Persónuvernd (Iceland) - nr. 2020123070

From GDPRhub
Persónuvernd (Iceland) - nr. 2020123070
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Rejected
Decided: 26.11.2021
Fine: None
Parties: n/a
National Case Number/Name: nr. 2020123070
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Icelandic DPA (in IS)
Initial Contributor: Florence D'Ath

The Icelandic DPA rejected a data subject's claim that their employer failed to comply with an access request they made, because of a lack of evidence of a breach and the fact that labour law should be applied instead of data protection law.

English Summary


In 2017, an employee (the Complainant) had been subject to a formal reprimand by his employer (the Company), but had allegedly not been informed about it. Two years later, after being subject to a second reprimand, the Complainant learned about the first formal reprimand against him, and orally requested the Company to provide him with a written copy of it. The Company, however, did not provide him with a written copy of the first reprimand.

In that context, the Complainant filed a complaint with the Icelandic DPA against the Company, arguing that the Company had never provided him with a copy of the first formal reprimand against him, despite his (alleged) oral request. The Complainant considered in particular that the Company had acted in violation of the principle of transparency and fairness set in Article 5(1)(a) GDPR, and of his right to access set in Article 15 GDPR.

In the course of the proceedings, the Company argued that the Complainant had never personally requested a copy of the reprimand, but that his union had done so in January 2021. The Company further explained to the Icelandic DPA that it had complied with that request on the same day, providing as evidence a copy of the e-mail communication between the Company and the union.


Regarding the potential violation of Article 5(1)(a) GDPR, the Icelandic DPA considered that the question whether the Company should have more diligently informed the Complainant about the first reprimand was a matter of labour law rather than a matter of data protection law. Hence, the Icelandic DPA declared itself incompetent to assess whether the (absence of) communication of the first reprimand to the Complainant was violating the principle of transparency and fairness.

Regarding the potential violation of Article 15 GDPR, the Icelandic DPA noted that the Company was disputing the fact that the Complainant had ever submitted an oral request for receiving a written copy of the first reprimand. The Complainant, for his part, was unable to demonstrate that such oral request was ever made. In view of the situation (i.e. the Complaint's word against the Company's word), the Icelandic DPA decided that it was not in a position to appreciate whether there had been a violation of Article 15 GDPR on the part of the Company.

As a result, the Icelandic DPA did not find any violation of the applicable data protection law and closed the case.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

                    Individuals FAQ complete FAQ electronic monitoring general privacy right to be forgotten right to information about their genotype What is processing? A new privacy legislation 2018Almennt the new legislation other interesting stuff educational booklet: Privacy children's booklet: Private youth booklet: public companies and administration asked and answered all the questions and answers electronic monitoring general privacy access right controllers, processors and vinnslusamningarÁbyrgðarskyldaVinnsluskrárNý Privacy legislation 2018FræðsluefniLög and reglurLög privacy rules and regulations other sacrificed rules and guidelines operating international and European law Solutions Solutions Reviews Licensing Various letters Privacy function Privacy News Mega political process personal data my campaign? How to process personal data in election campaigns? Staff and management for media requests for promotional events policy and gi ldiAnnual Reports201620152014201320122011201020092008200720062005200420032002200120001999Other ContentPrivacy PolicyLegal DisclaimerAccessibilityService DeskTwitterEnglishDecisions in EnglishContactLearningTo reportTopic
    Enter keywords
                    SolutionsReviewsLicensingMiscellaneous letters
            Search for solutions
                Year from:
                Year to:



take a position on a complaint regarding access to personal information - complaint above
lack of reprimand information dismissed
      Case no. 2020123070






      Privacy received a complaint about processing
of a company at the request of an individual who had worked for the company for access
to a reprimand that should have been given to him. In addition, it was complained about
that the employee had not received information about the reprimand until about two
years after it was supposed to have been granted. Privacy dismissed that part
of the complaint that the employee had not been notified
the reprimand, in view of the fact that there were issues of employment law that were not
fell within the scope of the Privacy Act and the authority of the agency.Where the employee and the company
did not agree on whether the complainant had made an oral request for access to
their personal information or not, the Data Protection Authority did not consider itself to have grounds
to take a position on whether the complainant's rights have been violated
in this respect.


