APD/GBA - 15/2021

From GDPRhub
Revision as of 08:18, 2 April 2021 by JakkeM (talk | contribs) (Expanded on the facts, the legal questions, and the holdings of the case.)
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR
Article 15(1) GDPR
Article 15(2) GDPR
Article 15(3) GDPR
Article 24 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Partly Upheld
Decided: 09.02.2021
Published: 09.02.2021
Fine: None
Parties: n/a
National Case Number/Name: 15/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD (in FR)
Initial Contributor: n/a

The Belgian DPA (APD/GBA) ordered an employer to delete the HR evaluation data on its employees. The decision follows a complaint filed by an employee concerning an access request for his emails, IT logs and other films processed by the employer.

English Summary

Facts

The ex-employee asked for a copy of all the data processed about him: emails, images and videos, IT logs, and HR evaluation. The employer refused to grant access to part of it.

An (ex-)employee of an IT company sought to exercise his right of access and, to that end, sent a request to his former employer. Even though the employer replied to and partly complied with the request, not all of the requested information was delivered to the employee.

More specifically, the employer refused to provide a copy of the employee's personal file (including certain comments and remarks that were included in said file), as well as a copy of the IT-logs relevant to the employee.

Dispute

Can the employer refuse to give access to an employee's personal file on the ground that rights of others, more specifically the authors of comments and remarks in said file, would be compromised?

Can the employer refuse to provide a copy of IT logs based on the disproportionate amount of time and resources it would take to comply with such a request, based on the sheer quantity of logs and information that need to be checked to that end?

Can the employer refuse to provide a copy of emails based on the protection of trade secrets?

Holding

The Belgian DPA found that the employer violated Articles 15.1 and 15.3 GDPR by denying the employee his right of access with regard to his personal file. The DPA ordered the employer to rectify this violation by complying with the access request.

The Belgian DPA held that in this case, giving access to the IT logs would be a disproportionate burden for the employer, thus justifying the employer's refusal to grant access.

The Belgian DPA considered that a copy of the emails cannot be refused on the basis that the employee could access the emails. However, the refusal can potentially be based on trade secrets. To this end, the employer needs to prove the potential risk to trade secrets that providing said emails might entail. This risk needs to be evaluated on a case-by-case basis.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision on the merits 15/2021 of 09 February 2021

File No.: DOS-2018-06125

Subject: Complaint against an SA for unsatisfactory response to the exercise of its right of access

The Contentious Chamber of the Data Protection Authority, made up of Mr. Hielke Hijmans, president, and Messrs Yves Poullet and Christophe Boeraeve, members, taking over the case in this composition;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (general regulation on data protection), hereinafter GDPR;

Considering the law of 3 December 2017 creating the Data Protection Authority (hereinafter LCA);

Having regard to the internal regulations as approved by the Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;

Having regard to the documents in the file;

Took the following decision regarding:

The complainant: Mr X, hereinafter "the complainant".

The defendant: SA Y, (hereinafter "the defendant").

1. Feedback from the procedure

1. Considering the complaint lodged on October 24, 2018 by the complainant to the Data Protection Authority (APD);

2. In view of the decision of the Front Line Service to declare the complaint admissible and to transfer it to the Litigation Chamber of September 29, 2018;

3. Considering the referral to the Inspection by letter of November 28, 2018;

4. Having regard to the Inspector General's report and investigation report sent on July 9, 2019 to the Contentious chamber;

5. Having regard to the letter dated July 25, 2019 from the Litigation Chamber informing the parties of its decision to consider the case ready for substantive processing based on article 98 LCA and providing them with a timetable for exchanging conclusions;

6. Having regard to the conclusions of the defendant, received on September 6, 2019;

7. Having regard to the observations of the complainant sent by email and indicating that he refrains from concluding, received October 7, 2019;

8. Having regard to the pleadings in reply from the defendant, received on 5 November 2019;

9. Having regard to the invitation to the hearing addressed by the Contentious Chamber to the parties in application of Article 46 of the ODA Internal Rules and Article 93 of the LCA, concerning more specifically the articulation between article 15.4 of the GDPR and recital 63 of the GDPR, as well as balancing the right to access and obtain data against the rights and freedoms of others;

10. Having regard to the preparatory note for the defendant's hearing on September 4, 2020;

11. Having regard to the hearing during the session of the Litigation Chamber of September 14, 2020 in the presence of Me De Ridder, counsel for the defendant in the absence of the complainant;

2. The facts and subject of the complaint

12. The defendant is active in the IT consulting sector. The complainant integrated the defendant in June 2008 as an employee. He then worked as a consultant senior. From 2015, the complainant is regularly absent. In 2016, he was elected representative workers.

13. In 2017, the defendant initiated proceedings against the plaintiff before the court of work, on the grounds that he would post information on a private blog before it was released official by the defendant, a practice which it refuses to end despite request of the defendant in this sense.
14. In a judgment of 21 June 2018, the Labor Court ruled that the defendant cannot dismiss the complainant for serious reasons, following which the complainant returns to his by the defendant on June 27, 2018.

15. On July 12, 2018, the complainant asked his employer, the defendant, to exercise his right access and / or copy to all personal data stored about him [1]. The complainant is of the opinion that the respondent's response is unsatisfactory, following which he lodged his complaint on 2 October 2018.

16. The complainant also argues that the defendant would take photos of the employees during company events and publish these photos on the company intranet, without asking employee consents.

17. On January 18, 2019, the parties enter into a settlement agreement ending the relationship of work.

3. The inspection report of July 9, 2019

18. In a letter of March 6, 2019 to the complainant, the Inspector General informed the complainant of the following items:

• his request for access and copy is not accepted for the following points:
  o its emails and IT logs because article 15, 4th paragraph of the GDPR states that the right of access may not infringe the rights and freedoms of others, and that the copy of all its emails and logs escape the right of access and go beyond its purpose;
  o his photos because there is access.
• his request for access and copy is retained for:
  o the notes in his HR file and his evaluations.

19. The Inspection Service informed the complainant that his former employer had granted the request access and copy, and informed him that he had given him a copy of the data to which the complainant does not have access and for which the former employer can give him a copy.

20. His request lacks precision as to whether or not the photos of the staff taken were targeted during company events as mentioned by the complainant in his complaint.

21. Finally, the Inspector General asks the complainant to send him various documents to support his complaint (proof of the letter asking the defendant to exercise his rights, subsequent correspondence with the defendant, and the privacy statement defendant).

[1] See point 2.1, page 14 to 15

According to his investigation report of July 9, 2019, the Inspector General concludes as follows:

Finding 1
The employer granted the access and copy request, and informed him that he had given him copy of the data to which the complainant does not have access and for which the employer can give him a copy.

Finding 2
The complainant did not send or refer to the data protection regulation workers as part of their employment contract (privacy policy).

On September 14, 2020, the parties are heard by the Litigation Chamber. October 12 2020, the minutes of the hearing are submitted to the parties. On October 19, 2020, the Chamber Litigation receives the remarks of the defendant's counsel relating to the minutes, which she decides to resume in her deliberation.

4. MOTIVATION

1. As regards the procedure before the Data Protection Authority, in particular before the Litigation Chamber

22. Pursuant to article 4 § 1 LCA, the DPA is responsible for monitoring the principles of protection data contained in the GDPR and other laws containing provisions relating to the protection of the processing of personal data.

23. Pursuant to article 33 § 1 LCA, the Litigation Chamber is the litigation body administrative ODA. [2] It receives complaints that the SPL transmits to it in application of article 62.1st LCA, or admissible complaints provided that in accordance with article 60 paragraph 2 LCA, these complaints are drafted in one of the national languages, contain a statement of the facts and indications necessary to identify the processing of personal data on which they bear and come under the competence of the ODA.

[2] The administrative nature of the litigation before the Litigation Chamber has been confirmed by the Court of markets, appeal court for decisions of the Litigation Chamber. See in particular the judgment of June 12, 2019, published on the website of the APD, as well as decision 17/2020 of the Litigation Chamber.
24. In application of articles 51 et s. of the GDPR and of article 4 § LCA, it is up to the Chamber Litigation as an administrative litigation body of the ODA, to exercise effective control of the application of the GDPR and to protect the fundamental rights and freedoms of individuals with regard to the processing and to facilitate the free flow of personal data to the within the Union.

25. As the Litigation Chamber has already had the opportunity to state [3], data processing are operated in multiple sectors of activity, especially in the professional context such as in this case.

26. The fact remains that the competence of the DPA in general, and of the Litigation Chamber in particular, is limited to monitoring compliance with the regulations applicable to processing data, regardless of the business sector in which this data processing intervene.

27. Its role is not to take the place of the courts of the judiciary in the exercise of competences which are theirs, in particular as regards labor law.

28. Consequently, as the defendant points out moreover in its conclusions [4], the Chamber Litigation is not competent to rule on the issue of compliance with the agreement transaction between the parties, having terminated their contractual relationship.

1.1- As regards the right to a fair trial and its procedural guarantees in the context of the APD, and more particularly before the Litigation Chamber

29. The defendant alleges a violation of the right to a fair trial and of the rights of the defense, and in particular the principles of equality of arms, adversarial proceedings and the right to be heard, in the proceedings before the DPA [5]. It develops two arguments in this regard.

30. In its submissions, the defendant argues that it "(…) at no time was contacted by the DPA during the investigation to be heard and to give his version of the facts. The investigation therefore appears to have been carried out solely at the expense of the defendant. The ODA did therefore could not take into account the arguments of the defendant in the context of its investigation. But if the defendant had been contacted as part of the investigation she could have communicated the additional information needed by the DPA and help it shed light on this issue."

[3] See the decision 03/2020 of the Contentious Chamber and more generally the website page of DPA dedicated to the processing of employees' personal data by their employers, available on https://www.autoriteprotectiondonnees.be/professionnel/themes/vie-privee-sur-le-lieu-de-travail/donnees-workers / worker-data-processing.

[4] Decision 03/2020, point 3.14, p16

[5] The Chamber notes that the summary conclusions (of 5 November 2019) filed by Y differ slightly of the first set of conclusions received (of September 6, 2019) on this subject. The first concluding game states: "The rights of defense and the right to a fair trial, which must be guaranteed to Y, have therefore been violated", while the summary conclusions indicate that: "The rights of defense and the right to a fair trial, which must be guaranteed to Y, were therefore violated in the first phases of the case" (emphasis added). This precision is not trivial, as will be developed below.

31. The second argument developed by the defendant is that the complainant allegedly had more time to prepare his case than the defendant. This argument will be analyzed in detail below (see "1.2.4- As regards the complaint according to which the defendant had less time than the complainant to prepare his arguments").

1.1.1. Place

1.1.1.1.- Concerning respect for the right to a fair trial, including the rights of the defense, before the Litigation Chamber

32. The Contentious Chamber notes that the defendant refers to several provisions of the GDPR concerning the right to a fair trial and its procedural guarantees.

33. Its conclusions reproduce [6] article 83.8 [7] of the GDPR as well as recitals 148 [8] and 129.

34. The Contentious Chamber follows the defendant as to the importance of the application of the guarantees procedures related to a fair trial in disputes before it. It also observes that the said principles are applied before the Litigation Chamber. Indeed, both the principle of contradictory, that equality of arms, and the right to be heard are scrupulously respected before the Litigation Chamber.

35. The parties have access to all the documents in the file from the start of the proceedings at issue (access which is reminded to them via the invitation letter to conclude, sent on July 25, 2019 by the Litigation Chamber to the parties), which guarantees respect for the adversarial principle.

36. Similarly, the parties are informed of their right to be heard by the same letter of invitation to conclude.

37. The Respondent further informed the Chamber, on its own initiative, that it did not wish to be heard, unless the Chamber considers it useful. [9]

[6] points 3.1 to 3.2, pp12-13

[7] "The exercise by the supervisory authority of the powers conferred on it by this article is subject to appropriate procedures in accordance with Union and Member State law, including recourse effective jurisdictional and due process" we emphasize

[8] "The application of sanctions including administrative fines should be subject to procedural guarantees appropriate in accordance with the general principles of Union law and the Charter, including the right to effective judicial protection and due process." We underline

[9] see letter from the Respondent's counsel of 13 November 2019.
38. In order to remedy a lack of information concerning certain aspects of the dispute, the Chamber has elsewhere applies in this case this right to convene the parties on his own initiative, when of the hearing of September 14, 2020. The right to be heard has therefore been respected.

39. Insofar as the parties have, in the context of the proceedings in dispute before the Chamber Litigation, with an equal period to conclude and reply, that they all have access to the documents of the case, that they can equally exercise their right to be heard, it cannot be concluded that the defendant is placed at a "distinct disadvantage" in relation to the complainant. [10]

40. The defendant cannot be followed in its argument that the principles of contradictory, equality of arms, and the right to be heard are not respected before the Litigation Chamber.

41. The complaint that the proceedings before the DPA, and more particularly before the Chamber Litigation, violates the right to a fair trial is therefore rejected.

Additional considerations concerning respect for the right to a fair trial by the Litigation Chamber

42. The Cour des Marchés has also already considered that a sufficient remedy exists in the leader of citizens against decisions of administrative bodies, by the possibility of introducing a appeal to her [11].

43. The Court added that a lack of impartiality on the part of an administrative authority does not necessarily imply a violation of article 6.1 of the European Convention on Human Rights Man (hereinafter "ECHR"), if a law college with full litigation power, itself respecting the guarantees of Article 6.1 ECHR, may exercise control over said decision.

44. According to the Court, a violation of the principle of the impartiality of the administration at a preliminary stage therefore does not necessarily lead to a violation of the right to a fair trial if this violation can be corrected at a later stage.

45. The possibility of bringing an appeal before a body which meets the guarantees of Article 6 ECHR tends to allow such corrections [12].

[10] Point 3.2, p13 of the conclusions of the defendant.

[11] "De wetgever heeft de burger een afdoend rechtmiddel tegen de handelswijze van bestuurlijke organen (te dezen de GBA) gegeven door precies een verhaal voor de Marktenhof te voorzien", Hof van Beroep Brussel, sectie Marktenhof, 19de kamer A, kamer voor marktenzaken, 2019/AR/741, 12 juni 2019, p9

[12] "Een gebrek aan objectieve of structurele onpartijdigheid door een administratieve overheid houdt niet noodzakelijk een schending van artikel 6.1 EVRM in Indian de beslissing van die overheid vervolgens kan worden getoetst door een rechtscollege met volle rechtsmacht dat zelfs alle waarborgen van artikel 6.1 biedt. Een schending van het onpartijdigheidsbeginsel in een eerdere fase leidt bijgevolg niet noodzakelijk tot een miskenning van het recht op een eerlijk proces Indian deze schending nog kan worden rechtgezet in een latere fase. Het organizeen van een beroep dor een instantie die voldoet aan alle waarborgen van artikel 6 EVRM strekt ertoe om dergelijke rechtzettingen mogelijk te maken", Market Court, 2019/AR/741, 12 juni 2019, p10

46. Specifically concerning the Litigation Chamber of the ODA, the Cour des Marchés recently decided that:

"[…] Dan nog is deze rechtsbescherming door het rechtssubject slechts wettelijk afdwingbaar voor een rechter (die deel uitmaakt) van de rechterlijke macht [...]. From wettelijke mogelijkheid om beroep / verhaal in te stellen bij het Marktenhof strekt er toe aan de rechtzoekende de waarborg te verlenen van artikel 6.1 EVRM en meer in het bijzonder van het verhaal voorzien in artikel 47 HGEU [Handvest van de grondrechten van de Europese Unie]." [13] (the Chamber underlines).

Free translation:

"[…] This legal protection by the data subject is legally applicable only by a judge (who is part of) the judiciary [...]. The legal possibility of bringing an appeal before the Cour des Marchés aims to offer the litigant the guarantee of Article 6.1 ECHR and, more particularly, of the recourse provided for in article 47 UCE."

