A care home (the controller) – Complaint Upheld (Belgium, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Belgian care home wrongly shared an employee's personal complaint about workplace harassment with the entire staff. The Belgian DPA upheld the employee's complaint, stating there was no legal reason to disclose her name. This case shows that employers must be careful about sharing personal employee information.
What happened
A care home publicly shared an employee's harassment complaint details, including her name, with all staff.
Who was affected
The employee who filed a harassment complaint and had her identity disclosed to coworkers.
What the authority found
The Belgian DPA ruled that the care home had no legal basis to publish the employee's name in connection with her harassment complaint.
Why this matters
Employers should be cautious about sharing personal details of employee complaints, as this case highlights the importance of respecting privacy even in internal communications. It reinforces the need for clear policies on handling sensitive employee information.
GDPR Articles Cited
Entities Involved
A nursing home employee (the data subject) made a request for psychosocial intervention for abuse and harassment by the employer's management. Psychosocial intervention is a procedure, under Belgian labor law, aiming to address psychosocial issues raised by employees in workplaces with the help of a neutral and external advisor. In this case, the external advisor issued an opinion recommending to take individual and collective measures. The employer (controller) subsequently posted a note on a wall of the workplace entitled "Information for our staff following the formal complaint for violence and moral harassment lodged by Mrs X against the board + collective measures for the improvement of relations and general organisation" indicating that the employee made that request. The controller also wrote an open letter to its staff mentioning her name, explaining that she made that request. On 16 January 2023, the data subject requested access to her data in order to know what the legal basis was for processing her personal data. The controller explained that it had an obligation to share to external advisor's recommendation regarding the collective measures and that the identity of the originator of the request was anyways publicly available. The data subject contested the controller's right to publish her personal data and, therefore, filed a complaint with the Belgian DPA on 23 January 2023. The DPA argued that there was no legal obligation for an employer to publish the collective or individual measures included in an opinion issued by the external advisor. The note posted by the controller on the wall mentioned the name and surname of the data subject. The DPA noted that these data were not communicated for the purpose of publishing the collective or individual measure but for information purposes. The controller could not, therefore, rely on a request, or even an obligation, from the external advisor to publish the data subject's first and last name and, thus,
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for A care home (the controller) in BE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. A care home (the controller) - Belgium (2023). Retrieved from cookiefines.eu
Last updated: