that, as is also apparent from the EDPB's guidelines on the right of access, there are limitations
       the exercise of this right is only permitted to a limited extent

       of a data subject to request access of no importance. 3


        II.3.2. Refusal of the right to inspect the mailbox


 54. The complainant argues that the right of access includes several elements, such as getting

       information about whether or not personal data of the complainant is being processed

       such as personal data contained in the mailbox. In its conclusions, the

       the defendant explained the reasons why it refused the right to inspect the mailbox

       has. In principle, the defendant argues that no personal data are present in

       the mailbox (see section II.2.3.2). In the first instance, therefore, the defendant replied to

       request access by stating that there are no personal data in the mailbox

       are located.

 55. In view of the above (see section II.2.3.2), the Litigation Chamber finds that the

       it is unavoidable that personal data of the complainant are present in professional e-mails

       the mailbox.









3 EDPB, Guidelines 01/2022 on data subject rights – right of access, available at
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf Decision on the substance 40/2023 – 13/16


56. In orderly order, the defendant argues that the refusal is still justified

     is, in view of the principle of proportionality on the one hand and the protection of rights and

     freedoms of others on the other hand.

57. The Disputes Chamber points out that the right of access is not absolute. In this context

     the Litigation Chamber refers to Article 12(5)(b) of the GDPR which reads as follows:

     “Providing the information referred to in Articles 13 and 14, and providing

     the communication and the taking of the measures referred to in Articles 15 to 22

     and Article 34 are free of charge. When requests from a data subject are evident

     are unfounded or excessive, in particular because of their repetitive nature, the

     controller or:

     […]

     b) refuse to comply with the request.


     It is up to the controller to correct the manifestly unfounded or excessive

     nature of the request”

58. In its Rijkeboer judgment, the CJEU ruled on the balance that must be struck

     be sought between the right of access of the data subjects and the burden imposed on the

     obligation to comply with that law entails for the
     controller. More specifically, the question was "from when the

     exercise of the right to access information about the past may become lawful

     paralyzed by the erasure of that information. And how long do people need to own it

     of that data are the traces of past actions with that data

     performed, keep". Although the question in this case was how long a

     controller must keep personal data, the reasoning of
     the CJEU should be applied to the present case, given the scope of the request

     of the complainant, that all e-mails concerning him are concerned. The Disputes Chamber points to it

     importance of finding “[…] a fair balance between, on the one hand, the interests of the

     data subject to protect his privacy […] and, on the other hand, the burden that the obligation to that

     information for the controller constitutes". The parameters on the
     based on this balance, the controllers are of course not allowed to

     impose disproportionate obligations and excessive burdens.


59. However, the Litigation Chamber notes that Article 12(5) GDPR requires that the
     controller the manifestly unfounded and excessive nature of the

     request must be demonstrated. In her letter dd. As of August 24, 2021, the defendant does not have this

     done. The defendant does have elements in its statement of defense and rejoinder

     which demonstrate the excessive nature, but this should already have been done

     in the above-mentioned letter to the complainant. Decision on the substance 40/2023 – 14/16


 60. In the present case, the Litigation Chamber finds that searching all e-mails

       concerning the complainant, for at least 8 years, after the moment of termination of the

       employment, would imply a disproportionate workload for the defendant. The
       work mailbox was also used by different people for years. The complainer

       also did not transfer a single document showing that there are private e-mails in the mailbox

       nor does the complainant provide specific e-mail addresses or other parameters

       on the basis of which targeted searches can be made in the mailbox. In his conclusions, the complainant states

       moreover, that no internal instructions indicate that he was obliged to apply any labelling

       to the e-mails that are personal or to classify them in a separate folder.
       Any private e-mails present are therefore not possible with a reasonable effort

       found by the defendant. In addition, the mailbox concerns many sensitive

       information, such as health data about the users of the services of

       defendant, namely adults with a disability, so that not just inspection

       can be granted in all professional emails with personal data of the complainant
       on the basis of the aforementioned elements, the Disputes Chamber concludes that the request for

       access by the complainant is excessive and that the defendant has lawfully refused to

       to follow up on this.

