Details:

Summary The Danish DPA ( Datatilsynet) has imposed a fine of EUR 53,800 on Nordbornholms Byggeforretning Aps.

In 2018, the DPA was contacted by a data subject who complained that his former employer Nordbornholms Byggeforretning ApS, had disclosed information about him to the company’s customers.

The controller had emailed two of the company’s customers informing them that the former employee had committed crimes in the course of employment and had admitted to committing them, as well as describing in detail the alleged course of events.

According to the DPA, the controller in such a case had a
legitimate interest in disclosing information about the former employee’s dismissal to its customers and in informing the customers that, as a result, the employee could not enter into any contracts on behalf of the company. However, such a detailed description of the allegations was not necessary and thus unlawful.
Link: link
Related articles:  Art. 5 GDPR, Art. 6 GDPR
Type: Insufficient legal basis for data processing
Fine: EUR 53,800
Sector Employment

 

All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/

Tags: case law