Company fined for restoring data on a former managing director’s work laptop Summary Final decision of the Court of Appeal A former managing director of a private company The Court annulled the decision of the DPA. filed a complaint with the Belgian Data Protection Our remarks Authority (DPA) against his former employer. After being dismissed by the employer, the employee had • After the end of employment, the employer erased a substantial amount of data on his work maintains a legitimate interest in storing personal laptop before returning it to his former employer. The data about the former employee. This can be for employee claimed to have only erased his private several reasons: data, whereas the employer claimed that both private ° First and foremost, the employer may be required and professional data had been erased. During the by law, such as tax law, to retain certain personal investigation, the employer presented two employee data. Additionally (as in this case), the employer may testimonies stating that the former employee had have a legitimate interest in storing personal data deleted both private and professional email accounts. that could be relevant to potential legal proceedings, Due to a possible civil case between the former such as a claim for damages. employee and the employer, the employer restored • When deciding on the appropriate duration for the deleted data, resulting in the former employee retaining personal data about a former employee, invoking his right to erasure, restricting the processing a data controller should consider the time limits of his personal data, and objecting to the processing specified in existing laws. For example, in tort law, of personal data. The employer refused to comply with there is often a limitation period that defines the these requests based on the employment contract timeframe in which a claim can be made. between the parties, as well as referring to GDPR, After this period, there is no reason to store the Article 6(1)(f), which, in the employer’s opinion, justified personal data any longer. the processing of the personal data of the former • Data controllers should have practices and policies employee. in place for how to handle former employees’ The Belgian DPA Imposed a fine of 7,500 EUR on the data. It is advisable for companies to regulate the employer for processing the personal data of the scenario of resignation, dismissal, or any other former employee without sufficient legal basis. The form of termination of employee activity and its case was later appealed to the Court of Appeal. consequences in an internal instruction relating to the use of electronic devices. For example, The Court of Appeal found that the DPA had not fixed prohibiting the employees from using work e-mails the start date of the processing and failed to assess from sending personal mail. Thereby, one is not the legitimate interest of the employer in restoring and in doubt if the e-mails stored are work-related or processing personal data about the former director entirely private. Implementing a policy removes due to the possibility of a civil claim. any potential confusion around the classification of The Court found that the employer had a legitimate stored emails as either work-related or private. interest in restoring and processing the personal data • If e-mails are kept after the end of employment, of the former employee. access to them should be limited to a selected few trusted employees. Published: 07-04-2022 Journal number: DOS-2020-02892 (overturned by 2022/AR/549) Tags: 01 Legal basis and principles 88 of processing, 02 Right of access and obligation to provide information, 03 Right to erasure and rectification