
APD/GBA (Belgium) - 64/2025

From GDPRhub
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(7) GDPR
Article 5(1)(f) GDPR
Article 24 GDPR
Article 32(1) GDPR
Article 33(1) GDPR
Type: Complaint
Outcome: Rejected
Started: 22.04.2020
Decided: 01.04.2025
Published: 01.04.2025
Fine: n/a
Parties: n/a
National Case Number/Name: 64/2025
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: claratab

The DPA held that a hospital manager who consults a subordinate's medical file in excess of their internal competences acts as the controller for this processing, not the hospital. The hospital nevertheless failed to notify the data breach to the DPA.

English Summary

Facts

The data subject worked at a hospital. On 2 March 2020, their manager consulted the data subject's medical file, outside working hours, to check whether they were in a fit state to receive the news of their termination. The hospital acted as the data controller for the medical files.

On 3 March 2020, the data subject was dismissed.

On 16 April 2020, the employer informed the data subject that their file had been consulted by their manager on 2 March 2020.

On 22 April 2020, the data subject lodged a complaint with the DPA regarding the dismissal decision.

From 4 June 2020 to 11 February 2025, the DPA carried out the proceedings and heard the parties.

Holding

The DPA dismissed the complaint for the following reasons.

Identification of the controller

The DPA recalls that the controller is defined as the entity that determines the purposes and means of the data processing (Article 4.7 GDPR).

The DPA clarifies that when an organisation's employee processes data, the processing is normally considered to take place under the organisation's authority. In this case, however, the manager unlawfully exceeded the powers given to them by defining the purpose of the processing on their own. For this reason, the DPA considered the manager to be the sole controller.

Notification of the violation to the DPA

The DPA recalls that the controller must notify the authority of any breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject (Article 33.1 GDPR). The DPA underlines that even in case of doubt, or if the controller cannot be sure that no such risk exists, the controller must notify the authority.

The DPA also recalls that a risk may arise from a loss of confidentiality, especially when the data are protected by professional secrecy and reveal the health status of the data subject (Recital 75 GDPR).

After recalling these legal provisions, the DPA points out that even though the employer is not the controller, it should still have notified the breach to the DPA (Article 33 GDPR).

Security of the personal data, technical and organisational measures

The DPA states that data must be processed in a way that guarantees their security, in particular protection against unauthorised processing (Article 5.1.f) GDPR). The DPA also underlines that the controller must take appropriate technical and organisational measures, adapted to the context, nature, scope, purposes and risks of the processing (Article 24 and Article 32.1 GDPR).

Here, the DPA indicates that a hospital processes a large amount of personal data, which calls for vigilance. In addition, the subordinate relationship between the data subject and their manager was a compelling reason not to consult the data subject's medical file. The DPA observes, however, that it is not possible to determine in advance which medical staff will have to treat a patient; this circumstance justifies the general access of the medical staff to the data subject's files.

Although the DPA finds the security measures insufficient, it highlights that these measures are designed to evolve and that the controller acted proactively.

Comment

The decision is useful for medical institutions which are facing challenges to define access to the patient’s personal data.

It also clarifies the respective roles of employers and employees in internal data breaches, in the particular circumstance where an employee exceeds their assigned tasks.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.


Litigation Division

Decision on the merits 64/2025 of April 1, 2025

File number: DOS-2020-01932

Subject: Complaint regarding a dismissal decision taken following consultation

of the complainant's medical file by her line manager

The Litigation Division of the Data Protection Authority, composed of Mr. Hielke Hijmans, President, and Messrs. Christophe Boeraeve and Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";

Having regard to the Law of December 3, 2017, establishing the Data Protection Authority (hereinafter "LCA");

Having regard to the internal regulations as approved by the House of Representatives on December 1, 2018, and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the case;

Has made the following decision concerning:

The complainant: X, represented by Mélissa Fernandez Viesca, hereinafter "the complainant"

The defendant: Association Hospitalière Y, hereinafter "the defendant"

The new internal regulations of the DPA, following the amendments made by the Law of December 25, 2023, amending the Law of December 3, 2017 establishing the Data Protection Authority (LCA), entered into force on June 1, 2024.

In accordance with Article 56 of the Law of December 25, 2023, the following applies only to complaints, mediation cases, requests, inspections, and proceedings before the Litigation Chamber initiated on or after this date: https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-des-donnees.pdf.

Cases initiated before June 1, 2024, as in this case, are subject to the provisions of the LCA as amended by the Law of December 25, 2023, and the internal regulations as they existed prior to that date.

I. Facts and Procedure

1. On April 22, 2020, the complainant filed a complaint with the Data Protection Authority against the defendant.

2. The subject of the complaint concerns a dismissal decision, which decision was allegedly based on health data relating to the complainant that was allegedly unlawfully consulted by her line manager (hereinafter referred to as "the line manager").

3. The complainant worked as an employee at the defendant's establishment.

4. On March 3, 2020, the defendant notified the complainant of the termination of their employment relationship.

5. On April 16, 2020, the defendant, in response to a request from the complainant, informed the latter that her medical records had been consulted by her line manager on March 2, 2020. According to the same registered letter, this was the only consultation carried out by her. In addition, the defendant states that it has initiated an internal investigation into this matter.

6. In her complaint form, the complainant states that she was informed of the termination of her employment contract during a meeting in which it was explained to her that one of the reasons for her dismissal concerned her health, about which her line manager had concerns. According to her, the line manager wanted to verify that her health was adequate in order to learn of her dismissal.

7. On June 4, 2020, the complaint was declared admissible by the Front Line Service on the basis of Articles 58 and 60 of the LCA and forwarded to the Litigation Division pursuant to Article 62, § 1 of the LCA.

8. On January 7, 2021, the Litigation Chamber decided, pursuant to Article 95, § 1, 1° and Article 98 of the LCA, that the case could proceed on the merits.

9. On the same date, the parties concerned were informed by registered mail of the provisions set out in Article 95, § 2 and Article 98 of the LCA. They were also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting their submissions. The deadline for receipt of the defendant's submissions in response was set for February 18, 2021, the deadline for the complainant's submissions in reply was set for March 11, 2021, and the deadline for the defendant's rejoinder was set for April 1, 2021.

10. The parties are invited to defend themselves with regard to the following complaints upheld by the Litigation Chamber:

A. As to the lawful basis of the alleged processing of personal data (potential violation of Articles 5.1.a) and 6 of the GDPR)

Taking into account the factual elements raised by the complaint, the Litigation Chamber invites the defendant to express its point of view on the following points, and invites the complainant to respond if she wishes, particularly if she has additional factual evidence to provide:

• Did the consultation by the line manager of the complainant's medical record constitute processing of personal data for which the defendant is the data controller within the meaning of Article 4.7 of the GDPR? If not, in what capacity did she consult the complainant's medical record?

• Did the defendant and/or the line manager have a valid lawful basis for consulting the complainant's medical record in accordance with Article 6 of the GDPR? Was this data processing lawful and transparent within the meaning of Article 5.1.a) of the GDPR?

B. Regarding the classification of the facts under Article 33 of the GDPR

To the extent that the reported facts (consultation of the complainant's medical records) potentially constitute a personal data breach within the meaning of Article 33 of the GDPR, did the defendant – to the extent that it is the controller of this data processing – notify the supervisory authority of the breach in accordance with Article 33.1 of the GDPR, and did it document the facts, its effects, and the measures taken to remedy them, if applicable, in accordance with Article 33.5 of the GDPR? If so, what was the outcome of the internal investigation announced by the defendant in its letter to the complainant of April 16, 2020, and what measures were taken to remedy the data breach, if applicable?

11. Still on the same date, the complainant and the defendant agreed to receive all communications related to the case electronically. The complainant pointed out some errors in the letter inviting the parties to conclude.

12. On February 17, 2021, the Litigation Division received the defendant's submissions in response.

13. On March 5, 2021, the complainant informed the Litigation Division that she had not been notified of the defendant's submissions in response.

14. On March 17, 2021, the Litigation Division set new deadlines for submissions due to the exceptional problem in notifying the complainant of the submissions. The new deadline for receipt of the complainant's reply submissions was set for April 18, 2021, and the new deadline for receipt of the defendant's rejoinder submissions was set for May 18, 2021.

15. On April 14, 2021, the Litigation Division received the complainant's reply submissions.

16. On May 17, 2021, the Litigation Division received the defendant's rejoinder submissions.

17. On September 26, 2024, the parties were informed that the hearing would take place on October 22, 2024.

18. On October 22, 2024, the parties were heard by the Litigation Division.

19. On October 25, 2024, the minutes of the hearing were submitted to the parties. The Litigation Division also requested the provision of documents to the parties.

20. On October 30, 2024, the Litigation Division received a few comments from the defendant regarding the minutes, which it included in the case file.

21. On January 6, 2025, the defendant sent the Litigation Division and the complainant the documentation relating to the technical and organizational measures that were in effect at the time of the events, as well as those currently in effect.

22. On January 27, 2025, the complainant responded to the documentation provided by the defendant.

23. On February 11, 2025, the defendant responded to the complainant's comments regarding the documentation it submitted on January 6, 2025.

II. Grounds

II.1. Identification of the data controller

II.1.1. The parties' point of view

24. The complainant identifies the defendant as the sole data controller regarding the grievances on which the parties were invited to submit their submissions,[2] namely, in summary:

• "As to the lawful basis of the alleged processing of personal data (potential violation of Articles 5.1.a) and 6 of the GDPR);

• As to the classification of the facts under Article 33 of the GDPR."

25. The defendant alleges that the complainant's line manager acted within her full autonomy when she consulted the complainant's medical records. It specifies that this consultation was not conducted in its name, and that it in no way gave instructions to the line manager in the commission of this act. Furthermore, the defendant states that the line manager acknowledged her fault as part of the internal investigation that it conducted.[3]

[2] Letter of invitation to conclude dated January 7, 2021, see point 10 of this decision.

II.1.2. The Litigation Division's assessment

26. The Litigation Division is not bound by the defendant's self-declared status. It must assess the validity of this characterization and, if necessary, dismiss it if this analysis shows that it cannot be upheld.[4]

27. The Litigation Chamber recalls that a data controller is defined as "the natural or legal person or any other entity which, alone or jointly with others, determines the purposes and means of the processing of personal data" (Art. 4.7 of the GDPR). This is an autonomous concept, specific to data protection regulations, the assessment of which must be based on the criteria it sets out: determining the purposes of the data processing in question as well as the means thereof.

28. When an employee of an organization processes personal data as part of its activities, the processing is deemed to take place under the authority of the organization. However, there are exceptional situations in which the employee may themselves define the purposes of processing personal data, thus "unlawfully exceeding the authority entrusted to them."[5] In this regard, it should be noted that it is therefore the responsibility of the organization, as data controller, to implement appropriate technical and organizational measures.

29. In the present case, the Litigation Division takes into account the fact, firstly, that the dismissal decision was not based on information gathered during the consultation of the complainant's medical file.[6]

30. Furthermore, the Litigation Division also notes that the complainant's medical file was accessed on March 2, 2020, at around 10:50 p.m., which does not constitute normal working hours.

31. Furthermore, the line manager admitted to having wrongfully accessed the complainant's medical file, and that she had acted in this way to verify that the complainant was in a suitable state to learn of her dismissal. In this regard, the defendant initiated disciplinary proceedings against the line manager.

[3] See point 5 of this decision.
[4] See to this effect Brussels (Market Court), 8 June 2022, 2022/AR/42, p. 6.
[5] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 7 July 2021, version 2, paragraph 19, accessible via: https://www.edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_fr.pdf.
[6] See in this regard the letter of April 14, 2020, in which the defendant provides the reasons that led it to dismiss the complainant.

32. Consequently, the Litigation Chamber considers that the line manager acted as the sole data controller when consulting the complainant's medical file, and that in doing so, she exceeded the authority conferred on her by the defendant.

II.2. As for the breach of Articles 5.1.a) and 6 of the GDPR: the lack of a lawful basis for consulting the complainant's health data

II.2.1. The Parties' Points of View

33. The complainant alleges that the defendant consulted her medical records without a valid basis for lawfulness.

34. The defendant states that the consultation of the medical records itself is regrettable and has specifically initiated disciplinary proceedings against the line manager for this reason. However, the defendant claims that it is not the person responsible for this processing.

II.2.2. The Litigation Chamber's Assessment

35. It is not appropriate to examine this element, given that the processing whose lawfulness is being contested and debated was not carried out by the defendant, and that the person responsible for this processing – namely the line manager – is a third party to these proceedings.

For the remainder, the Litigation Chamber refers to paragraphs 26 to 32 of this decision.

II.3. Regarding the breach of Article 33 of the GDPR: the failure to notify the supervisory authority

II.3.1. The parties' views

36. The complainant complains of the failure to notify the DPA of the breach of her data under Article 33 of the GDPR, as well as the lack of documentation relating to said breach. In this regard, she notes in particular that the defendant does not explain the specific measures it took with regard to the line manager, nor does it further explain the implications of the disciplinary proceedings brought against the line manager. Finally, she criticizes the defendant for not having documented the data breach in accordance with Article 33.5 of the GDPR.

37. The defendant justifies the failure to notify the DPA of the complainant's personal data breach by the fact that, following a joint analysis between its DPO and its legal department, it was determined that the breach was not likely to pose a substantial risk to the complainant's rights and freedoms. Furthermore, the defendant states that it notified the complainant of this breach. It further notes that although sensitive data was accessed in an unauthorized manner, the breach was limited to the complainant, that the line manager was not motivated by malicious intent, and that the line manager was in any event subject to disciplinary proceedings.

38. The defendant adds that it documented the breach of the complainant's personal data in its incident log, in accordance with Article 33.5 of the GDPR.

39. In any event, the defendant notes that the complainant does not allege any specific risks that she could have incurred as a result of the breach of her personal data.

II.3.2. The Litigation Chamber's Assessment

40. Article 4.12 of the GDPR defines a "data breach" as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."

41. Article 33.1 of the GDPR provides that "[i]n the event of a personal data breach, the controller shall notify the supervisory authority competent in accordance with Article 55 without undue delay and, if possible, within 72 hours of becoming aware of it, unless the breach in question is not likely to result in a risk to the rights and freedoms of natural persons. Where notification to the supervisory authority is not made within 72 hours, it shall be accompanied by the reasons for the delay."[8] The fifth paragraph of this article[7] provides that "The controller shall document any personal data breach, stating the facts of the personal data breach, its effects, and the remediation measures taken. The documentation thus compiled allows the supervisory authority to verify compliance with this article."[9] In order to give effectiveness to these two provisions, the controller should also date the documentation containing this risk analysis.[10]

42. The Litigation Chamber notes that the data controller must in all circumstances notify the DPA of a personal data breach, unless it is unlikely to pose a risk to the rights and freedoms of natural persons. Furthermore, it should be understood that this notification is a matter of principle, and that failure to notify the DPA of the breach in question constitutes an exception, for which the data controller must demonstrate that the conditions for its application are actually met in a given situation. In any event, out of an abundance of caution and with a view to protecting the rights and freedoms of data subjects, a data controller should always, in case of doubt, notify the DPA of a data breach within 72 hours of becoming aware of it, even in cases where, for various reasons, the controller considers that the breach is unlikely to pose a risk to the rights and freedoms of the data subject, but that, given the circumstances of the case, the controller cannot be entirely certain.

43. The Litigation Chamber notes that the complainant's personal data was subject to unauthorized access (breach of confidentiality) by her line manager, and that, moreover, this data included health data, which is protected in particular by Article 9 of the GDPR and professional secrecy, and requires special vigilance. It adds that the defendant did not provide it with the documentation compiled in accordance with Article 33.5 of the GDPR.

44. It follows from Recital 75 of the GDPR that a risk within the meaning of Article 33 of the same Regulation may arise "in particular: [...] when the processing may give rise to discrimination, identity theft or misuse, financial loss, damage to reputation, loss of confidentiality of data protected by professional secrecy, [...] when the processing concerns personal data which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, as well as genetic data, data concerning health or data concerning a person's sex life, or data relating to criminal convictions and offenses, or related security measures;"[11]

[7] Article 33.5 of the GDPR: "The controller shall document any personal data breach, indicating the facts concerning the personal data breach, its effects, and the measures taken to remedy it. The documentation thus compiled allows the supervisory authority to verify compliance with this article."
[8] Emphasis added by the Litigation Chamber.
[9] Emphasis added by the Litigation Chamber.
[10] EDPB, Guidelines 9/2022 on the notification of personal data breaches under the GDPR, Version 2.0, adopted on 28 March 2023, paragraph 119, available at: https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202209_personal_data_breach_notification_v2.0_fr_0.pdf.
[11] Emphasis added.

45. The Litigation Chamber considers that the fact that the data breach concerned the complainant alone, that the defendant initiated disciplinary proceedings against the superior who admitted to having acted improperly, and that the latter presumably had no malicious intent when she inappropriately accessed the complainant's medical records are not sufficient in this case to discharge the defendant from its obligation to notify the supervisory authority of the data breach as it arises from the present case.

46. Indeed, although the line manager claimed to have been guided by motives that may appear laudable in the context of her inappropriate access to the complainant's medical records, the defendant could not be certain that the line manager did not make this access for hidden reasons or did not plan for further processing. In any event, certain risks have already materialized, given that the complainant has suffered a loss of control and confidentiality over data concerning her, which is protected by professional secrecy. Therefore, the above considerations relate more to the issue of the seriousness of the risks, and not to the possibility of the risks themselves. In this regard, it cannot be accepted that the complainant was the only person affected by the data breach, given that while it is admitted that the consequences of a data breach can be greater if the number of data subjects is high, it cannot be concluded that a data breach limited to a single data subject could not pose a risk to the data subject's rights and freedoms. This is clearly the case when data relating to the data subject's health is involved in the data breach, and the data controller cannot be certain of the motives that led the person who accessed the data in question to do so.

47. However, the Litigation Chamber takes into account that the events occurred around the beginning of 2020; that at that time, the GDPR had only been in force for less than two years, that the EDPB had not yet published its Guidelines 01/2021 on examples regarding the notification of personal data breaches nor its update of the WP250 Guidelines adopted on 3 October 2017 on the notification of personal data breaches under Regulation (EU) 2016/679 and Guidelines 9/2022 on the notification of personal data breaches under the GDPR, and that, more generally, the level of knowledge and practice regarding the management of personal data breaches was not at the same level as today. Consequently, the Litigation Chamber considers that, given the context of the time, the defendant could not be criticized for not having notified the DPA of the breach of the complainant's data in accordance with Article 33 of the GDPR at the time of the events.

48. The Litigation Chamber specifies, however, that the current level of knowledge and practice regarding the management of personal data breaches is at a stage such that if similar events were to occur again, the data controller could not rely on the exception provided for in Article 33 of the GDPR, and could therefore not discharge its obligation to notify the DPA in the event of a data breach on the grounds that it would not pose a risk to the rights and freedoms of the data subject.

II.4. Regarding the defendant's technical and organizational measures

49. At the end of the hearing held on October 22, 2024, the defendant was invited to provide the technical and organizational measures in effect at the time of the events concerning aspects relating to access to medical records by its staff, as well as those in effect to date. The parties were then able to meaningfully discuss this matter. The Litigation Division specifies that the parties were not invited to submit submissions regarding the defendant's technical and organizational measures in the letter it sent to them on January 7, 2021, and that the Litigation Division will therefore not make a decision regarding this matter.

II.4.1. The Parties' Points of View

50. First, the defendant notes that the technical and organizational measures have not changed since the occurrence of the events giving rise to the present case, which the complainant criticizes.

51. Regarding these measures, the defendant states that a therapeutic relationship is presumed to exist for all of its healthcare professionals. It notes that its staff is multidisciplinary, that it includes both medical and paramedical staff, and that during the course of patient care, patients may be treated by multiple practitioners. It adds that the fact that its employees are unable to obtain adequate information about patients could undermine the continuity of care. It is for this reason that the defendant claims that all medical and paramedical staff have access to the Oribase software by default, and therefore access to the medical records of all its patients. In any event, access to medical records is tracked electronically.

52. The defendant adds that these technical and organizational measures are intended to evolve. Indeed, the software it has been using since at least the occurrence of the events, namely "Oribase", will be replaced by the "Patient Portal" when it merges with two other hospitals.

53. Regarding this new software, the defendant notes several measures that will be implemented, which can be summarized as follows:

- For each access request, a warning window will appear asking the person in question whether they have a therapeutic relationship with the person whose medical record they wish to access;
- When the person seeking access to a medical record has an administrative profile, they must provide supporting documentation;
- Supporting documentation must always be provided when an employee of the defendant seeks to access a staff member's record;
- When opening a patient's record, part of the screen will provide information on the last five accesses to the same record;
- There will also be a redefinition of profiles and access to medical records.
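One way to implement the access rules listed above, as an added example written for this page (not the hospital's Oribase or Patient Portal software, and not part of the decision): a policy object enforces the therapeutic-relationship attestation, the supporting-documentation requirement for administrative profiles and for staff members' records, records every request in an audit log, and surfaces the last five accesses to a record. It goes slightly beyond the list with a detection pass over that log that flags granted accesses outside business hours or by a user who line-manages the patient, the two features of the access at issue in this case. The business hours, profile labels, identifiers and timestamps are constructed assumptions.

```python
"""Medical-record access rules with an audit trail and a detection pass.
Added illustration for this page, not the hospital's software; identifiers,
profile labels, business hours and timestamps are all constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class User:
    user_id: str
    profile: str                            # "clinical" or "administrative" (assumed labels)
    manages: frozenset[str] = frozenset()   # user_ids of direct reports (assumed HR data)


@dataclass(frozen=True)
class Patient:
    patient_id: str
    staff_user_id: str | None = None        # set when the patient is also an employee


@dataclass(frozen=True)
class AccessEvent:
    user_id: str
    patient_id: str
    at: datetime
    attested_therapeutic_link: bool
    justification: str | None
    granted: bool
    reason: str


class RecordAccessPolicy:
    """Enforces the listed rules and logs every request, granted or refused."""

    def __init__(self, business_hours: tuple[time, time] = (time(7, 0), time(20, 0))):
        self.business_hours = business_hours  # assumption: the decision states no hours
        self.log: list[AccessEvent] = []

    def request_access(self, user, patient, at, attested_therapeutic_link, justification=None):
        granted, reason = self._decide(user, patient, attested_therapeutic_link, justification)
        event = AccessEvent(user.user_id, patient.patient_id, at,
                            attested_therapeutic_link, justification, granted, reason)
        self.log.append(event)
        return event

    @staticmethod
    def _decide(user, patient, attested, justification):
        if not attested:                      # rule 1: the warning window asks for a therapeutic link
            return False, "no therapeutic relationship attested"
        if user.profile == "administrative" and not justification:   # rule 2
            return False, "administrative profile requires supporting documentation"
        if patient.staff_user_id is not None and not justification:  # rule 3
            return False, "staff member record requires supporting documentation"
        return True, "granted"

    def recent_accesses(self, patient_id, n=5):
        """Rule 4: what the record screen shows, the last n granted accesses."""
        granted = [e for e in self.log if e.patient_id == patient_id and e.granted]
        return granted[-n:]

    def suspicious_accesses(self, users, patients):
        """Detection pass (added here, not a listed measure): granted accesses outside
        business hours, or by someone who line-manages the patient, are flagged."""
        start, end = self.business_hours
        flagged = []
        for e in self.log:
            if not e.granted:
                continue
            reasons = []
            if not (start <= e.at.time() < end):
                reasons.append("outside business hours")
            staff_id = patients[e.patient_id].staff_user_id
            if staff_id is not None and staff_id in users[e.user_id].manages:
                reasons.append("requester line-manages the patient")
            if reasons:
                flagged.append((e, reasons))
        return flagged


def demo():
    """Constructed scenario mirroring the facts: a manager opens a subordinate's record at 22:50."""
    users = {
        "u-nurse": User("u-nurse", "clinical"),
        "u-manager": User("u-manager", "administrative", frozenset({"u-employee"})),
    }
    patients = {
        "p-1001": Patient("p-1001"),
        "p-2002": Patient("p-2002", staff_user_id="u-employee"),
    }
    policy = RecordAccessPolicy()
    nurse = policy.request_access(users["u-nurse"], patients["p-1001"],
                                  datetime(2020, 3, 2, 10, 15), True)
    # Without supporting documentation the manager's request is refused (rules 2 and 3).
    refused = policy.request_access(users["u-manager"], patients["p-2002"],
                                    datetime(2020, 3, 2, 22, 50), True)
    # With documentation it is granted, but the audit trail and detection pass still expose it.
    granted = policy.request_access(users["u-manager"], patients["p-2002"],
                                    datetime(2020, 3, 2, 22, 50), True, "ticket-0001 (constructed)")
    return [nurse, refused, granted], policy.recent_accesses("p-2002"), policy.suspicious_accesses(users, patients)
```

The refusal path shows what the documentation requirement buys: the access that occurred in this case would not have gone through silently. The flagged path shows why the audit trail still matters once a justification is supplied, since a self-attested therapeutic link cannot be verified at request time and the out-of-hours, manager-to-subordinate pattern is what a reviewer would want to see on the record's access screen.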

54. The defendant also shared (i) the presentation it provides each month to new employees regarding the confidentiality of medical records and the fact that employees may only consult medical records in the event of a therapeutic link, as well as (ii) mandatory e-learning training that has been in place since January 1, 2024, for all new hires. It also provides occasional awareness-raising sessions to all staff through newsletters.

55. In addition, it also shared two letters informing the recipients of their dismissal for serious misconduct, which consisted of the inappropriate consultation of medical records. The most recent letter is dated July 24, 2024.[12]

II.4.2. The Litigation Division's Assessment

56. The Litigation Division notes that the defendant processes a very large amount of health data, given that it is a hospital institution, and that this data, as stated in point 43, requires particular vigilance.

[12] Exhibits 6 and 7 of the file of documents that the defendant provided to the Litigation Division and the complainant on January 6, 2025. The Litigation Division notes that the two documents are exactly identical; however, Exhibit 6 is titled "Exhibit 6, letter of dismissal for serious misconduct dated January 24, 2022," while Exhibit 7 is titled "Exhibit 7, letter of dismissal for serious misconduct dated July 24, 2024." Furthermore, the defendant clearly refers to these two documents separately in its letters. Therefore, the Litigation Chamber considers that the fact that the two documents are identical is merely the result of a material error.

57. Article 5.1.f) of the GDPR provides that personal data must be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality)" and that, pursuant to Article 5.2 of the GDPR, data controllers must be able to demonstrate compliance with the first paragraph of Article 5 of the GDPR (principle of accountability).

58. Article 24 of the GDPR states in its first two paragraphs that: "1. Taking into account the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is carried out in accordance with this Regulation. These measures shall be reviewed and updated as necessary. 2. Where proportionate to the processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller."[13]

59. Article 32.1 of the GDPR provides that "taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing, as well as the risks, the likelihood and severity of which vary, for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (...)." The fifth paragraph of Article 32 provides that "The controller and the processor shall take measures to ensure that any natural person acting under the authority of the controller or the processor, who has access to personal data, does not process them, except on instructions from the controller, unless required to do so by Union law or the law of a Member State."[15]

60. In the present case, the Litigation Chamber notes that the complainant's medical file was consulted by her line manager without the processing being for a purpose relating to a possible diagnostic follow-up or possible therapeutic monitoring of the complainant. There is no evidence in the case file that the line manager was ever part of one of the defendant's staff groups responsible for the plaintiff's medical care, which could have demonstrated that it was medically necessary for the line manager to consult the plaintiff's medical file. Moreover, the fact that the plaintiff was in a subordinate relationship with her line manager constituted in itself a compelling reason for the latter not to consult the plaintiff's medical file, except in exceptional circumstances.

13. Emphasis added by the Litigation Chamber.

14. Emphasis added by the Litigation Chamber.

15. Emphasis added by the Litigation Chamber.

61. The Litigation Chamber therefore adds that it is possible that the technical and organizational measures in effect at the time of the events were not sufficient, especially because the inappropriate consultation of the plaintiff's medical records was only detected after the plaintiff raised the issue with the defendant.

However, the Litigation Chamber specifies that these technical and organizational measures cannot jeopardize the continuity of patient care, which could put their health at risk. Also, as the defendant alleges (see paragraph 51 of this decision), it is not always possible to determine in advance which members of a hospital's medical or paramedical staff – which is multidisciplinary – will come into contact with a patient, which justifies that all medical and paramedical staff have access to the medical records of the hospital's patients.

62. Furthermore, in a letter dated July 24, 2024,[16] the defendant set out the various instances of misconduct that led to the dismissal for serious misconduct of one of its employees. In summary, it appears that the former employee was dismissed because he inappropriately consulted several of his former colleagues' medical records. Consequently, inappropriate consultations occurred repeatedly.

63. However, the Litigation Chamber notes that, in the context of this dismissal, the defendant was this time able to become aware quickly of this inappropriate access to the medical records of staff members, and that it promptly took appropriate measures, in particular the dismissal decision. It thus acted appropriately and proactively.

64. In any event, the Litigation Chamber takes into account the fact that, as indicated by the defendant, these technical and organizational measures are intended to evolve.

III. Corrective Measures and Sanctions

65. Pursuant to Article 100, § 1 of the LCA, the Litigation Chamber has the power to:

1° Dismiss the complaint;

2° Order that the case be dismissed;

16. Exhibit 7 of the file that the defendant submitted to the Litigation Chamber and the plaintiff on January 6, 2025.

In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be filed, within thirty days of its notification, with the Cour des Marchés (Brussels Court of Appeal), with the Data Protection Authority as the defendant.

Such an appeal may be filed by means of an interlocutory application, which must contain the information listed in Article 1034ter of the Judicial Code.[17] The interlocutory application must be filed with the registry of the Cour des Marchés in accordance with Article 1034quinquies of the Judicial Code,[18] or via the Ministry of Justice's e-Deposit information system (Article 32ter of the Judicial Code).

(signed) Hielke Hijmans

President of the Litigation Chamber

17. The application must contain, under penalty of nullity:

1° the day, month, and year;
2° the applicant's surname, first name, and address, as well as, where applicable, their position and national register number or company number;
3° the surname, first name, address, and, where applicable, the position of the person to be summoned;
4° the purpose and summary of the grounds for the application;
5° the name of the judge hearing the application;
6° the signature of the applicant or their lawyer.

18. The application, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.