47. Consequently, in the event of a lack of impartiality by the Litigation Chamber, quod not in the present case, and insofar as the Court of the Market exercises a control of full litigation on the decisions of the Chamber, it could not ipso facto be concluded that a breach of the fair trial right procedure.

Additional considerations concerning the scope of the rights of the defense and the principle of contradictory

48. For convenience, two additional observations can be made regarding the scope of rights of defense and the adversarial principle.

49. If it were to be concluded that the investigation as carried out by the Inspection Service (SI) (as an ODA body exercising its functions independently of the Litigation Chamber) should not meet the requirements of a fair trial because the IS would not have contacted a party during the investigation, as indicated above, it should be remembered that the SI has no sanction. Its role is limited to making findings and transmitting them to the Chamber Litigation via its report.

50. Furthermore, and primarily, while it is true that the rights of the defense, which include the right to be heard, are part of the fundamental rights which constitute the legal order of the Union and are anchored in Charter [14], the fact remains that, as taught by the CJEU, the law to be heard is not absolute and a possible restriction of this right may be possible for a purpose of general interest. This assessment must be made in concreto:

"The Court has, however, already considered that fundamental rights, such as respect for the rights of defense, do not appear as absolute prerogatives, but may include restrictions, provided that they effectively meet objectives of general interest pursued by the measure in question and do not constitute, in view of the aim pursued, an intervention disproportionate and intolerable which would infringe the very substance of the rights thus guaranteed [...].

34. In addition, the existence of a violation of the rights of the defense must be assessed on the basis of the specific circumstances of each case […]." [15]

Concerning more specifically the right of access to documents and respect for the principle of contradictory, the CJEU has already indicated that:

71. Failure to provide a document does not constitute a violation of the rights of the defense if the company concerned demonstrates, on the one hand, that the Commission relied on this document to substantiate his complaint relating to the existence of an infringement […] and, on the other hand, that this complaint could not be proved by reference to said document]. […]

73. It is thus for the undertaking concerned to demonstrate that the result to which the Commission is reached in its decision would have been different if it had to be excluded as evidence against the an undisclosed document on which the Commission relied to incriminate this company.

74. On the other hand, as regards the failure to provide a defense document, the company concerned need only establish that its non-disclosure could have influenced, to the detriment of this last, the course of the procedure and the content of the Commission decision […])" [16]

[13] Cour des marchés, September 2, 2020, 2020/AR/329.

51. The reasoning of the Court can be applied by analogy to the present case. Inspection Service is free to contact the parties or not, which it assesses independently. Moreover, in the case and as indicated above, the report of the Inspection Service is entirely favorable to the defendant. This was therefore in no way affected by the fact that the Inspection Service did not contact him as part of his investigation.

[14] see, to this effect, CJEU, July 18, 2013, Commission and others / Kadi, C‑584/10 P, C‑593/10 P and C‑595/10 P, ECLI:EU:C:2013:518, points 98 and 99.

[15] CJEU, September 10, 2013, C-383/13 PPU, case G. and R., ECLI:EU:C:2013:533, points 33 ff.

[16] CJCE, January 7, 2004, Aalborg Portland A/S and a. / Commission, Aff. C-204/00, ECLI:EU:C:2004:6.
1.1.1.4 - As for the autonomy of the Litigation Chamber in relation to other DPA bodies, including the Inspection Service

52. For the sake of completeness, it should also be noted that the defendant appears to confuse the role and prerogatives of the Litigation Chamber with those of other bodies of ODA.

53. As indicated above, in application of article 33 § 1 LCA, the Contentious Chamber is the administrative litigation body of the ODA. It is not at all apparent from the provisions relating to the proceedings before the Contentious Chamber (see Article 92 to 100 LCA) that this would be held by the findings of the SI. Consequently, the Contentious Chamber is in no way bound by the SI findings.

54. In light of the fact that, as indicated above, in the context of the proceedings before the Chamber Litigation the procedural guarantees related to the right to a fair trial are respected, observation (of the Chamber's autonomy from the IS) confirms the Chamber's reasoning mentioned above and seeking to dismiss the defendant's complaint that the proceedings before the Chamber would violate the right to a fair trial.

Concerning the legal framework surrounding the investigations carried out by the Inspection Service

55. For all practical purposes, it should also be remembered that the IS can carry out any investigation, any hearing, as well as gather any information that it considers useful [17] and is not subject to a general obligation to hear, particularly in view of the fact that its intervention in the procedure consists of making findings and that he does not have the power to sanction a part.

56. In the present case, based on the documents submitted by the complainant and not contacting the defendant during the investigation, the IS therefore remained within the framework of legal requirements imposed.

57. A similar reasoning has already been used by the Court of Markets, in a case where the plaintiff reproached that the Contentious Chamber had decided on a timetable for conclusions, without filing prior evidence by the parties. The Court held that no legal provision imposes such an obligation.

[17] See Art. 72 and 76 LCA "The Inspector General and the inspectors may request in writing any information useful to the people they deem necessary. The Inspector General and the inspectors determine the time limit which the response to his request for information must be provided and may at any time request additional information" (we underline)
58. She further added that insofar as the complainant had the possibility of making assert this argument in the context of its submissions, it could not be concluded that illegality of the proceedings before the Contentious Chamber.

As to the grievance according to which the defendant had less time than the complainant to prepare his arguments

59. The defendant also raises a disproportion between the way in which the complainant and her even were dealt with in the course of the investigation, in that "the APD and [the complainant] have nearly 10 months to put together their case and prepare their arguments within the framework of the treatment at the bottom of this file. Whereas, conversely, the defendant learned only by letter of 25 July 2019 that a complaint concerning the - allegedly - unsuccessful exercise of his right of access by one of his workers was ready for substantive processing."

60. The Litigation Chamber begins the actual litigation procedure by sending a invitation to the parties to conclude, following the submission by the IS of its report (in cases where such report requested by the Chamber or drafted on its own initiative by the IS).

61. This invitation, sent to the complainant and the defendant on July 27, 2019, set out the deadline for concluding on behalf of the defendant on September 6, 2019. The defendant therefore had 6 weeks (and no less than a month as suggested by the conclusions by the defendant).

62. A period of one month (6 October 2019) was then given to the complainant to transmit his conclusions in reply, followed by a new deadline of one month for the conclusions in reply of the defendant.

63. A period of 30 days constitutes a standard period, in particular in the administrative procedure. Thus, the time limits granted to the parties for the lodging of the request and between the games of conclusions before the Council of State (except administrative summary) are 30 days [19]. Good that no obligation to observe a 30-day time limit is imposed on the House - particularly in the event that this is not necessary - the Chamber can only note that a longer period to this standard time limit was therefore left to the defendant to conclude. A period of 30 days has then left to the complainant to respond to the respondent, following which the latter was prepared to new 30 days for its reply submissions.

64. As regards the argument based on the fact that the letter inviting the parties (including the defendant) to conclude does not include any developments as to the substance of the complaint, the Chamber recalls that the same letter indicates to the parties the possibility of consulting the administrative file, which understands the complaint. The defendant also applied this possibility from 1 August 2019 and the entire file was made available to him on August 5, 2019.

[18] See Marktenhof, 2019/AR/741, 12 juni 2019, p12, published on the website of the APD.

[19] see Royal Decree of 30 November 2006 determining the cassation procedure before the Council of State, articles 3, 13 and 14

65. The Cour des Marchés has also already estimated that a timetable for conclusions granting one month to the parties, and in which the defendant has the final right to conclude is in accordance with the right of defense.

This complaint is therefore unfounded.

1.2- As to the defendant's argument that the complaint is abusive

66. The defendant also accuses the complainant of a "misuse of the right of complaint" [20].

67. The respondent considers that since the complainant lodged three complaints with his against, in a period corresponding to the discussions on the financial terms of the transaction to be made between the two parties, the plaintiff would try to put pressure on the defendant.

68. She claims that her complaint is "manifestly abusive" [21]. This circumstance cannot be retained by the Litigation Chamber, since the complainant is free to access his data of a personal nature at all times.

