Datatilsynet (Denmark) - 2024-32-0283

From GDPRhub
Revision as of 11:44, 30 July 2024 by Mba (talk | contribs) (→‎Facts)
Datatilsynet - 2024-32-0283
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 15(1) GDPR
Article 23(1) GDPR
Databeskyttelsesloven § 22
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.06.2024
Published:
Fine: n/a
Parties: Indenrigs- og Sundhedsministeriet
National Case Number/Name: 2024-32-0283
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: fb

The DPA held that, in light of the CJEU judgement C-579/21, Pankki S, the Ministry of the Interior and Health must provide the data subject with information about the security logs of the Civil Registration System.

English Summary

Facts

On 3 October 2023, the DPA received a complaint by a data subject. He complained about the fact that the Ministry of the Interior and Health (Indenrigs- og Sundhedsministeriet) had refused to give him access to the security log of the Civil Registration System (Centrale Personregister - CPR). This log contains information about the date and time of searches and also an ID associated to the natural person performing the search.

On 20 November 2023 the DPA forwarded the complaint to the controller, so that it could reconsider its refusal in light of the CJEU case C-579/21, Pankki S.

On 4 January 2024 the controller upheld the refusal. It argued that § 22 of the Data Protection Act, the national legislation implementing Article 23 GDPR, introduces an exception to the right to access in this case. More specifically, the controller argued that considerations relating, among others, to the protection of national security, including the prevention, investigation, detection or prosecution of criminal offences outweighed the data subject’s right to access information that can be derived from the CPR security log. For example, the controller pointed out that granting such an access would mean revealing information relating to searches made by the Police.

Moreover, the controller argued that the refusal is particularly justified by the resources that would be involved in processing and responding to an access request to the CPR security log.

Finally, the controller emphasised that the CPR security log on itself cannot be used to check whether a given processing of personal data is lawful as it does not contain information about the authority's or company's purpose for processing the data subject's data.

Holding

First of all, the DPA agreed with the controller about the fact that § 22 of the Data Protection Act contains a number of exceptions to Article 15 GDPR. However, the DPA pointed out that the special notes to § 22(2) of the Data Protection Act state that a restriction of the right to access can be made only on the basis of a concrete weighing of the conflicting interests and only if there is an obvious risk that the public interest will suffer significant harm.

Moreover, as for the argument related to the lack of resources, the DPA held that § 22 of the Data Protection Act aims to prevent information that is of importance to the public interest, and which must therefore be kept secret, from being disclosed. On the other hand, the (financial) interest of the data controller in not using significant resources to respond to a request for access cannot be considered to be covered by the provision.

Therefore, the DPA held that the controller cannot rely on this provision to refuse to provide the data subject with this information.

Secondly, the DPA recalled that the CJEU, in case C-579/21, Pankki S, ruled that Article 15(1) GDPR implies that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain under Article 15(1) GDPR.

Thirdly, the DPA held that even if it may not be possible to use the CPR security log in isolation to verify the lawfulness of the processing, access to it may contribute to this. For example, by gaining access to the CPR security log, the data subject will be able to contact the authority or company in question.

However, the DPA noted that its own opinion changed after the CJEU judgement in case C-579/21, Pankki S, as, before that, it had held that there was no right of access to security logs. Therefore, the DPA decided not to issue a reprimand.

On the other hand, it considered that the Ministry of the Interior and Health will need to process the access requests it will receive in the future in accordance with this decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details. 

What applies to insight into log files?

Date: 06-06-2024

Decision Public authorities No criticism Complaint Logging The right to access

On 22 June 2023, the European Court of Justice ruled on the issue of access to logs. The EU Court's judgment means that there is a new practice for insight into logs.

Journal number: 2024-32-0283.

The Danish Data Protection Authority hereby returns to the case where, on 3 October 2023 - from the Parliamentary Ombudsman - the Danish Data Protection Authority received a complaint from (complainant) that the Ministry of the Interior and Health had refused to give him access to the CPR's security log.

