Datatilsynet (Denmark) - Decision of 2 December 2022
|Datatilsynet - Decision of 2 December 2022
|Article 83 GDPR
Article 83(1) GDPR
§ 8, sub. 3 DDPA
§ 8, sub. 4 DDPA
|National Case Number/Name:
|Decision of 2 December 2022
|European Case Law Identifier:
|Datatilsynet (in DA)
The Danish DPA investigated the disclosure by a company of its former employee's criminal offences to the company's clients. A fine of €20,000 was proposed to the court by the Danish DPA.
English Summary[edit | edit source]
Facts[edit | edit source]
A company (the controller) had informed a number of its customers via e-mail that a former employee (the data subject) had committed criminal offences during their employment period and, as a result, had been dismissed. The data subject then issued a complaint with the Danish DPA alleging that the controller had passed on said information to a number of the company's customers without any due reason.
Holding[edit | edit source]
First, the Danish DPA stated that a detailed description of the criminal offence by the controller in the sent email meant that the recipient of the information had to consider it to be true. According to Section 8 Subsection 3 of the Danish Data Protection Act, such information may only be shared if the controller had the authority to do so. This might be the case, if the disclosure is made to further personal interests that clearly exceed the reasons for maintaining confidentiality.
Second, the DPA assessed that the controller had a legitimate interest in passing on information about the dismissal of the data subject to its customers and in informing them that the data subject could, therefore, not enter into agreements on behalf of the company anymore.
Third, the DPA made a concrete assessment of the seriousness of the offence pursuant to Article 83(1) GDPR when assessing which sanction should be adopted. In assessing that a fine should be imposed, the DPA emphasised that criminal offences were at stake as sensitive information. Besides that, the description of the criminal offence, which was the reason for the dismissal, was not necessary for the company to safeguard its legitimate interests. Moreover, the controller has not proven that it only informed customers with whom the data subject had been in contact.
In Denmark, fines according to the GDPR must be decided by the courts. The Danish DPA can recommend to impose fines on both private actors and public authorities. In connection with the notification of the case to the police, the DPA assesses the amount of the fine, and it is then up to the police and the prosecution to bring charges and conduct the criminal case court. In this case, the DPA proposed a fine of DKK 150,000 on the controller for unlawfully passing on information about criminal offences to third parties.
Comment[edit | edit source]
In most European countries the DPA can issue fines for violations of the GDPR, however, in Denmark fines are to be decided by the national courts. In the absence of a full text of the decision, this summary was written on the basis of a press release uploaded on the website of the Danish DPA.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
The Danish Data Protection Authority has reported a company to the police for having unjustifiably passed on information about criminal offenses about a former employee to a number of the company's customers. The Danish Data Protection Authority has proposed a fine of DKK 150,000. Earlier this year, the Danish Data Protection Authority was contacted by the former employee, who complained that his former employer had unjustifiably passed on information about criminal offenses committed by the employee to a number of the company's customers. The company had informed a number of the company's customers by e-mail that the former employee had committed criminal offenses during employment and as a result had been dismissed. Balancing of interests Part of the information that was passed on must be assessed as information about criminal offences, as the company has passed on specific information about criminal offenses committed by the former employee in connection with the employment. The detailed description of the criminal offense meant that the recipient of the information had to consider the information to be true. Such information can only be passed on if there is authority to do so pursuant to section 8, subsection of the Data Protection Act. 4, cf. subsection 3. This may, for example, be the case if the disclosure takes place to serve private interests that clearly exceed consideration for the interests that justify secrecy. The Danish Data Protection Authority has assessed that the company had a legitimate interest in passing on information about the dismissal of the former employee to its customers and in informing the customers that the employee could therefore not enter into agreements on behalf of the company. "It is legitimate to inform one's customers that an employee is no longer employed, and thus can no longer enter into agreements on behalf of the company, but more detailed descriptions of the charges against the former employee are not necessary to fulfill this objective," states office manager Astrid Mavrogenis, Data Protection Authority. Why report to the police? The Danish Data Protection Authority always makes a concrete assessment of the seriousness of the case pursuant to Article 83, paragraph 1 of the Data Protection Regulation. 2, when assessing which sanction is the correct one in the opinion of the supervisory authority. In assessing that a fine should be imposed, the Danish Data Protection Authority has, among other things, emphasis has been placed on the fact that it is a matter of passing on information about criminal offenses relating to a former employee, and that the description of the criminal offence, which was the reason for the dismissal, was not necessary for the company to safeguard its legitimate interest, and that the company has not proven that it was only customers with whom the former employee had contact who were informed. For the sake of the former employee of the company and the circumstances of the case - including in particular the information about criminal offenses - the Data Protection Authority cannot provide further details about the name of the complainant or the company.