Controller – Court Ruling (Belgium, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Belgian court ruled that a company could keep data from a former manager's work laptop for up to five years due to ongoing legal cases. The court found the company's interest in defending itself in court was a valid reason to keep the data. This case helps businesses understand when they can retain former employees' data.
What happened
A Belgian court allowed a company to retain data from a former manager's work laptop for up to five years due to ongoing legal proceedings.
Who was affected
The former managing director of the company who had his work laptop data retained.
What the authority found
The court decided that the company had a legitimate interest in keeping the data for legal defense purposes, which justified the retention under GDPR.
Why this matters
This ruling clarifies that companies can keep former employees' data if they have a legitimate interest, such as ongoing legal cases. It highlights the importance of balancing data retention with privacy rights.
GDPR Articles Cited
The data subject was a former managing director of the controller. Following a complaint from the data subject accusing the controller of restoring data on his work laptop after termination, and thus violating his rights to access, erasure, restriction, and objection. In its decision, the DPA held that, in principle, an employer could not consult private emails of his employees, even if the company forbade the use of its tools for personal use. The DPA outlined that there were exceptions to this principle, for example in the case of pending legal proceedings and that the legitimate interest in defending itself in court constituted a valid legal basis for the processing of data. The DPA therefore considered that the controller had a legitimate interest for the processing of the data subject's data for the five previous years. In conclusion, the Belgian DPA ordered the controller to comply with the GDPR and imposed a €7,500 fine. The controller filed an appeal with the Belgian Court of Appeal arguing that the DPA’s decision was not reasonable and proportionate and, thus, had to be annulled. The controller firstly pointed out that the DPA did not specify if the data targeted was exclusively the data relating to the data subject’s private life or the professional data. Furthermore, it stated that the DPA did not justify the choice of a five years time period for the validity of the legitimate interest. It considered that it continued to have a legal interest in the processing since two other proceedings were pending between the controller and the data subject. In its defense, the DPA argued that its choice of setting the time limit for the legal basis of legitimate interests at five years was reasoned and based on a balancing test. It however left open the starting point of this period, which would be determined during the implementation of the corrective measures. The Court noted that the contested decision did not fix the starting point for the five year
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Controller in BE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Controller - Belgium (2022). Retrieved from cookiefines.eu
Last updated: