APD/GBA (Belgium) - 46/2022
From GDPRhub
| APD/GBA (Belgium) - 46/2022 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(f) GDPR Article 15 GDPR Article 17 GDPR Article 18 GDPR Article 21 GDPR Article 28 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 01.04.2022 |
| Published: | 04.04.2022 |
| Fine: | 7500 EUR |
| Parties: | Company Former employee |
| National Case Number/Name: | 46/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | APD (in FR) |
| Initial Contributor: | kc |
The Belgian DPA issued a €7500 fine against a company for restoring data on a former employee's work laptop after termination and subsequently violating the data subject's rights to access, erasure, restriction and objection.
English Summary
Facts
The data subject is a former managing director of the controller. When the data subject was dismissed, he deleted the data on the work laptop before handing it in to the former employer. According to the data subject, he had only deleted the private data, such as his private e-mail inbox. The controller, however, stated that he had deleted all data. Therefore, the controller restored all data that had previously been on the laptop, including the data subject's personal data. After finding out about the restoration, the data subject tried to exercise his rights to information, deletion and restriction of processing as well as his right to object. However, his requests were not followed by the controller. The controller did not only process the data on its own but also used a processor.
Holding
The Belgian DPA fined the controller €7500 and ordered the controller to comply with the data subject's requests. Because of the numerous shortcomings of the controller, the DPA was of the opinion that such a sanction was necessary even though the controller argued that it was prepared to comply with the data subject's request after the proceedings.
First, it found a breach of Articles 5(1)(a) and 6(1)(f) GDPR due to the partial absence of a legal basis for processing. The processing failed to meet the balancing of interests necessary under Article 6(1)(f) GDPR. It explained that, in case of dismissal, the employer must delete the e-mail addresses when these constitute personal data, after having informed their holders and third parties of the e-mail closing date. This obligation is also intended to allow holders to sort and transfer any private messages to their personal mailbox. If part of the content must be retrieved to ensure the smooth running of the business (as argued by the controller in this case), this must be done before the dismissal and with his or her assistance.
Second, the DPA found a violation of Articles 15 (right to access), 17 (right to erasure), 18 (right to restriction of processing) and 21 (right to object) GDPR. By refusing to act on the data subject's requests, it had substantially violated his rights.
Third, the DPA held that Article 28 GDPR had been violated since the controller did not have a processing agreement with its processor.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/28
Litigation Chamber
Decision on the merits 46/2022 of 1 April 2022r
File number: DOS-2020-02892
Subject: Complaint by a former employee against his former employer for treatment of box
email, and refusal to follow up on the request to exercise his rights
The Litigation Chamber of the Data Protection Authority, made up of Mr Hielke
Hijmans, chairman, and Messrs. Y. Poullet and C. Boeraeve, members, taking up the case in this
composition ;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the
data protection), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority (hereinafter
ACL);
Having regard to the internal regulations as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Having regard to the hearing of April 12, 2021;
Having regard to the envisaged sanctions form sent to the defendant and its observations,
made the following decision regarding:
The plaintiff: Mr. X, represented by his counsel Mr. Dr. Jan-Henning Strunz, Matray,
Matray & Hallet, s.c.r.l, rue des Fories, 2, 4020 Liège, hereinafter “the plaintiff”
The defendant: Y, represented by his counsel, Maître Inger Verhelstet Wouter Van Loon, City
Link Posthofbrug 12, 2600 Antwerp as well as Maître Florence Sine, lawyer,
Boulevard du Souverain 280, 1160 Auderghem, hereinafter: "the defendant", Decision on the merits 46/2022 - 2/28
I. Facts and procedural history
1. The plaintiff practiced within the defendant, of which he was the sole shareholder during
several years, the function of Managing Director from October 15, 2004 until May 29
2019. On this date, the plaintiff resold all of his shares to Z and ceased his
administrator functions. Z then assigned all of its rights and obligations to the law company
Luxembourgish W.
2. The plaintiff was then hired by the defendant as an employee, from May 29
2019.
3. On November 26, 2019 and December 14, 2019, the plaintiff and the shareholder company W
exchange letters concerning breaches invoked by the two parties with regard to
of the share transfer agreement.
4. On April 23, 2020, the plaintiff cited companies Z and W before the Court of First Instance
francophone in Brussels, before which the dispute is pending. The complainant accuses the
defendant to owe him an unpaid balance following the transfer of his shares, while the
defendant is claiming compensation from him for the debts of the acquired company. The
defendant argues that these breaches are due to the fact that the plaintiff allegedly
concealed and truncated certain information when selling shares. The sums at stake
are important, and are the subject of differences between the parties. The plaintiff disputes
firmly the alleged breaches, and moreover also cited the defendant before the
Turkish courts for defamation, unfair dismissal, and payment of damages (the
defendant company is also implemented in Turkey).
5. The facts giving rise to the complaint to the DPA are as follows. On February 18, 2020, the complainant
is dismissed by the defendant. Before handing over his computer equipment following his
dismissal, the complainant erased the data on his laptop
professional. He claims to have erased only his private data (private email boxes), while
the defendant argues that he would have erased all of the mailboxes (both professional
than private). The only evidence put forward in this regard consists of two testimonies
of employees submitted by the defendant, claiming that all the mailboxes would have been
erased.
6. The Complainant then became aware of the Respondent's intention to proceed with the
recovery of data previously present on his laptop, and gives formal notice to the
defendant, on February 26, 2020 to suspend all processing of its personal data
staff, as long as the information under Article 14 of the GDPR is not provided to them.
He also requests the exercise of his right to erasure, limitation of processing, and
opposition., Decision on the merits 46/2022 - 3/28
7. On February 28, 2020, the defendant refused to respond to the plaintiff's requests, on the basis
of the employment contract that bound them, as well as on the basis of article 6.1.f of the GDPR (legitimate interest)
justifying in its view the processing of the complainant's personal data.
8. On March 4, 2020 the plaintiff challenges the legality of the processing by the defendant, in particular
concerning his purely private data, as well as professional data prior to the 1st
June 2019 (period not covered by the employee employment contract on which the
defendant, contract dated June 01, 2019).
send him his subcontracting contract with V (having proceeded to the recovery of the
data previously present on the complainant's laptop).
9. On March 7, 2020, the defendant refused to suspend processing for character data
personal (professional) of the complainant prior to June 01, 2019, by advancing his interest
legitimate to the continuity of its activities, and in order to verify alleged shortcomings in its
leader as a worker.
10. The defendant adds that although for the period prior to June 01, 2019 the complainant
was not under an employee contract, he performed management functions and used the laptop
in question. It deduces that for data prior to June 01, 2019, the legitimate interest
does constitute a lawful basis for processing.
11. The defendant nevertheless also undertakes not to process the private mailboxes of the plaintiff,
but only professional boxes.
personal data found during the analysis of the professional mailboxes of the
complainant, but refuses to erase them.
12. The defendant also refuses to produce the subcontract, on the grounds that the
subcontractor would not have processed personal data by recovering the
mailboxes.
13. On March 16, 2020 the Complainant informed the Respondent that it had no legitimate interest in processing
his personal data prior to the last five years, and invites him to limit the period
time for which she deals with her e-mails in the last five years (corresponding to the
limitation of the liability of company directors).
14. He also requests the exercise of his right of access and copy to all emails processed by the
defendant.
15. On April 7, 2020 the defendant refuses to limit the processing of the data to the last five
years, on the basis of its legitimate interest in the processing. She adds that the demands
erasure, opposition and limitation cannot be followed, likewise, on the basis of
the exception of overriding legitimate reasons (legitimate interest of defense in justice, to ensure the
1Art 2:143 § 1 Code of Companies and Associations., Decision on the merits 46/2022 - 4/28
continuity of the company's services, and potential questioning of the responsibility
professional and penal of the plaintiff).
16. It also accepts the applicant's request for access, but indicates that it cannot comply with it.
comply within the legal deadline of one month, but three months (due to the complexity of the
request and circumstances related to the health crisis).
17. On May 25, 2019 the plaintiff disputes the legitimate interest as put forward by the defendant
as the basis for lawful processing, arguing that these interests are neither current nor precise,
and that it did not carry out the balance of interests, nor take into account the imbalance between the
complainant and herself in the context of their relationship as ex-employee to ex-employer.
18. He also accuses it of violating the principles of minimization, insofar as the
data older than five years was not relevant for the purposes pursued.
19. He also criticizes him for having breached the principle of necessity, arguing that other measures
less invasive would have enabled the defendant to have the necessary data in
sparing its interests (a sorting of emails could for example have been operated by a third party in
presence of the plaintiff, in order to deliver only the relevant emails to the defendant, instead
of a complete restoration).
20. The complainant reiterates his requests for the suspension of the processing, as well as for the exercise of his
rights to erasure, limitation, opposition (particularly for data dating back more than
five years).
21. On June 5, the defendant replied to the plaintiff that it maintained its position as to his interest
legitimate to the treatment, as well as concerning the absence of obligation to transmit the contract
of subcontracting with V. She repeats that she will not process the private mailboxes of the complainant
nor the emails found on his professional mailboxes from these email addresses
(private).
22. On June 15, 2020, the defendant sent the plaintiff a letter containing a list of
personal data it holds about him (exhibit 11 from the complainant).
23. On June 16, 2020 the plaintiff informed the defendant of his intention to file a complaint at
the Data Protection Authority (APD below), which it does on June 17, 2020.
24. This decision is based on the articles invoked by the complainant. Regarding the grievance of
lack of information raised by the applicant, although the latter repeats Article 14 in its
conclusions,insofar asthecomplainant's datawascollected within the framework of his
employment contract with the defendant and it appears that it is this article which was covered by the
plaintiff in a clumsy wording, the Litigation Chamber considers that Article 13
GDPR applies., Decision on substance 46/2022 - 5/28
II. As to the reasons for the decision
II.1. As to the lawfulness of the processing carried out by the controller
25. In its capacity as data controller, the defendant is required to respect the principles
data protection and must be able to demonstrate that these are respected
(principle of responsibility – article 5.2. of the GDPR) and to implement all the measures
necessary for this purpose (Article 24 of the GDPR).
26. Pursuant to Article 5.1.a) of the GDPR, any processing of personal data, was
it, totally or partially automated, must in particular be fair and lawful. To be lawful,
any processing of personal data must in particular find a basis in
GDPR Article 6. It is up to the controller to determine what is
foundation.
27. In the present case, the recovery by V, subcontractor of the controller, of the data
present on the computer equipment (laptop) provided by the plaintiff to the defendant as well as
the analysis of the emails contained in the mailboxes recovered constitutes a processing of
personal data subject to the application of the GDPR. Contrary to what the
defendant, the recovery of the data by the subcontractor SA and the subsequent analysis
of the emails retrieved correspond to processing within the meaning of article 4.2 of the GDPR. 2
28. These processing operations must therefore be based on one of the bases of lawfulness listed in Article
6 GDPR.
29. A distinction should be made from the outset between the processing (or recovery) of a box
private email of an employee, and the processing of the professional mailbox. The principle is that
An employee's work emails may be handled by their employer. Bedroom
Contentitieuse understands, however, that during both private and professional use of a
same mailbox by the employee being the holder, this distinction can be difficult to
carry out. It should be noted that in principle, an employer cannot freely consult the emails
privacy of its employees, even though it has prohibited the use of company tools for
personal. This principle nevertheless suffers from exceptions, within a strict legal framework and
3
foreseeable, such as during pending legal proceedings. In the event of control by the employer,
employees must also be informed in advance, as well as in particular of the
purposes pursued, the basis for lawfulness of the control processing, the retention period
data, the right of opposition for legitimate reasons, the right of access and rectification, or
still have the possibility of lodging a complaint with the supervisory authority.
2Article 4.2 of the GDPR: “processing”: any operation or set of operations whether or not carried out using processes
automated and applied to data or sets of personal data, such as the collection,
recording, organization, structuring, conservation, adaptation or modification, extraction, consultation,
the use, communication by transmission, dissemination or any other form of provision, bringing together or
interconnection, limitation, erasure or destruction;
3 In accordance in particular with the Bărbulescu case law of the European Court of Human Rights, see points 50 to 53, Decision on the merits 46/2022 - 6/28
II.1.1. The arguments put forward by the defendant as to the basis for the lawfulness of the processing carried out
30. The defendant indicates that it is relying on Article 6.1.f) of the GDPR under which the
data processing is lawful “if, and insofar as, it is necessary for the purposes of the interests
legitimate interests pursued by the controller or by a third party, unless prevailing
the interests or fundamental rights and freedoms of the data subject which require
protection of personal data, in particular when the data subject is
a kid ".
31. The defendant explains that its legitimate interest in processing the data
mentioned above is multiple:
• ensure the continuity of business services
• legal defense: the defendant (its sole shareholder W ) must be able to
demonstrate in the litigation pending before the courts that the plaintiff did not
not disclosed all the information available to it, and that it disclosed
false information in the context of his professional activities (while he was
employee of the controller)
• potential questioning of the complainant's liability in his capacity as former
director of the defendant company: according to the defendant, the plaintiff
guilty of several serious breaches. She argues in this regard that "It is not
therefore not impossible, even if it is naturally not the wish of Y, that the
responsibility of Mr. X must be engaged for some of the acts he has committed
as an administrator. (…) It is in this context of the legitimate interest of Y to have
all the necessary information. 5
• potential filing of a complaint with civil action by the defendant against
the plaintiff for breaches described as serious by the defendant: the
defendant argues in this regard that “It is in the legitimate interest of the company to
be able to file a complaint with civil action if it deems it necessary
when the limitation period has not elapsed… Again, Y does not ask
naturally not up to the Data Protection Authority to confirm the merits
from his point of view, but it is necessary to be able to give Y the opportunity to
file such a complaint, and if applicable, document it. MrXnecan, under
covered by the protection of his personal data, to be freed from having to
answer for his acts because all the data relating to the acts he has committed
would have been deleted. It is in Y's legitimate interests to be able to continue to
4In 2019, Mr. X sold all of his shares representing the capital of Y to the German company Z.
In 2019, it then resold the shares of Y to the Luxembourg company W, which is currently the shareholder
of Y (see additional and summary submissions of the defendant p.2 and 4).
5additional conclusions and summary p14., Decision on the merits 46/2022 - 7/28
have this information as long as the limitation period has not expired.
6
due date."
• Legitimate interest in documenting the reality in order to be able to counter the allegations of the
plaintiff
The Litigation Chamber understands the last four points as parts
integral to the legal defense exception, as the legitimate interest on which
the defendant.
II.1.2. The arguments put forward by the plaintiff
32. The complainant, for his part, considers that there is no lawful basis for processing on the part of the
defendant. He thus affirms with regard to the interests listed by the defendant the elements
following:
- ensure the continuity of the company's services: the defendant would only have
need data for the current year, see the previous year, but not
those of previous years. The defendant could not justify the
retention of data prior to 01-01-2017, i.e. two accounting years, 7
insofar as the facts alleged by the defendant against the plaintiff go back to the
month of November 2017.
