Company – €7,500 Fine (Belgium, 2022)

€7,500 | Autorité de Protection des Données | 1 April 2022 | Belgium
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Belgian company was fined for restoring a former employee's personal data without permission. This matters because it shows that companies must respect employees' rights to their personal information, especially after they leave the job.

What happened

The company restored personal data from a former employee's work laptop without consent.

Who was affected

The former managing director whose personal data was restored by the company.

What the authority found

The Belgian DPA ruled that the company lacked a valid legal basis for processing the former employee's personal data, violating GDPR rules.

Why this matters

This case highlights the importance of protecting personal data even after employment ends. Companies must ensure they have proper consent and procedures in place when handling former employees' data.

GDPR Articles Cited

Art. 15 GDPR
Art. 17 GDPR
Art. 18 GDPR
Art. 21 GDPR
Art. 28 GDPR
Art. 5(1)(a) GDPR
Art. 6(1)(f) GDPR

Entities Involved

Company
Former employee

Full Legal Summary

The data subject is a former managing director of the controller. When the data subject was dismissed, he deleted the data on the work laptop before handing it in to the former employer. According to the data subject, he had only deleted the private data, such as his private e-mail inbox. The controller, however, stated that he had deleted all data. Therefore, the controller restored all data that had previously been on the laptop, including the data subject's personal data.

After finding out about the restoration, the data subject tried to exercise his rights to information, deletion and restriction of processing as well as his right to object. However, the controller did not act on his requests. The controller not only processed the data itself but also used a processor.

The Belgian DPA fined the controller €7,500 and ordered the controller to comply with the data subject's requests. Because of the numerous shortcomings of the controller, the DPA was of the opinion that such a sanction was necessary even though the controller argued that it was prepared to comply with the data subject's request after the proceedings.

First, it found a breach of Articles 5(1)(a) and 6(1)(f) GDPR due to the partial absence of a legal basis for processing. The processing failed to meet the balancing of interests necessary under Article 6(1)(f) GDPR. It explained that, in case of dismissal, the employer must delete the e-mail addresses when these constitute personal data, after having informed their holders and third parties of the e-mail closing date. This obligation is also intended to allow holders to sort and transfer any private messages to their personal mailbox. If part of the content must be retrieved to ensure the smooth running of the business (as argued by the controller in this case), this must be done before the dismissal and with his or her assistance.

Second, the DPA found a violation of Articles 15 (right to access), 17 (right to erasure), 18 (right to r

Details

Fine Date

1 April 2022

Authority

Autorité de Protection des Données

Fine Amount

€7,500

Enforcement Tracker ID

ETid-1121

GDPRhub ID

gdprhub-4843

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Company - Belgium (2022). Retrieved from cookiefines.eu
