MAGNA Lögmenn (law firm) – Complaint Upheld (Iceland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Icelandic law firm, Magna Lögmenn, was found to have improperly shared a person's sensitive data, including salary and union membership, by emailing it to a municipality and a Gmail address. The Icelandic DPA upheld the complaint, emphasizing the firm's responsibility in handling personal data.
What happened
Magna Lögmenn disclosed sensitive personal data by emailing it to a municipality and a Gmail address without proper justification.
Who was affected
The individual whose employment contract, including salary and union membership, was shared without proper safeguards.
What the authority found
The Icelandic DPA determined that Magna Lögmenn acted independently and should be considered responsible for the improper data disclosure.
Why this matters
This decision underscores the responsibility of law firms and similar entities to protect sensitive data, even when acting on behalf of clients. It serves as a warning to ensure proper data handling and legal justification for sharing personal information.
GDPR Articles Cited
In the context of a legal dispute, Magna Lögmenn, an Icelandic law firm, disclosed the personal data of an individual (the Complainant) by sending a formal notice to (i) the Complainant's private Gmail address and (ii) the general email address of a Municipality. Several documents were attached to this email as exhibits, including a copy of the Complainant's previous employment contract, which contained information relating to the Complainant's salary and trade union membership.

The Complainant considered that, by sending this email, and in particular the copy of his previous employment contract, Magna Lögmenn had disclosed sensitive personal data to the Municipality, and also to Google (the latter being the service provider of the Complainant's private email address). On this basis, the Complainant filed a complaint against Magna Lögmenn with the Icelandic DPA, arguing that Magna Lögmenn had breached the applicable data protection law.

Magna Lögmenn argued, for its part, that the processing of the Complainant's personal data was lawful because it was (i) necessary for the purposes of the legitimate interests pursued by the client of Magna Lögmenn (Article 6(1)(f) GDPR) and, as far as sensitive personal data were concerned, (ii) necessary for the establishment, exercise and defence of a legal claim (Article 9(2)(f) GDPR).

The Icelandic DPA, after reviewing the facts of the case and the applicable law, considered that Magna Lögmenn was acting as a controller within the meaning of the GDPR. In that respect, the Icelandic DPA pointed out in particular that the law firm enjoyed a high level of independence and decision-making power when representing its client. In particular, the Icelandic DPA noted that the client did not specifically instruct the law firm as to how or why the personal data of the Complainant should be processed. As a result of this broad mandate, the Icelandic DPA concluded that Magna Lögmenn should be considered as a 'controller' of the personal data, a
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for MAGNA Lögmenn (law firm) in IS
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. MAGNA Lögmenn (law firm) - Iceland (2021). Retrieved from cookiefines.eu