APD/GBA (Belgium) - 72/2021
|APD/GBA (Belgium) - 72/2021|
|Relevant Law:||Article 6(1)(e) GDPR|
Article 12(3) GDPR
Article 13(1)(c) GDPR
Article 15(1) GDPR
|National Case Number/Name:||72/2021|
|European Case Law Identifier:||n/a|
|Original Source:||Belgian DPA (in FR)|
The Belgian DPA issued a reprimand against a public authority that shared an audit report including personal data to third parties without a proper legal basis. In addition, the controller was found in violation of the GDPR for not answering the access request in due time.
English Summary[edit | edit source]
Facts[edit | edit source]
A public administration in charge of supervising the organisations hiring persons with disabilities established an audit report on the situation of the organisation after a complaint from the trade union and some members of the staff. The report mentioned some personal data of the director of the organisation (ie, the salary) and was shared with third parties (trade union representatives, social mediator). The director (the complainant) sent an access request to the administration in charge regarding his personal data in the report. The administration did not answer to the request.
Holding[edit | edit source]
The administration did not respect its obligation to inform under Article 12(3), 13(1)(c) and 15(1) GDPR. The sharing of the personal data of the director cannot rely on a proper legal basis such as Article 6(1)(e) since sharing the report with the personal data was not necessary for the performance of the tasks of the administration. In addition, the administration could not rely on Article 6(1)(d) GDPR (vital interests) for communication of the personal data of the director to third parties.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.