Commissariat Général aux Réfugiés et Apatrides (CGRA) – Dismissed (Belgium, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Belgian data authority dismissed a complaint about an employee taking photos of an asylum applicant's social media during a hearing. The authority found no GDPR breach but noted that using personal devices for work can pose risks. This case highlights the importance of clear policies on device use at work.
What happened
An employee took photos of an asylum applicant's social media with a personal phone during a hearing.
Who was affected
An asylum applicant whose social media images were photographed by an employee during a hearing.
What the authority found
The Belgian data authority found no GDPR breach but emphasized the need for risk assessments when using personal devices for work-related activities.
Why this matters
This case highlights the importance of having clear policies on using personal devices for work, especially in sensitive contexts. Organizations should conduct risk assessments to ensure data protection compliance.
During a hearing held as part of an asylum application, an employee of the Office of the Commissioner General for Refugees and Stateless Persons (the controller) used his private phone to photograph the social network pages of the applicant (the data subject). The photographs were added to his file. The data subject was concerned about whether this was standard practice and what happened to the pictures on the mobile phone. The CGRA responded to the data subject that the employee only had his best interests at heart, i.e. an effective and swift procedure. Unsatisfied, the data subject filed a complaint with the Belgian DPA.
In its defense, the controller stressed that it provides its employees with work equipment and that there is no BYOD (Bring Your Own Device) policy. The use of a private mobile phone was thus not allowed. It emphasised that this practice is neither widespread nor official, and that this has been communicated to the employee in question, as well as to all other employees, to prevent similar situations from occurring. The controller also added that the pictures were deleted immediately after the interviews.
The Belgian DPA established that taking photographs with a private phone constituted processing of personal data under Article 4(1) and Article 4(2), and that the employer was the controller under Article 4(7), regardless of whether the employee acted in breach of or in compliance with internal procedures. The DPA noted that the awareness measures taken to prevent further incidents constituted good practice.
Concerning the use of a private phone, the DPA stated that implementing BYOD for work-related activities is not a problem per se but can present certain risks. A risk assessment is thus required, especially when dealing with personal data in a sensitive context, such as an asylum application. In this case, the DPA concluded that nothing pointed towards a breach of the GDPR, regardless of the usage of personal equipment being against the controll
Outcome
Dismissed
The complaint or investigation was dismissed.
Cite as: Cookie Fines. Commissariat Général aux Réfugiés et Apatrides (CGRA) - Belgium (2023). Retrieved from cookiefines.eu