APD/GBA (Belgium) - 56/2021
|APD/GBA (Belgium) - 56/2021|
|Relevant Law:||Article 4(7) GDPR|
Article 5(2) GDPR
Article 24 GDPR
Article 32 GDPR
Article 38 GDPR
|National Case Number/Name:||56/2021|
|European Case Law Identifier:||n/a|
|Original Source:||Chambre Contentieuse (in FR)|
|Initial Contributor:||Tara Taubman-Bassirian|
The Belgium DPA considered the employer responsible for failing to implement adequate security measures to control employee's unlawful access to credit data. Based on Art 32 GDPR the employer remains responsible to take the necessary measures to ensure the integrity and security of the data under their control. The employee is only controller for the exclusif processing of the data outside his professional duties. Additionally, the controller has not responded to the request of information art 15 GDPR made by the claimant. The DPA rejects the allegation of the conflict of interest between the functions of the DPO who is also the CISO as in this particular case, the DPA is satisfied by the defendant's explanation that the CISO is not responsible of any operational department.
English Summary[edit | edit source]
Facts[edit | edit source]
In the context of a divorce, Mrs X's ex-husband, employee of the Multinational Bank Y, had accessed at several occasions the credit records of his ex-wife for personal reason. Mrs X has made several complaints to the DPA. This case exclusively and initially treats of the responsibility of the employer for the unlawful data access of their employee. The bank argued the latter was the data controller based on the WP opinion : "where a natural person acting within a legal person uses data for his or her own purposes outside the scope and the possible control of the legal person's activities. In this case the natural person involved would be controller of the processing decided on, and would bear responsibility for this use of personal data. The original controller could nevertheless retain some responsibility in case the new processing occurred because of a lack of adequate security measures. ... Summarising the above reflections it can be concluded that the one liable for a data protection breach is always the controller, i.e. the legal person (company or public body) or the natural person as formally identified according to the criteria of the Directive. If a natural person working within a company or public body uses data for his or her own purposes, outside the activities of the company, this person shall be considered as a de facto controller and will be liable as such. " The court referred to the WP opinion that has since been replaced by the EDPB opinion 07/2020 "« An employee etc. who obtains access to data that he or she is not authorised to access and for other purposes than that of the employer does not fall within this category. Instead, this employee should be considered as a third party vis-à-vis the processing undertaken by the employer. Insofar as the employee processes personal data for his or her own purposes, distinct from those of his or her employer, he or she will then be considered a controller and take on all the resulting consequences and liabilities in terms of personal data processing”. The court accepted that the ex-husband who has exceeded his functions by accessing the plaintiff's credit data, should therefore be considered as an independent third party in the exclusive processing of these data. Therefore liability remains on the bank to keep data secure and control access to the credit records. Additionally, in this particular context, the DPA decided there was no conflict of interest between the functions of DPO and a non operational CISO.
Dispute[edit | edit source]
The defendant argued that : - They were not the controller in the unlawful processing for personal purposes of Mrs X's credit data by her ex husband, the bank's employee. - There is no conflict of interest between DPO functions and the CISO. - There has not been formal request art 15 GDPR.
Holding[edit | edit source]
The defendant is the data controller who has a duty to ensure the security and integrity of the data under his control based on Art 32, 5 and 24 GDPR. The bank's employee is not a separate entity and cannot be considered as the data processor acting for the controller. The measures taken since the incident remain insufficient with regard to the mass of data handled and their sensitivity. the DPA ordered an injunction to the defendant, within three months, to justify the creation of a record of access with an administrative fine of 100.000 euros.
Comment[edit | edit source]
This case relates to the UK Supreme Court Morissons case of vicarious liability where the employee was said to be the data controller of the HR data unlawfully copied and recklessly published on the net.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.