APD/GBA (Belgium) - 46/2022

From GDPRhub
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR; Article 6(1)(f) GDPR; Article 15 GDPR; Article 17 GDPR; Article 18 GDPR; Article 21 GDPR; Article 28 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.04.2022
Published: 04.04.2022
Fine: 7500 EUR
Parties: Company; Former employee
National Case Number/Name: 46/2022
European Case Law Identifier: n/a
Appeal: Admissible and partially founded; Court of Appeal of Brussels (Belgium); 2022/AR/549
Original Language(s): French
Original Source: APD (in FR)
Initial Contributor: kc

The Belgian DPA issued a €7500 fine against a company for restoring data on a former employee's work laptop after termination and subsequently violating the data subject's rights to access, erasure, restriction and objection. This decision was later annulled by the Court of Appeal and the DPA was also ordered to pay the procedural damages of €1,680.

English Summary

Facts

The data subject is a former managing director of the controller. When the data subject was dismissed, he deleted the data on the work laptop before handing it in to the former employer. According to the data subject, he had only deleted the private data, such as his private e-mail inbox. The controller, however, stated that he had deleted all data. Therefore, the controller restored all data that had previously been on the laptop, including the data subject's personal data. After finding out about the restoration, the data subject tried to exercise his rights to information, deletion and restriction of processing as well as his right to object. However, his requests were not followed by the controller. The controller did not only process the data on its own but also used a processor.

Holding

The Belgian DPA fined the controller €7500 and ordered the controller to comply with the data subject's requests. Because of the numerous shortcomings of the controller, the DPA was of the opinion that such a sanction was necessary even though the controller argued that it was prepared to comply with the data subject's request after the proceedings.

First, it found a breach of Articles 5(1)(a) and 6(1)(f) GDPR due to the partial absence of a legal basis for processing. The processing failed to meet the balancing of interests necessary under Article 6(1)(f) GDPR. It explained that, in case of dismissal, the employer must delete the e-mail addresses when these constitute personal data, after having informed their holders and third parties of the e-mail closing date. This obligation is also intended to allow holders to sort and transfer any private messages to their personal mailbox. If part of the content must be retrieved to ensure the smooth running of the business (as argued by the controller in this case), this must be done before the dismissal and with his or her assistance.

Second, the DPA found a violation of Articles 15 (right to access), 17 (right to erasure), 18 (right to restriction of processing) and 21 (right to object) GDPR. By refusing to act on the data subject's requests, it had substantially violated his rights.

Third, the DPA held that Article 28 GDPR had been violated since the controller did not have a processing agreement with its processor.

Comment

On 29 April 2022 this decision was annulled by the Court of Appeal because the DPA had not sufficiently specified the controller's alleged GDPR infringements. The DPA was also ordered to pay the procedural damages of €1,680.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision on the merits 46/2022 of 1 April 2022





File number: DOS-2020-02892


Subject: Complaint by a former employee against his former employer for the processing of an email box, and refusal to follow up on the request to exercise his rights



The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke Hijmans, chairman, and Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this composition;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;

Having regard to the law of 3 December 2017 establishing the Data Protection Authority (hereinafter ACL);

Having regard to the internal regulations as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on January 15, 2019;

Considering the documents in the file;

Having regard to the hearing of April 12, 2021;

Having regard to the envisaged sanctions form sent to the defendant and its observations,

made the following decision regarding:



The plaintiff: Mr. X, represented by his counsel Mr. Dr. Jan-Henning Strunz, Matray, Matray & Hallet, s.c.r.l, rue des Fories, 2, 4020 Liège, hereinafter “the plaintiff”

The defendant: Y, represented by its counsel, Maître Inger Verhelst and Wouter Van Loon, City Link Posthofbrug 12, 2600 Antwerp as well as Maître Florence Sine, lawyer, Boulevard du Souverain 280, 1160 Auderghem, hereinafter: "the defendant"



I. Facts and procedural history


1. Within the defendant, of which he was the sole shareholder for several years, the plaintiff held the function of Managing Director from October 15, 2004 until May 29, 2019. On this date, the plaintiff resold all of his shares to Z and ceased his functions as director. Z then assigned all of its rights and obligations to the company under Luxembourg law W.

2. The plaintiff was then hired by the defendant as an employee, from May 29, 2019.

3. On November 26, 2019 and December 14, 2019, the plaintiff and the shareholder company W exchanged letters concerning breaches invoked by the two parties with regard to the share transfer agreement.

4. On April 23, 2020, the plaintiff summoned companies Z and W before the French-speaking Court of First Instance in Brussels, before which the dispute is pending. The complainant accuses the defendant of owing him an unpaid balance following the transfer of his shares, while the defendant is claiming compensation from him for the debts of the acquired company. The defendant argues that these breaches are due to the fact that the plaintiff allegedly concealed and truncated certain information when selling shares. The sums at stake are significant, and are the subject of differences between the parties. The plaintiff firmly disputes the alleged breaches, and moreover also brought the defendant before the Turkish courts for defamation, unfair dismissal, and payment of damages (the defendant company is also established in Turkey).

5. The facts giving rise to the complaint to the DPA are as follows. On February 18, 2020, the complainant was dismissed by the defendant. Before handing over his computer equipment following his dismissal, the complainant erased the data on his work laptop. He claims to have erased only his private data (private email boxes), while the defendant argues that he erased all of the mailboxes (both professional and private). The only evidence put forward in this regard consists of two testimonies of employees submitted by the defendant, claiming that all the mailboxes had been erased.

6. The complainant then became aware of the defendant's intention to proceed with the recovery of data previously present on his laptop, and gave formal notice to the defendant, on February 26, 2020, to suspend all processing of his personal data, as long as the information under Article 14 of the GDPR is not provided to him. He also requests the exercise of his right to erasure, limitation of processing, and opposition.




7. On February 28, 2020, the defendant refused to respond to the plaintiff's requests, on the basis of the employment contract that bound them, as well as on the basis of article 6.1.f of the GDPR (legitimate interest) justifying in its view the processing of the complainant's personal data.

8. On March 4, 2020 the plaintiff challenges the legality of the processing by the defendant, in particular concerning his purely private data, as well as professional data prior to June 1, 2019 (period not covered by the employee employment contract on which the defendant, contract dated June 01, 2019).

send him his subcontracting contract with V (having proceeded to the recovery of the data previously present on the complainant's laptop).

9. On March 7, 2020, the defendant refused to suspend processing of the complainant's (professional) personal data prior to June 01, 2019, putting forward its legitimate interest in the continuity of its activities, and in order to verify alleged shortcomings of its manager as a worker.

10. The defendant adds that although for the period prior to June 01, 2019 the complainant was not under an employee contract, he performed management functions and used the laptop in question. It deduces that for data prior to June 01, 2019, the legitimate interest does constitute a lawful basis for processing.

11. The defendant nevertheless also undertakes not to process the private mailboxes of the plaintiff, but only professional boxes.

personal data found during the analysis of the professional mailboxes of the complainant, but refuses to erase them.

12. The defendant also refuses to produce the subcontracting contract, on the grounds that the subcontractor would not have processed personal data by recovering the mailboxes.

13. On March 16, 2020 the complainant informed the defendant that it had no legitimate interest in processing his personal data prior to the last five years, and invites it to limit the period for which it processes his e-mails to the last five years (corresponding to the limitation of the liability of company directors).

