Upon cross-checking an employee’s time registration with the geographic data of his professional vehicle, an employer identified certain inconsistencies which ultimately led to the conclusion of fraud. The employer, a public authority, issued a note to the employee describing the suspicions. Following the receipt of such note, the employee filed a complaint with the Belgian data protection authority, arguing he was not made aware of the location tracking performed by the employer.
In its decision of 21 February 2023, the litigation chamber concludes that the employer violated article 6 GDPR because its first notice to employees, issued in 2009, did not specify a legal basis for the processing of the personal data when the GDPR entered into force on 25 May 2018. In a 2021 revision of the notice, the employer specified that the legal basis was its legitimate interest (art. 6.1 (f) GDPR). In this regard, the litigation chamber refers to the second paragraph of article 6.1 (f) GDPR, which prevents public authorities from relying on the legitimate interest basis in the performance of their tasks. Instead, the litigation chamber examines whether the legal basis of the performance of a task in the public interest in article 6.1 (e) GDPR could apply. Referring to guidance on the public interest legal basis published in 2020 by the Belgian DPA’s knowledge center, the litigation chamber concludes that this legal basis could be used for processing activities relating to staff management by public authorities, to the extent such processing is necessary, i.e. (i) limited to working hours with a professional vehicle and (ii) limited to the personal data necessary to achieve the envisaged purposes of combatting fraud and optimizing efficiency of public means.
Secondly, on the basis of the inspection service’s examination of the employer’s website, the litigation chamber concludes that the employer violated the applicable rules concerning cookie consent. The cookie banner on the employer’s website merely contained the options “proceed” and “more information”, without offering the possibility to reject non-essential cookies. Referring to the recent “Task Force Cookie Banner” report of the European Data Protection Board, the litigation chamber noted that the cookie banner should contain a button to generally reject the activation of non-essential cookies. In addition, no explanation was provided on how to withdraw consent. The decision illustrates that the Belgian data protection authority takes its ambition to prioritize cookie compliance seriously, and will adhere to the principles described in the recent Task Force Cookie Banner report.
Finally, the litigation chamber raises various concerns regarding the privacy notice of the employer. Most notably, the litigation chamber argues that, while the employer did mention legal bases and purposes for the processing in its privacy notice, the notice did not specify the legal basis and categories of personal data per specific purpose. Merely listing different purposes (e.g. sending of direct marketing, recruiting, payment of suppliers, etc.) therefore does not suffice to comply with articles 13 and 14 GDPR if no additional information is provided per purpose.
The full decision can be consulted here.
The data protection and privacy specialists at Stibbe can assist you with any data protection- or privacy-related matters, ranging from advisory and compliance work, contracting, M&A implications to dispute resolution and domestic and international (administrative or judicial) procedures.