APD/GBA (Belgium) – 10/2026

6 February 2026

Dt:

{{DPAdecisionBOX

|Case_Number_Name=10/2026
|ECLI=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=

|Initial_Contributor=
|
}}

The DPA issued a warning to an employer to ensure compliance of its processing activities after one of its managers shared an employee’s resignation in a work-related group chat.

== English Summary ==

=== Facts ===
A student (the data subject) sent her manager via WhatsApp her resignation from the company where she worked. Subsequently, the manager forwarded screenshots of that conversation to a work-related WhatsApp group.

The data subject argued that the screenshots contained her name and revealed the content of her conversation with the manager, and that she did not consent to the sharing of the information.

Therefore, the data subject filed a complaint with the DPA.

=== Holding ===
The DPA pointed out that, although an employee of the controller shared the screenshots, in line with [[Article 29 GDPR]] the assumption may be that the processing of personal data by employees in the context of an organisation’s activities takes places under the authority and supervision of that organisation.

In spite of the actions taken and reported by the controller regarding the technical and organisational measures aimed at preventing such incidents and at ensuring compliance with the GDPR, the DPA found that the controller breached [[Article 6 GDPR#1|Article 6(1) GDPR]].

Furthermore, the DPA considered that the controller was at risk of violating [[Article 5 GDPR#2|Article 5(2) GDPR]] and [[Article 24 GDPR#1|Article 24(1) GDPR]] due to the insufficient technical and organisational measures.

Therefore, the DPA warned the controller to ensure compliance in the future with [[Article 5 GDPR#2|Article 5(2) GDPR]] and [[Article 24 GDPR#1|Article 24(1) GDPR]].

== Comment ==
”Share your comments here!”

== Further Resources ==
”Share blogs or news articles here!”

== English Machine Translation of the Decision ==
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

<pre>
1/7

Dispute Resolution Chamber

Decision 10/2026 of 27 January 2026

File number: DOS-2025-00927

Subject: Complaint concerning the alleged unlawful sharing of private messages in a

work-related WhatsApp group

The Dispute Resolution Chamber of the Data Protection Authority,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data, and repealing

Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;

Having regard to the Act of 3 December 2017 establishing the Data Protection Authority,

hereinafter “WOG”;

In view of the internal rules of procedure, as approved by the Executive Committee of the

Data Protection Authority on 25 April 2024 and published in the Belgian Official Gazette on

31 May 2024;

In view of the documents in the case;

Has taken the following decision regarding:

Complainant: X, hereinafter “the complainant”

Defendant: Y, with registered office at […], with company number […], hereinafter “the

defendant” Decision 10/2026 — 2/7

I. Facts and procedure

1. The subject of the complaint concerns the alleged unlawful sharing of private messages

in a work-related WhatsApp group.

2. The complainant is a student and was employed in that capacity by the defendant. The

complainant exchanged messages with her manager via WhatsApp, after which she

announced her resignation via WhatsApp. The manager, employed by the

respondent, forwarded screenshots of the aforementioned conversation to

a work-related WhatsApp group on January 7, 2025.

3. On March 3, 2025, the complainant filed a complaint with the Data Protection Authority

against the respondent.

4. The complainant stated that she learned from a third party that her manager had shared private messages

about her in a WhatsApp group. The complainant stated that the

forwarded screenshots showed her surname, first name, and the content of these

private messages. She stated that she had not given permission for this.

5. On March 10, 2025, the complaint was declared admissible by the First Line Service on

the basis of Articles 58 and 60 of the Dutch Data Protection Act (WOG), and the complainant was informed of this

in accordance with Article 61 of the WOG.

6. On March 10, 2025, the Dispute Resolution Chamber will be seized pursuant to Article 92, 1° of the Dutch Judicial Code (WOG).

7. On October 31, 2025, the Dispute Resolution Chamber will inform the parties, in accordance with Article 95, §2

of the Dutch Judicial Code, of the fact that this file has been filed, the content

of the complaint, and the possibility of consulting and copying the file at the

registry of the Dispute Resolution Chamber. The parties are invited to submit any comments they may have on this matter to the Dispute Resolution Chamber no later than December 2,

2025.

8. On November 20, 2025, the Dispute Resolution Chamber will receive the respondent’s comments

on this notification.

II. Reasons

9. In its response of November 20, 2025, the respondent states that it does not dispute the facts that gave rise

to the complaint. The respondent admits that the sharing of

the complainant’s personal data with other employees by her manager

was unlawful. The respondent emphasizes that copying

private messages in a professional WhatsApp group is not in line with the expectations

she has of her managerial staff. Decision 10/2026 — 3/7

10. The Dispute Resolution Chamber thus finds that the complainant’s personal data

were unlawfully shared, given that the processing could not be based on one of the

legal grounds listed in Article 6.1 GDPR. While the Dispute Resolution Chamber understands that

the present complaint arises from actions taken by an individual member of staff,

it points out that, in accordance with Article 29 GDPR, it may in principle be assumed that

any processing of personal data by employees that occurs in the context of the

activities of an organization takes place under the authority and supervision of that

organization. 11. In this regard, the Litigation Chamber points out that the accountability obligation laid down in Article 5.2 of the GDPR implies that every controller is responsible

for compliance with data protection principles and must also be able to

demonstrate compliance. This accountability obligation is concretized, among other things, in

Article 24 of the GDPR. This article obliges the controller, taking into account

the nature, scope, context and purposes of the processing, as well as

the risks of varying severity for the rights and freedoms

of natural persons, to implement appropriate technical and organizational measures

to ensure and be able to demonstrate that the processing is carried out in accordance with the

GDPR.

12. Consequently, Articles 5.2 and 24 of the GDPR impose general obligations on the controller regarding

accountability and compliance. More specifically,

these provisions require controllers to take appropriate

measures to prevent any breaches of the GDPR rules

and to safeguard the right to data protection.

13. The Litigation Chamber notes that the technical and

organizational measures referred to in Article 24.1 of the GDPR in a context such as the present one may, among other things,

include establishing and implementing clear internal policies or

providing targeted training and awareness-raising for employees on

data protection. Such measures would indeed be appropriate to

prevent the defendant’s employees from unauthorizedly sharing the personal data of

other employees, which is the issue in the present case.

14. In its response of November 20, 2025, the defendant explains which technical and

organizational measures it has taken to prevent incidents such as the present

and to ensure compliance with the GDPR. It refers, for example, to its

1European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR – Version
2.1, p. 10, https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-
and-processor-gdpr en.

2 CJEU Judgment of 27 October 2022, Proximus NV, C-129/21, EU:C:2022:833, para. 81 Decision 10/2026 — 4/7

established rules of conduct stipulating that employees must treat each other with dignity,

respect, fairness, and inclusion, and emphasizing that the

defendant respects the privacy of its employees and protects their data. It

argues that all its employees participate in a mandatory e-learning course every two years to remind them of these

principles. Specifically with regard to the protection of

personal data, the defendant further states that a globally applicable internal Data

Protection Policy has been implemented, supplemented with an informative brochure and

a guideline on the “Do’s and Don’ts” to be followed. In addition, the defendant provides

an annual mandatory Data Protection and Privacy Training, which must be completed through e-learning

by every employee with a professional email account. Furthermore, the defendant offers an intranet platform for all its

employees that contains various information, such as information on key concepts of the

GDPR, a GDPR toolbox, practical tips, as well as explanations of the individual

responsibilities of employees under the GDPR.

15. Finally, and in accordance with the facts giving rise to this complaint,

the defendant has decided to issue an informational memo in the future for

its operational management staff with specific instructions and clarifications

regarding the use of work-related WhatsApp groups, and a reminder of the

data protection rules that must be observed in this regard.

16. The Litigation Chamber concludes prima facie that, despite the measures taken by the respondent

of which it is aware, a violation of Article 6.1 GDPR has occurred

as a result of the actions of a person acting under the authority of the

controller. The Litigation Chamber considers prima facie that this

may indicate that the technical and

organizational measures taken by the respondent are insufficient or insufficiently implemented

in light of Articles 5.2 and 24.1 of the GDPR. More specifically, the Litigation Chamber establishes prima

facie that the respondent has not yet established a policy for its

operational management staff. It thus encourages the

respondent’s intention to inform its management staff of

their obligations under the GDPR by means of an information memo. The Litigation Chamber will take these intended positive

steps into account when deciding whether to impose a corrective measure.

17. In accordance with Article 95, § 1, 4° of the Dutch Data Protection Act (WOG) and Article 58.2.a) of the GDPR, the

Dispute Resolution Chamber has the authority to warn a controller or processor

that the intended processing activities may violate the

provisions of the GDPR. Decision 10/2026 — 5/7

18. Based on the above facts, the Dispute Resolution Chamber finds that the defendant

is in danger of violating Articles 5.2 and 24.1 of the GDPR due to insufficient

implementation of technical and organizational measures. This justifies

issuing a warning so that the defendant ensures in the future

that it develops and

enforces a data protection policy for managers to prevent similar incidents in the future.

19. This warning decision is intended to remind the defendant, who is presumably

responsible for the processing, of its obligation to comply with the

above-mentioned provisions of the GDPR, so that it can comply with these

provisions in the future in the context of the processing activities at issue in this case.

20. This decision is a prima facie decision taken by the Dispute Resolution Chamber

in accordance with Article 95 of the Dutch Data Protection Act (WOG) on the basis of the complaint submitted by the complainant,

in the context of the “procedure prior to the decision on the merits” and not a

decision on the merits by the Dispute Resolution Chamber within the meaning of Article 100 of the WOG.

21. If the defendant disagrees with the contents of this prima facie

decision and believes that they can present factual and/or legal arguments that

could lead to a new decision, they may submit a request for reconsideration

to the Litigation Chamber according to the procedure established in Articles 98 and

99 of the WOG, known as a “trial on the merits.” This request must be

sent to the email address litigationchamber@apd-gba.be within 30

days of notification of this prima facie decision. If applicable, the

execution of this decision will be suspended for the aforementioned period.

22. In the event of a continuation of the hearing of the case on the merits, the

Dispute Chamber will, pursuant to Articles 98, paragraphs 2 and 3, in conjunction with Article 99 of the

WOG, invite the parties to submit their defenses and to add all documents they deem useful

to the file. In that case, the present decision will be definitively

suspended.

23. Finally, for the sake of completeness, the Dispute Chamber points out that a hearing on the merits

of the case may lead to the imposition of the measures referred to in Article 100 of the

WOG.4

3
Section 3, Subsection 2 of the WOG (Articles 94 through 97).
4Article 100, § 1. The Dispute Chamber has the authority to:

1° dismiss a complaint;

2° order that no prosecution be prosecuted;
3° to order the suspension of the judgment;
4° to propose a settlement;
5° to issue warnings and reprimands;
6° to order that the data subject’s requests to exercise their rights be complied with; Decision 10/2026 — 7/7

Article 1034ter of the Judicial Code (Judicial Code) must contain the listed elements. The 5

application for intervention must be submitted to the registry of the Market Court

in accordance with Article 1034quinquies of the Judicial Code, or via the Deposit Information System of

the Ministry of Justice (Article 32ter of the Judicial Code).

(Government). Hielke H IJMANS

Director of the Litigation Chamber

5
The application must state, under penalty of nullity:

1° the day, month, and year;

2° the surname, first name, and place of residence of the applicant and, where applicable, their capacity and national register or company number;

3° the surname, first name, and place of residence and, where applicable, the capacity of the person to be summoned;

4° the subject matter and a brief summary of the grounds for the action;

5° the judge before whom the action is brought;

6° the signature of the applicant or their lawyer.

6
The application and its attachment, in as many copies as there are parties involved, shall be sent by registered mail
to the clerk of the court or lodged with the clerk of the court.
</pre>

APD/GBA (Belgium) – 11/2026

FTC Issues Second Report to Congress on its Work to Fight Ransomware and other Cyberattacks