14. He also requests the exercise of his right of access to, and to a copy of, all emails processed by the defendant.


15. On April 7, 2020 the defendant refuses to limit the processing of the data to the last five years, on the basis of its legitimate interest in the processing. It adds that the requests for erasure, opposition and limitation cannot be followed either, on the basis of the exception of overriding legitimate reasons (legitimate interest of defense in court, ensuring the continuity of the company's services, and potential questioning of the professional and criminal liability of the plaintiff).

1 Art 2:143 § 1 Code of Companies and Associations.

16. It also accepts the applicant's request for access, but indicates that it cannot comply with it within the legal deadline of one month, but within three months (due to the complexity of the request and circumstances related to the health crisis).

17. On May 25, 2019 the plaintiff disputes the legitimate interest as put forward by the defendant as the basis for lawful processing, arguing that these interests are neither current nor precise, and that it did not carry out the balancing of interests, nor take into account the imbalance between the complainant and itself in the context of their relationship as ex-employee to ex-employer.

18. He also accuses it of violating the principle of minimization, insofar as the data older than five years was not relevant for the purposes pursued.

19. He also criticizes it for having breached the principle of necessity, arguing that other less invasive measures would have enabled the defendant to have the necessary data while safeguarding its interests (a sorting of emails could for example have been carried out by a third party in the presence of the plaintiff, in order to deliver only the relevant emails to the defendant, instead of a complete restoration).

20. The complainant reiterates his requests for the suspension of the processing, as well as for the exercise of his rights to erasure, limitation, opposition (particularly for data dating back more than five years).

21. On June 5, the defendant replied to the plaintiff that it maintained its position as to its legitimate interest in the processing, as well as concerning the absence of obligation to transmit the subcontracting contract with V. It repeats that it will not process the private mailboxes of the complainant nor the emails found in his professional mailboxes coming from these (private) email addresses.

22. On June 15, 2020, the defendant sent the plaintiff a letter containing a list of personal data it holds about him (exhibit 11 from the complainant).

23. On June 16, 2020 the plaintiff informed the defendant of his intention to file a complaint with the Data Protection Authority (hereinafter the DPA), which he does on June 17, 2020.

24. This decision is based on the articles invoked by the complainant. Regarding the grievance of lack of information raised by the applicant, although the latter repeats Article 14 in its conclusions, insofar as the complainant's data was collected within the framework of his employment contract with the defendant and it appears that it is this article which was referred to by the plaintiff in a clumsy wording, the Litigation Chamber considers that Article 13 GDPR applies.




II. As to the reasons for the decision


  II.1. As to the lawfulness of the processing carried out by the controller


25. In its capacity as data controller, the defendant is required to respect the principles of data protection and must be able to demonstrate that these are respected (principle of accountability – article 5.2. of the GDPR) and to implement all the measures necessary for this purpose (Article 24 of the GDPR).

26. Pursuant to Article 5.1.a) of the GDPR, any processing of personal data, whether totally or partially automated, must in particular be fair and lawful. To be lawful, any processing of personal data must in particular find a basis in Article 6 of the GDPR. It is up to the controller to determine what this basis is.

27. In the present case, the recovery by V, subcontractor of the controller, of the data present on the computer equipment (laptop) provided by the plaintiff to the defendant as well as the analysis of the emails contained in the mailboxes recovered constitutes a processing of personal data subject to the application of the GDPR. Contrary to what the defendant maintains, the recovery of the data by the subcontractor SA and the subsequent analysis of the emails retrieved correspond to processing within the meaning of article 4.2 of the GDPR. 2

28. These processing operations must therefore be based on one of the bases of lawfulness listed in Article 6 GDPR.

29. A distinction should be made from the outset between the processing (or recovery) of an employee's private mailbox, and the processing of the professional mailbox. The principle is that an employee's work emails may be handled by their employer. The Litigation Chamber understands, however, that where the same mailbox is used both privately and professionally by the employee who holds it, this distinction can be difficult to make. It should be noted that in principle, an employer cannot freely consult the private emails of its employees, even if it has prohibited the use of company tools for personal purposes. This principle nevertheless has exceptions, within a strict and foreseeable legal framework, 3 such as during pending legal proceedings. In the event of control by the employer, employees must also be informed in advance, in particular of the purposes pursued, the basis for lawfulness of the control processing, the retention period of the data, the right of opposition for legitimate reasons, the right of access and rectification, and the possibility of lodging a complaint with the supervisory authority.

2 Article 4.2 of the GDPR: “processing”: any operation or set of operations, whether or not carried out using automated processes, applied to personal data or sets of personal data, such as the collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, bringing together or interconnection, limitation, erasure or destruction;

3 In accordance in particular with the Bărbulescu case law of the European Court of Human Rights, see points 50 to 53




II.1.1. The arguments put forward by the defendant as to the basis for the lawfulness of the processing carried out


30. The defendant indicates that it is relying on Article 6.1.f) of the GDPR under which the data processing is lawful “if, and insofar as, it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail, in particular when the data subject is a child”.

31. The defendant explains that its legitimate interest in processing the data mentioned above is multiple:

• ensure the continuity of business services

• legal defense: the defendant (its sole shareholder W) must be able to demonstrate in the litigation pending before the courts that the plaintiff did not disclose all the information available to him, and that he disclosed false information in the context of his professional activities (while he was an employee of the controller)

• potential questioning of the complainant's liability in his capacity as former director of the defendant company: according to the defendant, the plaintiff is guilty of several serious breaches. It argues in this regard that "It is therefore not impossible, even if it is naturally not the wish of Y, that the responsibility of Mr. X must be engaged for some of the acts he has committed as an administrator. (…) It is in this context in the legitimate interest of Y to have all the necessary information." 5

• potential filing of a complaint with civil action by the defendant against the plaintiff for breaches described as serious by the defendant: the defendant argues in this regard that “It is in the legitimate interest of the company to be able to file a complaint with civil action if it deems it necessary when the limitation period has not elapsed… Again, Y naturally does not ask the Data Protection Authority to confirm the merits of its point of view, but it is necessary to be able to give Y the opportunity to file such a complaint, and if applicable, document it. Mr X cannot, under cover of the protection of his personal data, be freed from having to answer for his acts because all the data relating to the acts he has committed would have been deleted. It is in Y's legitimate interests to be able to continue to have this information as long as the limitation period has not expired.” 6

• Legitimate interest in documenting the reality in order to be able to counter the allegations of the plaintiff

The Litigation Chamber understands the last four points as integral parts of the legal defense exception, as the legitimate interest on which the defendant relies.

4 In 2019, Mr. X sold all of his shares representing the capital of Y to the German company Z. In 2019, it then resold the shares of Y to the Luxembourg company W, which is currently the shareholder of Y (see additional and summary submissions of the defendant p.2 and 4).

5 Additional conclusions and summary p14.


II.1.2. The arguments put forward by the plaintiff


32. The complainant, for his part, considers that there is no lawful basis for processing on the part of the defendant. He thus affirms the following elements with regard to the interests listed by the defendant:

- ensure the continuity of the company's services: the defendant would only need data for the current year, or even the previous year, but not those of previous years. The defendant could not justify the retention of data prior to 01-01-2017, i.e. two accounting years, 7 insofar as the facts alleged by the defendant against the plaintiff go back to the month of November 2017.

- defense in court: insofar as the courts of the judicial order are seized of the dispute, the DPA should not rule on the merits of the dispute, and should treat the grievances alleged in this context as not established in the absence of testimony

- the plaintiff argues that there is no legitimate interest on the part of the defendant in the data processing, at least not for data older than five years. He considers that only for data more recent than 5 years may the legitimate interest possibly constitute a basis for the lawfulness of the processing due to the pending legal proceedings, but not for older data.

