By Dave McKay | May 22, 2022
Restoring a Laptop From a Backup Leads to €7500 Fine
The Belgian DPA has issued a €7500 fine against a company for restoring personal data onto a company laptop. The data belonged to a former employee. After their termination from the company the ex-employee wiped his personal data from the computer.
He said he had deleted his personal mailbox. The company say he wiped the entire laptop. Either way, the company restored the laptop from a backup, which restored the former employee’s personal data along with everything else.
On learning of this, the data subject tried to exercise his rights to information, erasure, and restriction of processing as well as his right to object.
However, the company ignored his requests and did nothing. They continued to process the data both by themselves and also by engaging with a third-party data processor.
The Litigation Document reads:
On February 28, 2020, the defendant refused to respond to the plaintiff’s requests, on the basis of the employment contract that bound them, as well as on the basis of article 6.1.f of the GDPR (legitimate interest) justifying in its view the processing of the complainant’s personal data.
First, the belgian DPA found a breach of GDPR Articles 5(1)(a) “data must be processed lawfully, fairly and in a transparent manner”, and 6(1)(f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. Their verdict was the processing failed to meet the balancing of interests necessary under Article 6(1)(f).
The DPA also said that if there was work that was required to be done sorting through emails and deleting personal email, that the data subject should have been permitted to do this before termination.
They also said the company was in violation of Articles 15 (right to access), 17 (right to erasure), 18 (right to restriction of processing) and 21 (right to object). Basically, they ignored all of the data subject’s requests.
The DPA also found that there was no processing agreement between the company and the third-party data processor.
The moral of the story: don’t ignore data subject’s requests to exercise their rights under GDPR.