Persónuvernd (Iceland) - nr. 2020082238

From GDPRhub
Persónuvernd (Iceland) - nr. 2020082238
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Article 9(2)(f) GDPR
Type: Complaint
Outcome: Upheld
Decided: 30.09.2021
Published:
Fine: None
Parties: MAGNA Lögmenn (law firm)
National Case Number/Name: nr. 2020082238
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Icelandic DPA (in IS)
Initial Contributor: Florence D'Ath

The Icelandic DPA ruled that the disclosure, by a law firm, of an individual's sensitive personal data is unlawful when the law firm fails to demonstrate that such a disclosure was necessary for the defence of its client's legal claim under Article 9(2)(f) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

In the context of a legal dispute, Magna Lögmen - an Icelandic law firm - disclosed the personal data of an individual (the Complainant) by sending a formal notice to (i) the Complainant's private Gmail address, and to (ii) the general email address of a Municipality. Several documents were attached to this email as exhibits, including a copy of the Complainant's previous employment contract, in which information relating to the salary and trade union membership of the Complainant could be found.

The Complainant considered that, by sending this email, and in particular the copy of his previous employment contract, Magna Lögmen had disclosed sensitive personal data to the Municipality, and also to Google (the latter being the service provider of the Complainant's private email address).

On this basis, the Complainant filed a complaint against Magna Lögmen with the Icelandic DPA, arguing that Magna Lögmen had breached the applicable data protection law. Magna Lögmen argued, for its part, that the processing of the Complainant's personal data was lawful because (i) necessary for the purposes of the legitimate interests pursued by the client of Magna Lögmen (Article 6(1)(f) GDPR) and, as far as sensitive personal data were concerned, (ii) necessary for the establishment, exercise and defence of a legal claim (Article 9(2)(f) GDPR).

Holding[edit | edit source]

The Icelandic DPA, after reviewing the facts of the case and the applicable law, considered that Magna Lögmen was acting as a controller in the sense of the GDPR. In that respect, the Icelandic DPA pointed in particular that the law firm enjoyed a high level of independence and decision-making power when representing its client. In particular, the Icelandic DPA noted that the client did not specifically instruct the law firm as to how or why the personal data of the Complainant should be processed. As a result of this broad mandate, the Icelandic DPA concluded that Magna Lögmen should be considered as a 'controller' of the personal data, and was therefore responsible for the disclosure of the personal data.

Furthermore, given that the previous employment contract of the Complainant contained information relating to the trade union membership of the Complainant, the Icelandic DPA considered that sensitive personal data had been disclosed. The Icelandic DPA then recalled that the processing of sensitive personal data requires a specific legal basis under Article 9 GDPR.

As far as the lawfulness of such disclosure was concerned, the Icelandic DPA party upheld the claim of the Complainant. More particularly:

  • regarding the disclosure of the Complainant's personal data to Google: in the opinion of the Icelandic DPA, the fact that Magna Lögmenn sent the email to the private Gmail address of the Complainant does not amount to a disclosure of personal data to Google. Rather, the Icelandic DPA considered that the personal data were shared with the Complainant himself, regardless of the identity of the email service provider. Quite disappointingly, however, the Icelandic DPA did not specify why Google should not be considered as a recipient of the personal data because of the storage of such data by Google. Rather, the Icelandic DPA just pointed out the fact that such an action (i.e. the dissemination of data per email) could be contrary to data protection law insofar as data security is concerned. Since the Complainant had not made any specific claim in this respect, however, the Icelandic DPA did not review the compliance of such processing with provisions on data security and confidentiality;
  • regarding the disclosure of the personal data to the Municipality: the Icelandic DPA first agreed that, in general, parties to a legal dispute are given a broad margin of appreciation when determining which personal data is 'necessary' in order to resolve a legal dispute (cf. Article 9(2)(f) GDPR). Hence, the Icelandic DPA was of the opinion that the concept of necessity, within the meaning of the mentioned provision, must be broadly interpreted. The Icelandic DPA however also noted that Magna Lögmenn had not made any attempt to substantiate the need for disclosing a (non-redacted) copy of the previous employment contract of the Complainant to the municipality's, for the purpose of resolving the legal dispute between the law firm's client and the Complainant. Furthermore, the Icelandic DPA noted the fact that the Municipality itself had not been a party to the dispute.

Since nothing in the facts of the case indicated that the disclosure of the Complainant's sensitive personal data to the Municipality was necessary for the defense of the legal claim of Magna Lögmen's client, the Icelandic DPA came to the conclusion that such processing did not have any legal basis under Article 9 GDPR and was therefore unlawful.