1. Decision

The Danish Data Protection Authority finds – after the case has been dealt with at a meeting of the Data Council – that the Ministry of the Interior and Health could not, on the grounds stated, refuse the complainant's request for access pursuant to Article 15 of the Data Protection Regulation.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

On 3 October 2023, the Danish Data Protection Authority received - from the Ombudsman of the Folketing - a complaint from the complainant that the Ministry of the Interior and Health - citing the Danish Data Protection Authority's previous practice, according to which there was no right to access security logs - had refused to give him access to the CPR's security log .

On 20 November 2023, the Danish Data Protection Authority decided to forward the complaint to the Ministry of the Interior and Health, so that the ministry – in light of the EU Court's decision in case C-579/21 of 22 June 2023 – had the opportunity to review its refusal. 

On 4 January 2024, the Ministry of the Interior and Health reassessed its decision and upheld the refusal. The Ministry of the Interior and Health stated in this connection, among other things to:

"You have requested insight into historical data about personal subscriptions in CPR that relate to you.

As the Ministry of the Interior and Health has previously informed you, the data content in CPR, cf. Annex 1, No. 14, to the CPR Act, only includes information on current subscriptions. Historical subscriptions are not stored in CPR. When a register insight into the CPR is requested, insight is thus only given into the current information about subscriptions in the CPR.

Information about historical subscriptions relating to a specific person can, however, be derived for a limited period via CPR's security log. Your request for insight is therefore treated as a request for insight into CPR's security log

The purpose of CPR's security log

CPR's security log is a system facility that is derived from the actual processing of personal data in CPR. Logging of incidents in CPR is done to meet security logging requirements, e.g. the data protection regulation's article 32 on processing security, and instructions on logging, e.g. instructions on logging from the Center for Cybersecurity. The registrations in the log are thus made for system technical reasons and serve internal administrative purposes.

Information processed in CPR's security log

CPR's security log contains, among other things, information about the date and time of postings, searches and subscription phrases (subscription creations or deletions) in CPR, which social security number(s) have been the subject of the search, posting or subscription phrase, as well as information about any personal identification code (username) and program (information type) used . The personal code is assigned to a specific authority or company and often associated with certain personal data, such as the user's possible name and email address, which can be used to identify the natural persons who have completed the searches etc. CPR's security log does not contain information about the purpose of a specific search, subscription creation or – deletion etc.

Relevant legal basis

Article 15 of the Data Protection Regulation implies that the data subject, among other things, has the right to see the personal data processed about the person concerned.

According to section 22 of the Data Protection Act, subsection 2, an exception to the provision in Article 15 of the Data Protection Regulation can be made if the data subject's interest in gaining knowledge of the information is found to be overriding decisive considerations of public interest, including in particular to

1) state security,

2) the defence,

3) public safety,

4) prevention, investigation, detection or prosecution of criminal acts or enforcement of criminal sanctions, including protection against and prevention of threats to public safety,

5) other important objectives in connection with the protection of the general public interests of the European Union or a Member State, in particular the essential economic or financial interests of the European Union or a Member State, including currency, budget and tax matters, public health and social security,

6) protection of the independence of the judiciary and legal proceedings,

7) prevention, investigation, disclosure and prosecution in connection with breaches of ethical rules for legally regulated professions,

8) control, supervisory or regulatory functions, including tasks of a temporary nature that are connected to the exercise of public authority in the cases referred to in nos. 1-5 and 7,

9) protection of the rights and freedoms of the data subject or others and

10) enforcement of civil law claims.

Assessment of your right to access in relation to e.g. society's interests

It is the opinion of the Ministry of the Interior and Health that the consideration of the exercise of public authority, general societal interests and economic interests – including the consideration of the state's security, the possibility of prevention, investigation, detection or prosecution of criminal offenses and control, supervision or regulation functions – weigh more heavily than your right to access information that can be derived from CPR's security log.

The Ministry of the Interior and Health emphasizes that granting your request for insight into the CPR's security log will open up general access to insight into information that can be derived from the CPR's security log, which will invariably result in a resource drain at the ministry that will far exceed the ministry's ability and available resources for this.

In this connection, the Ministry of the Interior and Health emphasizes that the CPR's safety log, i.a. shows activities at authorities where it may be decisive for the exercise of authority that there is confidentiality regarding the authority's postings and searches in the CPR. This applies in particular in relation to the National Police and the Tax Administration, but can also apply to other authorities.

The Ministry of the Interior and Health also emphasizes that the CPR, as a central basic data register, is the subject of a very significant number of postings, searches and subscription statements annually, and that processing requests for access to the security log in each individual case will require a manual review and case processing - and in certain cases also an assessment of the need for protection of confidentiality and observance of employees' rights and freedoms. It is noted that 30-40,000 people each month request access to information in the CPR about themselves through digital self-service, cf. the data protection regulation, article 15, subsection 1.

The Ministry of the Interior and Health also emphasizes that the CPR's security log cannot be used in isolation to check whether a given processing of information by the authority or company responsible for the data has been lawful, as the CPR's security log does not contain information about the authority's or company's purpose for the processing of the relevant person's information.

Finally, the Ministry of the Interior and Health emphasizes that your opportunity to check the legality of a processing of your information must be considered to be taken care of through the data responsible authorities' and companies' obligation to provide you with information according to the data protection regulation 13 and 14, which i.a. must include information about the purpose of the processing.

It is noted in this connection that the establishment of personal subscriptions in the CPR requires that the data responsible authority or company can uniquely identify the individual persons who are subscribed to the CPR, e.g. using name and address, and that the authority's or company's registration and processing of this information takes place on a legal basis in accordance with Article 6 of the Data Protection Regulation.”

On 29 April 2024, the Danish Data Protection Authority asked the Ministry of the Interior and Health by telephone whether the Ministry had anything else to add to the case in relation to the Ministry's refusal and justification for this of 4 January 2024. The Ministry of the Interior and Health has not made any further comments.

3. Reason for the Data Protection Authority's decision

3.1. General information on the right to access

It follows from the data protection regulation's article 15, subsection 1, that the data subject has the right to obtain confirmation from the data controller as to whether personal data relating to the person in question is being processed, and, if applicable, access to the personal data and the following information:

the purposes of the processing the categories of personal data concerned the recipients or categories of recipients to whom the personal data is or will be disclosed, in particular recipients in third countries or international organizations if possible the intended period of time during which the personal data will be stored or if this is not possible, the criteria used to determine this period of time the right to request the data controller to correct or delete personal data or limit the processing of personal data concerning the data subject or to object to such processing the right to lodge a complaint with a supervisory authority any available information on where the personal data originates from, if they are not collected at the registered occurrence of automatic decisions, including profiling, as referred to in Article 22, paragraph 1 and 4, and at least meaningful information about the logic therein as well as the meaning and expected consequences of such processing for the data subject.

Of the data protection regulation, article 15, subsection 3, it follows that the data controller provides a copy of the personal data that is processed. The right to receive a copy as referred to in subsection 3, must not infringe the rights and freedoms of others, cf. the regulation's article 15, subsection 4.

3.2. Section 22 of the Data Protection Act

Section 22 of the Data Protection Act contains a number of exceptions to Article 15. It appears from Section 22 of the Data Protection Act, subsection 2, that exception to the provisions of the data protection regulation, article 13, subsection 1-3, Article 14, subsection 1-4, Article 15 and Article 34 can be done if the data subject's interest in getting to know the information is found to give way to decisive considerations of public interest, including in particular to

1) state security,

2) the defence,

3) public safety,

4) prevention, investigation, detection or prosecution of criminal offenses or enforcement of criminal sanctions, including protection against and prevention of threats to public safety,

5) other important objectives in connection with the protection of the general public interests of the European Union or a Member State, in particular the essential economic or financial interests of the European Union or a Member State, including currency, budget and tax matters, public health and social security,

6) protection of the independence of the judiciary and legal proceedings,

7) prevention, investigation, disclosure and prosecution in connection with breaches of ethical rules for legally regulated professions,

8) control, supervisory or regulatory functions, including tasks of a temporary nature that are connected to the exercise of public authority in the cases referred to in nos. 1-5 and 7,

9) protection of the rights and freedoms of the data subject or others and

10) enforcement of civil law claims.

Of the special comments to the Data Protection Act § 22, subsection 2, it appears that:

"The provision stipulates - like the provision in subsection 1 – that the data controller's or his representative's obligation to provide information can only be reduced on the basis of a concrete balancing of the conflicting interests mentioned in the provision. On the basis of such a balance, an exception can be made if there is a imminent danger that the public interests will suffer significant damage.

In the provision, it is also determined to what extent the data controller can refrain from giving the data subject the right of access. According to the provision, the restriction of the data subject's access to be made aware of the information mentioned in Article 15 of the regulation can only be done on the basis of a concrete weighing of the opposing interests. There may also be an exception to the right of access pursuant to Article 15, subsection 1, letter h, which deals with insight in connection with automatic decisions, including profiling, as referred to in the regulation's article 22, subsection 1 and 4.

As mentioned, on the one hand, the interest of the data subject in getting to know the information is included in the consideration of a special exception from the right of access according to the regulation's Article 15. This is not only aimed at the data subject's interest in knowing the information in connection with considerations about bringing a case in which the collected information is included before the courts, a higher administrative authority, the relevant supervisory authority or the Parliamentary Ombudsman, but also to the interest of the data subject in being able to check the correctness of the information with a view to the data controller's use of the information.

With the use of the term "crucial" in the provision, it is indicated that an exception to the duty to provide information and the right of access can only be made where there is an imminent danger that public interests will suffer significant damage.

The expression "decisive consideration" is intended to be congruent with the corresponding balancing of opposing considerations, which must be carried out according to Section 8 of the Public Information Act on self-access and Section 15, Section 15 a and Section 15 b of the Public Administration Act, on the exception of information from access to documents.

In accordance with the regulation's article 23, subsection 2, the data controller shall, to the extent possible and relevant extent – when concrete exceptions are made to the obligation to provide information and the right of access pursuant to both subsection 1 and 2 – try to take into account the considerations that follow from Article 23, subsection 2, within the area of life that the data controller wants to limit.

This means, for example, that the data controller is obliged to consider which risks are associated with an exception from the duty to provide information or the right of access for the data subject, cf. the data protection regulation, article 23, subsection 2, letter g. Thus, for example whether there will be a risk that the information collected is incorrect.

Furthermore, the data controller will be able, for example, in connection with an exception from the right of access for reasons of the freedoms of others, to notify the data subject of this restriction, cf. the data protection regulation, article 23, subsection 2, letter h.

Finally, it is directly incumbent upon the provisions of subsection 1 and 2 the data controller to take into account the scope of the restrictions introduced, cf. the data protection regulation article 23, subsection 2, letter c, as the data controller must make a concrete assessment of whether there are decisive considerations for each individual piece of information.

3.3. Judgment of the European Court of Justice in case C-579/21

On 22 June 2023, the Court of Justice of the European Union delivered judgment in case C-579/21. In the case, the European Court of Justice was asked to decide whether log files – including the identity of the persons who have accessed the information in the log – are covered by the right of access in Article 15 of the Data Protection Regulation. The European Court of Justice stated the following in this regard:

"37. With the first and second questions, which must be dealt with together, the referring court specifically wants information on whether the data protection regulation's article 15, subsection 1, shall be interpreted as meaning that information relating to searches of a person's personal data, regarding the dates and purpose of these searches and regarding the identity of the natural persons who have carried out the searches in question constitutes information which the person concerned pursuant to this provision have the right to obtain from the data controller pursuant to this provision.