69. The right to lodge a complaint is guaranteed by Article 77 GDPR and is one of the foundations of the right to data protection. By definition, the exercise by a citizen of this right cannot be qualified as "abusive". This grievance is dismissed.

2. As to the grounds for the decision

2.1. On the defendant's failure to comply with its obligation to follow up the exercise the complainant's right of access

70. In its capacity as controller, the defendant is required to respect the principles data protection and must be able to demonstrate that these are respected. She must also implement all the necessary measures for this purpose (principle of liability - articles 5.2. and 24 of the GDPR).

[20] See Conclusions of Y p. 14 points 3.7 to 3.8

[21] Ibid.
71. As a preliminary point, the Chamber recalls that the right of access is one of the major requirements of the right to data protection; it constitutes the "gateway" which allows the exercise of other rights that the GDPR confers on the data subject, such as the right to rectification, the right of access. 22

72. According to article 15.1 of the GDPR, the data subject has the right to obtain from the controller confirmation that personal data concerning him is or is not being processed. When this is the case, the data subject has the right to obtain access to said personal data as well as a series of information listed in Article 15.1 a) - h), such as the purpose of the processing of his data, the possible recipients of his data, as well as information relating to the existence of his rights, including the right to request rectification or erasure of his data or that of filing a complaint with the DPA.

73. According to Article 15.3 GDPR, the data subject also has the right to obtain a copy of the personal data which is the object of the processing. Article 15.4 of the GDPR provides that this right to a copy may not infringe the rights and freedoms of others.

74. Article 12 of the GDPR, relating to the procedures for the exercise of their rights by data subjects, provides in particular that the controller must facilitate the exercise of his rights by the data subject (article 12.2 of the GDPR) and provide him with information on the measures taken following his request as soon as possible and at the latest within one month of the request (article 12.3 of the GDPR). When the controller does not intend to follow up on the request, he must notify his refusal within one month, accompanied by the information that an appeal against this refusal can be lodged with the data protection supervisory authority (12.4 of the GDPR).

75. The complainant asked the defendant to provide him with all the personal data recorded about him, specifying that he wished to be informed of the reasons, objectives, duration of conservation etc. for each personal data stored. He also specified that his request concerned access to and a copy of his personal data, in this case:
• All the evaluations concerning him;
• Any photo on which he could be identified;
• Copy of his emails contained in his mailbox;
• Any note, annotation, comment that is part of his human resources file;
• IT logs concerning him.

22 See in particular decision 41/2020, point 47, and more generally the factsheet on the right of access on the APD website, available at https://www.autoriteprotectiondonnees.be/professionnel/rgpd-/droits-des-citizens / right-of-access
76. The complainant also claims that the respondent would take photos of the employees during company events and publish these photos on the company intranet, without asking for the employees' consent.

77. On September 19, 2018, the defendant sent the complainant:
• The mapping of his personal data, including the purposes of processing and recipients of data;
• The content of personal data concerning him, processed by the defendant;
• CVs concerning him;
• His identity photos recorded by the defendant

78. However, on September 24, 2018, the complainant informed the defendant that he considered its response incomplete, insofar as certain data had not been communicated to him, and gave it formal notice to communicate these other data to him by October 1, 2018. The complainant identifies the data he considers missing as follows:
• emails (in which he is either recipient or sender)
• the photos on which he is identifiable
• his evaluations
• IT logs concerning him
• annotations or comments forming part of his HR file

79. On October 2, 2018, the defendant replied to the complainant that “a copy of all the personal data to which you do not have access and of which we had to give you a copy has been handed over. This point is therefore closed as far as we are concerned”.

80. The defendant does not deny having refused to comply with the request for access as specified by the complainant in his email of September 24, 2018.

81. The Contentious Chamber will therefore examine in the following paragraphs the conformity of this refusal by the defendant with the right to data protection and privacy.

2.2 As to the obstacles invoked by the defendant to the exercise of the complainant's right of access and copy as specified by him in his letter of September 24, 2018

82. The defendant invokes several obstacles to the exercise of the complainant's right of access, as specified by the latter in his letter of September 24, 2018. These obstacles are examined below by category of personal data to which the complainant has requested access and/or copy.

2.2.1- Regarding the refusal of the right of access to annotations or comments in the complainant's human resources file

2.2.1.1. The defendant's point of view
83. The defendant relies primarily on Article 15.4 GDPR, in that it considers that access by the complainant to such data would violate the protection of personal data of the complainant's former supervisors and human resources manager, authors of those notes or comments. In its summary conclusions of November 5, 2019, it adds furthermore that: “Moreover, and in any event, (the defendant) confirms that the notes in question were deleted from the HR directory. (the defendant) could therefore not be able to communicate these notes” 23.

Chamber position

a- Nowak judgment

84. Insofar as it is not disputed or contested that evaluation notes concerning an employee are personal data, the GDPR applies.

85. The Contentious Chamber recalls in this regard that the concept of personal data encompasses any type of information: private (intimate), public, professional or commercial, objective or subjective information.

86. In the Nowak judgment, 24 the CJEU clearly states that the concept of personal data covers both data resulting from objective, verifiable and contestable elements as well as subjective data that contains an assessment or judgment made about the person concerned.

87. This is the case with annotations of an examination which reflect the opinion or the assessment of the examiner on a candidate's individual performance, or employee evaluation data, whether this assessment is expressed in the form of points, a scale of values or through other evaluation parameters. 25

88. Beyond the present case of the Nowak judgment (i.e. access to an examination), the judgment covers any opinion or assessment concerning the person in question. 26

b- Definition and outline of the right of access

89. The Litigation Chamber recalls that article 15.4 of the GDPR limits the right to obtain a copy 27 in the following terms: "the right to obtain a copy does not infringe the rights and

23 Point 4.30, p. 22, summary conclusions
24 Judgment of CJEU, December 20, 2017, C-434/16, Nowak, ECLI:EU:C:2017:994.
25 Ibid, point 27.
26 Ibid, pt 24.
27 Paragraph 1 of Article 15, namely the right of access, is not affected by this limitation.
freedoms of others”. Recital 63 of the GDPR explains in this regard that “this right should not infringe the rights and freedoms of others, including trade secrets or intellectual property rights, in particular the copyright protecting the software. However, these considerations should not result in denying any communication of information to the data subject (…).” (We underline)

90. In other words, the balancing of the right to obtain a copy against the rights and freedoms of others cannot result in the absence of any communication of information to the person concerned.

91. In its YS v. Minister voor immigratie judgment of July 17, 2014, the CJEU 28 highlights the scope of the right of access by referring to the protection of the fundamental right to private life and, de facto, of the personal data of the data subject.

92. The Court thus specifies the right of access as being limited to the data subject's own personal data. It does not provide access to information associated with these data. Indeed, if data appearing in documents constitutes personal data (for example, last name, first name and professional e-mail address), with regard to the GDPR, the document supporting it is not personal data 29.

93. The CJEU thus considers that (points 57-58) “If Directive 95/46 thus imposes on the Member States to ensure that everyone concerned can obtain from the controller of personal data the communication of all the data of this type that it processes concerning him, it leaves it to these States to determine the concrete material form that this communication must take, insofar as it is "intelligible", that is to say that it allows the data subject to take cognizance of this data and to verify that the latter are accurate and processed in accordance with this directive, so that that person can, where appropriate, exercise the rights conferred on him […]. Therefore, to the extent that the objective pursued by this right of access can be fully satisfied by another form of communication, the data subject cannot derive from either Article 12 (a) of Directive 95/46 or Article 8 (2) of the Charter the right to obtain a copy of the original document or file in which this data is contained. So as not to give the data subject access to information other than personal data concerning him, the latter may obtain a copy of the original document or file in which this other information has been rendered illegible.” (Emphasis added).

28 CJEU, YS v Minister voor immigratie, 17-7-2014, joined cases C-141/12 and C-372/12, ECLI:EU:C:2014:2081, para. 44
29 Legris, L., Chenaoui, H., “13. - The DPO and the right of access” in The Data Protection Officer, Bruxelles, Bruylant, 2020, p. 166
94. The Contentious Chamber is of the opinion, in accordance with the interpretation of the Court of Justice of the European Union in its aforementioned judgments 30, that Article 15.3 does not require that a copy of the original document be provided to the person concerned.

