Persónuvernd (Iceland) - nr. 2020082238
Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Article 9(2)(f) GDPR
MAGNA Lögmenn (law firm)
Icelandic DPA (in IS)
The Icelandic DPA ruled that the disclosure, by a law firm, of an individual's sensitive personal data is unlawful when the law firm fails to demonstrate that such a disclosure was necessary for the defence of its client's legal claim under Article 9(2)(f) GDPR.
English Summary
Facts
In the context of a legal dispute, Magna Lögmenn - an Icelandic law firm - disclosed the personal data of an individual (the Complainant) by sending a formal notice to (i) the Complainant's private Gmail address, and to (ii) the general email address of a Municipality. Several documents were attached to this email as exhibits, including a copy of the Complainant's previous employment contract, in which information relating to the salary and trade union membership of the Complainant could be found.
The Complainant considered that, by sending this email, and in particular the copy of his previous employment contract, Magna Lögmenn had disclosed sensitive personal data to the Municipality, and also to Google (the latter being the service provider of the Complainant's private email address).
On this basis, the Complainant filed a complaint against Magna Lögmenn with the Icelandic DPA, arguing that Magna Lögmenn had breached the applicable data protection law. Magna Lögmenn argued, for its part, that the processing of the Complainant's personal data was lawful because it was (i) necessary for the purposes of the legitimate interests pursued by the client of Magna Lögmenn (Article 6(1)(f) GDPR) and, as far as sensitive personal data were concerned, (ii) necessary for the establishment, exercise and defence of a legal claim (Article 9(2)(f) GDPR).
Holding
The Icelandic DPA, after reviewing the facts of the case and the applicable law, considered that Magna Lögmenn was acting as a controller in the sense of the GDPR. In that respect, the Icelandic DPA pointed out in particular that the law firm enjoyed a high level of independence and decision-making power when representing its client. In particular, the Icelandic DPA noted that the client did not specifically instruct the law firm as to how or why the personal data of the Complainant should be processed. As a result of this broad mandate, the Icelandic DPA concluded that Magna Lögmenn should be considered as a 'controller' of the personal data, and was therefore responsible for the disclosure of the personal data.
Furthermore, given that the previous employment contract of the Complainant contained information relating to the trade union membership of the Complainant, the Icelandic DPA considered that sensitive personal data had been disclosed. The Icelandic DPA then recalled that the processing of sensitive personal data requires a specific legal basis under Article 9 GDPR.
As far as the lawfulness of such disclosure was concerned, the Icelandic DPA partly upheld the claim of the Complainant. More particularly:
- regarding the disclosure of the Complainant's personal data to Google: in the opinion of the Icelandic DPA, the fact that Magna Lögmenn sent the email to the private Gmail address of the Complainant does not amount to a disclosure of personal data to Google. Rather, the Icelandic DPA considered that the personal data were shared with the Complainant himself, regardless of the identity of the email service provider. Quite disappointingly, however, the Icelandic DPA did not specify why Google should not be considered as a recipient of the personal data because of the storage of such data by Google. Rather, the Icelandic DPA just pointed out the fact that such an action (i.e. the dissemination of data by email) could be contrary to data protection law insofar as data security is concerned. Since the Complainant had not made any specific claim in this respect, however, the Icelandic DPA did not review the compliance of such processing with provisions on data security and confidentiality;
- regarding the disclosure of the personal data to the Municipality: the Icelandic DPA first agreed that, in general, parties to a legal dispute are given a broad margin of appreciation when determining which personal data is 'necessary' in order to resolve a legal dispute (cf. Article 9(2)(f) GDPR). Hence, the Icelandic DPA was of the opinion that the concept of necessity, within the meaning of the mentioned provision, must be broadly interpreted. The Icelandic DPA however also noted that Magna Lögmenn had not made any attempt to substantiate the need for disclosing a (non-redacted) copy of the previous employment contract of the Complainant to the Municipality for the purpose of resolving the legal dispute between the law firm's client and the Complainant. Furthermore, the Icelandic DPA noted the fact that the Municipality itself had not been a party to the dispute.
Since nothing in the facts of the case indicated that the disclosure of the Complainant's sensitive personal data to the Municipality was necessary for the defence of the legal claim of Magna Lögmenn's client, the Icelandic DPA came to the conclusion that such processing did not have any legal basis under Article 9 GDPR and was therefore unlawful.
Comment
An identical conclusion was reached by the Icelandic DPA in case nr. 2020082239 (identical facts, identical controller, different data subject). The original of decision nr. 2020082239 can be found here.
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.