Belgian Data Protection Authority Prohibits Use in Arbitration Proceedings of Personal Data Received in Breach of GDPR
This article has been co-authored by Thibaut D’hulst (Counsel at Van Bael & Bellis) and Justine Van den Bon and Margot Vogels (Associates at Van Bael & Bellis)
By a decision of 29 January 2021, the Litigation Chamber of the Belgian Data Protection Authority (the DPA) prohibited a controller from passing on personal data obtained in breach of data protection rules to its legal counsel. The Litigation Chamber did not issue a fine, but the decision serves as a clear message that further processing of such unlawfully obtained personal data, even in the context of legal proceedings, is prohibited.
The dispute before the DPA involved an individual practising as a notary (the Plaintiff), her accountant (the First Defendant) and her former business partner also practising as a notary (the Second Defendant). The case at hand takes place in the broader context of arbitration proceedings relating to the winding-up of a notary practice due to financial issues and the refusal to submit certain accounting documents and other information.
The First Defendant mistakenly forwarded an e-mail with 32 annexes, which contained personal data relating to the Plaintiff, to the Second Defendant. This resulted in the disclosure of data relating to the Plaintiff’s personal activities, finances, and other personal data to the Second Defendant, without the Plaintiff’s consent. In turn, the Second Defendant forwarded the e-mail and its annexes to his legal counsel, who then used the e-mail and its annexes as an exhibit within the context of the pending arbitration proceedings between the Second Defendant and the Plaintiff.
Processing by the First Defendant
In the proceedings before the Litigation Chamber, the First Defendant argued that the communication of the e-mail and its annexes to the Second Defendant resulted from his habit of sending e-mails to both the Plaintiff and the Second Defendant. As this transfer was unintentional, the First Defendant argued that it could not constitute a violation of General Data Protection Regulation (EU) 2016/679 (the GDPR). In this respect, the Litigation Chamber noted that the transfer of personal data constituted processing within the meaning of the GDPR and that the intent was irrelevant.
The Litigation Chamber went on to assess whether the processing could be justified by the pursuit of a legitimate interest of the First Defendant. Pursuant to Article 6(1)(f) of the GDPR, personal data may be processed where it is necessary for the purpose of the legitimate interests pursued by the controller, the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights of the data subject. In this respect, the Litigation Chamber found that, although the processing was carried out in the pursuit of a legitimate interest of the First Defendant, the latter could have sent an e-mail to both the Plaintiff and the Second Defendant concerning the notary practice and a separate e-mail to the Plaintiff only concerning her personal company. As a result, the First Defendant did not apply the data minimisation principle. Additionally, the Litigation Chamber found that the Plaintiff had resorted to the First Defendant’s services for the preparation and maintenance of the accounting documents relating to her personal company, and could not have expected the First Defendant to share data processed in this context to the Second Defendant.
Therefore, the Litigation Chamber concluded that the transfer of the e-mail and its annexes by the First Defendant to the Second Defendant could not be justified by the legitimate interests of the First Defendant, nor on any other distinct legal basis under Article 6 of the GDPR. Accordingly, it found that the First Defendant had infringed Articles 5(1)(a) in combination with 6(1), 5(1)(b) in combination with 6(4), as well as 5(1)(c) of the GDPR. Nonetheless, in view of the fact that the First Defendant demonstrated that he immediately took steps to have the Second Defendant delete the e-mail and to inform the Plaintiff’s counsel of such deletion, and that this was his first infringement of the GDPR, the Litigation Chamber decided not to impose an administrative fine, but instead merely reprimanded the First Defendant.
Processing by the Second Defendant and his legal counsel
The Second Defendant alleged that he was a mere recipient of the e-mail and its annexes and, as such, could not be considered to have processed the Plaintiff’s personal data. However, before deleting the email and its annexes as requested by the First Defendant, the Second Defendant transferred the e-mail and its annexes to his legal counsel. The Litigation Chamber explained that the consultation of the annexes and the transfer of the e-mail and its annexes to his legal counsel constituted processing within the meaning of the GDPR. The Litigation Chamber also noted that the Second Defendant did not show that his legal counsel had also deleted the e-mail and its annexes.
In this respect, the Second Defendant attempted to justify the transfer of the e-mail and its annexes to his legal counsel by the privileged and confidential character of attorney-client correspondence. The Litigation Chamber did not accept this argument, stating that, although clients must be able to make confidential communications to their lawyers, such communications must still comply with the GDPR if it contains a third party’s personal data. Accordingly, a client cannot communicate unlawfully obtained personal data to a legal counsel and justify its further processing for use in pending or future legal proceedings, without violating the principle of lawfulness, loyalty and transparency.
Consequently, the Litigation Chamber concluded that the processing of the e-mail and its annexes by the Second Defendant infringed Articles 5(1)(a) and 6(1) of the GDPR. Considering that this was the Second Defendant’s first infringement of the GDPR, the Litigation Chamber decided not to impose an administrative fine. However, it prohibited the processing of the illegally obtained personal data and ordered the Second Defendant to inform its legal counsel that the use of the relevant personal data was prohibited.
The DPA’s decision can be appealed. The decision is available in Dutch (here).