- defense in court: insofar as the courts of the judicial order are seized
of the dispute, the DPA should not rule on the merits of the dispute, and should deal with
grievances alleged in this context as not established in the absence of testimony
- the plaintiff argues that there is no legitimate interest on the part of the defendant
to data processing, at least not for data older than
five years. He considers that only for data more recent than 5 years the legitimate interest
may possibly constitute a basis for the lawfulness of the processing due to the
pending legal proceedings, but not older ones.
- the other interests put forward by the defendant are vague, not current, and imprecise;
- the defendant did not carry out a balance of interests in the context of the assessment of
legitimate interest: no consideration of the imbalance inherent in the situation of ex-
employee and ex-employer between plaintiff and defendant;
- violation of the principle of minimization of data, insofar as the data more
older than five years are irrelevant;
6
additional conclusions and summary p14.
7 Complainant's main conclusions p18-19, Decision on the merits 46/2022 - 8/28
- violation of the principle of necessity since other less invasive measures would have
could have been envisaged in order to allow the defendant to have the data (for
example designation of a third party with whom the defendant could have carried out the analysis
data together with the complainant).
- potential questioning of the complainant's liability in his capacity as former
director of the defendant company: the limitation period for liability
administrators being five years, the legitimate interest cannot justify a processing
going beyond this period
II.1.3. Discussionplace
33. The Litigation Chamber notes that point f) of Article 6.1 of the GDPR refers to an interest
lawful pursued by the controller. The processing of personal data
personnelmustbe"necessaryfortheachievementofthelegitimateinterest"followedbytheresponsible
of the treatment.
34. Moreover, recourse to legitimate interest is expressly subject to a criterion
additional balancing act, which aims to protect the interest and the rights and freedoms
fundamentals of the people concerned. In other words, the legitimate interest pursued by the
controller must be weighed against the interests or rights and freedoms
fundamental rights of the person concerned, the objective of the balancing being to prevent
disproportionate impact on his rights and freedoms.
35. The interest pursued by the data controller, even if it is legitimate and necessary, cannot therefore
validly be invoked only if the fundamental rights and freedoms of the persons concerned
do not prevail over this interest. The Court of Justice of the European Union has clarified that these
three conditions – either the pursuit of a legitimate interest by the controller (a), the
necessity of the processing for the achievement of the legitimate interest pursued (b) and the condition that
the fundamental rights and freedoms of the persons concerned do not prevail over the interest
continued (c), are cumulative.
36. In other words, in order to be able to invoke the basis of lawfulness of "legitimate interest"
in accordance with Article 6.1.f) of the GDPR, the controller must demonstrate that:
1) the interests it pursues with the processing can be recognized as legitimate (the
"finality test");
2) the envisaged processing is necessary to achieve those interests (the “necessity test”);
8
See.notablyCourtofJusticeoftheEuropeanUnion(CJEU),Judgmentof11November2019(C-708/18),TKc.Asociațiade
Proprietari bloc M5A-ScaraA pronounced under Article 7 f) of Directive 95/46/EC., Decision on the merits 46/2022 - 9/28
3) the weighing of these interests against the fundamental interests, freedoms and rights
data subjects weighs in favor of the data controller (the "test of
weighting").
37. These principles are also outlined in Opinion 2/2017 on the processing of data on the location
working group 29, according to which “the performance of a contract and the interests
legitimate reasons can sometimes be invoked, provided that the processing is strictly
necessaryforlegitimatepurposesandrespectstheprinciplesofproportionalityandsubsidiarity; » . 9
Group 29 recalls more specifically that: “To invoke Article 7(f), as
legal basis for the processing, it is essential that specific mitigation measures
provided in such a way as to strike a fair balance between the employer's legitimate interest and the
fundamentalfreedomsandrightsofemployees.
should impose limits on surveillance activities in order to avoid any violation of life
privacy of the employee. These limits could be:
- geographic (e.g. monitoring only in locations
specific; surveillance of sensitive areas such as religious places and, by
example, sanitary areas and rest rooms should be prohibited),
- related to data (for example, personal electronic records and the
communication should not be monitored), and
- temporal (for example, sampling instead of monitoring
keep on going). »10
38. While the data controller is initially responsible for assessing whether the
conditions set out in Article 6.1.f of the GDPR are met, the legitimacy of the processing may
then be subject to another evaluation, and possibly be challenged, among other things by
data subjects and by the authorities responsible for supervising the protection of
data. A case-by-case examination, taking into account the concrete circumstances of each case,
will thus allow the Litigation Chamber to conclude as to the lawfulness of processing based
on the basis of the legitimate interest invoked, as in this case, by the data controller.
39. The processing of personal data must be “necessary for the performance of
legitimate interest” pursued by the data controller. This condition of necessity between
the processing carried out and the legitimate interest pursued is particularly relevant in the case of
Article 6.1.f) of the GDPR in order to ensure that the processing of data based on the legitimate interest
does not lead to an overly broad interpretation of the interest in processing data.
40. The defendant relies on several elements to found its legitimate interest, elements which are
further analyzed below.
9
Opinion 2/2017 on data processing in the workplace of Working Party 29, p2
1Ibid, p7, Decision on the merits 46/2022 - 10/28
II.1.4. The legitimate interest of the defense in court
41. Legal defense is a fundamental right enshrined in Article 48 of the Charter of Rights
fundamentals of the Union. In general, "defence in justice" can indeed be
considered a lawful legitimate interest in the context of the application of Article 6.1.f. of
GDPR. In accordance with Article 29 Group Opinion 06/2014 on the notion of legitimate interest,
this interest must be real and present, or not hypothetical.
42. The Litigation Chamber finds that this interest constitutes a real and present legitimate interest.
Indeed, during the processing (retrieval and analysis) by the defendant of the data to
personalcharacteronthelaptopoftheplaintiff,thedisputebeforethecourtsofthejudicialorder
between plaintiff and defendant was already .11
43. Nevertheless, the necessity test must be met, as prescribed by the CJEU (see above). In
Indeed, for this legitimate interest of "defence in justice" of the defendant to prevail, the
data processing must be “necessary” for the exercise of this legal defence. He
would be excessive and contrary to these requirements of necessity and proportionality to accept that
all previous employers of an employee can, by virtue of this capacity, process all
personal data relating to this employee, even for defense purposes
in justice.
44. In the present case, insofar as the defendant bases its grievances against the plaintiff
(in the context of the dispute before the courts of the judicial order) on the fact that he would have
culpably refrained from communicating information (or allegedly communicated
truncated information), the Litigation Chamber considers that the defendant is justified in
base on Article 6.1.f of the GDPR in order to be able to support the litigation pending and parallel to this
procedure, and this only for the data necessary for this purpose.
45. In the present case, the substantive dispute between the parties has its source in the transfer of the shares
from the Complainant to the Respondent, dated May 29, 2020. The Complainant submits that the grievances
the defendant accusing him dates back to November 2017.
same and in parallel with his personal data dating back to a period of five years
could be processed by the defendant on the basis of the legitimate interest related to the defense in
justice of it. The defendant nevertheless refused to comply with the request of the
complainant to process only his personal data older than five years. Bedroom
Litigation follows the complainant in his assertion that a limit should be placed
temporal to the period of time in which the defendant can rely on the interest
legitimate defense in court, justifying only necessary data processing and
proportionate to the exercise of this defense in court. The time limit of 5 years
11 See also CNIL thematic sheet, “IT tools at work”,
https://www.cnil.fr/sites/default/files/atoms/files/_travail-vie_privee_outils_informatiques_travail.pdf
1Complainant's submissions p 8, Decision on the merits 46/2022 - 11/28
earlier, corresponding to the prescription of the plaintiff's liability as
director therefore agrees to be retained.
