Belgium: Belgian DPA issues reprimand for failure to demonstrate excessive nature of DSAR from former employee
The Belgian Data Protection Authority ('Belgian DPA') issued, on 3 April 2023, its decision No. 40/2023, in which it issued a reprimand against an unnamed entity, which provides support and guidance for adults with disabilities, for violation of Article 12(5) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following the receipt of a complaint.
Background to the decision
In particular, the Belgian DPA reported that the complainant had been employed by the respondent for 13 years and that, in the exercise of their functions and duties, the complainant had used an email address, both for personal and professional purposes, during a period of at least eight years. Thereafter, the Belgian DPA noted that the complainant's employment had been terminated, further to which the complainant had requested access to their personal data, and that the respondent had provided some documents, but had refused to give access to the mailbox linked with the email address formerly used by the complainant.
Findings of the Belgian DPA
In examining the complaint, the Belgian DPA specified that according to the respondent, the complainant's request to access the mailbox was not an access request, as the request only enquired about what had happened to the mailbox. Further to this, the Belgian DPA reasoned that the GDPR does not provide for any requirements as to the format of an access request and that unless otherwise stated, an access request covers all personal data of a data subject. However, the Belgian DPA pointed out that the right of access is not absolute, and that a balance must be struck between the right of access of the complainant and the burden placed on the respondent by the obligation to comply with such right. In the case at hand, the Belgian DPA found that searching through emails concerning the complainant, covering a period of eight years, would impose a disproportionate workload on the respondent, considering that:
- the professional mailbox was used by different persons for several years;
- the complainant did not produce any evidence showing the presence of private emails in the mailbox;
- the complainant did not provide specific parameters on the basis of which targeted searches of the mailbox could be carried out; and
- it would not be acceptable to give access to all emails containing the complainant's personal data, as the mailbox contained sensitive information about the users of the respondent's services.
In light of the above, the Belgian DPA concluded that the complainant's access request was excessive and that the respondent's rejection was lawful. Nevertheless, the Belgian DPA found that the respondent had breached Article 12(5) of the GDOR, in that it had failed to sufficiently demonstrate in a timely manner the manifestly excessive or unfounded nature of the complainant's access request.
In conclusion, the Belgian DPA issued a reprimand to the respondent and noted that the decision may be appealed within 30 days.
You can read the decision, only available in Dutch, here.