Company spilled the tea and got reported to the police
Clients and business partners may start raising questions when an employee suddenly is absent due to leave or termination. However, information on sick leave or a reason for termination is often sensitive or confidential data. The Danish Data Protection Agency has confirmed just that in a new case, where it ended up reporting a company to the police and proposing a fine of DKK 150,000.
After being summarily dismissed, a previous employee submitted a complaint to the Danish Data Protection Agency against the company. The complaint came after the company had shared details about an alleged criminal offense committed by the employee.
Several clients had received an e-mail from the company describing how the employee had committed a criminal offense during the employment. The description was so detailed that the clients had no choice but to assume that the story was true. Moreover, the company also shared how it had summarily dismissed the employee due to the actions.
Less is more
It can be entirely legitimate to share that an employee is no longer employed. Companies may consider it necessary to share the information to avoid rumours or commotion at the workplace. Other reasons may also justify the need to share the information. However, there is a clear difference between sharing the fact that a colleague is no longer employed and sharing additional details.
In this case, the Danish Data Protection Agency stated that the company clearly had a legitimate interest in informing clients that the employee was no longer employed. It was also legitimate for the company to emphasize that, as a result, the employee could no longer conclude agreements on the company’s behalf.
Nonetheless, the Danish Data Protection Agency stressed that it had been unnecessary for the company to share why the employee was no longer employed. Also, the Danish Data Protection Agency found that there had been no need for the company to share the confidential information surrounding the allegations of the criminal offense committed by the employee. It only made matters worse that the company could not prove that the information only had been shared with clients with whom the employee had been in contact. Consequently, the Danish Data Protection Agency proposed to fine the company DKK 150,000.
IUNO’s opinion
This case is a clear example of why companies should be careful when sharing information relating to an employee’s absence. This is relevant when cases involve criminal offenses, but also for other reasons for termination, especially where sensitive or confidential data is involved.
IUNO considers that companies should have general guidelines for how to handle off-boarding internally. Having clear guidelines reduces the risk of disclosing the wrong information. That said, companies can share more details depending on the circumstances in each case. For example, other considerations are in play when employees are subject to a competition clause or when employees are in management positions.
[The Danish Data Protection Agency’s decision of 2 December 2022]
After being summarily dismissed, a previous employee submitted a complaint to the Danish Data Protection Agency against the company. The complaint came after the company had shared details about an alleged criminal offense committed by the employee.
Several clients had received an e-mail from the company describing how the employee had committed a criminal offense during the employment. The description was so detailed that the clients had no choice but to assume that the story was true. Moreover, the company also shared how it had summarily dismissed the employee due to the actions.
Less is more
It can be entirely legitimate to share that an employee is no longer employed. Companies may consider it necessary to share the information to avoid rumours or commotion at the workplace. Other reasons may also justify the need to share the information. However, there is a clear difference between sharing the fact that a colleague is no longer employed and sharing additional details.
In this case, the Danish Data Protection Agency stated that the company clearly had a legitimate interest in informing clients that the employee was no longer employed. It was also legitimate for the company to emphasize that, as a result, the employee could no longer conclude agreements on the company’s behalf.
Nonetheless, the Danish Data Protection Agency stressed that it had been unnecessary for the company to share why the employee was no longer employed. Also, the Danish Data Protection Agency found that there had been no need for the company to share the confidential information surrounding the allegations of the criminal offense committed by the employee. It only made matters worse that the company could not prove that the information only had been shared with clients with whom the employee had been in contact. Consequently, the Danish Data Protection Agency proposed to fine the company DKK 150,000.
IUNO’s opinion
This case is a clear example of why companies should be careful when sharing information relating to an employee’s absence. This is relevant when cases involve criminal offenses, but also for other reasons for termination, especially where sensitive or confidential data is involved.
IUNO considers that companies should have general guidelines for how to handle off-boarding internally. Having clear guidelines reduces the risk of disclosing the wrong information. That said, companies can share more details depending on the circumstances in each case. For example, other considerations are in play when employees are subject to a competition clause or when employees are in management positions.
[The Danish Data Protection Agency’s decision of 2 December 2022]
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing