Datatilsynet (Denmark) - 2021-32-2132

From GDPRhub
Revision as of 10:38, 13 April 2022 by Ea (talk | contribs) (reprimand instead of serious criticism, minor edits)
Datatilsynet (Denmark) - 2021-32-2132
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(c) GDPR
Type: Investigation
Outcome: Violation Found
Started: 09.03.2021
Decided: 18.03.2022
Published: 18.03.2022
Fine: None
Parties: A Danish municipality (redacted)
National Case Number/Name: 2021-32-2132
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Rie Aleksandra Walle

The Danish DPA reprimanded a municipality for sharing unnecessary and sensitive personal data about an employee with over 50 of her coworkers, thus breaching Article 5(1)(c) GDPR.

English Summary

Facts

A data subject had informed the team leader at her job that due to a fertility treatment, she would need some of her work tasks facilitated in the coming period. At work the following day, she read an email which had been sent to the entire department with 51 of her coworkers, where the team leader had informed everyone of her care needs and the reason why (fertility treatment).

Following this, the data subject lodged a complaint with the Danish DPA (Datatilsynet), stating she had not given her consent to the sharing of this sensitive information. The municipality admitted to having shared the information in question, but said it was due to a misunderstanding. They had also realised that the consent they thought they had obtained did not satisfy the GDPR requirements. Because of this, they had offered a monetary compensation to the data subject.

The DPA noted that the municipality had admitted the mistake and apologised for sharing the sensitive information without a valid consent, and that it was not necessary to inform the data subject's colleagues about the reason for her care needs.

Holding

The DPA held that the municipality's processing was in violation of Article 5(1)(c) GDPR. Because of the personal data's sensitive nature and the group of people who received the information, the DPA concluded that there were reasons to express serious criticism of the municipality.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Danish Data Protection Agency expresses serious criticism of a municipality for passing on unnecessary information about an employee

Date: 18-03-2022

Decision Public authorities

The Danish Data Protection Agency has made a decision in an appeal case where an employer in a municipality passed on information about an employee's fertility treatment to the employee's department with more than 50 people.

Journal number: 2021-32-2132

Summary

The Danish Data Protection Agency has made a decision in a complaint case in which an employer sent an e-mail about an employee's consideration due to fertility treatment to the employee's department with more than 50 people.

The Danish Data Protection Agency found in the case that it had not been necessary to inform the complainant's colleagues about the reason for her consideration. Against this background, the Danish Data Protection Agency expressed serious criticism of the employer's disclosure of the information on the complainant's fertility treatment. In this connection, the Danish Data Protection Agency emphasized the confidential nature of the information and the group of persons to whom the information had been passed on.

Decision

The Danish Data Protection Agency hereby returns to the case where [complainants] (hereinafter "complainants") on 9 March 2021 complained to the Authority that [X] Municipality has passed on information about complainants' fertility treatment to all employees in her department at her workplace.

After reviewing the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that [X] Municipality's processing of personal data has not taken place in accordance with the rules in Article 5 (1) of the Data Protection Regulation. 1, letter c.

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Case presentation

It appears from the case that the complainant had discussed his need for care by telephone as a result of fertility treatment with his team leader. The need for protection meant that complainants needed neighbor help for a citizen.

The day after the phone call, complainants met at work, where she read the following email sent out to her entire department (51 recipients):

"Dear All

In connection with [complaints] in team E being in facility treatment, she must lift a maximum of 10 kg in the coming period. This means that when [citizen] needs two helpers with the personal care, she can not be part of that help.

Therefore, when [complaints] are on working in team E, there will be a need for neighbor help for that task.

Team E and [complainants] are responsible for asking for help. ”

Complainant subsequently sent an email to his two managers, his shop steward and health and safety representative:

"Hi

I have this morning responded to this email and I am really sorry that my entire workplace has been involved in my private life.

I otherwise had a perception that I had a really good phone conversation with [team leader] yesterday. Where I explained that when I had to ask people for help to [citizen] and if they questioned, I would say I was in a course of treatment as I would not involve others in what kind of treatment I was in.

I have at no time given acceptance or permission for it to be written that I am in fertility treatment. I'm very sorry that my privacy has been exhibited that way. I honestly do not feel like being at work right now at all. Already this morning, there has been talk behind my back where people are asking others in to if I am pregnant. It has started some unpleasant (for me) conversations in the house and now I have to go and be afraid that people will talk about them and that the citizens will overhear parts of my private life. "

2.1. Complainant's remarks

Complainants have stated that she has not at any time given consent - orally or in other forms - to any announcement about the fertility treatment. The sole purpose of the telephone conversation with the team leader was to inform the leader that complaints had a prudent consideration, and also aimed to try to find a common solution to this.

Complainants have further pointed out that during the telephone conversation with her team leader, she expressed a desire not to involve her colleagues in her course of treatment.

2.2. [X] Municipal comments

[X] The municipality has confirmed that the municipality passed on the information in question. In this connection, the municipality has stated that the transfer took place on the basis of misunderstood communication between the team leader and complaints.

The team leader has been of the opinion that complainants during the telephone conversation had verbally consented to the disclosure of the information in question about complaints. [X] The municipality has stated in its statement to the supervision that the municipality only subsequently became aware that the consent did not meet the data protection law requirements for a valid consent, and that the municipality has offered to pay compensation for complaints based on the error committed.

Justification for the Danish Data Protection Agency's decision

The Danish Data Protection Agency notes that [X] Municipality has acknowledged and regretted that the transfer took place without a valid consent, and that it was not necessary to inform colleagues about the reasons for the complainant's consideration.

It follows from Article 5 (1) of the Data Protection Regulation 1, letter c, that personal data must be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization").

The Danish Data Protection Agency then finds that [X] Municipality's processing has not taken place in accordance with the rules in Article 5 (1) of the Data Protection Regulation. 1, letter c

Due to the confidentiality of the information and the group of persons to whom the information has been passed on, the Authority finds grounds for expressing serious criticism of [X] Municipality.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).