95. Article 15.3 requires the controller to provide a copy of the personal data processed to the data subject. This right to obtain a copy of the data does not entail the right for the data subject to obtain a copy of the original document containing these data since, in certain cases, the communication of this document could infringe the rights and freedoms of others (see article 15.4 recalled above).

96. This position is also that held by the Italian Court of Cassation, in a judgment of 14 December 2018, in which it likewise considers that the right of access of an employee to his evaluations cannot be refused on the grounds that these evaluations also contain personal data relating to third parties 31.

97. This position is also the one defended by the French National Commission for Informatics and Liberties (CNIL). It recalls that the fact of hiding the personal data concerning third parties before allowing the data subject to exercise his right of access meets the requirement of Article 15.4 not to infringe the rights of third parties 32.

98. In the present case, the Contentious Chamber considers that the defendant's argument according to which the right of access would infringe the data protection and privacy of the former hierarchical superiors and members of human resources who authored the annotations in the complainant's human resources file cannot be accepted. Indeed, it was open to the defendant to communicate to the complainant, in response to his request, the data processed which concern him by anonymizing the name or any personal data of the authors of such annotations.

c- Conclusion regarding the complainant's right of access to evaluations in his human resources file

99. Insofar as CJEU case law teaches that making personal data concerning third parties illegible before allowing the data subject to exercise his right of access satisfies the requirement of Article 15.4 not to infringe the rights of

30 C. Docksey and H. Hijmans, The Court of Justice as Key Player in Privacy and Data Protection, European Data Protection Law Review, 3/2019, p. 304.
31 Corte Suprema Di Cassazione, 14 December 2018, nr. 17153/2014, in FOCQUET, A. and DECLERCK, E., Gegevensbescherming in de praktijk, Intersentia, Antwerpen, 2019, 93.
32 Legris, L., Chenaoui, H., “13. - The DPO and the right of access” in The Data Protection Officer, Bruxelles, Bruylant, 2020, p. 173
third parties, and insofar as there is no legislative provision in Belgian law aimed at limiting the right of an employee to access his personal data processed by his (ex) employer, 33 the defendant's argument that access by the complainant to his data violates the protection of personal data of the complainant's former supervisors and human resources managers, authors of these notes or comments, is rejected.

100. Consequently, by refusing to comply with the complainant's request for access to the annotations contained in his human resources file, the defendant violated Article 15.1 and 3 GDPR.

e- Reminder of the principle of accountability

101. The Chamber further emphasizes that, in accordance with the principle of accountability (Articles 5.2. and 24 of the GDPR), it is up to the data controller to develop the internal procedures intended to allow the effective exercise of their rights by the data subjects. It is also responsible, in application of article 25 of the GDPR, for integrating the necessary respect for GDPR rules upstream of its acts and procedures.

102. Otherwise, it would be sufficient for a data controller to invoke copyright without further consideration, which article 15 of the GDPR does not allow.

103. Insofar as notes taken by an employer (or managers or members of human resources) concerning employee management are in the vast majority of cases of a personal nature, the guarantees of the GDPR must apply to them. Those data will often concern employee identity, training, career management, or professional evaluation. As indicated above, it is therefore up to the employer to develop adequate internal procedures.

104. These internal procedures within the framework of human resources management can be of a different nature.

105. We can note the example of the “comments” zones provided for in the evaluation of employees. The information inserted therein must be objective, relevant, adequate and not excessive. A drop-down menu or keyword filtering system can, for example, facilitate this. The authors of the annotations should also keep in mind that the employees can access their information at any time.

106. The employer also remains, as data controller, bound by all the other GDPR obligations.

33 See below point “b.2- The argument taken from the protection of the defendant's business secret and the restrictive interpretation of limitations to the right of access”
2.2.2- Regarding the refusal of the right of access to IT logs concerning the complainant

2.2.2.1- The obligation of security of personal data and the logging of IT logs

a- The outlines of the security obligation

107. On the basis of article 5.1, f) GDPR, personal data must be processed so as to ensure appropriate security, "including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures".

108. In the absence of appropriate measures to secure the personal data of data subjects, the effectiveness of the fundamental rights to privacy and the protection of personal data cannot be guaranteed 34, a fortiori given the crucial role played by information and communication technologies in our society.

109. It should be noted that the principles of “integrity, confidentiality 35 and availability 36” set out in Article 5.1, f) are now established in the GDPR at the same rank as the fundamental principles of lawfulness, transparency, loyalty.

110. The obligations of data controllers with regard to the security of processing are based on Articles 32 et seq. of the GDPR.

111. The classic components of recommendations in terms of information security, as recommended by ISO27xxx 37, are the confidentiality of data, their integrity and their availability. To these is added the notion of imputability, "which makes it possible to identify, for all actions performed, people, systems or processes that initiated them

34 The crucial role played by data security for the effective exercise of their rights by the individuals concerned was enshrined in particular by the ECHR in its judgment of 17 July 2008, I. v. Finland, application no. 20511/03, in which the Court finds unanimously that there has been a violation of Article 8 by the Finnish authorities, on the basis of insufficient protection against unauthorized access to the medical file of an HIV-positive nurse. The judgment is available at the link: https://hudoc.echr.coe.int/fre# Danemark%22itemid%22:→%22001-87510% 22]}
35 According to Group 29, data integrity corresponds to “the quality according to which data is genuine and has not been inadvertently or maliciously altered during processing, storage or transmission. The concept of integrity can extend to computer systems and requires that the processing of personal data on these systems remains unaltered”, Group 29, WP 196, Opinion 05/2012 on Cloud Computing, p. 18.
36 Availability is understood as “the property of information, systems and processes to be accessible and usable at the request of an authorized entity”, CPVP, “note relating to the security of personal data” (in Dumortier, F., Vander Geeten, V., Dargent, M., Docquir, B. and Forget, C., Knockaert, M., “Introduction” in Legal obligations for cybersecurity and incident notifications, Brussels, Politeia, 2019, p. 9). The notion of availability is interpreted by Working Group 29 via the “violation of availability”, which includes not only accidental or unlawful destruction and loss of personal data, but also the accidental or unauthorized loss of access to them, access being an intrinsic aspect of data availability. (we underline)
37 The ISO27xxx suite of standards constitutes one of the main international information security standards
(identification) and keep track of the perpetrator and the action (traceability)” 38. Accountability is expressed in a concrete way by keeping a log file register according to the principle of logging access.

112. Logging therefore consists of recording relevant information concerning events of a computer system (access to the system or to one of its files, modification of a file, data transfer ...) in files called "log files". The information included is, among others, the data consulted, the date, the type of event, the data allowing the author of the event to be identified, as well as the reason for this access. This makes it possible in particular to identify any improper consultation of personal data or consultation for a non-legitimate purpose, or to determine the origin of an incident.

113. Although logging is not expressly mentioned in the GDPR 39, maintaining a log file is a technical and organizational measure envisaged in Article 32 GDPR. It constitutes good practice, recommended to any data controller. These measures must be appropriate to the risks.

