Datatilsynet (Denmark) - Decision of 2 December 2022

Datatilsynet - Decision of 2 December 2022

Authority:	Datatilsynet (Denmark)
Jurisdiction:	Denmark
Relevant Law:	Article 83 GDPR Article 83(1) GDPR § 8, sub. 3 DDPA § 8, sub. 4 DDPA
Type:	Other
Outcome:	n/a
Started:
Decided:
Published:	02.12.2022
Fine:	n/a
Parties:	n/a
National Case Number/Name:	Decision of 2 December 2022
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Danish
Original Source:	Datatilsynet (in DA)
Initial Contributor:	Iman Coric

The Danish DPA filed a police report against a company for improperly disclosing information about a former employee's criminal offences to the company's clients. A fine of €20,000 (DKK 150,000) has been proposed by the Danish DPA.

English Summary

Facts

The company, the data controller, had informed a number of the company's customers via e-mail that the former employee had committed criminal offences during employment and as a result had been dismissed. An employee, the data subject, then issued a complaint with the Danish DPA alleging that his former employer had passed on information about criminal offences committed by the employee to a number of the company's customers without any due reason.

Holding

The Danish DPA stated that the detailed description of the criminal offence meant that the recipient of the information had to consider the information to be true. According to section 8 subsection 3 of the Data Protection Act, such information may only be shared with permission. This might be the case, if the disclosure is made to further personal interests that clearly exceed the reasons for maintaining confidentiality.

The Danish Data Protection Authority has assessed that the company had a legitimate interest in passing on information about the dismissal of the former employee to its customers and in informing the customers that the employee could therefore not enter into agreements on behalf of the company.

The Danish DPA makes a concrete assessment of the seriousness of the case pursuant to Article 83, paragraph 1 of the GDPR when assessing which sanction is the correct one in the opinion of the supervisory authority.

In assessing that a fine should be imposed, the DPA has placed emphasis on the fact that it is a matter of passing on information about criminal offences relating to a former employee, and that the description of the criminal offence, which was the reason for the dismissal, was not necessary for the company to safeguard its legitimate interest, and that the company has not proven that it was only customers with whom the former employee had contact who were informed.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Danish Data Protection Authority has reported a company to the police for having unjustifiably passed on information about criminal offenses about a former employee to a number of the company's customers. The Danish Data Protection Authority has proposed a fine of DKK 150,000.

Earlier this year, the Danish Data Protection Authority was contacted by the former employee, who complained that his former employer had unjustifiably passed on information about criminal offenses committed by the employee to a number of the company's customers.

The company had informed a number of the company's customers by e-mail that the former employee had committed criminal offenses during employment and as a result had been dismissed.

Balancing of interests
Part of the information that was passed on must be assessed as information about criminal offences, as the company has passed on specific information about criminal offenses committed by the former employee in connection with the employment. The detailed description of the criminal offense meant that the recipient of the information had to consider the information to be true. Such information can only be passed on if there is authority to do so pursuant to section 8, subsection of the Data Protection Act. 4, cf. subsection 3. This may, for example, be the case if the disclosure takes place to serve private interests that clearly exceed consideration for the interests that justify secrecy.

The Danish Data Protection Authority has assessed that the company had a legitimate interest in passing on information about the dismissal of the former employee to its customers and in informing the customers that the employee could therefore not enter into agreements on behalf of the company.

"It is legitimate to inform one's customers that an employee is no longer employed, and thus can no longer enter into agreements on behalf of the company, but more detailed descriptions of the charges against the former employee are not necessary to fulfill this objective," states office manager Astrid Mavrogenis, Data Protection Authority.

Why report to the police?
The Danish Data Protection Authority always makes a concrete assessment of the seriousness of the case pursuant to Article 83, paragraph 1 of the Data Protection Regulation. 2, when assessing which sanction is the correct one in the opinion of the supervisory authority.

In assessing that a fine should be imposed, the Danish Data Protection Authority has, among other things, emphasis has been placed on the fact that it is a matter of passing on information about criminal offenses relating to a former employee, and that the description of the criminal offence, which was the reason for the dismissal, was not necessary for the company to safeguard its legitimate interest, and that the company has not proven that it was only customers with whom the former employee had contact who were informed.

For the sake of the former employee of the company and the circumstances of the case - including in particular the information about criminal offenses - the Data Protection Authority cannot provide further details about the name of the complainant or the company.