Must the Data Protection Agency be notified in case of an “internal” personal data breach?
The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.
A personal data breach must be notified to the Data Protection Agency within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected persons. If the breach is likely to result in a high risk to the affected persons' rights and freedoms, they must also be informed without undue delay. In this case, the Agency had to decide whether it was contrary to the GDPR that a municipality had neither notified the Agency nor informed the affected employee of a personal data breach.
Due to an error, the municipality had sent a letter regarding a contemplated dismissal via e-Boks, an online digital mailbox, to a co-worker of the employee whom the municipality was contemplating dismissing. The letter contained, among other things, health information and information on trade union membership. Once the municipality became aware of the error, it asked the co-worker, on the same day, to delete the letter, but it did not notify the Data Protection Agency or inform the affected employee of the personal data breach.
The co-worker told the affected employee about the incident approximately three months later. The employee contacted the municipality, which then communicated the personal data breach to the employee. The employee subsequently filed a complaint with the Data Protection Agency.
In its response to the complaint, the municipality stated, inter alia, that the reason why the municipality had not previously notified the Agency was that the municipality regarded the incident as being an internal mail to the wrong employee and that all of the municipality’s employees were subject to a duty of confidentiality.
An “internal” personal data breach may also, depending on the circumstances, constitute a risk
The Data Protection Agency initially made reference to its guidance on the handling of a personal data breach, which provides an example of an “internal” breach that does not necessarily require notification to the Agency. In this example, an HR employee mistakenly sends pay slips and employment contracts to the wrong, but highly trusted, employee who is immediately instructed to delete the documents received.
According to the Data Protection Agency, this case was not equivalent to the example stated in the guidance and the personal data breach should have been notified to the Agency. The Agency attached importance to the fact that the letter regarding contemplated dismissal was of a confidential staff-related nature and contained health information and information on the employee’s trade union membership. Such an incident posed a particular risk of loss of reputation and confidentiality for the employee.
The Data Protection Agency stated that a personal data breach involving such information must generally be notified to the Agency, unless special circumstances apply. This may, inter alia, be the case if the information has been sent to a highly trusted employee.
For the same reasons, the Data Protection Agency found that the municipality should have communicated the personal data breach to the employee. Since the employee was not informed until three months after the municipality became aware of the breach, and only after the employee had contacted the municipality, the municipality had failed to communicate the breach to the employee without undue delay.
The Data Protection Agency further found that the municipality had not met the GDPR's requirement of appropriate security measures, since it had failed to carry out appropriate checks of the contents of the documents and to ensure that the message was sent to the right recipient.
Overall, the Data Protection Agency therefore expressed criticism of the municipality’s handling of personal data.
Norrbom Vinding notes
- that the decision provides a concrete example from the realm of HR of when a personal data breach constitutes such a risk to the affected person(s) that the breach must be notified to the Data Protection Agency and communicated to the affected person(s); and
- that in these situations it is important that the employer evaluates the type of information involved in the personal data breach, to whom the information was (mistakenly) given and, finally, what risk the breach posed to the affected person(s).
The content above is not, and should not be taken as, a substitute for legal advice.