Comment[edit | edit source]

An identical conclusion was reached by the Icelandic DPA in case nr. 2020082239 (identical facts, identical controller, different data subject). The original of decision nr. 2020082239 can be found here.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


                    Individuals FAQ complete FAQ electronic monitoring general privacy right to be forgotten right to information about their genotype What is processing? A new privacy legislation 2018Almennt the new legislation other interesting stuff educational booklet: Privacy children's booklet: Private youth booklet: public companies and administration asked and answered all the questions and answers electronic monitoring general privacy access right controllers, processors and vinnslusamningarÁbyrgðarskyldaVinnsluskrárNý Privacy legislation 2018FræðsluefniLög and reglurLög privacy rules and regulations other sacrificed rules and guidelines operating international and European law Solutions Solutions Reviews Licensing Various letters Privacy function Privacy News Mega political process personal data my campaign? How to process personal data in election campaigns? Staff and management for media requests for promotional events policy and gi ldiAnnual Reports201620152014201320122011201020092008200720062005200420032002200120001999Other ContentPrivacy PolicyLegal DisclaimerAccessibilityService DeskTwitterEnglishDecisions
             
                
    
    Enter keywords
    
    
      
    
    
  
  
                    SolutionsReviewsLicensingMiscellaneous letters
             
                
                
                                
            Search for solutions
            
        
                
            
                Year from:
                
            
            
                Year to:
                
            
        
                
            Search
        
    
    



    


    


    
      The law firm's disclosure of personal information did not comply with the law on personal data protection
      Case no. 2020082238
    

    

     
      
      
        9/30/2021
        
      
      
      
     

    

  

  

  
      The Data Protection Authority has ruled in a case concerning the disclosure of personal information about the complainant by Magna Lögmanna ehf., Incl. information on the complainant's trade union membership, on the complainant's e-mail address and on the general e - mail address of the municipality. In the ruling, the Data Protection Authority came to the conclusion that the law firm was considered to be responsible for the processing. In light of the fact that the law firm had not demonstrated the need to disseminate the information to the municipality, the conclusion of the Data Protection Authority was that neither the processing had been authorized under the data protection legislation nor that the conditions for processing sensitive personal data had been met. The processing would therefore not have complied with the legislation.

    