114. The predecessor institution of the APD (the Commission de la Vie Privée - CPVP below) already indicated in its Guidelines for the security of personal data information 40 as well as in its Recommendations 41 to cities and towns 42 concerning

38 Dumortier, F., “Chapter 4 - Cybersecurity, privacy, accountability, logging and log files” in Legal obligations for cybersecurity and incident notifications, Brussels, Politeia, 2019, p. 187 and APD, “Note relating to the security of personal data”, p. 2
39 Conversely, Directive (EU) 2016/680 attaches particular importance to consultation and disclosure (most common treatment) and requires the identification of the author of the processing as well as that of the recipients in the event of disclosure, the exact time, as well as the justification for the processing (Directive of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of preventing and detecting criminal offenses, investigating and prosecuting them or executing criminal sanctions, and the free movement of such data)
40 Available on the link https://www.autoriteprotectiondonnees.be/publications/lignes-directrices-pour-la-information-security.pdf.
41 Recommendation to cities and towns concerning the registration of the reason for consulting the National Register by their staff members (CO-AR-2017-013), August 30, 2017, p. 7
42 In its recommendation to cities and municipalities concerning logging, the CPVP underlines the importance of logging as "an essential element of any information security policy" and indicates: "21. The development of an adequate information security policy is necessary in order to take measures that exclude any unauthorized access, in a documented manner allowing the municipality to take responsibility. In its reference security measures applicable to all processing of personal data, the Commission has already underlined that the establishment of a selective mechanism for search and logging is an essential element of any information security policy. (…) these guidelines prescribe that all access to the computer system must be traceable in order to check who had access, when, to what and for what reason. (…) 23. Finally, the Commission itself has already stated on several occasions that the registration of the reason for the consultation of the National Register is of crucial importance. In its recommendations on the management of access and users in the public sector and the communication of information contained in population registers, the Commission stresses the importance of full tracing (who, what, when, why) involving logging of each consultation of the population registers, so that any consultation of data for a non-legitimate purpose or for a personal purpose can be detected and sanctioned.
IT log registers that logging is an essential part of any information security policy, in that it allows traceability of access to IT systems 43.

b- Link between the security obligations of data controllers and the principles of accountability and transparency

115. The Chamber recalls that article 32 GDPR must be read in conjunction with article 5.2 GDPR and Article 24 GDPR, subjecting the controller to the principle of accountability. The controller is responsible for demonstrating compliance with the provisions of the GDPR, by taking appropriate technical and organizational measures, in a transparent and traceable manner, allowing proof of the guarantees applied to be provided in case of control.

116. The principle of accountability, read in conjunction with the principle of transparency (Article 5.1.a GDPR), allows data subjects to exercise their rights and monitor compliance of the processing carried out on their personal data. It thus makes it possible to assume the responsibility 44.

117. Recital 63 of the GDPR further adds to this that this right of access must be considered as a control mechanism: "A data subject should have the right to access the personal data that have been collected about him and to exercise this right easily and at reasonable intervals, in order to become aware of the processing and to verify its lawfulness."

118. These principles of accountability and transparency are articulated with article 15 of the GDPR, which guarantees the right of access of the data subject to their processed personal data. The CPVP already concluded with regard to logging, unequivocally: "An incomplete log file and no mention of the reason for the consultation constitute an infringement of the effective exercise of the right of access and control available to the person concerned. It also compromises the exercise of other rights such as the right to rectification (article 16 of the GDPR), the right to be forgotten (article 17 of the GDPR), and the right to limit the use of data processed unlawfully (article 18 of the GDPR)." (p. 10) (we underline) 45

119. The Litigation Chamber recommends the keeping of a logbook of log files as a good practice, insofar as logging is useful for any data controller,

By extension, this obligation is also valid for consulting and updating the National Register." (p. 8) (the Chamber underlines)
43 Although this recommendation is addressed to municipalities and towns, the reasoning applies to other types of data processing, especially when it comes to sensitive data.
44 See recital 78 of the GDPR.
45 In the same sense, see decision of the Sectorial Committee of the National Register of 11/01/2012.
in that it ensures the materialization of the principle of availability, itself closely linked to the principles of confidentiality and data integrity.

120. As indicated above, the effectiveness of the fundamental rights to privacy and the protection of personal data depends considerably on the measures put in place to ensure security 46; the keeping of a log register is therefore strongly recommended by the Litigation Chamber, in view of the good practices followed by many companies.

As to the defendant's refusal to follow up the complainant's request for access to his IT logs

121. Regarding the complainant's request for access to IT logs concerning him, the defendant justifies its refusal by two arguments. It invokes, in a first argument (as for access to annotations in the complainant's HR file), the right to privacy of the authors of IT logs as a reason for refusing the complainant's right of access to IT logs concerning him.

122. In view of the case law of the CJEU according to which making personal data concerning third parties illegible before allowing the data subject to exercise his right of access fulfills the requirement of Article 15.4 GDPR not to infringe the rights of third parties, and insofar as there is no legislative provision in Belgian law aimed at limiting an employee's right of access to his personal data processed by his (ex) employer, the defendant's argument that the complainant's access to IT logs concerning him would violate the protection of the personal data of the authors of these logs is rejected. 47

123. The defendant advances as a second argument for refusing to grant the request for access to all IT logs about the complainant the disproportionate amount of work that this would require of the defendant, related to the enormous quantity of logs and information to be checked for this purpose.

124. The CJEU ruled in its Rijkeboer judgment on the balance to be struck between the right of access for persons concerned and the extent of the burden that the obligation to fulfill this right entails for the controller. More precisely, the questions were to know from when "the exercise of the right of access to information concerning the past can legitimately be paralyzed by the erasure of this information. And for how long are people holding data required to keep records of past actions carried out on these data” 48.

46 Dumortier, F., Vander Geeten, V., Dargent, M., Docquir, B. and Forget, C., Knockaert, M., “Introduction” in Legal obligations for cybersecurity and incident notifications, Brussels, Politeia, 2019, p. 9 p 141
47 See point c), page 24.
48 C. de Terwagne, “The extent over time of the right of access to information on recipients of personal data”, note under CJEU, December 22, 2010, RDTI, n° 43, 2011, p. 73 in Tombal, T., “
125. Although in that case the question asked was that of the time for which a data controller must keep personal data, the reasoning of the Court can be transposed to the present case, in view of the extent of the complainant's request, extending to all IT logs concerning him. The Contentious Chamber notes, in particular, the importance of finding “[..] a fair balance between, on the one hand, the interests of the data subject to protect their privacy, in particular by means of the means of intervention and recourse provided for by the directive and, on the other hand, the burden that the obligation to keep this information represents for the controller".

126. The parameters underlying this balance must, of course, be careful not to impose disproportionate obligations and excessive burdens on the controller.

127. In the present case, the defendant emphasizes the disproportionate workload that a systematic search of all IT logs concerning the complainant would represent, from the time he took up his post in June 2008 until the end of his employment contract with the defendant in 2019. The complainant has also provided no explanation as to his interest in this request. He did not submit conclusions and did not return to this point in his email sent to the Litigation Chamber after submission of its conclusions by the defendant. The Litigation Chamber cannot therefore perceive any specific need justifying the heavy workload that the systematic search linked to the complainant's request for access to all IT logs concerning him would represent.

128. In these circumstances, the Contentious Chamber follows the defendant in its reasoning according to which granting the complainant's request would impose an obligation disproportionate to the complainant's interest in exercising his right to data protection. There is therefore no violation on the part of the defendant of the right of access to IT logs concerning the complainant.

2.2.3- As regards the refusal of the complainant's right of access to the assessments

129. The complainant also requests access to and copies of his assessments. The defendant states in this regard that, insofar as the complainant was regularly absent from October 2015 (he worked less than 30 days in 2016, less than half of the year in 2017, around thirty days in 2018 and no days in 2019), there has been no evaluation or operational interview since 2013. The defendant therefore had no personal data to communicate to the complainant in this respect.

Section 2. - Right of access (article 15 RGPD)” in The general data protection regulation (RGPD / GDPR), Brussels, Éditions Larcier, 2018, p. 432-447.
130. In these circumstances, and to the extent that the defendant cannot be criticized for failing to grant a request to access and copy personal data that does not exist, the grievance of the complainant is dismissed.

2.2.4- Regarding the refusal of the request to copy emails

131. In its submissions, the defendant justifies its refusal to grant the request for a copy of the emails (the complainant had access to the emails in question at the time of his request) in which the complainant is the recipient or sender on the basis of Article 15.4 GDPR, namely the right to privacy of other recipients or senders concerned by the emails in question. In its written observations for the hearing on September 14, 2020, the defendant raises additional arguments.

132. It firstly emphasizes that the complainant had access to all these emails at the time of his request. It then puts forward the right to privacy of other senders or recipients of the emails, as well as that of the defendant as a legal person, i.e. its right to protection of trade secrets. Finally, the defendant notes the secrecy of electronic correspondence attached to the emails concerned.

The fact that the complainant had access to the emails does not prejudice his right to obtain a copy.

