IAB Europe receives GDPR fine of €250,000

for violating the principles of legality, fairness and transparency, and for non-compliance with its transparency and information obligations

The former employer of those involved received an email regarding an invoice payable to obtain a supplemental pension.

Since the employment contract had already ended, the former employer asked the individuals to contact the supplemental pension insurer to understand the reason for issuing the invoice.

The insurance company states that it was not informed of the end of the employment contract between the individuals and their former employer and therefore issued a new invoice.

In this regard, the data subjects believe that their personal data should not have been disclosed since the Respondent is not an insurance broker or policyholder.

The question at hand is whether the personal data of those involved could be disclosed to the insurance company by their employer. This question was handled by the Belgian Data Protection Authority.

In accordance with Article 6.1.f GDPR and the case law of the CJEU, three cumulative conditions must be met for personal data to be processed on the basis of legitimate interests:

1. Purpose criterion: pursuing a legitimate interest;

2. Necessity criterion: demonstrating the necessity of the processing to achieve the purpose;

3. Balance of interests: the rights and freedoms of the data subject must not override the legitimate interest pursued by the controller.

The Disputes Chamber of the Belgian Data Protection Authority examined each criterion in its analysis:

1. Purpose criterion: the GBA states that the plaintiff’s personal information was transmitted to the insurance company as part of an assignment entrusted to the defendant by the plaintiff’s former employer. So the first condition is met.

2. Necessity criterion: To meet the second condition, it must be shown that the same result cannot be achieved by other, less intrusive means of processing personal data. The Disputes Chamber considers that the above-mentioned purpose, namely finding the origin of the invoice received in the name of the complainant, could not be achieved in any other way than through e-mail exchanges.

3. Balance of interests (Recital 47 GDPR): It is important to consider the expectations of data subjects. After sending the said invoice, it appeared that the insurance company had not been notified of the termination of the complainant’s employment contract. In this context, it is reasonable to expect the defendant to provide the insurance company with the personal information that reveals the origin of the invoice. These data were also limited to the elements necessary to understand the origin of the invoice.

For these reasons, the litigation chamber of the Belgian data protection authority decided that the employer had met the cumulative conditions prescribed in Article 6 GDPR and decided not to follow up further.
