In a decision of 10 March 2022, the dispute resolution chamber of the Data Protection Authority (DPA) confirmed that sending an e-mail containing a former employee’s personal data to an official authority may constitute a breach of the principles of finality, data minimisation, integrity and confidentiality. The decision came in response to a complaint filed by a former employee against her former employer, who had mentioned and disclosed some of her personal data in an e-mail to the municipality and several former colleagues. The employer was reprimanded by the DPA.
The decision was adopted in the context of a conflict between an employer and his former employee. When the former employee was still employed by the employer, she committed an environmental infringement with her company car. The report of the infringement was first sent to the employer, who asked his employee to follow it up. The employee then reported her identity to the municipality and paid the administrative fine.
A year later, the employer received another payment request from the municipality for the same infringement, but for a considerably higher amount. By then the employee concerned was working elsewhere, so the employer was forced to inform the municipality that it was a former employee who had committed the infringement. In an e-mail to the municipality, the employer mentioned not only the name and address of the former employee concerned, but also her new professional e-mail address and her profession. Also attached to the e-mail was a draft letter that the employee concerned had previously intended to send to the municipality (which included, among other things, an admission of the offence). The employer had obtained this draft letter via a former colleague of the former employee who had helped her with the translation at that time. The e-mail in question was addressed to three different e-mail addresses of the municipality, with three employees of the employer and the former employee herself (both at her private e-mail address and at her new professional e-mail address) in copy.
The former employee raised serious questions about the employer’s way of working: had her former employer acted correctly in processing her personal data? She therefore filed a complaint with the DPA.
Defence of the employer
The employer argued that he had a legitimate interest in disclosing various personal data of the former employee. In particular, he argued that the purpose of the e-mail was to prevent the infringement being attributed to the wrong person. From this perspective, the employer found it necessary to disclose various personal data. Also, according to the employer, sending the e-mail to various e-mail addresses (both with regard to the municipality and with regard to three of his employees) was necessary to guarantee the follow-up of his file.
Assessment of the DPA
In examining the complaint, the DPA checked whether the various principles provided for in the General Data Protection Regulation (GDPR) were correctly complied with by the employer. The principles of legality, finality, data minimisation, but also integrity and confidentiality were checked.
Although the DPA considered the follow-up of “procedures, infringements and administrative fines” as a legitimate interest on the part of the employer, the DPA was at the same time of the opinion that the employer had overstepped the mark.
In particular, the DPA agreed that communicating the former employee’s residence and her personal e-mail address was necessary for the administrative processing of the file. However, using the new professional e‑mail address and mentioning the profession of the former employee was going too far. Also, the employer should have been more selective when choosing the recipients: the fact that the e-mail concerned was also sent to the general e-mail address of the municipality and to the former responsible person of the employee was found not to be correct by the DPA. Finally, the DPA decided that the employer had also gone too far in sending the letter in question that the former employee had prepared in the past: the former employee had shared this “confession” confidentially with her colleague at that time.
Reprimand for the employer
The DPA therefore ruled that the employer had been responsible for a breach of the General Data Protection Regulation. However, a fine was, according to the DPA, not an appropriate sanction, since the breach was clearly not intentional, but merely the consequence of a misjudgement by the employer. The DPA therefore limited itself to reprimanding the employer.
It remains important to always consider the general principles of the GDPR, even when the aim is to follow up an administrative or a procedural matter. When mentioning personal data in communications to third parties, always ensure that only the strictly necessary data are mentioned. Although the decision of the DPA concerned the disclosure by the employer of data about a former employee, in our opinion the considerations may also apply to the disclosure of personal data of employees who are still employed: caution is therefore required.