- the other interests put forward by the defendant are vague, not current, and imprecise;

- the defendant did not carry out a balancing of interests in the context of the assessment of legitimate interest: no consideration of the imbalance inherent in the situation of ex-employee and ex-employer between plaintiff and defendant;

- violation of the principle of minimization of data, insofar as the data older than five years are irrelevant;

- violation of the principle of necessity since other less invasive measures could have been envisaged in order to allow the defendant to have the data (for example designation of a third party with whom the defendant could have carried out the analysis of the data together with the complainant).

- potential questioning of the complainant's liability in his capacity as former director of the defendant company: the limitation period for the liability of directors being five years, the legitimate interest cannot justify a processing going beyond this period

6 Additional conclusions and summary p14.

7 Complainant's main conclusions p18-19


II.1.3. Discussion


33. The Litigation Chamber notes that point f) of Article 6.1 of the GDPR refers to a lawful interest pursued by the controller. The processing of personal data must be "necessary for the achievement of the legitimate interest" pursued by the controller.

34. Moreover, recourse to legitimate interest is expressly subject to an additional balancing criterion, which aims to protect the interest and the fundamental rights and freedoms of the persons concerned. In other words, the legitimate interest pursued by the controller must be weighed against the interests or fundamental rights and freedoms of the person concerned, the objective of the balancing being to prevent a disproportionate impact on his rights and freedoms.

35. The interest pursued by the data controller, even if it is legitimate and necessary, can therefore only validly be invoked if the fundamental rights and freedoms of the persons concerned do not prevail over this interest. The Court of Justice of the European Union has clarified that these three conditions – namely the pursuit of a legitimate interest by the controller (a), the necessity of the processing for the achievement of the legitimate interest pursued (b) and the condition that the fundamental rights and freedoms of the persons concerned do not prevail over the interest pursued (c) – are cumulative.

36. In other words, in order to be able to invoke the basis of lawfulness of "legitimate interest" in accordance with Article 6.1.f) of the GDPR, the controller must demonstrate that:

1) the interests it pursues with the processing can be recognized as legitimate (the "finality test");

2) the envisaged processing is necessary to achieve those interests (the “necessity test”);

3) the weighing of these interests against the interests, fundamental freedoms and rights of data subjects weighs in favor of the data controller (the "weighting test").

8 See notably Court of Justice of the European Union (CJEU), Judgment of 11 November 2019 (C-708/18), TK c. Asociația de Proprietari bloc M5A-ScaraA, pronounced under Article 7 f) of Directive 95/46/EC.

37. These principles are also outlined in Opinion 2/2017 on data processing in the workplace of Working Party 29, according to which “the performance of a contract and legitimate interests can sometimes be invoked, provided that the processing is strictly necessary for legitimate purposes and respects the principles of proportionality and subsidiarity;”. 9 Working Party 29 recalls more specifically that: “To invoke Article 7(f) as legal basis for the processing, it is essential that specific mitigation measures be provided in such a way as to strike a fair balance between the employer's legitimate interest and the fundamental freedoms and rights of employees.

should impose limits on surveillance activities in order to avoid any violation of the privacy of the employee. These limits could be:

- geographic (e.g. monitoring only in specific locations; surveillance of sensitive areas such as religious places and, for example, sanitary areas and rest rooms should be prohibited),
- related to data (for example, personal electronic records and communication should not be monitored), and
- temporal (for example, sampling instead of continuous monitoring).” 10

38. While the data controller is initially responsible for assessing whether the conditions set out in Article 6.1.f of the GDPR are met, the legitimacy of the processing may then be subject to another evaluation, and possibly be challenged, among others by data subjects and by the authorities responsible for supervising the protection of data. A case-by-case examination, taking into account the concrete circumstances of each case, will thus allow the Litigation Chamber to conclude as to the lawfulness of processing based on the legitimate interest invoked, as in this case, by the data controller.

39. The processing of personal data must be “necessary for the performance of legitimate interest” pursued by the data controller. This condition of necessity between the processing carried out and the legitimate interest pursued is particularly relevant in the case of Article 6.1.f) of the GDPR in order to ensure that the processing of data based on the legitimate interest does not lead to an overly broad interpretation of the interest in processing data.

40. The defendant relies on several elements to found its legitimate interest, elements which are further analyzed below.

9 Opinion 2/2017 on data processing in the workplace of Working Party 29, p2

10 Ibid, p7




II.1.4. The legitimate interest of the defense in court


 41. Legal defense is a fundamental right enshrined in Article 48 of the Charter of Rights

      fundamentals of the Union. In general, "defence in justice" can indeed be

      considered a lawful legitimate interest in the context of the application of Article 6.1.f. of

      GDPR. In accordance with Article 29 Group Opinion 06/2014 on the notion of legitimate interest,

      this interest must be real and present, or not hypothetical.


 42. The Litigation Chamber finds that this interest constitutes a real and present legitimate interest.

      Indeed, during the processing (retrieval and analysis) by the defendant of the data to

      personalcharacteronthelaptopoftheplaintiff,thedisputebeforethecourtsofthejudicialorder

      between plaintiff and defendant was already .11


 43. Nevertheless, the necessity test must be met, as prescribed by the CJEU (see above). In

      Indeed, for this legitimate interest of "defence in justice" of the defendant to prevail, the

      data processing must be “necessary” for the exercise of this legal defence. He

      would be excessive and contrary to these requirements of necessity and proportionality to accept that

      all previous employers of an employee can, by virtue of this capacity, process all

      personal data relating to this employee, even for defense purposes

      in justice.


 44. In the present case, insofar as the defendant bases its grievances against the plaintiff

      (in the context of the dispute before the courts of the judicial order) on the fact that he would have

      culpably refrained from communicating information (or allegedly communicated

      truncated information), the Litigation Chamber considers that the defendant is justified in

      base on Article 6.1.f of the GDPR in order to be able to support the litigation pending and parallel to this

      procedure, and this only for the data necessary for this purpose.

 45. In the present case, the substantive dispute between the parties has its source in the transfer of the shares
      from the Complainant to the Respondent, dated May 29, 2020. The Complainant submits that the grievances
      of which the defendant accuses him date back to November 2017.
      same and in parallel with his personal data dating back to a period of five years
      could be processed by the defendant on the basis of the legitimate interest related to its defense in
      court. The defendant nevertheless refused to comply with the request of the
      complainant to process only his personal data older than five years. The Litigation
      Chamber follows the complainant in his assertion that a temporal limit should be placed
      on the period of time in which the defendant can rely on the legitimate interest
      of defense in court, which justifies only data processing that is necessary and
      proportionate to the exercise of this defense in court. The time limit of 5 years




   11 See also CNIL thematic sheet, “IT tools at work”,
   https://www.cnil.fr/sites/default/files/atoms/files/_travail-vie_privee_outils_informatiques_travail.pdf

   1Complainant's submissions p 8




     earlier, corresponding to the limitation period for the plaintiff's liability as
     director, should therefore be retained.


46. It remains that this data processing must also (in order to meet the conditions of
     necessity and proportionality) fit in a relevant and proportionate manner with the precisely
     identified purpose of this legitimate interest, namely the defense in court with regard to the dispute
     concerned. It is therefore still necessary to ensure that the requirements of the weighting test are
     met.