46. It remains that this data processing must also (to correspond to the conditions
necessity and proportionality) fit in a relevant and proportionate manner with the purpose
precisely identified of this legitimate interest, namely the defense in court with regard to the dispute
concerning. It is therefore still necessary to ensure that the requirements of the weighting test are
encountered.
47. In this regard, the Litigation Chamber considers that the complainant can be followed in his argument
according to which the defendant did not realize a balance of interest before proceeding with the treatment
in dispute insofar as the facts show that it refused the plaintiff's proposal to
not to carry out the complete restoration, but to involve a third party with whom the
plaintiff could proceed, in the presence of the defendant, to a sorting of the relevant emails. In
in other words, less invasive measures than restoring all the mailboxes of the
complainant, both private and professional, would have been possible. The defendant has
elsewhere proceeded, as a first step, to the analysis of all its mailboxes (private and
professionals) despite the opposition of the complainant. She only pledged to stop dealing
actively the complainant's private mailboxes, and not to analyze emails from
these private boxes present on the professional boxes only at the complainant's insistence.
48. In its submissions in reply, the defendant argues in this regard that the balance of interests
to which the complainant refers may be detailed when information is requested.
According to her, the GDPR does not require, “in its text, to detail for each transaction of
treatment for which a balance of interests is desired, to document this balance
of interest". The defendant does not submit any provision on which it would rely to
justify this assertion. It cannot be followed up in this respect, since this balanced interest
must at the very least emerge from the history of the exchanges between the parties, which is not
the case here.
49. The conditions linked to the aforementioned weighting test are therefore not met in the
head of the defendant.
50. The European Court of Human Rights (ECHR hereafter) has also expressed its opinion on the
subject of an employer's surveillance of the electronic communications of its employees
in the case of Barbulescu v. Romania, concerning the decision of a private company to put
termination of an employee's employment contract after monitoring their electronic communications and
have had access to their content.
51. The Court concluded that the Romanian courts failed to verify whether Mr Bărbulescu had been
previously informed by his employer of the possibility that his communications may be
1Additional conclusions and summary p16, Decision on the merits 46/2022 - 12/28
monitored. They also failed to take into account the fact that he had not been informed or the nature
neither of the extent of this surveillance nor, in particular, of the possibility that his employer
access to the actual content of his messages. Moreover, the national courts have not
determined, first, what specific reasons had justified the establishment of
monitoring measures, secondly, whether the employer could have made use of less
intrusive for Mr. Bărbulescu's private life and correspondence and, thirdly, if access
to the content of the communications had been possible without his knowledge. 14
52. In its Grand Chamber judgment, the ECHR indicates that the Romanian authorities did not
struck a fair balance between the right to respect for private and family life, the home and
the complainant's correspondence and the interests of his former employer, and finds a violation
of Article 8 of the European Convention on Human Rights.
53. It is clear from this judgment that when an employer takes measures to monitor the
communications from its employees, these measures must be accompanied by safeguards
adequate and sufficient against abuse, including the use of the least intrusive measures
possible (including direct access to the content of employee communications) . 15
54. In the present case, the Litigation Chamber notes that the defendant rejected the
proposal by the complainant to carry out an examination together with a third of the emails, and not
proposed an alternative less intrusive measure than the processing of all the emails of the
complainant (and their content). In this way, without further examining the other criteria
retained by the ECHR to assess whether there has been a balance of interests, the defendant therefore places itself in
failure to comply with the aforementioned ECHR case law.
55. The Litigation Chamber concludes in view of the foregoing and in accordance with the
above-mentioned case law of both the CJEU and the ECHR, that the defendant could not
base the processing of data referred to in the complaint and older than five years on its
legitimate interest of the defense in court, in the absence of such processing being necessary for the
meaning of Article 6.1. f) of the GDPR. This legitimate interest nevertheless constitutes a basis of lawfulness
for the complainant's personal data relating to the period prior to five years.
56. For information purposes, the Litigation Division points out that it previously ruled on the
processing of email boxes when an employee leaves. She has thus already recalled “that in the event of
departure from the organization, the employer must delete the e-mail addresses when these
constitute personal data, after having informed their holders and third parties of the
email closing date. This obligation is also intended to allow
1Questions and Answers, Grand Chamber Judgment in the case of Bărbulescu v. Romania, (application no. 61496/08)
15
Case of Bărbulescu v. Romania, application no. 61496/08, 05 September 2017, §136, available via
https://hudoc.echr.coe.int/fre#{%22itemid%22:[%22001-177083%22]}:“136.
Court of Appeal did not sufficiently examine the question of whether the aim pursued by the employer could have been
achieved by less intrusive methods than access to the actual content of the applicant's communications. », Decision on the merits 46/2022 - 13/28
holders to sort and transfer any private messages to their mailbox
personal.
In the same way that it must be left to the person concerned to resume its effects
personal, it should be left to him to resume or delete his communications
electronic mail of a private nature before his departure. Similarly, if part of the content of its
messaging must be retrieved to ensure the smooth running of the business (as
advanced by the defendant in this case), this must be done before his departure and in his
presence. In the event of a contentious situation, the intervention of a trusted person is
16
recommended. The assumption of resignation or dismissal or any other form of
cessation of activity and its consequences should be regulated in an internal Charter
17
relating to the use of IT tools. »
57. Although at the initiative of both parties, these principles can no longer be applied in the case
case, the Litigation Chamber recommends that the defendant set up such a
Charter to prevent the repetition of similar situations in the future. The establishment of a
charter regulating the conditions under which an employer can consult the mailboxes
professional or monitor the computer tools of its employees, takes over the necessary
compliance with the case-law lessons set out above, by offering adequate guarantees and
sufficient against abuse (in particular by warning employees of possible measures of
control) and respecting the principle of proportionality is recommended by the Chamber
Litigation more generally.
II.1.5. As for the legitimate interest linked to the potential questioning of the liability of the
complainant in his capacity as a former director of a defendant company
58. The defendant indicates in its pleadings that it reserves the right to initiate the
responsibility of the plaintiff for some of the acts (communication of false information)
that he posed as administrator of Y.
59. The Litigation Division refers in this respect to recital 47 of the GDPR which states that the
processing of personal data strictly necessary for prevention purposes
fraud constitutes a legitimate interest of the data controller concerned.
60. The Chamber has previously held that, depending on the case, the purpose of preventing abuse
and fraud may constitute a basis of legitimate interest, in compliance with the triple test of
CJEU (see above). In this context, if it is established that the processing of personal data
16For several years now, the Commission for the Protection of Privacy, which the APD succeeded, had made available to
available to employers a legal notice on its website
https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/note-juridique-e-mails-employes-
absents_0.pdf as well as FAQs: https://www.autoriteprotectiondonnees.be/faq-themas/acc%C3%A8s-aux-e-mails-
demploy%C3%A9s-absentslicenci%C3%A9s relating to this theme of closing e-mail addresses in the event
of departure/termination of function in particular.
1Decision 64/2020 of 29 September 2020, points 39-40, pages 12-13
18
See decision 24/2020 of May 14, 2020, Decision on the merits 46/2022 - 14/28
personalforthispurposeisnecessaryforthepurposesofthelegitimateinterestofthedefendantandthatthis
interest prevails over the complainant's interest in the protection of his personal data,
the processing must be considered to have a basis of lawfulness.
