IDPC (Malta) - CDP/COMP/577/2023

From GDPRhub
IDPC - CDP/COMP/577/2023
LogoMT.jpg
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 4(1) GDPR
Article 77 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: CDP/COMP/577/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: Sainey Belle

The Maltese DPA rejected a complaint due to a lack of concrete evidence of an infringement of data protection rights

English Summary

Facts

The data subject lodged a complaint with the Commissioner, alleging that his employer (the controller) accessed his work email account and failed to provide him with the option to delete all personal documents contained in such account after terminating his employment.

The controller sought to argue that, although the data subject was not permitted to use his work email for his own private purposes, access to the account had been granted after the termination, precisely to allow deletion of personal data unrelated to work. The work email was later wiped, and this was confirmed by the data subject a few months after.

Nevertheless, the data subject was of the opinion that the controller had already snooped into his mailbox.

Holding

The Commissioner held that the work email account contained the data subjects personal data, as defined in Article 4(1) GDPR, as it contained their name and surname. Consequently, when the controller processes personal data, such processing operation must comply with the appropriate legal criteria and principles established under the Regulation.

In addition, following a termination of an employment relationship, the controller shall provide the data subject the opportunity to keep a copy of any personal emails stored in the mailbox and delete them accordingly.

The data subject failed to put forward any concrete evidence to support their claim that third parties accessed his mailbox. In accordance with Article 77 GDPR, data subjects are entitled to lodge a complaint with a supervisory authority if they consider that a particular processing relating to them infringes the GDPR. The Commissioner held here that a mere suspicion that someone has infringed your rights is not enough to lodge a complaint. Other than the webmaster hosting the email accounts, it cannot be proved that any other person accessed his email accounts.

On the above basis, the Commissioner found no grounds to unequivocally state that the controller infringed the GDPR and dismissed the complaint.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.