APD/GBA (Belgium) - 17/2020

From GDPRhub
Revision as of 15:47, 13 May 2020 by Juliette Leportois (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=DOS-2019-05450 |ECLI...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APD/GBA - DOS-2019-05450
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: DOS-2019-05450
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: n/a

The Belgian data protection authority (APD/GBA) ruled that an employer who collected orally personal information relating to a former employee and further shared to a third party for the purpose of legal defense, breached the GDPR.

English Summary

Facts

The complainant has been dismissed in December 2017 and April 2018 by the two defendants who are thus, former employers. In April 2018, the Complainant and his Union challenged the first dismissal and further exchanged with the first employers regarding the dismissal. The second employer initiated a proceeding against him to retrieve documents, over the same period in 2018. The complainants learned through his Union that the second employer gave personal information linked to the undergoing litigation to the first employer. The first employer further shared the same information to the Union. Thus, the Complaint filed a complaint with the Belgian data protection authority claiming that the second employer unlawfully transmitted personal data to the first employer who unlawfully collected and further shared that information with a third party, the Union.

Dispute

The Authority had to discuss whether the two processing at stake fallen into the scope of the GDPR and then, if there were unlawful.

Holding

Concerning the second employer, the authority ruled that personal information linked to the litigation was not a processing within the meaning of Article 2(1) GDPR. Indeed, the first employer never had access to the ruling which was issued shortly before the two employers talked about the complainant only orally. Thus, there is neither an automated processing system, nor a filing system. As a consequence, the first part of the complaint was rejected. Concerning the first employer, the authority ruled that the information collected from the second employer was unlawfully processed under Aticle 6(1)(f) GDPR, and thus, the controller breached the principle of fairness under Article 5(1)(a) GDPR. First, the authority pointed out that the information linked to the civil litigation does not fall under Article 10 GDPR which only applies to criminal convictions and offences. Secondly, the authority recalled that the processing is lawful under Article 6(1)(f) GDPR to the extent that the pursuit of a legitimate interest by the controller (a), the necessity of the processing for the fulfilment of the legitimate interest pursued (b) and the condition that the fundamental rights and freedoms of the data subjects do not prevail over the interest pursued (c), are cumulative -. The authority acknowledged that the interest invoked by the controller, namely his legal defense, was legitimate. However, it also ruled that the necessity and proportionally criteria were not fulfilled. Indeed, the authority highlighted that it would be excessive and disproportional to accept that all previous employers can exchange any information relating to an employee, for their legal defense. Thus the sharing of information to the Union was unlawful.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.