47. In this regard, the Litigation Chamber considers that the complainant can be followed in his argument
     that the defendant did not carry out a balancing of interests before proceeding with the processing
     in dispute, insofar as the facts show that it refused the plaintiff's proposal
     not to carry out the complete restoration, but to involve a third party with whom the
     plaintiff could proceed, in the presence of the defendant, to a sorting of the relevant emails. In
     other words, less invasive measures than restoring all the mailboxes of the
     complainant, both private and professional, would have been possible. The defendant
     moreover proceeded, as a first step, to the analysis of all his mailboxes (private and
     professional) despite the opposition of the complainant. It only undertook to stop actively
     processing the complainant's private mailboxes, and not to analyze emails from
     these private mailboxes present in the professional mailboxes, at the complainant's insistence.


48. In its submissions in reply, the defendant argues in this regard that the balance of interests
     to which the complainant refers may be detailed when information is requested.
     According to the defendant, the GDPR does not require, “in its text, to detail for each transaction of
     treatment for which a balance of interests is desired, to document this balance
     of interest". The defendant does not cite any provision on which it would rely to
     justify this assertion. It cannot be followed in this respect, since this balancing of interests
     must at the very least emerge from the history of the exchanges between the parties, which is not
     the case here.


49. The conditions linked to the aforementioned weighting test are therefore not met on the
     part of the defendant.

50. The European Court of Human Rights (ECHR hereafter) has also expressed its opinion on the
     subject of an employer's surveillance of the electronic communications of its employees
     in the case of Barbulescu v. Romania, concerning the decision of a private company to
     terminate an employee's employment contract after monitoring his electronic communications and
     accessing their content.


51. The Court concluded that the Romanian courts failed to verify whether Mr Bărbulescu had been
     previously informed by his employer of the possibility that his communications may be




  1Additional conclusions and summary p16




     monitored. They also failed to take into account the fact that he had not been informed of either the nature
     or the extent of this surveillance, nor, in particular, of the possibility that his employer might
     access the actual content of his messages. Moreover, the national courts did not
     determine, first, what specific reasons had justified the establishment of
     monitoring measures, secondly, whether the employer could have made use of measures less
     intrusive for Mr. Bărbulescu's private life and correspondence and, thirdly, whether access
     to the content of the communications had been possible without his knowledge.14


52. In its Grand Chamber judgment, the ECHR indicates that the Romanian authorities did not
     strike a fair balance between the right to respect for private and family life, the home and
     the correspondence of the complainant and the interests of his former employer, and finds a violation
     of Article 8 of the European Convention on Human Rights.


53. It is clear from this judgment that when an employer takes measures to monitor the
     communications of its employees, these measures must be accompanied by adequate and
     sufficient safeguards against abuse, including the use of the least intrusive measures
     possible (including direct access to the content of employee communications).15


54. In the present case, the Litigation Chamber notes that the defendant rejected the
     proposal by the complainant to carry out an examination of the emails together with a third party, and did not
     propose an alternative measure less intrusive than the processing of all the emails of the
     complainant (and their content). In this way, without further examining the other criteria
     retained by the ECHR to assess whether there has been a balance of interests, the defendant therefore
     fails to comply with the aforementioned ECHR case law.


55. The Litigation Chamber concludes, in view of the foregoing and in accordance with the
     above-mentioned case law of both the CJEU and the ECHR, that the defendant could not
     base the processing of data referred to in the complaint and older than five years on its
     legitimate interest of defense in court, since such processing is not necessary within the
     meaning of Article 6.1.f) of the GDPR. This legitimate interest nevertheless constitutes a basis of lawfulness
     for the complainant's personal data relating to the period prior to five years.


56. For information purposes, the Litigation Chamber points out that it has previously ruled on the
     processing of mailboxes when an employee leaves. It has thus already recalled “that in the event of
     departure from the organization, the employer must delete the e-mail addresses when these
     constitute personal data, after having informed their holders and third parties of the
     closing date of the mailbox. This obligation is also intended to allow






  1Questions and Answers, Grand Chamber Judgment in the case of Bărbulescu v. Romania, (application no. 61496/08)
  15 Case of Bărbulescu v. Romania, application no. 61496/08, 05 September 2017, §136, available via
  https://hudoc.echr.coe.int/fre#{%22itemid%22:[%22001-177083%22]}: “136.
  Court of Appeal did not sufficiently examine the question of whether the aim pursued by the employer could have been
  achieved by less intrusive methods than access to the actual content of the applicant's communications. »



      holders to sort and transfer any private messages to their personal
      mailbox.

           In the same way that the person concerned must be allowed to take back his personal
           effects, he must be allowed to retrieve or delete his electronic communications
           of a private nature before his departure. Similarly, if part of the content of his
           mailbox must be retrieved to ensure the smooth running of the business (as
           advanced by the defendant in this case), this must be done before his departure and in his
           presence. In the event of a contentious situation, the intervention of a trusted person is
           recommended.16 The case of resignation or dismissal or any other form of
           cessation of activity and its consequences should be regulated in an internal Charter
           relating to the use of IT tools. »17

 57. Although, at the initiative of both parties, these principles can no longer be applied in the present
      case, the Litigation Chamber recommends that the defendant set up such a
      Charter to prevent the repetition of similar situations in the future. More generally, the
      Litigation Chamber recommends the establishment of a charter regulating the conditions under which
      an employer can consult the professional mailboxes or monitor the IT tools of its employees,
      which complies with the case-law lessons set out above by offering adequate and
      sufficient guarantees against abuse (in particular by warning employees of possible control
      measures) and respects the principle of proportionality.


II.1.5. As for the legitimate interest linked to the potential questioning of the liability of the
         complainant in his capacity as a former director of a defendant company


 58. The defendant indicates in its pleadings that it reserves the right to invoke the
      liability of the plaintiff for some of the acts (communication of false information)
      that he carried out as administrator of Y.


 59. The Litigation Chamber refers in this respect to recital 47 of the GDPR, which states that the
      processing of personal data strictly necessary for the purposes of preventing
      fraud constitutes a legitimate interest of the data controller concerned.


 60. The Chamber has previously held that, depending on the case, the purpose of preventing abuse
      and fraud may constitute a basis of legitimate interest, in compliance with the triple test of
      the CJEU (see above). In this context, if it is established that the processing of personal data




   16 For several years now, the Commission for the Protection of Privacy, which the APD succeeded, had made
   available to employers a legal notice on its website
   https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/note-juridique-e-mails-employes-absents_0.pdf
   as well as FAQs: https://www.autoriteprotectiondonnees.be/faq-themas/acc%C3%A8s-aux-e-mails-demploy%C3%A9s-absentslicenci%C3%A9s
   relating to this theme of closing e-mail addresses in the event
   of departure/termination of function in particular.
   1Decision 64/2020 of 29 September 2020, points 39-40, pages 12-13
   18 See decision 24/2020 of May 14, 2020




      for this purpose is necessary for the purposes of the legitimate interest of the defendant and that this
      interest prevails over the complainant's interest in the protection of his personal data,
      the processing must be considered to have a basis of lawfulness.


 61. In accordance with this position, in view of the fact that the defendant already accuses the plaintiff, in the
      dispute before the Court of First Instance, of communicating truncated and/or false
      information, the Litigation Chamber considers the potential invocation of the
      liability of the plaintiff in his capacity as a former director to be a legitimate interest on the
      part of the defendant (for the processing of personal data relating to the five
      most recent years only).


II.1.6. As for the legitimate interest linked to the potential filing of a criminal complaint with constitution of
         civil party by the defendant against the plaintiff for breaches that it qualifies
         as serious


 62. The defendant also indicates in its pleadings that it reserves the right to
      file a criminal complaint with civil action against the
      plaintiff for breaches classified as serious (abuse of the company's credit card).


 63. The Litigation Chamber refers in this regard to recital 47 of the GDPR, which states that the
      processing of personal data strictly necessary for the purposes of preventing
      abuse and fraud constitutes a legitimate interest of the controller concerned.


