Must the Data Protection Agency be notified in case of an “internal” personal data breach?

The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.

Norrbomvinding 10237

A personal data breach must be notified to the Data Protection Agency within 72 hours, unless the breach is unlikely to result in a risk to the rights of the affected persons. If there is a high risk to the affected persons’ rights, they must be informed without undue delay. In this case, the Agency had to decide if it was in conflict with the GDPR that a municipality did not notify the Agency or inform the affected employee of a personal data breach.

Due to an error, the municipality had sent a letter regarding contemplated dismissal via e-Boks, which is an online digital mailbox, to a co-worker of the employee that the municipality was contemplating dismissing. The letter contained, among other things, health information and information on trade union membership. Once the municipality became aware of the error, the municipality immediately asked – and on the day of the error occurring – the co-worker to delete the letter, but the municipality did not notify the Data Protection Agency or inform the affected employee of the personal data breach.

The co-worker told the affected employee about the incident approx. 3 months later. The employee contacted the municipality which then communicated the personal data breach to the employee. After that, the employee filed a complaint to the Data Protection Agency.

In its response to the complaint, the municipality stated, inter alia, that the reason why the municipality had not previously notified the Agency was that the municipality regarded the incident as being an internal mail to the wrong employee and that all of the municipality’s employees were subject to a duty of confidentiality.

An ”internal” personal data breach may also, depending on the circumstances, constitute a risk
The Data Protection Agency initially made reference to its guidance on the handling of a personal data breach, which provides an example of an “internal” breach that does not necessarily require notification to the Agency. In this example, an HR employee mistakenly sends pay slips and employment contracts to the wrong, but highly trusted, employee who is immediately instructed to delete the documents received.

According to the Data Protection Agency, this case was not equivalent to the example stated in the guidance and the personal data breach should have been notified to the Agency. The Agency attached importance to the fact that the letter regarding contemplated dismissal was of a confidential staff-related nature and contained health information and information on the employee’s trade union membership. Such an incident posed a particular risk of loss of reputation and confidentiality for the employee.

The Data Protection Agency stated that a personal data breach involving such information must generally be notified to the Agency, unless special circumstances apply. This may, inter alia, be the case if the information has been sent to a highly trusted employee.

For the same reasons, the Data Protection Agency found that the municipality should have communicated the personal data breach to the employee, and since such information had not been given to the employee until three months after the municipality became aware of the breach – and also after the employee had contacted the municipality – the municipality had failed to communicate the breach to the employee without undue delay.

The Data Protection Agency further found that the municipality had not met the requirement of appropriate security measures based on its failure to carry out appropriate checks on the contents of the documents and to ensure that the email was sent to the right recipient.

Overall, the Data Protection Agency therefore expressed criticism of the municipality’s handling of personal data.

Norrbom Vinding notes

  • that the decision provides a concrete example from the realm of HR of when a personal data breach constitutes such a risk to the affected person(s) that the breach must be notified to the Data Protection Agency and communicated to the affected person(s); and
  • that in these situations it is important that the employer evaluates the type of information involved in the personal data breach, to whom the information was (mistakenly) given and, finally, what risk the breach posed to the affected person(s).

The content of the above is not, and should not be a substitute for legal advice.

More about the subject