133. The defendant raises as its principal ground for refusing to grant the complainant's request for a copy of the emails (in which he is sender or recipient) the fact that the complainant had access to them (at the time of the request).

134. However, the Chamber notes that, as indicated in his complaint, the complainant took care to explain for what reason he specifically requests the copy of emails. He explains that for reasons of confidentiality (the security and privacy policy of the defendant formally prohibits it) and technical reasons (emails being stored on a cloud system and not on the complainant's computer), although he had access to these emails from his work computer, it is impossible for him to take a copy.

135. Although in the present case it appears from reading the complaint that the complainant did not request access to his emails, but only a copy of them, the Chamber recalls, for all purposes, that the circumstance that a complainant is aware of the personal data about him processed by the controller does not constitute a valid reason for the latter to refuse access.

136. Indeed, no exception comparable to that provided for in article 13.4 of the GDPR (absence of information obligation when, and to the extent that, the data subject already has
this information) or article 14.5 a) of the GDPR (absence of information to be provided in the event of indirect collection when the data subject already has this information) exists in Article 15 of the GDPR. The right of access allows the data subject to ensure that no data concerning them is processed without their knowledge, and constitutes a first step towards the possible exercise of the rights of rectification, erasure or objection. The objective of access must therefore go well beyond mere knowledge of the processed data, which is why the fact that the processed data would be known to the data subject is irrelevant.

137. The defendant's argument for refusing the request for a copy, on the basis that the complainant had access to the emails in question, is irrelevant and therefore cannot be followed.

The right to privacy of other senders or recipients in these emails

138. The defendant invokes, in order to refuse to respond to the request for a copy of the emails, the right to privacy of the other senders or recipients in these emails, on the basis of article 15.4 GDPR.

139. The Chamber refers to the reasoning concerning the annotations in the human resources files of the complainant 49.

140. Thus, given that the case law of the CJEU teaches that making personal data concerning third parties illegible before allowing the data subject to exercise their right of access 50 meets the requirement of Article 15.4 GDPR not to infringe the rights of third parties, and insofar as there is no legislative provision in Belgian law aimed at limiting the right of access and copy of an employee to his personal data processed by his (ex) employer, the defendant's argument that access by the complainant to the emails of which he is sender or recipient, and the granting of copies of those emails, would violate the protection of personal data of the other recipients or senders of the emails in question is rejected.

49 See point page 24
50 It should be noted that, the right of copy being intrinsically linked to the right of access and necessarily preceded by it, this reasoning applies in the same way to the right of access and the right of copy.

The protection of the defendant's business secrecy and the restrictive interpretation of the limitations on access

141. As a preliminary point, the Chamber recalls that the right of access (which necessarily covers the right of copy, in that it is a prerequisite) is one of the foundations of the right to data protection; it constitutes the "gateway" which allows the exercise of the other rights that the GDPR confers on the data subject. To this extent, following consistent case law of the Court of
Justice 51 52, as indicated in the guidelines of the EDPB 53, any deviation from the right to data protection and privacy must be interpreted restrictively. A limitation to the right of access, in the event that it should arise, should therefore be interpreted restrictively.

142. Regarding these limitations, the CJEU recalled in its Nowak judgment that “(…) the Member States may take legislative measures to limit the scope of obligations and rights provided for, in particular, in Article 6 (1) and in Article 12 of that directive, where such limitation constitutes a measure necessary to safeguard the rights and freedoms of others.” (Point 60).

Article 23.1 GDPR states:

“Union law or the law of the Member State to which the controller or processor is subject may, through legislative measures, limit the scope of obligations and rights provided for in Articles 12 to 22 and in Article 34, as well as in Article 5 insofar as the provisions of the right in question correspond to the rights and obligations provided for in Articles 12 to 22, when such a limitation respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society to ensure [an important objective of general public interest]”

143. This provision, to be read in conjunction with Article 52 of the Charter of Fundamental Rights of the European Union and Article 8 of the European Convention on Human Rights, governs the limitation of the rights of the data subject.

144. The CJEU indicates that such a limitation of a fundamental right “must be provided for by law, respect the essential content of those rights and, in application of the principle of proportionality, be necessary and respond effectively to objectives of general interest recognized by the Union (…)” and recalls that “the derogations and limitations to these rights must be made within the limits of what is strictly necessary” 54.

51 In its judgment of 11 December 2014, Ryneš (C-212/13, EU:C:2014:2428), the Court of Justice thus indicates that “the protection of the fundamental right to private life, guaranteed by Article 7 of the charter, requires that exceptions to the protection of personal data and the limitations thereof operate within the limits of what is strictly necessary. Insofar as the provisions of Directive 95/46/EC, in so far as they govern the processing of personal data likely to infringe fundamental freedoms and, in particular, the right to privacy, must necessarily be interpreted in the light of fundamental rights which are included in the said charter, the derogation provided for in Article 3 (2), second indent, of that directive must be interpreted strictly” (paragraphs 27-29)
52 See also the judgment of 6 October 2015 (Grand Chamber), Schrems (C-362/14, EU:C:2015:650), paragraph 92
53 Guidelines 10/2020 on restrictions under Article 23 GDPR, available at https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-102020-restrictions-under-article-23_en
54 Judgment of 9 November 2010 (Grand Chamber), Volker und Markus Schecke and Eifert (C-92/09 and C-93/09, EU:C:2010:662), paragraph 65 and judgment of 27 September 2017, Peter Puskar, (ECLI:EU:C:2017:725) paragraph 116
145. Group 29 specifies, concerning the condition that the limitation be provided for by law (legality requirement), that any interference with a fundamental right such as the right to the protection of personal data must be provided for by a law formulated in clear, precise and accessible terms, and the effects of which are foreseeable for the person concerned.

146. Concerning the processing of personal data in the context of employment relationships, article 88 GDPR provides that “Member States may provide, by law or by means of collective agreements, more specific rules to ensure the protection of rights and freedoms with regard to the processing of personal data of employees within the framework of professional relationships (…)”. However, to our knowledge, such provisions do not exist.

147. The Chamber notes that there is no legislative provision in Belgium aimed at limiting the right of access of an employee to his personal data processed by his (ex) employer.

148. Consequently, in view of the above developments, insofar as business secrecy tends to limit the fundamental right to data protection, it must be interpreted restrictively. Nevertheless, the Litigation Chamber is of the opinion that an analysis should be carried out on a case-by-case basis, in particular when the risk to trade secrets is sufficiently demonstrated.

149. It is also necessary to recall the requirement of recital 63 of the GDPR, according to which the right of access “should not infringe the rights or freedoms of others, including business secrecy or intellectual property, including copyright protecting software. However, these considerations should not result in denying all communication of information to the data subject.” (We underline)

150. The Chamber also notes that Directive 2016/943 on business secrets 55 underlines in its recitals 34 and 35 the importance given to respect for the right to data protection, in particular the right of access, which business secrets should not infringe:

“(34) This Directive respects the fundamental rights and observes the principles recognized in particular by the Charter, in particular the right to respect for private and family life, the right to protection of personal data, freedom of expression and information, professional freedom and the right to work, freedom of enterprise, the right to property, the right to good administration, and in particular access to files, while respecting business secrecy, the right to an effective remedy and access to an impartial tribunal and the rights of the defense.

55 Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of know-how and undisclosed business information (trade secrets) against their unlawful obtaining, use and disclosure (Text with EEA relevance)
(35) It is important that the right to respect for private and family life and the right to protection of the personal data of any person whose personal data may be processed by the trade secret holder when taking action aimed at protecting a trade secret, or of any person concerned by legal proceedings relating to the unlawful obtaining, use or disclosure of business secrets covered by this directive, and whose personal data are processed, be respected. Directive 95/46/EC of the European Parliament and of the Council (10) governs the processing of personal data carried out in the Member States within the framework of this Directive and under the control of the competent authorities of the Member States, in particular the independent public authorities designated by Member States. Therefore, this Directive should not affect the rights and obligations set out in Directive 95/46/EC, in particular the right of the data subject to access personal data concerning him which are the subject of processing and the right to obtain the rectification, erasure or blocking of this data when it is incomplete or inaccurate and, where applicable, the obligation to process sensitive data in accordance with Article 8, paragraph 5 of Directive 95/46/EC.” (We underline)

151. The Contentious Chamber also refers to the reasoning of Working Group 29 regarding the right to data portability (article 20 GDPR), the exercise of which may not affect the rights and freedoms of others (article 20.4 GDPR), like the right of access and copy (article 15.4 GDPR). The wording of this limitation in both articles is identical. To this extent, and taking into account that both the right of access and copy and the right to data portability are among the fundamental components of the GDPR, the Chamber is of the opinion that the reasoning of Group 29 concerning the limitation can also be applied to the right of access and copy.