 64. The Chamber has previously held that, depending on the case, the purpose of preventing abuse
      and fraud may constitute a basis of legitimate interest, in compliance with the triple test of
      the CJEU (see above). In this context, if it is established that the processing of personal data
      for this purpose is necessary for the purposes of the legitimate interest of the defendant and that this
      interest prevails over the complainant's interest in the protection of his personal data,
      the processing must be considered to have a basis of lawfulness.


 65. In accordance with this position, in view of the fact that the defendant already accuses the plaintiff, in the
      dispute before the Court of First Instance, of communicating truncated and/or false
      information, and that it also accuses him of misusing the company's credit card
      under his mandate as administrator, the Litigation Chamber considers the potential filing of a
      criminal complaint with civil action by the defendant against the plaintiff for
      breaches qualified as serious to be a legitimate interest on the part of the defendant
      (for the processing relating to the complainant's personal data for the last five
      years only).

II.1.7. Concerning the continuity of the defendant's services


 66. As indicated above, the Complainant may be followed in his reasoning that it is appropriate
      to place a time limit on the period during which the legal defense can establish



   1See Decision 24/2020 of May 14, 2020




     the legitimate interest of the defendant, and thus constitute the basis for the lawfulness of the disputed processing.
     The complainant accepts in his submissions that the need for the defendant to ensure the continuity of its
     services may constitute a basis for the lawfulness of the processing, but only
     for data dating back to two accounting years, i.e. for data
     prior to January 1, 2017.


67. For the sake of consistency, insofar as the limit is placed (by the complainant himself) at the
     last five years for the legitimate interest of the defendant's legal defense, this
     same limit is retained concerning the legitimate interest of the continuity of the services of the
     defendant (instead of the two accounting years, which would reduce the processing period to
     January 1, 2017 as claimed by the complainant).


68. As indicated above, in the absence of a basis of lawfulness, the Litigation Chamber concludes that
     article 5.1.a. of the GDPR combined with article 6 of the GDPR have not been complied with as regards
     the processing of data older than five years. Conversely, with regard to
     personal data of the complainant more recent than five years, the legitimate interest constitutes
     a basis of lawfulness.

        3- On the failure to provide information (Articles 13 of the GDPR, combined with Article

        12 GDPR)


69. Pursuant to Articles 13 and 14 of the GDPR, any person whose personal data
     are processed must, depending on whether the data is collected directly from that person or
     from third parties, be informed of the elements listed in these articles (§§ 1 and 2). In case of
     direct collection of data from the person concerned, the latter will be informed of both the elements
     listed in paragraph 1 and in paragraph 2 of Article 13 of the GDPR, namely: the identity and
     contact details of the data controller as well as the contact details of the data protection
     officer, if any, the purposes of the processing as well as the legal basis for
     the latter (when the processing is based on the legitimate interest of the data controller, this
     interest must be specified), the recipients or categories of recipients of the data,
     the intention of the controller to transfer the data outside the European Economic
     Area, the duration of data retention, the rights conferred on the data subject by the GDPR,
     including the right to withdraw consent at any time and the right to lodge a complaint
     with the data protection supervisory authority (in this case the DPA), information as to
     whether the requirement to provide personal data has a
     regulatory or contractual nature and the consequences of their non-provision, as well as
     the existence of automated decision-making including profiling, referred to in Article 22 of the
     GDPR. Article 14.1 and 14.2 list elements that are similar, taking into account however that
     the hypothesis referred to in article 14 of the GDPR is that where data is not collected
     directly from the person concerned but also from third parties. This information is,



  2 Complainant's main submissions p18-19



     whether on the basis of Article 13 or Article 14 of the GDPR, to be provided to the data subject
     in accordance with the terms set out in Article 12 of the GDPR.


70. The Litigation Chamber recalls that an essential aspect of the principle of transparency in the
     light of Articles 12, 13 and 14 of the GDPR is that the data subject should be able
     to determine in advance what the scope and the consequences of the processing encompass, in order
     not to be caught off guard at a later stage as to how their personal data
     were used. The information should be concrete and reliable; it
     should not be formulated in abstract or ambiguous terms or leave room for
     different interpretations. More specifically, the purposes and legal bases of the
     processing of personal data should be clear.

71. Article 12.3 of the GDPR requires that the data subject be informed within a maximum period
     of three months. The complainant asked the defendant for the first time on February 26, 2020
     to send him the information under Article 14 of the GDPR. The Litigation
     Chamber notes here that Article 14 of the GDPR is applicable in the event of indirect collection of
     personal data. In the present case, although the complainant's submissions refer to
     Article 14 in this respect, insofar as the complainant's data were collected in the
     framework of his employment contract with the defendant, Article 13 GDPR is applicable.


72. It appears from the facts that the Respondent merely sent the Complainant a list of
     personal data concerning him that it holds, by letter dated June 15, 2020 (exhibit
     11 of the complainant), without including all the other information required under Article
     13 GDPR. Nevertheless, Article 13.4 of the GDPR dispenses with the need to communicate the
     information under points 1 to 3 of the same article if the person concerned already has
     this information. The document sent by the defendant to the plaintiff does not indicate the
     retention period of the data (an important aspect in the dispute between the parties), or
     the existence of the right to request access to, rectification or erasure of the data, or a
     limitation of processing, nor does it mention the right to object to processing, or the right
     to lodge a complaint with the supervisory authority. Nevertheless, it is reasonable to
     assume that the complainant was not unaware of this information, given his former functions
     as administrator. The element of information under Article 13 of the GDPR that is particularly
     relevant to the present case and absent from the document is therefore the retention period of the
     data processed by the defendant. Although this element constitutes a central point in the
     present dispute and in the plaintiff's claims, it is also necessary to take into account the
     difficulty for the defendant of estimating the time that the resolution of the dispute will take
     before the courts of the judicial order, a duration during which it is entitled to keep the
     data (more recent than five years).


73. In these circumstances, it cannot be concluded that there is a breach of Article 13 of the GDPR.



III. As for the communication of the subcontract between the defendant and its
    subcontractor


 74. Article 28.3 of the GDPR states:


               “Processing by a processor is governed by a contract or other legal act
               under Union law or the law of a Member State, which binds the processor with regard to
               the controller, defines the subject matter and duration of the processing, the nature and
               purpose of the processing, the type of personal data and the categories of
               data subjects, and the obligations and rights of the controller.

               This contract or other legal act provides, in particular, that the subcontractor:




               a) only processes personal data on documented instructions from the
                   data controller, including with regard to transfers of personal data
                   to a third country or to an international organisation,
                   unless required to do so under Union law or the law of the Member
                   State to which the subcontractor is subject; in this case, the subcontractor informs the
                   controller of this legal obligation prior to processing, unless
                   the law concerned prohibits such information for important reasons of public
                   interest;

               b) ensures that the persons authorized to process the personal data
                   undertake to respect confidentiality or are subject to an
                   appropriate legal duty of confidentiality;

               c) takes all measures required under Article 32;

               d) complies with the conditions referred to in paragraphs 2 and 4 to engage another
                   subcontractor;

               e) taking into account the nature of the processing, assists the controller, by
                   appropriate technical and organizational measures, to the fullest extent
                   possible, in fulfilling its obligation to respond to the requests that
                   the persons concerned submit to it in order to exercise their rights provided for in
                   Chapter III;

               f) assists the data controller in ensuring compliance with the obligations laid down
                   in Articles 32 to 36, taking into account the nature of the processing and the information
                   available to the subcontractor;


               g) at the choice of the data controller, deletes all personal
                   data or returns them to the controller at the end of the
                   provision of services relating to the processing, and destroys the existing copies,
                   unless Union law or Member State law requires the retention
                   of the personal data; and






               h) makes available to the controller all information
                   necessary to demonstrate compliance with the obligations provided for in this article
                   and to enable audits, including inspections, to be carried out by the
                   controller or another auditor appointed by him, and contributes to
                   these audits.