61. In accordance with this position, in view of the fact that the defendant criticizes the plaintiff in the
dispute before the Court of First Instance already during the communication of information
truncated and/or false, the Litigation Chamber considers the potential questioning of the
liability of the plaintiff in his capacity as a former director as a legitimate interest in the
head of the defendant (for the processing of personal data relating to the five
recent years only).
II.1.6. As for the legitimate interest linked to the potential filing of a criminal complaint with constitution of
civil party by the defendant against the plaintiff for breaches that it qualifies
serious
62. The defendant also indicates in its pleadings that it reserves the right to
file a criminal complaint with civil action by the defendant against the
plaintiff for breaches classified as serious (abuse of the company's credit card).
63. The Litigation Chamber refers in this regard to recital 47 of the GDPR which states that the
processing of personal data strictly necessary for prevention purposes
abuse and fraud constitutes a legitimate interest of the controller concerned.
64. The Chamber has previously held that, depending on the case, the purpose of preventing abuse
and fraud may constitute a basis of legitimate interest, in compliance with the triple test of
CJEU (see above). In this context, if it is established that the processing of personal data
personnel for this purpose is necessary for the purposes of the legitimate interest of the defendant and that this
interest prevails over the complainant's interest in the protection of his personal data,
the processing must be considered to have a basis of lawfulness.
65. In accordance with this position, in view of the fact that the defendant criticizes the plaintiff in the
dispute before the Court of First Instance already during the communication of information
truncated and/or false, and that she also accuses him of misusing the company's credit card
under his mandate as administrator, the Litigation Chamber considers the potential filing of
criminal complaint with civil action by the defendant against the plaintiff for
breaches qualified as serious as a legitimate interest on the part of the defendant
(for the processing relating to the complainant's personal data for the last five
years only).
II.1.7. Concerning the continuity of the defendant's services
66. As indicated above, the Complainant may be followed in his reasoning as appropriate
to place a time limit on the period during which the legal defense can establish
1See Decision 24/2020 of May 14, 2020, Decision on the merits 46/2022 - 15/28
the legitimate interest of the defendant, and thus constitute the basis for the lawfulness of the disputed processing.
The complainant understands in his conclusions that the need to ensure the continuity of his
services by the defendant may constitute a basis for the lawfulness of the treatment, but only
for data dating back to two accounting years, i.e. for data
prior to January 1, 2017.
67. For the sake of consistency, insofar as the limit is placed (by the complainant himself) at the
last five years for the legitimate interest of the defendant's legal defense, this
same limit is retained concerning the legitimate interest of the continuity of the services of the
defendant (instead of the two accounting years reducing the period of treatment to the
January 1, 2017 as claimed by the complainant).
68. As indicated above, in the absence of a basis of lawfulness, the Litigation Chamber concludes that
article 5.1.a. of the GDPR combined with article 6 of the GDPR have not been complied with with regard to
the processing of data older than five years. Conversely, with regard to
personal data of the complainant more recent than five years, the legitimate interest constitutes
a basis of lawfulness.
3- On the failure to provide information (Articles 13 of the GDPR, combined with Article
12 GDPR)
69. Pursuant to Articles 13 and 14 of the GDPR, any person whose personal data
personal are processed must, depending on whether the data is collected directly from it or
with third parties, to be informed of the elements listed in these articles (§§ 1 and 2). In case of collection
direct data from the person concerned, the latter will be informed of both the elements
listed in paragraph 1 and in paragraph 2 of Article 13 of the GDPR, namely: the identity and
contact details of the data controller as well as the contact details of the data protection officer
possible data protection, the purposes of the processing as well as the legal basis for
the latter (when the processing is based on the legitimate interest of the data controller, this
interest must be specified), recipients or categories of recipients of the processing,
the intention of the controller to transfer the data outside the Economic Area
European Union, the duration of data retention, the rights conferred on it by the GDPR in this
including the right to withdraw consent at any time and the right to lodge a complaint
with the data protection supervisory authority (in this case the DPA), information
whether the requirement to provide personal data has a
regulatory or contractual nature and the consequences of their non-provision as well as of
the existence of automated decision-making including profiling, referred to in Article 22 of the
GDPR. Article 14.1 and 14.2 list elements that are similar taking into account however that
the hypothesis referred to in article 14 of the GDPR is that where data is not collected
directly with the person concerned but also with third parties. This information is,
2 Complainant's main submissions p18-19, Decision on the merits 46/2022 - 16/28
whether on the basis of Article 13 or Article 14 of the GDPR to be provided to the data subject
in accordance with the terms set out in Article 12 of the GDPR.
70. The Litigation Chamber recalls that an essential aspect of the principle of transparency
light to Articles 12, 13 and 14 of the GDPR is that the data subject should be able
to determine in advance what the scope and the consequences of the processing encompass, in order to
not be caught off guard at a later stage as to how their personal data
staff were used. The information should be concrete and reliable, it does not
should not be formulated in abstract or ambiguous terms or leave room for
different interpretations. More specifically, the purposes and legal bases of the
processing of personal data should be clear.
71. Article 12.3 of the GDPR imposes information on the data subject within a maximum period
of three months. The complainant asked for the first time on February 26, 2020 to the
defendant to send it the information under Article 14 of the GDPR. Bedroom
Litigation notes here that Article 14 of the GDPR is applicable in the event of indirect collection of
personal data. In the present case, although the complainant's conclusions repeat
Article 14 in this respect, insofar as the complainant's data were collected in the
framework of his employment contract with the defendant, Article 13 GDPR is applicable.
72. It appears from the facts that the Respondent merely sent the Complainant a list of
personal data concerning him that it holds, by letter dated June 15, 2020 (exhibit
11 of the complainant), without including all the other information required under Article
13 GDPR. Nevertheless, Article 13.4 of the GDPR dispenses with the need to communicate the
information under points 1 to 3 of the same article if the person concerned already had
these informations. The document sent by the defendant to the plaintiff does not indicate the duration
retention of data (important aspect in the dispute between the parties), or
the existence of the right to request access, rectification or erasure of the same, or a
limitation of processing, nor does it mention the right to object to processing, or the right
to lodge a complaint with the supervisory authority. Nevertheless, it is reasonable to
assume that the complainant was not unaware of this information, given his former functions
of administrator. The element of information under Article 13 of the GDPR particularly
relevant to the case in hand and absent in the document is therefore the retention period of the
data processed by the defendant. Although this element constitutes a central point in the
present dispute and in the plaintiff's claims, it is also necessary to take into account the
difficulty for the defendant to estimate the time that the resolution of the dispute will take during
before the courts of the judicial order, duration during which it is entitled to keep the
data (more recent than five years).
73. In these circumstances, it cannot be concluded that there is a breach of Article 13 of the GDPR., Decision on the merits 46/2022 - 17/28
III. As for the communication of the subcontract between the defendant and its
subcontracting
74. Article 28.3 of the GDPR states:
“Processing by a processor is governed by a contract or other legal act
under Union law or the law of a Member State, which binds the processor with regard to
of the controller, defines the purpose and duration of the processing, the nature and
purpose of the processing, the type of personal data and the categories of
data subjects, and the obligations and rights of the controller.