It should be noted at the outset that it is clear from established practice that when interpreting an EU legal provision, account must not only be taken of its wording, but also of the context in which it forms part and the goals pursued with that arrangement , of which it forms part (judgment of 12.1.2023, Österreichische Post (Information on recipients of personal data), C-154/21, EU:C:2023:3, paragraph 29). As regards, firstly, the wording of the data protection regulation, Article 15, paragraph 1, it should be noted that this provision stipulates that the data subject has the right to obtain the data controller's confirmation as to whether personal data relating to the person in question is being processed, and, if applicable, access to the personal data and information about e.g. the purposes of the processing and about the recipients or categories of recipients to whom the personal data is or will be disclosed. In this connection, it must be emphasized that the terms referred to in the data protection regulation's article 15, subsection 1, is defined in Article 4 of this Regulation. Firstly, with regard to Article 4, No. 1 of the Data Protection Regulation, this provision states that personal data means "any type of information about an identified or identifiable natural person", and it clarifies , that "identifiable natural person" means a natural person who can be directly or indirectly identified, in particular by an identifier such as a name, an identification number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person'. The use of the term 'any form of information' in the definition of the term 'personal data', which appears in this provision, reflects the intention of the EU legislator to give the term a broad meaning, so that it potentially includes any form of information, both objective and subjective in the form of opinions or assessments, provided that the information is "about" the person in question (judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 23). In this regard, it has been established that information relates to an identified or identifiable natural person if, due to its content, purpose or effect, it is linked to an identifiable person (judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C- 487/21, EU:C:2023:369, paragraph 24). As far as the characterization of information about a person as "identifiable" is concerned, recital 26 of the data protection regulation states that "all means [should] be taken into account that can reasonably be thought to be used by the data controller or another person to directly or indirectly identify, including designate, the person in question'. It follows from this that the broad definition of the term "personal data" includes not only the information collected and stored by the data controller, but also all information resulting from the processing of personal data relating to an identified or identifiable person (cf. in this regard, judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 26). Secondly, with regard to the concept of "processing" as defined in Article 4, No. 2 of the Data Protection Regulation, it must be stated that the EU legislator, by using the expression "any activity", intended to give this concept a wide scope, which is expressed by a non-exhaustive nature of any activity or series of activities to which personal data or a collection of personal data is made the subject, e.g. collection, registration, storage or search (see in this regard judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 27). As regards, thirdly, Article 4, No. 9 of the Data Protection Regulation), it is clarified here that "recipient" means "a natural or legal person, a public authority, an institution or another body to which personal data is disclosed, regardless of whether is a third party or not'. In this regard, the Court has held that the data subject has the right to obtain information from the data controller about the specific recipients to whom the personal data relating to the person concerned is or will be passed on (judgment of 12.1.2023, Österreichische Post (Information on recipients of personal data ), C-154/21, EU:C:2023:3, paragraph 46). It therefore follows from an analysis of the wording of the data protection regulation, Article 15, subsection 1, and of the concepts referred to in the provision, that the right of access that the data subject has pursuant to this provision is characterized by the broad scope of the information that the data controller must provide to the data subject. Next, regarding the context in which the data protection regulation's article 15, paragraph 1, is included, it must first be noted that it follows from Recital 63 of this regulation that the data subject should have the right to know and be informed about, in particular, the purposes for which the personal data is processed, if possible the period during which the personal data is processed , and about the recipients of the personal data. Secondly, it should be noted that recital 60 of the Data Protection Regulation states that the principles of fair and transparent processing require the data subject to be informed of the existence of processing activities and their purpose, emphasizing that the data controller should provide the data subject with any additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and conditions under which the personal data is processed. It also follows from the principle of transparency referred to by the referring court, which appears in recital 58 of the data protection regulation, and which is expressly stated in Article 12(1) of that regulation. 