Belgian Data Protection Authority (APD)-Company (4/1/2022)

A former managing director had filed a complaint against the company with the DPA. In the context of being dismissed, the former managing director deleted all data on the work laptop before handing over the technical equipment.
According to the managing director, only the private data, such as the private e-mail inbox, had been deleted. However, the company stated that the managing director had deleted both private and work-related data. The company then restored the data that had previously been on the laptop.

For this reason, the former managing director requested to exercise their right to delete, restrict the processing of their personal data and object.

However, the company refused the request. In the course of its investigation, the DPA found that the company had breached its obligation under the GDPR to grant the former managing director the exercise of these rights.

In addition, the DPA found that due to the lack of a valid legal basis at the time of the restoration, the company unlawfully processed the data.