    
    Ruling On 22 September 2021, the Data Protection Authority issued a ruling in case no. 2020082238: I. Proceedings 1. Outline of the caseOn 27 August 2020, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about the processing of his personal information by Magna Lögmann ehf. The complaint was that the law firm had sent a letter of claim, along with supporting documents, to the complainant's personal email address at Gmail and to the municipality's general email address [X]. Among the supporting documents was an employment contract with the complainant's previous employer, which had stored personal information of a sensitive nature, ie. on the complainant's salary and the utilization of labor market measures by the Directorate of Labor. The employment contract had also included information on the complainant's trade union membership. The complaint was accompanied by a copy of the e-mail and the employment contract. By letter dated November 18, 2020, Magna Lögmönnar ehf. notified of the complaint and given an opportunity to comment on it. The law firm responded by letter dated. December 10, 2020. Among other things, it was stated in the law firm's reply letter that it considered itself to process personal information on behalf of its clients. In this respect, the Data Protection Authority informed Magna Lögmenn ehf., In a letter dated. 15 June 2012, that it was possible to consider the Office responsible for the processing in question and gave it the opportunity to comment again on the content of the complaint with that in mind. That letter was not answered by the law firm. All the above documents have been taken into account in resolving the case, although not all of them are specifically stated in the following ruling.2. The complainant's views party. First, the information was sent to his own Gmail email address. As a result, the personal information has fallen into the hands of Google, but it is uncertain what rights the company reserves regarding its use. Secondly, the personal information has been sent to the municipality's general e-mail address [X]. It cannot be seen that the employees of the municipality who had access to the e-mail address needed the information or that it had any significance for the resolution of the complainant's dispute with the client of Magna Lögmanna ehf. It is stated in the e-mail in question that a copy of it was sent to the municipality [X] for information.3. The views of Magna Lögmann ehf. to the Data Protection Authority, dated December 10, 2020, describes the law firm's general procedures for handling personal information. It states, among other things, that it follows from its role vis-à-vis clients that all measures to safeguard the interests of a particular client, incl. measures concerning the processing of personal data for the benefit of such advocacy, are made on behalf of the client and in accordance with his instructions to the relevant lawyer of the law firm. Magna Lögmenn ehf. is not authorized to process personal information provided by the principal to the Office in any other way than as a result of the decisions made by the principal regarding the disposition of his interests. Accordingly, the law firm does not make any independent decisions on the processing of personal information about third parties in connection with the protection of the interests of clients, in the sense of point 6. Article 3 Act no. 90/2018 on personal protection and the processing of personal information. The letter also states that the processing of Magna Lögmanna ehf. with personal information about a third party, in connection with safeguarding the interests of the law firm's clients, is generally based on an authorization according to point 6. Article 9 Act no. 90/2018. The processing of sensitive personal information fulfills the conditions of point 6. Paragraph 1 Article 11 of the Act. Magna Lögmenn ehf. considers that in assessing whether certain processing of personal data is necessary in order to safeguard the legitimate interests of clients and in order to establish, maintain or defend legal claims, consideration must be given to what legal remedies are available for this purpose at any given time and what their probable results are. in each case. However, the scope for processing personal information in connection with legal disputes is not unrestricted. Some caution must be exercised in assessing the need for specific processing that takes place in connection with the resolution of the dispute, so that the possibilities for the parties to defend their interests and follow up on claims will not be considered.II.Conditions and conclusion that Magna Lögmenn ehf. has provided personal information about the complainant to the general e-mail address of the municipality [X] by e-mail and, on the other hand, that the law firm has sent the same personal information to the complainant's e-mail address and thus to the service provider, ie. The company that hosts the e-mail address, which is Google in this case. In the opinion of the Data Protection Authority, it cannot be considered that Magna Lögmenn ehf. has, through the above conduct, disclosed personal information to Google, despite the fact that the complainant uses the company's e-mail service. It will therefore be assumed that the personal information about the complainant in this case was shared with him, as it was his personal e-mail account, regardless of which service provider he used. When disseminating personal information by e-mail, however, the rules of the Data Protection Act on information security may be challenged.2 Scope - Responsible Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or should become part of a file. identify him, directly or indirectly, with reference to his identity or one or more factors that are characteristic of him, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation. Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation. As stated earlier, the resolution of this case relates to the mediation of Magna Lögmanna ehf. on the complainant's personal information to the municipality [X] by e-mail. In this respect and with regard to the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority. The person responsible for the processing of personal data complies with Act no. 90/2018 and Regulation (EU) 2016/679 is called the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. In delimiting liability according to the cited provision, provisions in other laws may need to be considered. In the second paragraph. Article 21 Act no. 77/1998 on lawyers, there are provisions on measures that lawyers are authorized on behalf of their clients. The provision states that unless otherwise demonstrated, the power of attorney of a party to a lawyer includes the authority to do anything that may be considered normal to protect the interests in court. Within those limits, the client is bound by the lawyer's measures, even if he goes beyond the authorization granted to him by the client. The Data Protection Authority considers it clear from the cited provisions of Act no. 77/1998 that lawyers are given scope for independence and decision-making on measures in the interest of protecting the interests of their clients. As a result, lawyers may need to make decisions about the methods and purpose of processing personal information, e.g. on the other party. In delimiting responsibility for the processing of personal data, reference should also be made to the guidelines of the European Data Protection Council no. 07/2020, Coll. point e of the first paragraph. Article 70 Regulation (EU) 2016/679. The guidelines discuss, among other things, when a person who works with personal information is considered a responsible party and when he or she can be considered a processing party, based on the parties' roles and position, decision-making, expertise and other matters that may be