1, that all information sent to the data subject must be concise, easily accessible, easy to understand and formulated in clear and simple language. In this regard, it is clarified in the data protection regulation article 12, paragraph 1, that the information is given in writing or by other means, including, if appropriate, electronically and, when the data subject requests it, orally. This provision is an expression of the principle of transparency and aims to enable the data subject to obtain a full understanding of the information transmitted (judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023: 369, paragraph 38 and the case law mentioned therein). It follows from the above analysis of the context that the data protection regulation's article 15, subsection 1, constitutes one of the provisions which aim to ensure transparency in connection with the processing of personal data in relation to the registered person. Finally, this interpretation is supported by the extent of the right to access, which is set out in the data protection regulation's article 15, subsection 1, of the objectives pursued by this regulation. Firstly, and as is clear from the 10th and 11th recitals of this regulation, it aims to ensure a uniform and high level of protection for natural persons within the EU and to strengthen and clarify the rights of the persons concerned. In addition, it appears from the 63rd recital to the data protection regulation that a person's right to access personal data that has been collected about him and to that in this regulation's article 15, paragraph 1, the information referred to, primarily aims to make it possible for this person to ascertain and check the legality of a processing. It follows from this consideration and from what was stated in paragraph 50 of this judgment that every data subject should have the right to know and be informed about, in particular, the purposes for which the personal data is processed, if possible the period during which the personal data is processed, about the recipients of the personal data and about the logic behind processing the personal data. In this regard, secondly, it should be noted that the Court of Justice has already established that the right of access laid down in Article 15 of the Data Protection Regulation must enable the data subject to ensure that the personal data concerning him or her are correct and that the processed lawfully (judgment 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 34). This right of access is particularly necessary for the data subject to exercise his right to rectification, the right to erasure ("right to be forgotten") and the right to restriction of processing, which are granted to the data subject in the respective articles of the Data Protection Regulation 16 and Article 18, and the right to, in accordance with Article 21 of the Data Protection Regulation, object to the processing of his personal data, as well as, see Articles 79 and 82 of the Data Protection Regulation, the right to initiate legal remedies if he has suffered damage (judgment 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 35 and the case-law cited therein). Article 15, subsection of the Data Protection Regulation. 1, therefore constitutes one of the provisions aimed at ensuring the transparency of the procedure for processing personal data in relation to the data subject (judgment of 12.1.2023, Österreichische Post (Information on recipients of personal data), C-154/21, EU:C:2023:3, paragraph 42), without which the data subject would not be able to assess the lawfulness of the processing of his data and exercise the powers that, among other things, is stipulated in this regulation's articles 16-18, 21, 79 and 82. In the present case, it appears from the reference decision that J.M. requested Pankki S to be provided with information about the searches to which his personal data had been subject between 1 November 2013 and 31 December 2013 and information about the dates of these searches, their purpose and the identity of the persons who had carried out the searches. The referring court stated that the transmission of the log files generated in connection with those searches made it possible to respond to J.M.'s request. In the present case, it is undisputed that the searches to which the personal data of the plaintiff in the main proceedings have been subject constitute a "processing" within the meaning of Article 4, No. 2 of the Data Protection Regulation), which implies that the plaintiff in the main proceedings, pursuant to this regulation article 15, subsection 1, not only has the right to access this personal data, but also the right to obtain the information referred to in the latter provision about the searches in question. As for the information that J.M. has requested, the notification of the dates of the searches first makes it possible for the data subject to get confirmation that his personal data at a given time has actually been the subject of processing. Furthermore, since the conditions for legality laid down in Articles 5 and 6 of the Data Protection Regulation must be met at the time of the processing itself, the date of the processing constitutes an element that makes it possible to verify its legality. Next, it should be noted that information about the purpose of the processing expressly falls under the data protection regulation's article 15, subsection 1, letter