This contract or other legal act provides, in particular, that the subcontractor:
a) only processes personal data on documented instructions from the
data controller, including with regard to data transfers
of a personal nature to a third country or to an international organisation,
unless required to do so under Union or State law
member to which the subcontractor is subject; in this case, the subcontractor informs the
controller of this legal obligation prior to processing, unless
the law concerned prohibits such information for important reasons of interest
audience;
b) ensures that the persons authorized to process the personal data
personnel undertake to respect confidentiality or are subject to a
appropriate legal duty of confidentiality;
(c) take all measures required under Article 32;
(d) complies with the conditions referred to in paragraphs 2 and 4 to recruit another
subcontracting;
(e) take into account the nature of the processing, assist the controller, for
appropriate technical and organizational measures, to the fullest extent
possible, to fulfill its obligation to respond to the requests of which
the persons concerned seize it in order to exercise their rights provided for in
Chapter III;
f) assists the data controller in ensuring compliance with the obligations laid down
in Articles 32 to 36, taking into account the nature of the processing and the information to be
the disposition of the subcontractor;
g) at the choice of the data controller, delete all data to be
personal nature or returns them to the controller at the end of the
provision of services relating to the processing, and destroys the existing copies,
unless Union law or Member State law requires the retention
personal data; and, Decision on the Merits 46/2022 - 18/28
h) make available to the controller all information
necessary to demonstrate compliance with the obligations provided for in this article
and to enable audits, including inspections, to be carried out by the
controller or another auditor appointed by him, and contribute to
these audits.
With regard to point h) of the first paragraph, the processor shall inform
the data controller immediately if, in his opinion, an instruction constitutes a
breach of this Regulation or of other provisions of Union law or of the law
Member States relating to data protection. »
75. Article 4.8 of the GDPR defines a processor as follows:
“the natural or legal person, public authority, agency or other body
who processes personal data on behalf of the data controller
treatment; »
76. It is not disputed by the defendant that the V having carried out the restoration of the data
is a third party, and that it acted as a subcontractor. Furthermore, the defendant
acknowledges the absence of a contract binding it to this subcontractor. She justifies this in her conclusions
by arguing that the subcontractor “did not process personal information, but
restored the data deleted by M.X, without examining the content of this data and without
perform a sorting that it was not for him to perform”. The defendant adds that the sub-
handler "did not access the mailbox before retrieving the items
deleted (…) did not recover deleted items from Mr. X's email (after
request of Y), no action has been taken (…)”, and that he “did not read Mr.
23
X”.
77. The Litigation Chamber finds that this constitutes an erroneous reading of the notion
of “processing”, as set out in article 4.2 of the GDPR:
“anyoperationoranysetofoperationsperformedornotusingprocedures
automated and applied to personal data or sets of data
personnel, such as collecting, recording, organizing, structuring,
storage, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of posting
provision, reconciliation or interconnection, limitation, erasure or
destruction;".
78. It is also not disputed that the emails contained in the electronic mailboxes
(professional and/or private) constitute personal data.
2It thus indicates in its summary conclusions p8 that the subcontractor is “a third-party service provider”
2Summary conclusions of the defendant p17
2Ibid. p18, Decision on the merits 46/2022 - 19/28
personal data relating to the complainant therefore constitutes processing
personal data within the meaning of the GDPR.
79. The fact that this data has been encrypted as part of the processing by the processor of the
defendant, and that only the defendant can decrypt them (as his counsel indicates in a
mail of May 4, 2021), does not modify the nature of this conclusion, since although encrypted,
these data remain personal data of the complainant, and that the processing remains. In
effect, to the extent that pseudonymised 24 or encrypted data may allow
the identification of a person via additional information, in particular via the key of
encryption (held in the present case by the defendant), encrypted data constitute
indeed personal data within the meaning of article 4.1 of the GDPR.
80. The defendant therefore demonstrates a breach of Article 28.3 of the GDPR.
IV. As to the plaintiff's requests for the exercise of his rights
IV.1. On the defendant's breach of its obligation to follow up on the exercise of the
complainant's right of access (Article 15 of the GDPR) in accordance with the terms of Article
12 GDPR
81. As indicated above, in its capacity as data controller, the defendant is required to
comply with data protection principles and must be able to demonstrate that
these are respected. It must also implement all the measures necessary to
this purpose (principle of responsibility – articles 5.2. and 24 of the GDPR).
24
Article 4.5 of the GDPR defines the notion of pseudonymisation as follows:
“the processing of personal data in such a way that these movies can no longer be attributed to a person
data subject without having recourse to additional information, provided that this information
additional data are kept separately and subject to technical and organizational measures in order to
guarantee that the personal data is not attributed to an identified or identifiable natural person”
Recital 26 of the GDPR similarly states:
“The principles of data protection should apply to any information relating to a person
identified or identifiable physical. Personal data which has been pseudonymised and which
could be attributed to a natural person through the use of additional information should be
considered to be information relating to an identifiable natural person. To determine if a person
is identifiable, consideration should be given to all reasonably likely means
to be used by the controller or any other person to identify the natural person
directly or indirectly, such as targeting. To establish whether means are reasonably likely to be
used to identify a natural person, all of the objective factors should be taken into consideration, such as
than the cost of identification and the time required for it, taking into account the technologies available at the time
their treatment and evolution. »
25
See on this subject the Breyer judgment of the ECHR, Case C‑582/14, 19 October 2016, § 49, Decision on the merits 46/2022 - 20/28
82. As a preliminary point, the Chamber recalls that the right of access is one of the foundations of the right to
data protection, it constitutes the “front door” which allows the exercise of other rights
that the GDPR confers on the person concerned, such right to rectification, the right to erasure,
to limitation or limitation.
83. Pursuant to Article 15.1 of the GDPR, the data subject has the right to obtain from the controller
of processing the confirmation that personal data concerning him are or are not
are not processed. When this is the case, the data subject has the right to obtain access to the
said personal data as well as a series of information listed in article 15.1 a) -
h) such as the purpose of the processing of its data, the duration of data storage, the
potential recipients of its data as well as information relating to the existence of its
rightsincludingthatofrequestingthecorrectionorerasureofitsdataorthatof
lodge a complaint with the DPA.
84. Pursuant to Article 15.3 of the GDPR, the data subject also has the right to obtain
copy of the personal data which is the subject of the processing. Article 15.4 of the GDPR
provides that this right to copy may not infringe the rights and freedoms of others.
85. Article 12 of the GDPR relating to the procedures for exercising their rights by persons
concerned provides in particular that the controller must facilitate
the exercise of his rights by the person concerned (article 12.2 of the GDPR) and provide him with
information on the measures taken following his request as soon as possible and no later than
later within one month of their request (Article 12.3 of the GDPR). This deadline may
special circumstances, be extended to three months (Article 12.3 of the GDPR). When the
controller does not intend to respond to the request, he must notify his
refusal within one month accompanied by the information that an appeal against this
refusal can be lodged with the data protection supervisory authority (12.4 of the
GDPR).
86. On March 16, 2020, the plaintiff exercised his right of access and copy with the defendant.
She replied on April 7, 2020 that she would be unable to comply with his request within the
one-month delay due to the complexity of the request and difficult working circumstances
related to the health crisis, but has undertaken to do so within three months.
87. On June 15, 2020, the day before the expiry of the three-month period, the defendant sent the
complainant a list of personal data about him that she holds.
double failure to provide it with the information required under Article 15.1 a) to f) (including
the retention period of the data), and does not send him a copy of this data.
88. The defendant relies in this regard on the argument that, in its letter of March 16
requesting the application of Article 15 of the GDPR, the complainant would have limited himself to requesting access
and not the copy, because the letter only refers to article 15.1 and not 15.3 (copy part of the right
access)., Decision on the merits 46/2022 - 21/28
89. The Litigation Chamber cannot subscribe to this reasoning, inasmuch as although said
courier expressly refers only to article 15.1 and not to 15.3, the term “copy” (“copy” in
the mail in English) is explicitly mentioned twice (complainant's exhibit 7):
90. The Litigation Chamber can therefore only find a breach of Article 15.1, prosecution
incomplete to the Complainant's right of access request, and a breach of Section 15.3 for
refusal to follow up on the copy part of the right of access.
