On 1 April 2022, the Belgian DPA rendered a decision against an employer for indiscriminately restoring personal data from a former employee’s work laptop.

The facts

The case involves a Belgian employer who restored all e-mails that had previously been on the laptop of its ex-employee, both his private and professional e-mail messages.

The data subject was a former shareholder, managing director, and subsequently an employee of the employer. At the time the restoration of e-mails took place, and at the time the DPA rendered the decision, litigation was pending between the data subject and the data controller. The litigation concerned the employee’s claim for an unpaid balance following the sale of his shares, while the employer counter-claimed damages from the employee for the debts of an acquired company.

The parties’ views

The data controller claimed that it processed the data to ensure (i) its defence in court; (ii) the potential determination by a court of the complainant’s liability in his capacity as a former director; and (iii) the continuity of the controller’s business services. The basis for processing was legitimate interest.

The data subject claimed that there was no legitimate interest in processing his personal data that were more than five years old, five years being the statute of limitations for directors’ liability. He also claimed that the data controller had not carried out a balancing of interests test as part of its legitimate interest assessment.

The DPA’s reasoning

The DPA commenced its analysis by positing that an employer cannot freely consult private e-mails of its employees even if it had prohibited the use of company tools for personal purposes.

Legitimate interest as basis for processing

Recourse to legitimate interest as a basis for processing is subject to a balancing test, i.e. the legitimate interest must be weighed against the interests or the fundamental rights and freedoms of the data subject. To be able to invoke legitimate interest under Article 6(1)(f) of the GDPR, the controller must demonstrate the following:

  • the interests it pursues can be recognized as legitimate (the “purpose test”);
  • the processing is necessary to achieve those interests (the “necessity test”); and
  • when measured against the interests, fundamental rights and freedoms of data subjects, the legitimate interests of the controller weigh in its favour (the “balancing test”).

The DPA said that “defence in court” could indeed be considered a lawful legitimate interest, given that legal defence is a fundamental right enshrined in Article 48 of the Charter of Fundamental Rights of the European Union. At the time of the restoration of the e-mails, litigation between the data subject and the data controller was already pending.

Nevertheless, under the necessity test the processing of data must be “necessary” for the defence in court. It would be excessive and contrary to the requirements of necessity and proportionality to allow all previous employers of an employee to process all personal data relating to that former employee. The data controller refused to comply with the complainant’s request to process only his personal data not older than five years. The DPA agreed with the complainant that the company should have limited the processing by applying the five-year time limit, corresponding to the statute of limitations for the data subject’s liability as a director.

As for the defendant’s next argument, that the processing was justified by the potential filing of a criminal complaint, the DPA held that such an argument was in principle acceptable. Recital 47 of the GDPR states that the processing of personal data strictly necessary for the purposes of preventing fraud constitutes a legitimate interest of the data controller concerned. However, here again the company violated the law by failing to limit the restoration to e-mails not older than five years.

The data controller could justify the processing on the basis of business continuity, but only for data not older than five years. The DPA took the five-year period as the appropriate time frame for consistency with the period relevant for judicial determination of the data subject’s potential liability as a director.

The manner of the processing of the e-mails of the departing employee

The DPA reasoned that, just as the data subject must be allowed to take back his personal belongings, he should be free to take over or delete his private e-mails before his departure. If the employer wishes to ensure the preservation of the employee’s e-mails which are relevant for business continuity, the employer must do so before the employee’s departure and in his presence. The employer should have in place an internal policy which regulates the manner in which the employer may check the e-mail folders of departing employees. The employer is allowed to involve a third party with whom the employee could sort out, in the presence of the employer, the relevant e-mails. In other words, the employer should take less invasive measures than restoring all of the complainant’s e-mail folders, both private and professional.

In addition, the employee must be informed in advance of the processing and its purposes, the legal basis for the processing, the data retention period, the rights to object, access and rectification, and the possibility of lodging a complaint with the supervisory authority.

Takeaways for employers

Employers should adopt internal policies which regulate the processing of departing employees’ data. It is possible to involve a third party with whom the employee could sort out, in the presence of the employer, the relevant e-mails. During this process, the employee should be informed of his GDPR rights.

[Note: The Serbian Data Protection Act and the current draft of the Montenegrin Data Protection Act mirror the provisions of the GDPR. The decisions of supervisory authorities and courts in EU and EFTA member states may therefore serve as instructive guidance for compliance with local regulations.]