Belgian Data Protection Authority Prohibits Use in Arbitration Proceedings of Personal Data Received in Breach of GDPR
This article has been co-authored by Thibaut D’hulst (Counsel at Van Bael & Bellis) and Justine Van den Bon and Margot Vogels (Associates at Van Bael & Bellis)
By a decision of 29 January 2021, the Litigation Chamber of the Belgian Data Protection Authority (the DPA) prohibited a controller from passing on personal data obtained in breach of data protection rules to its legal counsel. The Litigation Chamber did not issue a fine, but the decision serves as a clear message that further processing of such unlawfully obtained personal data, even in the context of legal proceedings, is prohibited.
The dispute before the DPA involved an individual practising as a notary (the Plaintiff), her accountant (the First Defendant) and her former business partner also practising as a notary (the Second Defendant). The case at hand takes place in the broader context of arbitration proceedings relating to the winding-up of a notary practice due to financial issues and the refusal to submit certain accounting documents and other information.
The First Defendant mistakenly forwarded an e-mail with 32 annexes, which contained personal data relating to the Plaintiff, to the Second Defendant. This resulted in the disclosure of data relating to the Plaintiff’s personal activities, finances, and other personal data to the Second Defendant, without the Plaintiff’s consent. In turn, the Second Defendant forwarded the e-mail and its annexes to his legal counsel, who then used the e-mail and its annexes as an exhibit within the context of the pending arbitration proceedings between the Second Defendant and the Plaintiff.READ MORE