The Danish Data Protection Authority has ruled in two cases where complaints have been filed about lawyers’ disclosure and subsequent use of data.
The Danish Data Protection Authority has dealt with two appeals from the same complaints about the disclosure of personal data between two self-employed lawyers, Lawyer A and Lawyer B.
Lawyer A represented the complainant’s former spouse, and Lawyer B represented a friend of the complainant’s former spouse.
One complaint concerned the fact that Lawyer A had disclosed confidential information about the complainant to Lawyer B for use in a libel action brought by the complainant against Lawyer B’s client.
The second complaint concerned Lawyer B’s use of the information in the libel case.
For the case, the Data Protection Authority has obtained an opinion from the Norwegian Association of Lawyers.
As the Danish Data Protection Authority has not previously considered the legality of disclosing and subsequently using personal data between independent lawyers, including the interaction between the data protection rules and the rules of professional ethics, the decisions in the two cases were made by the Data Council.
Lawyer A’s disclosure of the data
With regard to the case concerning Attorney A’s disclosure of data to Attorney B, the Data Council assessed, among other things, that the basis for processing for the disclosure in the specific case was the balancing of interests rule (Article 6(1)(f)). At the same time, the Data Council found that the complainant’s interest in not having his data disclosed outweighed the interest of Attorney A’s client’s interest in having the data disclosed.
In addition, the Data Council found that the complainant’s interest in not having the information about him disclosed also outweighed the interest of Attorney B’s client being able to safeguard his interests in connection with the pending libel case – brought by the complainant against her.
On this basis, the Danish Data Protection Agency found that the disclosure could not take place within the framework of the General Data Protection Regulation.
The Danish Data Protection Agency then criticised Lawyer A.
Lawyer B’s subsequent processing of the data
As far as Lawyer B was concerned, the Data Protection Board found that his processing of information about complainants had taken place within the framework of the balancing of interests rule (Article 6(1)(f)).
The Data Council emphasised that Attorney B’s processing of data about the complainant had taken place in his capacity as a lawyer for his client in the libel case in question, and that the processing of the data must be considered to have taken place as part of a legitimate safeguarding of the client’s interest in defending himself in the said case.