Directorate of Labor of Iceland – Complaint Upheld (Iceland, 2021)

On June 24, 2021, the Icelandic DPA received a complaint from [A] (hereinafter the Complainant) about the fact that his email address had been disclosed by the Directorate of Labour in the 'cc' section of an email sent to hundreds of individuals (hereafter, the bulk email). The bulk email in question concerned the resumption of applications for quarantine payments in the context of the COVID-19 pandemic. The fact that the email addresses of the recipients were visible to other recipients of the bulk email was the result of a human error. The next day, the Directorate of Labor apologized for this error and took measures to prevent such incident from happening again. In particular, the Directorate of Labor reviewed and changed the procedures for mass mailings, so that two employees must now review such emails before they are sent, in order to ensure that personal data are not disclosed by errors. Furthermore, the Directorate of Labor decided to adapt the regular training of its employees so that it would include information on how to prevent such incidents from taking place. The Icelandic DPA ruled that the disclosure, by the Directorate of Labor, of the Complainant's e-mail address to other recipients of the bulk email was not compliant with the Icelandic data protection law or the GDPR. However, taking into account the fact that it was the result of a human error, given that the Directorate of Labor took corrective measures to prevent such incident from happening again, the Icelandic DPA decided not to impose any fine.