a). Finally, this regulation's article 15, paragraph 1, letter c), that the data controller informs the data subject of the recipients to whom the data subject's information has been disclosed. As regards more specifically a communication of this information through the provision of log files relating to the processing activities referred to in the main case, it should be noted that the data protection regulation's article 15, paragraph 3, first sentence, stipulates that the data controller "provides a copy of the personal data that is processed". In this regard, the Court has already established that the term "copy" used in this way denotes an exact reproduction or copy of an original, so that a purely general description of the data that is the subject of processing or a reference to categories of personal data does not corresponds to this definition. It also appears from the wording of this regulation's article 15, subsection 3, first sentence, that the obligation to provide information relates to the personal data that is the subject of the processing in question (cf. in this regard judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 21). The copy to be provided by the data controller must contain all the personal data processed, exhibit all the characteristics that enable the data subject to effectively exercise his rights under this Regulation, and must therefore reproduce this information completely and exactly (see in this regard judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraphs 32 and 39). In order to ensure that the information thus provided is easy to understand, as required by the data protection regulation, article 12, paragraph 1, together with the 58th recital hereto, it may be necessary to reproduce extracts of documents as well as entire documents or extracts from databases which, among other things, contains the personal data that is the subject of processing, when a contextualization of the processed data is necessary to ensure their comprehensibility. In particular, when personal data is generated on the basis of other information, or when such information originates from free fields, i.e. failure to provide information about the data subject, the context in which this information is processed is a necessary element to provide the data subject with transparent access to and an easy-to-understand presentation of this information (judgment 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C- 487/21, EU:C:2023:369, paragraphs 41 and 42). As the attorney general has stated in points 90-88 of the proposed decision, the log files which contain the information that J.M. has requested, for records of processing activities as referred to in Article 30 of the Data Protection Regulation. They shall be considered to be covered by the measures mentioned in Recital 74 of this Regulation, which are carried out by the data controller in order to demonstrate that the processing activities are compatible with this regulation. Article 30, subsection of the same regulation. 4, specifies in particular that these lists must be made available to the supervisory authority upon request. Insofar as these records of processing activities do not contain information about an identified or identifiable natural person as referred to in the jurisprudence mentioned in paragraphs 42 and 43 of this judgment, these records only enable the data controller to fulfill its obligations towards the supervisory authority that requests them to be handed over. More specifically, with regard to the data controller's log files, it may be necessary to send a copy of the information referred to in these files in order to fulfill the obligation to give the data subject access to all the information referred to in Article 15 of the Data Protection Regulation. 1, and to ensure fair and transparent processing that enables the data subject to fully exercise his rights under the Data Protection Regulation. Firstly, such files show that the information has been processed, which constitutes information to which the data subject must have access in accordance with Article 15, paragraph 1 of the Data Protection Regulation. 1. The files also provide information on how often and to what extent searches have been made, so that the data subject can ensure that the processing carried out is actually justified by the purposes stated by the data controller. Second, these files contain information about the identity of the people who made the search. In the present case, it appears from the referral decision that the persons who have carried out the searches referred to in the main case are employees of Pankki S, who have acted under Pankki S's management and on instructions from the bank. Although it is true that it appears from the data protection regulation's article 15, paragraph 1, letter c), that the data subject has the right to obtain from the data controller information about the recipients or categories of recipients to whom the personal data is or will be passed on, the data controller's employees cannot, as stated in paragraphs 47 and 48 of this judgment, be considered to be "recipients" as referred to in the data protection regulation, article 15, subsection 1, letter c), when they process personal data under the direction of the said data controller and on instructions from that person, as stated by the general counsel in point 63 of the proposed decision. In this regard, it must be emphasized that according to Article 29 of the Data Protection Regulation, anyone who performs work