relevant. Article 27 of the guidelines mentions, for example, that a law firm may need to process personal information in connection with advocacy in disputes. The basis for processing is the power of attorney that does not specifically concern the processing of personal information. The law firm is largely independent in its work, such as in deciding which personal information is used, without the client's instructions on how processing should be arranged. Processing takes place for the benefit of the law firm's role as the client's advocate and is therefore related to its active role. Consequently, the law firm should be considered the responsible party for the processing of personal information in connection with litigation. From the answers of Magna Lögmanna ehf. it can be assumed that the law firm considers its client responsible for the processing of personal information that is being discussed in the case. However, the law firm has not shown that a decision on the processing was made by its client, e.g. by submitting a production contract or other written instructions on the processing for confirmation. The Data Protection Authority therefore considers that it must be assumed that the processing was carried out by virtue of the law firm's independence and its authority for its own decision - making in the interest of safeguarding the client's interests. The processing was in the interest of the law firm's role as the client's advocate and was thus linked to its active role. The answers of Magna Lögmanna ehf. but that the processing of personal information, in the interest of safeguarding the interests of its clients, is carried out by the law firm and not by individual lawyers. Accordingly, it will not be assumed that individual lawyers of the law firm are considered responsible parties within the meaning of point 6. Article 3 Act no. 90/2018, Coll. 7. tölul. Article 4 of all the above prestigious, Magna Lögmenn ehf. responsible for the processing of personal information that is discussed here, according to point 6. Article 3 Act no. 90/2018, Coll. 7. tölul. Article 4 of the Regulation.3. Legality of processing All processing of personal data must be covered by one of the authorization provisions of Art. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. In addition, the processing of sensitive personal data must comply with one of the additional conditions of the first paragraph. Article 11 of the Act, cf. Paragraph 2 Article 9 of the Regulation. According to item a of point 3. Article 3 of the Act, information on membership in a trade union is considered sensitive, but from the complaint and its supporting documents, it can be concluded that Magna Lögmenn ehf. has provided information on the complainant's trade union membership, which appeared in his employment contract with the guarantor's employer, to the municipality [X]. Furthermore, the processing of personal information must always be in accordance with the principles of the first paragraph. Article 8 of the Act and the first paragraph. Article 5 of the Regulation, which relate, among other things, to the processing of personal data in a lawful, fair and transparent manner towards the data subject, cf. 1. tölul. of the legal provision and point a of the regulatory provision. The responsible party is responsible for ensuring that the processing of personal information always complies with the principles and shall be able to demonstrate this, cf. Paragraph 2 Article 8 of the Act and para. Article 5 of the Regulation. On behalf of Magna Lögmanna ehf. is based on the fact that the processing of personal information is necessary for the law firm in the interest of safeguarding the interests of its clients. According to point 6. Article 9 Act no. 90/2018 and item f of the first paragraph. Article 6 of Regulation (EU) 2016/679, personal data may be processed if this is necessary due to the legitimate interests of the responsible party or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh. The processing of sensitive personal information is permitted if it is necessary to establish, maintain or defend legal claims, according to point 6. Paragraph 1 Article 11 of the Act and item f of the second paragraph. Article 9 of the Regulation. Magna Lögmenn ehf. considers that the processing in question was permitted on the basis of the above provisions, provided that it fulfilled their conditions, including necessity. In the opinion of the Data Protection Authority, it can be agreed that the parties to disputes are given scope to assess which personal information is necessary to work with in order to resolve legal disputes and in what way. The concept of necessity, within the meaning of the above provisions, must therefore be broadly explained when personal information is processed for that purpose. Article 8 Act no. 90/2018 and the second paragraph. Article 5 Regulation (EU) 2016/679 means that the responsible party must be able to demonstrate the legitimacy of processing, e.g. á m. that it relies on appropriate processing authorizations. This means that the responsible party must be able to demonstrate that all the conditions of a specific processing permit are met, including the need for processing. In this connection, e.g. to the ruling of the Data Protection Authority from 2 June 2021 in case no. 2020061849. Magna Lögmenn ehf. has not made any attempt to substantiate the need for the processing of personal data under discussion here, ie. their dissemination to the municipality's general e-mail address [X], for the purpose of resolving the legal dispute between the law firm's client and the complainant. It is also to be considered that it appears in the e-mail of Magna Lögmanna ehf. that a copy of it has been sent to the municipality for information. In the opinion of the Data Protection Authority, this presentation does not indicate that the mediation was necessary for the purpose of resolving the legal dispute between the law firm's client and the complainant. There is also no evidence that the municipality was involved in the dispute. With reference to the above, it cannot be seen that the processing of personal information that is discussed here was necessary for the resolution of a legal dispute by the client of Magna Lögmann ehf. and the complainant. It follows that there is no reason to accept that the processing in question was Magna Lögmönnar ehf. permitted according to point 6. Article 9 Act no. 90/2018 and item f of the first paragraph. Article 6 of Regulation (EU) 2016/679 nor that the conditions of point 6 have been met. Paragraph 1 Article 11 of the Act and item f of the second paragraph. Article 9 of the Regulation, in so far as it concerned the dissemination of information on the complainant's trade union membership. For that reason alone, it is the conclusion of the Data Protection Authority that the processing was not in accordance with Act no. 90/2018 and Regulation (EU) 2016/679. In view of this conclusion, it is not examined whether the processing has complied with the principles of the first paragraph. Article 8 Act no. 90/2018 and the first paragraph. Article 5 Regulation (EU) 2016/679, i.a. whether the disclosure of sensitive personal information by e-mail has fulfilled the requirement of point 6. of the legal provision and item f of the regulatory provision that personal information shall be processed in such a way that its appropriate security is ensured. on personal information about [A], which consisted of disseminating it to the general e-mail address of the municipality [X], did not comply with Act no. 90/2018, on personal protection and processing of personal information, and Regulation (EU) 2016 / 679. Ólafur Garðarsson ChairmanBjörn Geirsson Vilhelmína HaraldsdóttirÞorvarður Kári Ólafsson


    





















  
                    Privacy PolicyLegal DisclaimerAccessibilityService DeskTwitter