152. Group 29 specifies, with regard to the limitation of the right to portability by trade secrecy, that a “potential risk to business cannot, however, by itself serve as a basis for justifying the refusal to act on a portability request” 56. The risk to business secrecy must therefore be clearly demonstrated by the controller. In the present case, although this was not developed in the written submissions of the defendant, counsel for the latter explained during the hearing that, because of his executive function, the complainant had knowledge of the identity of the defendant's clients and of the amounts of the orders and invoices to these customers, which is potentially sensitive business information of the defendant. The defendant also indicated that the complainant posted still confidential information on a private blog before management published it through official channels (facts partially or entirely at the origin of the dispute before the Labor Court between itself and the complainant). The Chamber also takes note of the fact that the complainant requests a copy of all emails in which he is the recipient or sender.

56 Group 29, Guidelines on the right to data portability, WP 242, 13 April 2017, p. 12
153. As indicated above, although trade secrets should be interpreted restrictively when they constitute a limitation to the fundamental right to data protection, in the present case the Contentious Chamber considers that, in view of the potentially sensitive content contained in the emails in question, the risk to the confidentiality of the defendant is sufficiently demonstrated.

154. The Chamber is therefore of the opinion that the Respondent did not violate Article 15.1 and 3 by refusing to follow up on the complainant's request for a copy of the emails of which he is the recipient or sender.

155. For all practical purposes, the Chamber adds that, in cases where the risk is not demonstrated, it is appropriate to apply the teaching of the CJEU case law (see above), according to which making personal data concerning third parties illegible before allowing the data subject to exercise his right of access satisfies the requirement of Article 15.4 not to infringe the rights of third parties.

c- The argument based on the secrecy of electronic correspondence of the other recipients or senders of the emails concerned

156. The defendant then raises article 124 of the law of 13 June 2005 relating to electronic communications, as the last argument to justify its refusal to grant the request for access to and a copy of the complainant's emails in which he is the recipient or sender.

157. However, this provision applies only to third parties to the electronic communications concerned, and not to a person party to the communications, as clearly indicated by the Cour de Cassation in a judgment of 22 April 2015 57. This argument is not convincing, and is therefore rejected.

57 Cass. (2nd ch.), April 22, 2015, JT, 2015, p. 1021 and 1022

d- Conclusion regarding the defendant's refusal to follow up on the request for a copy of the complainant's emails

158. The defendant's arguments to justify the refusal to comply with the request for a copy of the emails in question, based on the right to privacy of the other recipients or senders of the emails and on the secrecy of electronic correspondence, are not convincing and are therefore rejected. However, in the present case, the argument based on the business secrecy of the defendant is relevant. There is therefore no breach of article 15.3 of the GDPR.

2.2.5- As regards the refusal of the right to copy the photos on which the complainant is identifiable

159. In this part of his complaint, the complainant explains that he is not invoking a violation of the right of access or copy, but his image rights. He indicates that photos of the employees were taken during
company events, without their consent, and that they are disseminated (on the intranet of the defendant company) without consent.

160. In a letter of March 6, 2019, the Inspection Service of the DPA informed the complainant that his complaint lacks clarity on whether or not the photos of members of the staff during company events, and asks for more details on this subject.

161. However, the taking and distribution of targeted photos requires a legal basis; this is not the case for untargeted photos (in which staff cannot be clearly identified). In an email of June 8, the complainant specifies that portrait photos are taken during the events, and that for these prior consent is requested neither for taking the photo nor for disseminating it.

162. The Contentious Chamber notes that the defendant invites its employees who do not wish the photos in which they appear to be recorded or disseminated on the intranet to contact the DPR (Data Protection Representative) in order to notify them, and undertakes that any such photos are deleted 58.

58 Analysis of Exhibit 37 submitted by the defending party (an email addressed to all staff on 04/10/2018).

163. The complainant did not provide proof of the existence and/or dissemination of targeted photo(s) of him, and does not indicate that such photos or portraits of him were taken during company events organized by the defendant.

To this extent, the Chamber finds that there has been no violation of the complainant's image rights.

5. Corrective measures and sanctions

164. On the basis of the above analysis, the Contentious Chamber considers that by refusing to follow up on the right of access and/or copy of the complainant concerning the annotations in his human resources file, the data controller violated articles 15.1 and 15.3 of the GDPR.

Pursuant to article 100 LCA, the Litigation Chamber has the power to:

1° dismiss the complaint;
2° order the dismissal;
3° pronounce a suspension of the pronouncement;
4° propose a transaction;
5° issue warnings or reprimands;
6° order compliance with the requests of the person concerned to exercise these rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or definitive prohibition of processing;
9° order that the processing be brought into conformity;
10° order the rectification, restriction or erasure of the data and the notification thereof to the data recipients;
11° order the withdrawal of accreditation of certification bodies;
12° impose periodic penalty payments;
13° issue administrative fines;
14° order the suspension of transborder data flows to another State or an international organization;
15° send the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.

It is important to contextualize the breach of Articles 15.1 and 15.3 of the GDPR with a view to identifying the most appropriate sanctions and/or corrective measures.

165. As indicated above, the right of access (article 15.1) constitutes one of the foundations of the GDPR. As regards the breach of the right to copy (article 15.3), the Litigation Chamber notes that obtaining a copy of the data is the major contribution of the GDPR in terms of the right of access. It must allow the strengthening of the control of data subjects over personal data concerning them. The informational self-determination with which the GDPR is imbued finds in this new version of the right of access (including the right to obtain a copy) one of its strongest expressions.

166. By refusing to communicate his data to the complainant, the defendant deprived the complainant of his right under Article 15 of the GDPR but, more broadly, it infringed his informational autonomy by not allowing him to take cognizance of these data.

167. Nevertheless, an order to follow up on the request for access to the annotations in the HR file concerning the complainant cannot be issued, as the respondent has erased these annotations after the complainant's request. In this regard, the Chamber orders the Respondent to send it a sworn statement attesting to the fact that these annotations have been erased after the complainant's request, via the address litigationchamber@apd-gba.be, within 30 days from the notification of this decision.

168. The Contentious Chamber furthermore takes note of the fact that the defendant is a medium-sized company, employing 40 to 50 employees, and that it has never previously been subject to sanctions from the DPA.

169. The Chamber also notes that the Respondent reacted and followed up on the Complainant's requests, some of which cover a wide range of data, although not completely.

170. The efforts raised in the conclusions of the defendant in terms of information security and data protection are also taken into account. Therefore, the Litigation Chamber decides not to impose a fine or reprimand.
171. In view of the importance of transparency in the decision-making process and the decisions of the Contentious Chamber, this decision will be published on the website of the Data Protection Authority, with the direct identification data of the parties and persons cited, whether natural or legal, deleted.

FOR THESE REASONS,

THE LITIGATION CHAMBER

Decides, after deliberation:

- To order the defendant to communicate to the Contentious Chamber a declaration on honor attesting to the fact that the notes in the human resources file relating to the complainant were deleted after his request for access, via the address litigationchamber@apd-gba.be, within 30 days of notification of this decision;

- To order the defendant to bring the processing of the annotations within the human resources files of its staff into conformity with Article 15 GDPR.

Under Article 108, § 1 LCA, this decision may be appealed to the Market Court within 30 days of its notification, with the Data Protection Authority as defendant.

Hielke Hijmans
President of the Litigation Chamber