Persónuvernd (Iceland) - 2021061419
|Persónuvernd (Iceland) - 2021061419
|Article 5 GDPR
Article 6 GDPR
Article 33 GDPR
|Directorate of Labor of Iceland
|National Case Number/Name:
|European Case Law Identifier:
|Icelandic DPA (in IS)
The Icelandic DPA ruled that disclosing by mistake the email addresses of recipients of a bulk email was contrary to the GDPR. Given however that the controller took corrective measures to prevent such incident from happening again, no fine was imposed.
English Summary[edit | edit source]
Facts[edit | edit source]
On June 24, 2021, the Icelandic DPA received a complaint from [A] (hereinafter the Complainant) about the fact that his email address had been disclosed by the Directorate of Labour in the 'cc' section of an email sent to hundreds of individuals (hereafter, the bulk email). The bulk email in question concerned the resumption of applications for quarantine payments in the context of the COVID-19 pandemic.
The fact that the email addresses of the recipients were visible to other recipients of the bulk email was the result of a human error. The next day, the Directorate of Labor apologized for this error and took measures to prevent such incident from happening again. In particular, the Directorate of Labor reviewed and changed the procedures for mass mailings, so that two employees must now review such emails before they are sent, in order to ensure that personal data are not disclosed by errors. Furthermore, the Directorate of Labor decided to adapt the regular training of its employees so that it would include information on how to prevent such incidents from taking place.
Holding[edit | edit source]
The Icelandic DPA ruled that the disclosure, by the Directorate of Labor, of the Complainant's e-mail address to other recipients of the bulk email was not compliant with the Icelandic data protection law or the GDPR. However, taking into account the fact that it was the result of a human error, given that the Directorate of Labor took corrective measures to prevent such incident from happening again, the Icelandic DPA decided not to impose any fine.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.