Persónuvernd (Iceland) - 2021061419

Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 27.09.2021
Published:
Fine: None
Parties: Directorate of Labor of Iceland
National Case Number/Name: 2021061419
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Icelandic DPA (in IS)
Initial Contributor: Florence D'Ath

The Icelandic DPA ruled that mistakenly disclosing the email addresses of the recipients of a bulk email was contrary to the GDPR. However, given that the controller took corrective measures to prevent such an incident from happening again, no fine was imposed.

English Summary

Facts

On June 24, 2021, the Icelandic DPA received a complaint from [A] (hereinafter the Complainant) that his email address had been disclosed by the Directorate of Labor in the 'cc' field of an email sent to hundreds of individuals (hereinafter the bulk email). The bulk email in question concerned the resumption of applications for quarantine payments in the context of the COVID-19 pandemic.

The email addresses of the recipients were visible to the other recipients of the bulk email as the result of a human error. The next day, the Directorate of Labor apologized for this error and took measures to prevent such an incident from happening again. In particular, the Directorate of Labor reviewed and changed its procedures for mass mailings, so that two employees must now review such emails before they are sent, in order to ensure that personal data are not disclosed by error. Furthermore, the Directorate of Labor decided to adapt the regular training of its employees to include information on how to prevent such incidents from taking place.


Holding

The Icelandic DPA ruled that the disclosure, by the Directorate of Labor, of the Complainant's e-mail address to other recipients of the bulk email was not compliant with the Icelandic data protection law or the GDPR. However, taking into account that it was the result of a human error and that the Directorate of Labor took corrective measures to prevent such an incident from happening again, the Icelandic DPA decided not to impose any fine.


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


Dissemination of e-mail address by bulk mail not in accordance with the law
Case no. 2021061419

9/27/2021

The Data Protection Authority received a complaint that the Directorate of Labor had disclosed the complainant's e-mail address to unauthorized persons by mass mail. It was clear that the sharing of the e-mail address involved a security breach that occurred when e-mail addresses, which should have been in hidden copy (bcc), were mistakenly placed in visible copy (cc). The Directorate of Labor has responded by informing those affected by the security breach and changing procedures to try to prevent a recurrence of the same security breach.

    

    
Ruling

On 16 September 2021, the Data Protection Authority issued a ruling in case no. 2021061419:

I. Proceedings

1. Outline of the case

On 24 June 2021, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about the Directorate of Labour's dissemination of its e-mail address by mass mail. The complaint was accompanied by a copy of the mass e-mail, which was sent on the same day.

By letter of 22 July 2021, the Directorate of Labor was invited to provide explanations regarding the complaint. The Directorate of Labour's reply was received by the Data Protection Authority by letter on 17 August of the same year. The reply letter was accompanied by a copy of the mass e-mail, an e-mail from the Directorate of Labor on 25 June 2021 apologizing for the mistakes and procedures for registering safety deficiencies and safety deviations.

2. Complainant's views

The complaint states that the Directorate of Labor provided the complainant's e-mail address to one hundred individuals without permission by mass mail on 24 June 2021. Payments from the Directorate of Labor for wages in quarantine

3. The Directorate of Labour's views

The Directorate of Labour's reply letter states that on the same day as the mass e-mail was sent, the Directorate of Labour's privacy officer received information that the e-mail address (cc) had been sent to the recipients. Upon closer inspection, it was revealed that by default, standard e-mail had been sent to about 900 e-mail addresses in three separate transmissions and that instead of having recipients in a hidden copy (bcc), they had been placed in a visible copy (cc). The e-mails in question were for the most part the e-mail addresses of companies' contacts.

The reply letter states that they were human errors and that they were discovered shortly after the e-mails were sent. The staff of Vinnumálastofnun's IT department had tried to cancel the consignments, which had not yet been received by the recipients, but had not succeeded in all cases.

The conclusion of his inspection was that there was no need to report the security breach to the Data Protection Authority, cf. Paragraph 2 Article 27 Act no. 90/2018 on personal protection and processing of personal information. This conclusion was based, among other things, on the fact that the e-mail addresses were mostly e-mail addresses of companies, in addition to which information that individuals had applied for or used resources for quarantine payments would not, in the opinion of the Directorate of Labor, be considered sensitive personal information according to the definition of Act no. 90/2018. The number of recipients and the fact that this was a unique event that was discovered quickly were also taken into account. Account was also taken of the fact that the Directorate of Labor had sent an e-mail to all recipients of the mass e-mail apologizing for the mistakes that had been made in its transmission and requesting that the recipients delete the e-mail addresses in question.

mass mailings in such a way that now two employees must review such shipments before they are sent to ensure that e-mail addresses are not made accessible. The incident will also be taken into account in regular training for employees.

Act no. 90/2018 and Article 6. Regulation (EU) 2016/679 or complies with the principles of privacy legislation.

II. Conditions and conclusion

1. Scope and guarantor

Scope of Act no. 90/2018 on personal data protection and the processing of personal data and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or should become part of a file.

identify him, directly or indirectly, with reference to his identity or one or more factors that are characteristic of him, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.

Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of this Regulation.

This case concerns the dissemination by the Directorate of Labor of the complainant's e-mail address by e-mail. In this respect and with regard to the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.

As such, the Directorate of Labor is considered to be responsible for the processing in question, cf. 6. tölul. Article 3 Act no. 90/2018 and point 7. Article 4 of the Regulation.

2. Conclusion

All processing of personal data must be covered by one of the authorization provisions of Art. Act no. 90/2018, Coll. Paragraph 1 Article 6 of Regulation (EU) 2016/679, and comply with all the principles of para. Article 8 of the Act, cf. Paragraph 1 Article 5 of the Regulation, which stipulates, inter alia, that personal data shall be processed in such a way that their appropriate security is ensured.

has an adequate authorization under the Privacy Act. In view of this, the processing did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.

As is the case here, it will not be considered that the Directorate of Labor was obliged to report the security breach to the Data Protection Authority, cf. Paragraph 2 Article 27 Act no. 90/2018, Coll. Paragraph 1 Article 33 of the Regulation. According to the answers of the Directorate of Labor, it is also clear that the Directorate has changed its procedures to try to prevent the same kind of security breach from recurring. Therefore, there is no reason to issue instructions to the Directorate in this regard.

90/2018 on personal protection and processing of personal information, cf. Regulation (EU) 2016/679.

In Privacy, 16 September 2021,

Helga Þórisdóttir
Valborg Steingrímsdóttir


    





















  