 61. In view of the above, the Disputes Chamber concludes that there is no infringement

       is on Articles 12 (1) – (4) and 15 GDPR, but that there is a violation of

       Article 12 (5) GDPR due to failure to sufficiently demonstrate the apparent in time

       excessive or unfounded nature of the request for inspection by the complainant. That infringement is

       however, not of such a serious nature as to warrant a fine or corrective sanction

       must be imposed. The Disputes Chamber believes that a reprimand can be
       suffice.


III. Access and use of the e-mail address after termination of employment


 62. In its conclusions, the complainant states that the defendant unilaterally controlled access to the mailbox
       denied him. After all, his permissions as a user of the mailbox were deleted

       and then the password was changed. The complainant argues that the defendant

       can only rely on the legal basis of permission to make further use of the

       mailbox after his departure. Since the complainant has not given consent, the

       processing of his personal data is not based on a legal basis from Article 6,

       paragraph 1 GDPR. In this context, the complainant refers to the Recommendation already mentioned above
       02/2021 of the CPP and the aforementioned decisions September 29, 2020 and December 2

       2021 of the Disputes Chamber regarding the use of

       professional resources, such as an email address.

 63. The defendant argues in its conclusions that no personal data of the complainant

       further processed by using the mailbox. After all, it concerns a decision on the merits 40/2023 – 15/16


      functional e-mail address and not a registered e-mail address. The complainant's reference to the

      Recommendation 02/2012 and previous decisions of the Litigation Chamber are not relevant

      according to the defendant. This Recommendation and decisions relate to it
      use of an e-mail address in which the name and first name of the data subject are stated.

      Consequently, the Respondent may lawfully continue to use the email address

      and the mailbox.


    III.1. Review by the Litigation Chamber

 64. The Disputes Chamber states that the e-mail address is indeed a functional e-mail address

      time of termination of the complainant's employment and therefore no

      personal data of the complainant, as a result of which the GDPR does not apply. The

      references to Recommendation 02/2020 of the CPP and the aforementioned decisions

      of the Disputes Chamber are therefore not relevant in this case. During the hearing, the
      explained to the defendant that in the meantime she has started using a different e-mail address

      for the studio operation, which has entailed the necessary problems, considering

      its target audience, adults with disabilities. The Disputes Chamber is of the opinion that

      the defendant could have lawfully continued to use the functional e-mail

      email address. After all, the purpose of such an e-mail address is the continuity of the
      service(provision). Finally, the Disputes Chamber once again points out that the complainant does not have

      made plausible that after the termination of the employment there are still matters concerning him

      personal data would have arrived in the e-mail box.


IV. Publication of the decision

 65. Given the importance of transparency with regard to decision-making by the

      Litigation Chamber, this decision will be published on the website of the

      Data Protection Authority. However, it is not necessary for the

      identification data of the parties are disclosed directly.




    FOR THESE REASONS,


    the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

        - on the basis of article 100, §1, 5°, to reprimand the defendant for not doing so in time

           sufficient proof of the manifestly excessive or unfounded character of the

           request for inspection, which constitutes a violation of Article 12, paragraph 5 GDPR.



        - to dismiss all other grievances pursuant to Article 100, §1, 1° WOG. Decision on the substance 40/2023 – 16/16


Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the

notification against this decision may be appealed to the Marktenhof (court of

Brussels appeal), with the Data Protection Authority as defendant.


Such an appeal may be made by means of an inter partes petition

must contain the information listed in Article 1034ter of the Judicial Code . It 4

a contradictory petition must be submitted to the Registry of the Market Court

                                                                       5
in accordance with article 1034quinquies of the Ger.W. , or via the e-Deposit

IT system of Justice (Article 32ter of the Ger.W.).






         (get). Hielke HIJMANS

         Chairman of the Litigation Chamber









































4
 The petition states under penalty of nullity:
 1° the day, month and year;
 2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
     enterprise number;
 3° the surname, first name, place of residence and, if applicable, the capacity of the person to be

     summoned;
 4° the object and brief summary of the means of the claim;
 5° the court before which the action is brought;
 6° the signature of the applicant or his lawyer.
5 The petition with its appendix, in as many copies as there are parties involved, will be sent by registered letter

sent to the clerk of the court or deposited at the clerk's office.