A Danish municipality (redacted) – Violation Found (Denmark, 2022)

A data subject had informed the team leader at her job that due to a fertility treatment, she would need some of her work tasks facilitated in the coming period. At work the following day, she read an email which had been sent to the entire department with 51 of her coworkers, where the team leader had informed everyone of her care needs and the reason why (fertility treatment). Following this, the data subject lodged a complaint with the Danish DPA (Datatilsynet), stating she had not given her consent to the sharing of this sensitive information. The municipality admitted to having shared the information in question, but said it was due to a misunderstanding. They had also realised that the consent they thought they had obtained did not satisfy the GDPR requirements. Because of this, they had offered a monetary compensation to the data subject. The DPA noted that the municipality had admitted the mistake and apologised for sharing the sensitive information without a valid consent, and that it was not necessary to inform the data subject's colleagues about the reason for her care needs. The DPA held that the municipality's processing was in violation of Article 5(1)(c) GDPR. Because of the personal data's sensitive nature and the group of people who received the information, the DPA concluded that there were reasons to issue a reprimand against the municipality.