               With regard to point h) of the first paragraph, the processor shall inform
               the data controller immediately if, in his opinion, an instruction constitutes a
               breach of this Regulation or of other provisions of Union law or of the law
               of the Member States relating to data protection. »


75. Article 4.8 of the GDPR defines a processor as follows:


               “the natural or legal person, public authority, agency or other body
               who processes personal data on behalf of the data controller; »


76. It is not disputed by the defendant that the V having carried out the restoration of the data
     is a third party, and that it acted as a subcontractor. Furthermore, the defendant
     acknowledges the absence of a contract binding it to this subcontractor. It justifies this in its conclusions
     by arguing that the subcontractor “did not process personal information, but
     restored the data deleted by M.X, without examining the content of this data and without
     performing a sorting that it was not for him to perform”. The defendant adds that the
     subcontractor "did not access the mailbox before retrieving the deleted
     items (…) did not recover deleted items from Mr. X's email (after
     request of Y), no action has been taken (…)”, and that he “did not read Mr.
     X”.23


77. The Litigation Chamber finds that this constitutes an erroneous reading of the notion
     of “processing”, as set out in article 4.2 of the GDPR:

               “any operation or any set of operations, whether or not performed using automated
               processes, and applied to personal data or sets of personal
               data, such as collection, recording, organization, structuring,
               storage, adaptation or modification, retrieval, consultation, use,
               communication by transmission, dissemination or any other form of making
               available, alignment or interconnection, limitation, erasure or
               destruction;".



78. It is also not disputed that the emails contained in the electronic mailboxes

     (professional and/or private) constitute personal data.



  2It thus indicates in its summary conclusions p8 that the subcontractor is “a third-party service provider”
  2Summary conclusions of the defendant p17

  2Ibid. p18




      personal data relating to the complainant therefore constitutes processing of
      personal data within the meaning of the GDPR.


 79. The fact that this data has been encrypted as part of the processing by the processor of the
      defendant, and that only the defendant can decrypt them (as its counsel indicates in a
      letter of May 4, 2021), does not change this conclusion, since, although encrypted,
      these data remain personal data of the complainant, and the processing remains.
      Indeed, to the extent that pseudonymised24 or encrypted data may allow
      the identification of a person via additional information, in particular via the encryption
      key (held in the present case by the defendant), encrypted data do indeed constitute
      personal data within the meaning of article 4.1 of the GDPR.


 80. The defendant is therefore in breach of Article 28.3 of the GDPR.








IV. As to the plaintiff's requests for the exercise of his rights


  IV.1. On the defendant's breach of its obligation to follow up on the exercise of the
        complainant's right of access (Article 15 of the GDPR) in accordance with the terms of Article
        12 GDPR



 81. As indicated above, in its capacity as data controller, the defendant is required to

      comply with data protection principles and must be able to demonstrate that

      these are respected. It must also implement all the measures necessary to

      this purpose (principle of responsibility – articles 5.2. and 24 of the GDPR).






   24 Article 4.5 of the GDPR defines the notion of pseudonymisation as follows:
   “the processing of personal data in such a way that these can no longer be attributed to a specific
   data subject without having recourse to additional information, provided that this additional
   information is kept separately and subject to technical and organizational measures in order to
   guarantee that the personal data is not attributed to an identified or identifiable natural person”

   Recital 26 of the GDPR similarly states:

   “The principles of data protection should apply to any information relating to an identified or
   identifiable natural person. Personal data which has been pseudonymised and which
   could be attributed to a natural person through the use of additional information should be
   considered to be information relating to an identifiable natural person. To determine if a natural person
   is identifiable, consideration should be given to all the means reasonably likely
   to be used by the controller or any other person to identify the natural person
   directly or indirectly, such as singling out. To establish whether means are reasonably likely to be
   used to identify a natural person, all of the objective factors should be taken into consideration, such as
   the cost of identification and the time required for it, taking into account the technologies available at the time
   of the processing and their evolution. »
   25 See on this subject the Breyer judgment of the ECHR, Case C‑582/14, 19 October 2016, § 49



82. As a preliminary point, the Chamber recalls that the right of access is one of the foundations of the right to
     data protection; it constitutes the “front door” which allows the exercise of the other rights
     that the GDPR confers on the person concerned, such as the right to rectification, the right to erasure,
     to limitation or limitation.


83. Pursuant to Article 15.1 of the GDPR, the data subject has the right to obtain from the controller
     confirmation as to whether or not personal data concerning him are being
     processed. When this is the case, the data subject has the right to obtain access to the
     said personal data as well as a series of information listed in article 15.1 a) -
     h) such as the purpose of the processing of his data, the duration of data storage, the
     potential recipients of his data as well as information relating to the existence of his
     rights, including that of requesting the correction or erasure of his data or that of
     lodging a complaint with the DPA.


84. Pursuant to Article 15.3 of the GDPR, the data subject also has the right to obtain a
     copy of the personal data which is the subject of the processing. Article 15.4 of the GDPR
     provides that this right to a copy may not infringe the rights and freedoms of others.

85. Article 12 of the GDPR, relating to the procedures for the exercise of their rights by the persons
     concerned, provides in particular that the controller must facilitate
     the exercise of his rights by the person concerned (article 12.2 of the GDPR) and provide him with
     information on the measures taken following his request as soon as possible and no
     later than one month after the request (Article 12.3 of the GDPR). This deadline may, in
     special circumstances, be extended to three months (Article 12.3 of the GDPR). When the
     controller does not intend to respond to the request, he must notify his
     refusal within one month, accompanied by the information that an appeal against this
     refusal can be lodged with the data protection supervisory authority (12.4 of the
     GDPR).


86. On March 16, 2020, the plaintiff exercised his right of access and copy with the defendant.
     The defendant replied on April 7, 2020 that it would be unable to comply with his request within the
     one-month period due to the complexity of the request and difficult working circumstances
     related to the health crisis, but undertook to do so within three months.


87. On June 15, 2020, the day before the expiry of the three-month period, the defendant sent the
     complainant a list of personal data about him that she holds.

     double failure to provide it with the information required under Article 15.1 a) to f) (including

     the retention period of the data), and does not send him a copy of this data.


88. The defendant relies in this regard on the argument that, in its letter of March 16

     requesting the application of Article 15 of the GDPR, the complainant would have limited himself to requesting access
     and not the copy, because the letter only refers to article 15.1 and not 15.3 (copy part of the right

     access).



89. The Litigation Chamber cannot subscribe to this reasoning, inasmuch as, although said
     letter expressly refers only to article 15.1 and not to 15.3, the term “copy” (“copy” in
     the letter in English) is explicitly mentioned twice (complainant's exhibit 7):














90. The Litigation Chamber can therefore only find a breach of Article 15.1, for an
     incomplete follow-up to the complainant's right of access request, and a breach of Article 15.3 for
     refusal to follow up on the copy part of the right of access.




 IV.2. On the defendant's breach of its obligation to follow up on the exercise of
      the complainant's right to erasure (Article 17 of the GDPR), the right to restriction (Article 18
      GDPR), as well as the right of opposition (Article 21 GDPR)

91. Article 17 of the GDPR states:


 1. “The data subject has the right to obtain from the controller the erasure,
     as soon as possible, of personal data concerning him, and the controller
     has the obligation to erase this personal data as soon as possible,
     when one of the following grounds applies:


      a) the personal data is no longer necessary in relation to the purposes for
          which it was collected or otherwise processed;


      b) the data subject withdraws the consent on which the processing is based,
          in accordance with point (a) of Article 6(1) or point (a) of Article 9(2), and
          there is no other legal basis for the processing;


      c) the data subject objects to the processing pursuant to Article 21(1) and
          there are no overriding legitimate grounds for the processing, or the data subject
          objects to the processing pursuant to Article 21(2);

      d) the personal data has been unlawfully processed;


      e) the personal data must be erased to comply with an obligation
          which is provided for by Union law or by the law of the Member State to which the
          controller is subject;


      f) the personal data was collected in the context of the offer
          of information society services referred to in Article 8(1).

 2. When he has made the personal data public and is required to delete them
     pursuant to paragraph 1, the controller, taking into account the technologies
     available and the costs of implementation, takes reasonable measures, including
     technical ones, to inform the controllers who process this personal data
     that the data subject has requested the erasure by those controllers
     of any link to such personal data, or any copy or
     reproduction of these.
 3. Paragraphs 1 and 2 do not apply insofar as this processing is necessary:

      a) for the exercise of the right to freedom of expression and information;

      b) to comply with a legal obligation which requires the processing provided for by the law of
          the Union or by the law of the Member State to which the controller is subject,
          or to perform a task in the public interest or in the exercise of
          authority vested in the controller;

      c) for reasons of public interest in the field of public health, in accordance with
          Article 9, paragraph 2, points h) and i), as well as Article 9, paragraph 3;

      d) for archival purposes in the public interest, for the purposes of scientific research or
          historical or statistical purposes in accordance with Article 89(1) in the
          extent to which the right referred to in paragraph 1 is likely to render impossible or
          seriously impair the achievement of the objectives of that processing; or

      e) for the establishment, exercise or defense of legal claims.”


92. Recital 65 of the GDPR also includes the exception of legal defense as
     provided for in Article 17.3.e of the GDPR to the right to erasure.

93. As indicated above, the Litigation Chamber considers that in view of the dispute pending before the
     courts of the judicial order, and a fortiori insofar as this is linked to exchanges
     of information (and emails) between the plaintiff, the defendant, and third parties, the legitimate interest
     in defense in court constitutes a valid basis of lawfulness on the part of the
     defendant, for data more recent than five years, from the start of the disputed processing.
     For data after this date, the defendant cannot rely on the legitimate
     interest (see section 2.1.3 above) as the basis for the disputed processing.

94. In all consistency, the exception to the right to erasure set out in Article 17.3.e of the GDPR (the

     defense of rights in court) is applicable to the case in question, according to the same time criterion.


95. There is therefore no breach by the defendant of Article 17 of the GDPR with regard to
     the processing of data five years prior to the processing, but concerning the

     data after this date.


96. Insofar as Articles 18.2 (right to limitation) and 21.1 (right to object) take up
     the exception of legal defense, the same reasoning applies to the complainant's request
     to exercise his right of limitation and opposition.

97. There is therefore no breach by the defendant of Article 18 of the GDPR and 21 of the GDPR
     as regards the processing of data five years prior to the processing, but
     regarding data after that date.



V. Corrective Measures and Sanctions


 98. Under Article 100 LCA, the Litigation Chamber has the power to:


      1° dismiss the complaint without follow-up;

      2° order the dismissal;

      3° order a suspension of the pronouncement;
      4° to propose a transaction;

      5° issue warnings or reprimands;

      6° order to comply with requests from the data subject to exercise these rights;

      7° order that the person concerned be informed of the security problem;

      8° order the freezing, limitation or temporary or permanent prohibition of processing;

      9° order the processing to be brought into conformity;
      10° order the rectification, restriction or erasure of the data and the notification of

      these to the recipients of the data;

      11° order the withdrawal of accreditation from certification bodies;

      12° to issue periodic penalty payments;

      13° to impose administrative fines;

      14° order the suspension of cross-border data flows to another State or a
      international body;

      15° forward the file to the public prosecutor's office in Brussels, which informs it of the follow-up
      given to the file;

      16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection
      Authority.


 99. As to the administrative fine which may be imposed pursuant to Article 83 of the GDPR

      and articles 100, 13° and 101 LCA, article 83 of the GDPR provides:




       1. “Each supervisory authority shall ensure that the administrative fines imposed
           under this article for violations of this Regulation, referred to in paragraphs
           4, 5 and 6 are, in each case, effective, proportionate and dissuasive.


       2. Depending on the specific characteristics of each case, the administrative fines are
           imposed in addition to or instead of the measures referred to in Article 58(2),
           points a) to h), and j). To decide whether to impose an administrative fine and to
           decide on the amount of the administrative fine, due account shall be taken, in each

           case in point, of the following elements:


              (a) the nature, gravity and duration of the breach, taking into account the nature, scope

              or the purpose of the processing concerned, as well as the number of data subjects

              affected and the level of damage they suffered;

              (b) whether the breach was committed willfully or negligently;



              c) any action taken by the controller or processor to mitigate

              the damage suffered by the persons concerned;

              d) the degree of responsibility of the controller or processor, taking into
              account the technical and organizational measures they have implemented pursuant to
              Articles 25 and 32;

              e) any relevant breach previously committed by the controller
              or the subcontractor;

              (f) the degree of cooperation established with the supervisory authority with a view to remedying the

              breach and to mitigate any adverse effects thereof;

              (g) the categories of personal data affected by the breach;

              h) the manner in which the supervisory authority became aware of the breach, in particular whether,

              and the extent to which the controller or processor notified the
              breach;

              (i) where measures referred to in Article 58(2) have previously been

              ordered against the controller or processor concerned for

              the same object, compliance with these measures;

              (j) the application of codes of conduct approved pursuant to Article 40 or
              certification mechanisms approved under Article 42; and

              k) any other aggravating or mitigating circumstance applicable to the circumstances of
              the case, such as the financial advantages obtained or the losses avoided, directly
              or indirectly, by reason of the breach”.



100. It is important to contextualize the breaches of these articles in order to identify the
      most suitable corrective measures. In this context, the Litigation Chamber will take into account
      all the circumstances of the case, including - within the limits it specifies below -
      the reaction communicated by the defendant after the amount of the envisaged fine
      was communicated to it (see retroacts of the procedure). In this regard, the Litigation Chamber
      specifies that said form expressly mentions that it does not imply the reopening of
      debates. Its sole purpose is to obtain the reaction of the defendant on the amount of
      the proposed fine.

101. The Litigation Chamber also wishes to specify that it is sovereignly incumbent upon it, in its
      capacity as an independent administrative authority - in compliance with the relevant articles of the GDPR
      and the LCA - to determine the appropriate corrective action(s) and sanction(s).


102. Thus, it is not for the plaintiff to ask the Litigation Chamber to order
      this or that corrective measure or sanction. If, notwithstanding the foregoing, the complainant should
      nevertheless ask the Litigation Chamber to pronounce one or the other measure and/or
      sanction, it is therefore not incumbent on the latter to justify why it would not retain
      any request made by the complainant. These considerations leave intact
      the obligation for the Litigation Chamber to justify the choice of measures and sanctions
      which it deems (among the list of measures and sanctions made available to it by
      articles 58 of the GDPR and 95.1 and 100.1 of the LCA) appropriate to condemn the party in question.


103. In the present case, the Litigation Chamber notes that the complainant requested in particular that the
      Litigation Chamber sanction the defendant for its failure to respond to his requests
      to exercise his rights. He also requests that the Chamber issue an injunction to the
      defendant, on two counts. First, he asks for an injunction to stop the processing of
      personal data concerning him older than 5 years (and even more recent if the
      Chamber had to conclude that there was no basis of lawfulness for these as well), as well as
      their deletion. Next, the plaintiff seeks an injunction on the defendant to follow up
      on the requests to exercise his various rights. Finally, he asks for confirmation that the
      defendant cannot validly rely on Article 6.1.f (legitimate interest) to found the
      disputed processing, regardless of time at the very least.





  V.1. As for the shortcomings


104. The Litigation Chamber found a breach of Articles 5.1.a combined with Article 6.1.f
      of the GDPR, due to the partial absence of a legal basis for processing. It also noted a
      breach of Articles 15 (right of access and copying), 17 (right to erasure), 18 (right to
      limitation), and 21 (right to object). Finally, article 28 has also been violated (in the absence of a contract
      between the defendant and its subcontractor).

105. It appears from the complainant's conclusions that the defendant undertook, at the insistence of the
      complainant, not to analyze the personal data of the complainant found in his private
      mailboxes, as well as to cease all active processing of private emails found during the analysis
      of the professional mailboxes.26


106. The Litigation Chamber also notes that the defendant indicates in its submissions
      that it is prepared to delete the emails relating to the private mailboxes of the complainant, provided
      that the emails in question do not interfere with its right of defense in court.27 However, in view
      of the numerous shortcomings on the part of the defendant, the Litigation Chamber is
      of the opinion that this concession is not sufficient to justify an absence of sanctions.


107. Accordingly, the Litigation Chamber orders the defendant:

          - to comply with the complainant's requests to exercise his rights to the extent
              explained above

          - to put in place a charter as set out in point 56

          - to cease the processing of personal data relating to the complainant older
              than 5 years

   26 Complainant's conclusions p.5
   27 Respondent's summary submissions p.17


108. In addition to this compliance order, the Litigation Chamber is of the opinion that
      an administrative fine is in this case justified for the reasons below, reasons analyzed on
      the basis of article 83.2 GDPR and in accordance with the recent teaching of the Court of Markets.

109. The rights of data subjects are part of the essence of the GDPR and violations of these
      rights are punished with the highest fines, in accordance with Article 83.5 GDPR. In this
      spirit, serious breaches of the rights of the persons concerned must be sanctioned with
      proportionally high fines, depending on the circumstances of the case. In this
      regard, reference may be made to the Article 29 Working Party Guidelines on the application and setting of
      administrative fines, according to which:

          “Fines are an important tool that enforcement authorities should use
          in the appropriate circumstances. Supervisors are encouraged to adopt
          a well-considered and balanced approach when applying corrective
          measures in order to react to the violation in a manner that is effective, dissuasive
          and proportionate. The point is not to see fines as a last resort or to
          shy away from imposing them, but, on the other hand, they should not be used
          in such a way that their effectiveness would be reduced.”


110. In subparagraph a), Article 83.2 concerns “the nature, seriousness and duration of the violation,
      taking into account the nature, scope or purpose of the processing concerned, as well as the number of
      data subjects affected and the level of harm they have suffered”. In
      this case, the Litigation Chamber notes that the principles of legality and minimization
      (articles 5.1.a and 5.1.c GDPR) as well as the rights of access (article 15), erasure (article 17),
      limitation (article 18) and opposition (article 21) are essential principles of the GDPR
      protection regime. The principle of liability set out in Article 5.2 of the
      GDPR and developed in article 24 is also at the heart of the GDPR and reflects the change of
      paradigm brought about by it, i.e. a changeover from a regime that was based on
      prior declarations and authorizations from the supervisory authority towards greater
      accountability and responsibility of the processor. Compliance with its obligations
      by the latter and its ability to demonstrate it are therefore all the more important. The
      breaches of these principles constitute serious breaches.

      28 GDPR also constitutes a serious violation.

111. With regard more specifically to the nature of the data, although it is not clear
      from the submissions filed (to the extent that the parties contradict each other on this subject and
      evidence is lacking) whether the defendant restored both the complainant's private and
      professional mailboxes, the Chamber notes that the defendant acknowledges at the very least
      to have also processed (restored) the complainant's private emails contained in his professional
      mailboxes.


112. With regard to the duration and scope of the impugned processing, the Chamber notes that the

      defendant proceeded from the outset and deliberately (art 83.2.b GDPR) to restore the

      complainant's emails without any time limit, despite the latter's opposition and his
      request to place a limit of 5 years.


113. The other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence

      the decision of the Litigation Chamber regarding the imposition of an administrative fine and its

      amount.

114. Pursuant to Articles 83.4 and 83.5 GDPR, fines for breaches of the provisions identified above
      may amount to up to 20,000,000 euros or, in the case of a company, up to 4% of the
      total worldwide annual turnover for the previous financial year. A breach of Articles 5.1.a
      combined with article 6.1.f of the GDPR, with articles 12 and 13, 15, 17, 18, and 21 and 28 GDPR is retained. The
      maximum amount of the fine in the specific case, as provided for in article 83.5, is therefore
      €20,000,000.

115. As regards, among other things, breaches of a fundamental right, enshrined in Article 8 of the

      Charter of Fundamental Rights of the European Union, their seriousness will be assessed,

      as the Litigation Chamber has already had the opportunity to point out, in support of Article 83.2.a)

      of the GDPR, independently.

116. In conclusion, in view of the elements developed above specific to this case, the Litigation
      Chamber considers that the aforementioned breaches justify that, as an
      effective, proportionate and dissuasive sanction as provided for in Article 83 of the GDPR, and taking into account
      the assessment factors listed in Article 83.2 GDPR and the respondent's reaction to the
      envisaged sanctions form, a compliance order accompanied by an administrative
      fine in the amount of 7,500 euros (article 100.1, 13° and 101 LCA) be pronounced
      against the defendant.


117. The amount of 7500 euros remains in view of these elements proportionate to the shortcomings

      denounced. This amount also remains well below the maximum amount provided for by

      Article 83.5 GDPR, of 20,000,000 euros (see above).

118. This amount is justified for the reasons set out above, including the fact that the defendant

      immediately processed the complainant's mailboxes without any time limit.


119. The Litigation Chamber is of the opinion that a lower amount of fine would not meet,
      in this case, the criteria required by Article 83.1 of the GDPR according to which the administrative fine
      must not only be proportionate, but also effective and dissuasive. These elements
      constitute a specification of the general obligation of Member States under European Union
      law, based on the principle of sincere cooperation (article 4.3 of the Treaty on European
      Union).


120. Given the importance of transparency regarding the decision-making process of the Litigation
      Chamber and in accordance with Article 100, § 1, 16° of the LCA, this decision is
      published on the website of the Data Protection Authority with the identification
      data of the parties deleted, since these are neither necessary nor relevant in the context
      of the publication of this decision.








      FOR THESE REASONS,


      the Litigation Chamber of the Data Protection Authority issues, after deliberation:

      - On the basis of article 100, § 1, 9° of the LCA, a compliance order as worded

          supra, including the establishment of a charter as set out in point 56

      - Based on article 83 of the GDPR and articles 100, 13° and 101 of the LCA, a fine
          of 7500 EUR

      Under Article 108, § 1 of the LCA, this decision may be appealed to
      the Court of Markets within thirty days of its notification, with
      the Data Protection Authority as defendant.











   (Sr.) Hielke Hijmans

   President of the Litigation Chamber