Landsbankinn hf. – Dismissed (Iceland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Icelandic data protection authority dismissed a complaint against Landsbankinn hf. regarding access to employee emails. The authority decided the bank wasn't responsible for the emails in question, which were related to union activities.
What happened
Landsbankinn hf. was not found responsible for providing access to employee emails related to union activities.
Who was affected
The case involved a former union member seeking access to emails about him, sent through the bank's email system.
What the authority found
The authority decided that Landsbankinn hf. was not the controller for the email communications requested, as they pertained to union activities.
Why this matters
This decision clarifies that companies are not always responsible for all data processed through their systems, especially when it involves third-party activities. Businesses should understand their role and responsibilities in data processing to handle access requests appropriately.
GDPR Articles Cited
On 27 April 2021, Landsbankinn hf., a bank and the alleged controller, received an access request from the complainant, the data subject, regarding personal data which the bank may have. More specifically, the data subject requested access to the email communication of the bank's employees that had him as a subject. The communication took place through office email addresses but did not concern the bank's operations. The bank provided the data subject with a copy of all the personal information processed in the bank's activities. However, it rejected the request to the extent that it concerned the e-mail communication of its employees, stating that another controller is concerned, namely, a workers' union. The data subject is a former member of the union and, in the bank's opinion, the data subject's request for access to the emails of employees of the bank, related to their confidential duties for the union, is not made in good faith. The bank speculated that the complainant is trying to access personal information from the activities of a third party through the bank. The data subject responded that the bank's arguments for refusing his access request do not stand up to scrutiny. The data request is directed to the bank because it is known that the bank's email address was used for the processing and distribution of information about the data subject and, therefore, the request is rightly directed to it. In the opinion of the data subject, it is unreasonable that he was advised to contact an unrelated non-governmental organization in order to gain access to data stored in a mailbox operated by the bank. The Icelandic DPA held that the bank was not the controller for the purposes of the email communication requested by the data subject. According to Article 4(7) GDPR, "controller" refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data. In the dat
Outcome
Dismissed
The complaint or investigation was dismissed.
Related Enforcement Actions (0)
No other enforcement actions found for Landsbankinn hf. in IS
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Landsbankinn hf. - Iceland (2022). Retrieved from cookiefines.eu
Last updated: