Workplace privacy: Employers should consider carefully before sharing information about the reason their employees have left

A private company has been referred for a fine of DKK 150.000 by the Danish Data Protection Agency for sharing information about alleged criminal offenses in relation to its former employee.

In Denmark, contrary to some other European countries, the national data supervisory authority cannot issue administrative fines for violations of the common European rules in the General Data Protection Regulation (GDPR). In Denmark, fines must ultimately be decided by the courts and the Danish Data Protection Agency therefore has reported the company to the police and put forward, in this case, a proposed fine of DKK 150.000. It is then up to the prosecution authority to bring charges and conduct the case by the relevant court. 

In this case, the company had informed a number of its customers by e-mail that the former employee had committed alleged criminal offenses during employment and as a result had been dismissed from the company.

In its assessment of the nature of the information shared the Danish Data Protection Agency emphasized how the recipients had to consider the information to be true because of the detailed descrip-tion of the alleged criminal offense contained in the e-mail. However such information could only be passed on if there was a legal basis to do so pursuant to section 8(4), cf. subsection 3 of the Danish Data Act. 

The Danish Data Protection Agency concluded that the company had a legitimate interest in passing on information about the dismissal of the former employee to its customers and in informing the customers that the employee could thus not enter into agreements on behalf of the company. 

However the more detailed descriptions of the criminal charges against the former employee were not necessary to fulfill this objective and hence the sharing of such detailed information with customers was unlawful according to the Danish Data Protection Agency.

The Court has yet to decide on this matter. 

This case does align with former practice of the Danish Data Protection Agency.

In a similar case from 2021, the Danish Data Protection Agency proposed a fine of DKK 400.000 to another private company.

In that case the Court found that the company had unjustifiably disclosed details about criminal offenses concerning a former employee to two of its customers. The e-mails from the company to the customers stated that the employee had been fired with immediate effect and reported to the police for fraud. The e-mails also included a detailed description of the manner in which the fraud had taken place according to the company. 

The Court found that the disclosure of special categories of personal data constituted a violation and that the disclosure was intentional. Further, the Court emphasized that it likely affected the work opportunities of the employee in the local area.

The Court, however, decided to lower the proposed fine to DKK 100.000. The Court stressed that emphasis should be placed on the fact that this was a first-time breach of the data protection regula-tion. Further, the case only concerned disclosure of information relating to one person, the infor-mation had only been passed on to two business partners, and the company had a legitimate interest in informing their business partners that the employee was no longer employed by the company. 

The Court found that the disclosure of information of criminal circumstances was non-compliant with the obligation to minimize data.

Both these cases are good examples of private companies not having in place sufficient systems and awareness regarding the rules by which the sharing of grounds on which an employee is dis-missed may be given. This applies not only to (alleged) criminal offenses, but also to other reasons for employee resignation, especially if sensitive or confidential information is involved.

Our employment and data protection team advise clients on all aspects of employment and labour law issues, as well as the GDPR and local data privacy legislation. We provide legal advice to Scandinavian and international corporations, as well as private and public entities and individuals. We have extensive experience in assisting clients in dismissals, terminations, employment disputes and worklife data privacy.

Do you have questions related to employment and data protection? Contact us to hear more about your options.