    Ruling On November 11, 2021, the Data Protection Authority announced
the following ruling in case no. 2020123070: I. Proceedings On December 14, 2020, the Data Protection Authority received
complaint [A] (hereinafter referred to as the complainant) which related to it
that [X] had not shown him or provided him
a copy of a written reprimand that the company had given him in 2017, to
in accordance with his request.By letter, dated. June 10, 2021, informed
Privacy [X] on the complaint and granted the company
opportunity to comment on it. Answered
was on behalf of the company's lawyer by letter dated. 22. s.m. In the letter comes
among other things, stated that the complainant had never requested a copy of the reprimand
but that was what his union did on January 14, 2021 and
the company complied with that request on the same day. The letter was accompanied by a copy
e-mail communication between the company and the union to confirm this. By letter dated June 26, 2021, var
the complainant invited to comment on answers [X]. The complainant replied by letter dated
July 15, s.á. The letter states, among other things, that the complainant had on 11 March
2020 presented his request orally, following another reprimand to him
had been granted on the same day. The letter also states that the complaint concerns in particular
that the complainant had first been informed of the warning from 2017
more than two years after it was supposed to have been granted and to the complainant
considers that it is contrary to the principle of privacy law on transparency and
fairness in the processing of personal information.II.Conclusion The Data Protection Authority considers that this must be considered
This case concerns, first of all, the fact that the complainant did not receive information
on a written reprimand that should have been given to him in 2017 by [X]. At that time were in force
Act no. 77/2000 on personal protection and handling of personal information that applied to
any electronic processing of personal data and manual processing
personal information were or were to become part of a register, cf. Paragraph 1 Article 3
of the Act.In the opinion of the Data Protection Authority should be proposed
grounds that this subject of the complaint is in fact related to whether the complainant has
has been given a reprimand by [X] and is in that respect an issue of labor law, but does not protect sources
employer to record personal information about its employees. Privacy
points out that the publication of the reminder may have significance in terms of value
its resolution, but resolution on that issue does not fall under Privacy. Like
the complaint is presented, it will not be seen that it concerns processing
personal information that fell within the scope of Act no. 77/2000 as it was
delimited in the first paragraph. Article 3 their. As a result, its solution falls outside
jurisdiction of the Data Protection Authority according to para. Article 37 of the Act, cf. now the second paragraph. 39.
gr. Act no. 90/2018, and should accordingly dismiss this issue. This case concerns, secondly, the statement
complainant that [X] had not complied with his request for access to the reprimand in question as
he claims to have presented on 11 March 2020. Act no.
90/2018, on personal protection and the processing of personal information, which prescribes rights
registered individuals for access to their own personal information from
guarantors, cf. Paragraph 2 Article 17 of them, cf. also Article 15. of the Regulation
(EU) 206/679 which was implemented by law. The right of access includes
to obtain a copy of the personal information held by the responsible party
processing, cf. Paragraph 3 of the Regulation. The party shall discuss whether the complainant has
on 11 March 2020 submitted a request for access to the reprimand in question, but
according to the complainant, the request was made orally. According to it stands a word
against word on this point. The Data Protection Authority therefore has no grounds to take
a position on whether [X] has violated the complainant's right of access according to Act no. 90/2018
and Regulation (EU) 2016/679. Then it will not be seen that it is possible to investigate it further
with the remedies that the Data Protection Authority has by law, or that there is reason to do so
that the agency exercise the powers conferred on it by law
to investigate it further. In this connection, however, the Data Protection Authority points out that
According to the case file, the complainant has now received a copy of the reprimand in question
from [X]. for use
of his trade union
the part of [A]'s complaint that [X] did not notify him of a written reprimand given to him
in 2017.Not lying
for [X] having violated [A]'s right to access the reprimand in question according to Act no. 90/2018 um
privacy and processing of personal data and Regulation (EU) 2016/679. Helga Þórisdóttir Helga
Sigríður Þórhallsdóttir


                    Privacy PolicyLegal DisclaimerAccessibilityService DeskTwitter