Regulations
02 May 2025

GDPR: employees are considered "data controllers" if they are not acting under the authority of their employer

The Data Protection Authority is investigating a complaint lodged for unjustified consultation of a medical file.

Context 

A hospital association dismissed an employee. After her dismissal, the employee discovered that her line manager had consulted her medical records the day before her employment contract was terminated. The stated purpose of the access was to verify whether the employee was in an "adequate state" to be informed of her dismissal.

On this basis, a complaint was lodged with the DPA. 

Decision 

According to the court, the hospital association is not the "data controller" (in the French terminology of the decision, the "responsable du traitement").

The accused line manager acted in that capacity alone: she did not consult the medical file under the authority of the association, nor in the course of her duties. She consulted the file at around 10:50 pm, outside her working hours. Moreover, she admitted that she had accessed the file wrongfully.

The court emphasized that when an employee processes data in excess of the powers conferred on them by their employer, they may be deemed solely responsible for the processing.  

In this case, the consultation of the medical file constitutes a breach involving a special category of personal data. In accordance with the GDPR, the hospital association should have notified the DPA of this breach. However, as a mitigating circumstance, the court took into account that at the time of the events the GDPR had been in force for less than two years, and that the level of knowledge of data management was "lower" than it is today.

With regard to the technical and organisational measures to be adopted: employees had too easy access to medical files. However, the court noted that the association had since adopted new measures to further control and restrict access.

For these reasons, the court dismissed the case against the employer. 

Takeaway 

The employer is not the "data controller" when an employee acts beyond the powers conferred upon them. The employer nevertheless remains bound by several obligations, including informing the DPA of any data breach committed by an employee and taking all necessary measures to protect the data.

Source: DPA, decision 64/2025 of 1 April 2025, available at www.autoriteprotectiondonnees.be
