IDPC (Malta) - CDP/COMP/577/2023: Difference between revisions
(In general a good summary! Please ensure that the facts are specific and in chronological order. If the decision is split into sections, please try and follow this for the Holding. For example, that the DPA considered the access and the deletion as two seperate points. Thank you so much!) |
|||
| Line 66: | Line 66: | ||
=== Facts === | === Facts === | ||
On the 14th of May 2023 a data subject lodged a complaint with the Maltese DPA. He complained that when terminating his employment, his employer (the controller) accessed his work emails and failed to provide him with a right to clear his mailbox. The data subject highlighted that he had personal documents on the account such as electricity bills. | |||
The controller | The controller defended himself against these allegations to the DPA under when given the opportunity under [[Article 58 GDPR|Article 58(1)(a) GDPR.]] The controller stated that the access to the account had been granted desppite the termination of employment. This access had been granted because the data subject had highlighted the personal documents contained on the account. The controller submitted an email of this grant of access as evidence. The data subject was informed that after he had accessed what he required, the account would be deleted permanently. | ||
The data subject rebutted these claims by only claiming that he was 'suspicious' that the government has already 'snooped' into all his mail. | |||
The controller was given one final chance to rebutt the data subject's arguments. The controller gave evidence that at no point had they accessed the data subject's personal data within his work email. In fact, when they did access it in order to delete it, they noted that everything had already been erased within the account. This fact was confirmed by the data subject himself in an email. | |||
=== Holding === | === Holding === | ||
The Commissioner | The Commissioner dismissed the complaint. | ||
As a preliminary point, the DPA noted that the work email account contained the data subjects personal data, as defined in [[Article 4 GDPR#1|Article 4(1) GDPR.]] Consequently, processing operations by the contoller must be GDPR compliant. | |||
As to whether the controller accessed the data subject's work account, the DPA noted that the data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint under [[Article 77 GDPR|Article 77 GDPR.]] Other than the deletion of the account, it cannot be proved that any other person accessed his email accounts. | |||
The | The DPA analysed the evidence given by the controller. They noted that the data subject himself admitted that he had been given access to delete information on the account. | ||
On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint. | On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint. | ||
Revision as of 09:36, 7 November 2023
| IDPC - CDP/COMP/577/2023 | |
|---|---|
 | |
| Authority: | IDPC (Malta) |
| Jurisdiction: | Malta |
| Relevant Law: | Article 4(1) GDPR Article 77 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | CDP/COMP/577/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | IDPC (in EN) |
| Initial Contributor: | Sainey Belle |
The Maltese DPA rejected a complaint due to a lack of concrete evidence of an infringement of data protection rights
English Summary
Facts
On the 14th of May 2023 a data subject lodged a complaint with the Maltese DPA. He complained that when terminating his employment, his employer (the controller) accessed his work emails and failed to provide him with a right to clear his mailbox. The data subject highlighted that he had personal documents on the account such as electricity bills.
The controller defended himself against these allegations to the DPA under when given the opportunity under Article 58(1)(a) GDPR. The controller stated that the access to the account had been granted desppite the termination of employment. This access had been granted because the data subject had highlighted the personal documents contained on the account. The controller submitted an email of this grant of access as evidence. The data subject was informed that after he had accessed what he required, the account would be deleted permanently.
The data subject rebutted these claims by only claiming that he was 'suspicious' that the government has already 'snooped' into all his mail.
The controller was given one final chance to rebutt the data subject's arguments. The controller gave evidence that at no point had they accessed the data subject's personal data within his work email. In fact, when they did access it in order to delete it, they noted that everything had already been erased within the account. This fact was confirmed by the data subject himself in an email.
Holding
The Commissioner dismissed the complaint.
As a preliminary point, the DPA noted that the work email account contained the data subjects personal data, as defined in Article 4(1) GDPR. Consequently, processing operations by the contoller must be GDPR compliant.
As to whether the controller accessed the data subject's work account, the DPA noted that the data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint under Article 77 GDPR. Other than the deletion of the account, it cannot be proved that any other person accessed his email accounts.
The DPA analysed the evidence given by the controller. They noted that the data subject himself admitted that he had been given access to delete information on the account.
On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