IV.2. On the defendant's breach of its obligation to follow up on the exercise of the
the complainant's right to erasure (Article 17 of the GDPR), the right to restriction (Article 18
GDPR), as well as the right of opposition (Article 21 GDPR)
91. Article 17 of the GDPR states:
1. “The data subject has the right to obtain from the controller the erasure, in
as soon as possible, of personal data concerning him and the person responsible for the
processing has the obligation to erase this personal data as soon as possible,
when one of the following grounds applies:
a) the personal data is no longer necessary in relation to the purposes for
which it was collected or otherwise processed;
b) the data subject withdraws the consent on which the processing is based,
in accordance with point (a) of Article 6(1) or point (a) of Article 9(2), and
there is no other legal basis for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and he
there are no overriding legitimate grounds for the processing, or the data subject
objects to the processing pursuant to Article 21(2);
d) the personal data has been unlawfully processed;
e) the personal data must be erased to comply with an obligation
which is provided for by Union law or by the law of the Member State to which the
controller is subject;
f) the personal data was collected in the context of the service offer
of the information society referred to in Article 8(1).
2. When he has made the personal data public and is required to delete them in
pursuant to paragraph 1, the controller, taking into account the technologies
available and the costs of implementation, take reasonable measures, including order
technical, to inform the data controllers who process this personal data, Decision on the merits 46/2022 - 22/28
personal data that the data subject has requested the erasure by those responsible for the
processing of any link to such personal data, or any copy or
reproduction of these.
3. Paragraphs 1 and 2 do not apply insofar as this processing is necessary:
(a) the exercise of the right to freedom of expression and information;
b) to comply with a legal obligation which requires the processing provided for by the law of
the Union or by the law of the Member State to which the controller is subject,
or to perform a task in the public interest or in the exercise of authority
authority vested in the controller;
c) for reasons of public interest in the field of public health, in accordance with
Article 9, paragraph 2, points h) and i), as well as Article 9, paragraph 3;
(d) for archival purposes in the public interest, for the purposes of scientific research or
historical or statistical purposes in accordance with Article 89(1) in the
extent to which the right referred to in paragraph 1 is likely to render impossible or
seriously impair the achievement of the objectives of that processing; Where
e) the establishment, exercise or defense of legal claims. »
92. Recital 65 of the GDPR also includes the exception of legal defense as set out
provided for in Article 17.3.e of the GDPR to the right to erasure.
93. As indicated above, the Litigation Chamber considers that in view of the dispute pending before the
jurisdictions of the judicial order, and a fortiori insofar as this is linked to exchanges
of information (and emails) between the plaintiff, the defendant, and third parties, the legitimate interest
for defense in court constitutes a basis of valid lawfulness in the head of the
defendant, for data more recent than five years, from the start of the disputed processing.
For data after this date, the defendant cannot rely on the interest
legitimate (see section 2.1.3 above) as the basis for the disputed processing.
94. In all consistency, the exception to the right to erasure set out in Article 17.3.e of the GDPR (the
defense of rights in court) is applicable to the case in question, according to the same time criterion.
95. There is therefore no breach by the defendant of Article 17 of the GDPR with regard to
the processing of data five years prior to the processing, but concerning the
data after this date.
96. Insofar as Articles 18.2 (right to limitation) and 21.1 (right to object) take up
exception of legal defense, the same reasoning applies to the claim
exercise of its right of limitation and opposition by the complainant.
97. There is therefore no breach by the defendant of Article 18 of the GDPR and 21 of the GDPR
which concerns the processing of data five years prior to the processing, but
regarding data after that date., Decision on the merits 46/2022 - 23/28
V. Corrective Measures and Sanctions
98. Under Article 100 LCA, the Litigation Chamber has the power to:
1° dismiss the complaint without follow-up;
2° order the dismissal;
3° order a suspension of the pronouncement;
4° to propose a transaction;
5° issue warnings or reprimands;
6° order to comply with requests from the data subject to exercise these rights;
(7) order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of processing;
9° order the processing to be brought into conformity;
10° order the rectification, restriction or erasure of the data and the notification of
these to the recipients of the data;
11° order the withdrawal of accreditation from certification bodies;
12° to issue periodic penalty payments;
13° to impose administrative fines;
14° order the suspension of cross-border data flows to another State or a
international body;
15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up
data on file;
16° decide on a case-by-case basis to publish its decisions on the website of the Protection Authority
Datas.
99. As to the administrative fine which may be imposed pursuant to Article 83 of the GDPR
and articles 100, 13° and 101 LCA, article 83 of the GDPR provides:
1. “Each supervisory authority shall ensure that the administrative fines imposed in
under this article for violations of this Regulation, referred to in paragraphs
4, 5 and 6 are, in each case, effective, proportionate and dissuasive.
2. Depending on the specific characteristics of each case, the administrative fines are
imposed in addition to or instead of the measures referred to in Article 58(2),
points a) to h), and j). To decide whether to impose an administrative fine and to
decide on the amount of the administrative fine, due account shall be taken, in each
case in point, of the following elements:
(a) the nature, gravity and duration of the breach, taking into account the nature, scope
or the purpose of the processing concerned, as well as the number of data subjects
affected and the level of damage they suffered;
(b) whether the breach was committed willfully or negligently;, Decision on the Merits 46/2022 - 24/28
c) any action taken by the controller or processor to mitigate
the damage suffered by the persons concerned;
d) the degree of responsibility of the controller or processor, account
given the technical and organizational measures they have implemented pursuant to
sections 25 and 32;
e) any relevant breach previously committed by the controller
or the subcontractor;
(f) the degree of cooperation established with the supervisory authority with a view to remedying the
breach and to mitigate any adverse effects thereof;
(g) the categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the breach, in particular whether,
and the extent to which the controller or processor notified the
breach;
(i) where measures referred to in Article 58(2) have previously been
ordered against the controller or processor concerned for
the same object, compliance with these measures;
(j) the application of codes of conduct approved pursuant to Article 40 or
certification mechanisms approved under section 42; and
k) any other aggravating or mitigating circumstance applicable to the circumstances of
the species, such as the financial advantages obtained or the losses avoided, directly
or indirectly, by reason of the breach”.
100. It is important to contextualize the breaches of these articles in order to identify the measures
most suitable correctives. In this context, the Litigation Chamber will take into account
all the circumstances of the case, including - within the limits it specifies below
after the reaction communicated by the defendant, the amount of the fine envisaged
has been communicated (see retroacts of the procedure). In this regard, the Litigation Chamber
specifies that said form expressly mentions that it does not imply the reopening of
debates. Its sole purpose is to obtain the reaction of the defendant on the amount of
the proposed fine.
101. The Litigation Division also wishes to specify that it is sovereignly incumbent upon it
quality of independent administrative authority - in compliance with the relevant articles of the GDPR
and the ACL - to determine the appropriate corrective action(s) and sanction(s).
102. Thus, it is not for the plaintiff to ask the Litigation Chamber to order
such or any remedy or sanction. If, notwithstanding the foregoing, the Complainant should
nevertheless ask the Litigation Chamber to pronounce one or the other measure and/or
sanction, it is therefore not incumbent on the latter to justify why it would not retain
any request made by the complainant. These considerations leave intact
the obligation for the Litigation Chamber to justify the choice of measures and sanctions, Decision on the merits 46/2022 - 25/28
which it deems, (among the list of measures and sanctions made available to it by the
articles 58 of the GDPR and 95.1 and 100.1 of the LCA) appropriate to condemn the party in question.
