On 22 September 2021, the Icelandic data protection authority (“Persónuvernd“) issued a ruling against a law firm, Magna Lögmanna ehf (“Magna“), in which it determined that the law firm’s disclosure of complainant’s personal data to the general e-mail address of an Icelandic municipality did not comply with GDPR.
The complainant was in a dispute with a client of Magna, the law firm. Magna sent to the municipality an e-mail containing a couple of attachments, including a copy of the complainant’s previous employment agreement. Information relating to the salary and trade union membership of the complainant was included in the agreement.
The parties’ view
The complainant argued that Magna disclosed sensitive personal data, about his salary and trade union membership, to both the municipality and Google (since Google was the complainant’s e-mail service provider). This way, as the complainant claims, the information became available to: (i) the employees of the municipality, without proof that those who had access to the general e-mail address of the municipality needed the information, or that the employment agreement had any significance for the resolution of the complainant’s dispute with the client of Magna; and to (ii) Google.
Magna’s position was that e-mail was sent on behalf of Magna’s client and in accordance with client’s instructions, so the client – and not Magna – was the data controller. The law firm did not make any independent decisions on the processing of personal information about third parties in connection with the protection of the interests of clients. In addition, Magna claimed, the processing of the complainant’s data was in connection with safeguarding the interests of the law firm’s client, and the legal basis for such processing was the legitimate interests pursued by the a third person (client) (Article 9(6) of the Act on Data Protection and the Processing of Personal Data). As for the processing of sensitive personal data, it met the conditions of Article 11(1)(6) of the same Act (the processing is necessary for the establishment, exercise or defence of legal claims).
Law firm acts with a significant degree of independence – ergo data controller
Persónuvernd concluded that Magna was a data controller because: (i) the law firm enjoys a high level of independence and decision-making power when representing its client; (ii) Magna’s client did not specifically instruct the law firm as to how or why the personal data of the complainant should be processed. As the data controller, Magna, and not its client, is responsible for the disclosure of personal data.
To back-up this conclusion, Persónuvernd invoked the Guidelines of the European Data Protection Board no. 07/2020 which say that a law firm typically acts with a significant degree of independence, for example in deciding what personal data to use and how to use it, without receiving the client’s instructions regarding the personal data processing. The processing takes place in the fulfilment of the law firm’s task as legal representative for the client. Therefore, a law firm is typically a data controller.
If processing is not necessary for the purposes of the legitimate interests, GDPR Art. 6(1)(f) is unavailable
Having in mind that the employment agreement contained sensitive personal data (information about the complainant’s trade union membership), Magna had to meet one of the conditions of under Article 9(2) of the GDPR (Article 11(1) of the Icelandic Act on Data Protection and the Processing of Personal Data). However, Magna failed to prove that disclosure of sensitive data to the municipality was necessary for defence of the client’s legal claims, which is an applicable condition under Article 9(2)(f) of GDPR (Article 11(1)(6) of the Icelandic Act).
Therefore, as Persónuvernd concluded, there was no reason to accept that the processing in question was lawful according to Article 6(1)(f) of GDPR (Article 9(6) of the Icelandic Act) (processing necessary for the purposes of the legitimate interests pursued by the controller or a third person, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject). Persónuvernd did not go into weighing the interests pursued by the controller or the third person against the interests or fundamental rights and freedoms of data subject, because the previous condition for applicability of GDPR Article 6(1)(f) (Article 9(6) of the Icelandic Act) – necessity of the processing – was not fulfilled.
Persónuvernd did not consider that sending e-mail to complainant’s e-mail address amounted to disclosure of the personal data to Google, but rather to sharing of personal data with the complainant himself.
Conclusion
The decision of the Icelandic data protection authority confirms the position expressed by the EDPB that law firms act as data controllers when the client provides personal data but does not give specific instructions to the law firm regarding the processing of personal data. For the processing of sensitive data on the part of the law firm to be lawful, the disclosure of such data has to be necessary for the purpose of resolving client’s dispute.
[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU and EFTA member states may therefore serve as an instructive guidance for compliance with local regulations.]