103. In the present case, the Litigation Chamber notes that the Complainant requested in particular from the Chamber
Litigation that it sanctions the defendant for its failure to respond to its requests
to exercise their rights. He also requests that the Chamber issue an injunction to the
defendant, on two counts. First, he asks for an injunction to stop the treatment
personal data concerning him older than 5 years (and even more recent if the
Chamber had to conclude that there was no basis of lawfulness for these as well), as well as
their deletion. Next, the plaintiff seeks an injunction on the defendant to do
following requests to exercise its various rights. Finally, he asks for confirmation that the
defendant cannot validly rely on Article 6.1.f (legitimate interest) to found the
contentious treatments, regardless of time at the very least.
V.1. As for the shortcomings
104. The Litigation Chamber found a breach of Articles 5.1.a combined with Article 6.1.f
of the GDPR, due to the partial absence of a legal basis for processing. She also noted a
breach of Article 15 (right of access and copying), 17 (right to erasure), 18 (right to
limitation), and 21 (right to object). Finally, article 28 has also been violated (in the absence of a contract
between the defendant and its subcontractor).
105. It appears from the complainant's conclusions that the defendant undertook, at the insistence of the
complainant, not to analyze the personal data of the complainant found in his boxes
private emails, as well as to cease all active processing of private emails found during the analysis
professional mailboxes .26
106. The Litigation Chamber also notes that the defendant indicates in its submissions
be prepared to delete the emails relating to the private mailboxes of the complainant, provided
27
that the emails in question do not interfere with his right of defense in court. However, in view
numerous shortcomings on the part of the defendant, the Litigation Chamber is
of the opinion that this concession is not sufficient to justify an absence of sanctions.
107. Accordingly, the Litigation Chamber orders the defendant:
- to comply with the complainant's requests to exercise his rights to the extent
explained above
- to put in place a charter as set out in point 56
26
Complainant's conclusions p.5
27 Respondent's summary submissions p.17, Decision on the merits 46/2022 - 26/28
- to cease the processing of personal data relating to the older complainant
only 5 years
108. In addition to this compliance order, the Litigation Division is of the opinion that, in addition,
an administrative fine is in this case justified for the reasons below, reasons analyzed on
basis of article 83.2 GDPR and in accordance with the recent teaching of the Court of Markets.
109. The rights of data subjects are part of the essence of the GDPR and violations of these
rights are punished with the highest fines, in accordance with Article 83.5 GDPR. In this
spirit, serious breaches of the rights of the persons concerned must be sanctioned
proportionally high fines, depending on the circumstances of the case. In this
In this regard, reference may be made to the Group Guidelines 29 on the application and setting of
administrative fines, according to which:
“Fines are an important tool that enforcement authorities should use
in the appropriate circumstances. Supervisors are encouraged to adopt
a well-considered and balanced approach when applying measures
remedies in order to react to the violation in a manner that is both effective and dissuasive
proportionate. This is not to see fines as a last resort or to
fear of imposing them, but, on the other hand, they should not be used
such that their effectiveness would be reduced. »
110. Insubparagrapha),Article83.2.concerns“thenature,seriousnessanddurationoftheviolation,
taking into account the nature, scope or purpose of the processing concerned, as well as the number of
data subjects affected and the level of harm they have suffered”. In the case
In this case, the Litigation Chamber notes that the principles of legality and minimization
(articles 5.1.a and 5.1.c GDPR) that the right of access (article 15), erasure (article 17),
limitation (article 18) and opposition (article 21) are essential principles of the regime of
GDPR protection. The principle of liability set out in Article 5.2. of
GDPR and developed in article 24 is also at the heart of the GDPR and reflects the change of
paradigm brought about by it, i.e. a changeover from a regime that was based on
prior declarations and authorizations from the supervisory authority towards greater
accountabilityandresponsibilityoftheprocessor.Compliancewithitsobligations
by the latter and its ability to demonstrate it are therefore all the more important. The
breaches of these principles constitute serious breaches.
28 GDPR also constitutes a serious violation.
111. With regard more specifically to the nature of the data, although it is not clear
of the submissions filed (to the extent that the parties contradict each other on this subject and
lack of evidence) whether the defendant restored the mailboxes, both private and
Complainant's professional interests, the Chamber notes that the Respondent acknowledges at the very least, Decision on the Merits 46/2022 - 27/28
have also processed (restored) the private emails on the complainant contained in its boxes
professionals.
112. With regard to the duration and scope of the impugned processing, the Chamber notes that the
defendant proceeded from the outset and deliberately (art 83.2.b GDPR) to restore the
complainant's emails without any time limit, despite the latter's opposition and his
request to place a limit of 5 years.
113. The other criteria of section 83.2. of the GDPR are neither relevant nor likely to influence
the decision of the Litigation Chamber regarding the imposition of an administrative fine and its
amount.
114. Pursuant to Articles 83.4 and 83.5 GDPR, breaches of the provisions identified above
may amount to up to 20,000,000 euros or in the case of a company, up to 4% of the
total worldwide annual turnover for the previous financial year. A breach of Articles 5.1.a
combined with article 6.1.f of the GDPR, with articles 12 and 13, 15, 17, 18, and 21 and 28 GDPR is retained. the
maximum amount of the fine in the specific case, as provided for in article 83.5 is therefore
€20,000,000.
115. As regards, among other things, breaches of a fundamental right, enshrined in Article 8 of the
Charter of Fundamental Rights of the European Union, their seriousness will be assessed,
as the Litigation Chamber has already had the opportunity to point out, in support of Article 83.2.a)
of the GDPR, independently.
116. In conclusion, in view of the elements developed above specific to this case, the Chamber
Litigation considers that the aforementioned breaches justify that as a sanction
effective, proportionate and dissuasive as provided for in Article 83 of the GDPR and taking into account
assessment factors listed in Article 83.2. GDPR and the respondent's reaction to the
envisaged sanctions form, a compliance order accompanied by a fine
administrative order in the amount of 7,500 euros (article 100.1, 13° and 101 LCA) be pronounced at
against the defendant.
117. The amount of 7500 euros remains in view of these elements proportionate to the shortcomings
denounced. This amount also remains well below the maximum amount provided for by
Article 83.5 GDPR, of 20,000,000 euros (see above).
118. This amount is justified for the reasons set out above, including the fact that the defendant
immediately processed the complainant's mailboxes without any time limit.
119. The Litigation Chamber is of the opinion that a lower amount of fine would not meet,
case, the criteria required by section 83.1. of the GDPR according to which the administrative fine
must not only be proportionate, but also effective and dissuasive. These elements
constitute a specification of the general obligation of Member States under Union law, Decision on substance 46/2022 - 28/28
European Union, based on the principle of sincere cooperation (article 4.3 of the Treaty on European Union
European).
120. Given the importance of transparency regarding the decision-making process of the Chamber
Litigation and in accordance with Article 100, § 1, 16° of the LCA, this decision is
published on the website of the Data Protection Authority by deleting the data
identification of the parties, since these are neither necessary nor relevant in the context of
of the publication of this decision.
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority issues, after deliberation:
- On the basis of article 100, § 1, 9° of the LCA, a compliance order as worded
supra, including the establishment of a charter as set out in point 56
- Based on article 83 of the GDPR and articles 100, 13° and 101 of the LCA, a fine
from 7500 EUR
er
Under Article 108, § 1 of the LCA, this decision may be appealed to
of the Court of Markets within thirty days of its notification, with
the Data Protection Authority as defendant.
(Sr.) Hielke Hijmans
President of the Litigation Chamber