for the data controller and who has access to personal data only processes this information on instructions from the data controller. Having said this, the information contained in the logs relating to the persons who have carried out searches of the data subject's personal data may constitute information such as that referred to in Article 4(1) of the Data Protection Regulation and as that which is referred to in paragraph 41 of the present judgment, which enables the data subject to check the lawfulness of the processing to which his personal data has been subject, and in particular to ensure that the processing activities have actually been carried out under the authority of the data controller and after instructions from this. Nevertheless, first of all, it appears from the decision for reference that such information in log files as those at issue in the main proceedings make it possible to identify the employees who have carried out the processing activities and contain such personal data about the employees in question as those referred to in the Data Protection Regulation Article 4(1). In this regard, it should be noted that with regard to the right of access pursuant to Article 15 of the Data Protection Regulation, it is specified in the 63rd recital to this regulation that "[this right] may not [...] infringe on the rights or freedoms of others". According to the fourth recital to the data protection regulation, the right to the protection of personal data is not an absolute right, but must be seen in the context of its function in society and weighed in relation to other fundamental rights (cf. in this regard judgment of 16.7.2020, Facebook Ireland and Schrems, C-311/18, EU:C:2020:559, paragraph 172). Although the disclosure of information about the identity of the data controller's employees to the person who is the subject of the processing may prove necessary for the latter to ensure that the processing of that person's personal data is lawful, this may nevertheless infringe the rights of the employees and freedoms. In the event of a conflict between, on the one hand, the exercise of a right of access, which ensures the effective effect of the rights that the data protection regulation confers on the data subject, and on the other hand, the rights or freedoms of others, it is necessary in such circumstances to carry out a balancing the rights or freedoms in question. If possible, methods must be chosen which do not infringe the rights or freedoms of others, taking into account – as stated in recital 63 of the data protection regulation – that these assessments must not "result in a refusal to provide all information to the registered' (see in this regard judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 44). However, it must be noted, secondly, that it appears from the referral decision that J.M. has not requested information about the identity of the employees of Pankki S who have searched his personal data on the grounds that they did not actually act under the direction of the data controller and according to the person's instructions, but that J.M. seems to have doubts about the accuracy of the information that Pankki S has passed on about the purpose of the searches in question. If, under such circumstances, the data subject is of the opinion that the information provided by the data controller is insufficient for the data subject to disprove the doubts that he or she harbors regarding the legality of the processing of the data subject's personal data been the subject of, the registered person has, in accordance with this regulation's article 77, subsection 1, the right to lodge a complaint with the supervisory authority, which in accordance with the same regulation's article 58, subsection 1, letter a), has the power to request the data controller to forward all information that the supervisory authority needs to process the data subject's complaint. It follows from the above considerations that the data protection regulation's article 15, subsection 1, shall be interpreted as meaning that information regarding searches of a person's personal data and regarding the dates and purpose of these searches constitute information which the person concerned has the right to obtain from the data controller in accordance with this provision. This provision, on the other hand, does not prescribe such a right with regard to information about the identity of the data controller's employees who have carried out the searches under the direction of the data controller and on instructions from the latter, unless this information is necessary for the data subject to effectively exercise his rights according to this regulation, and provided that the employees' rights and freedoms are observed."

3.4. The specific case

A log is a file in which an IT system stores information about its operation and use. Depending on the nature of the log, a log may contain personal data.

In his request, which was sent to the Ministry of the Interior and Health on 20 November 2013 with a view to the ministry's position, the complainant has requested insight into the companies and authorities that have historically subscribed to information about him in the CPR register. This is thus a limited request in the aforementioned.

Based on the information provided by the Ministry of the Interior and Health, the Danish Data Protection Authority assumes that the CPR's security log contains information about (historical) subscriptions for a certain period of time after they have ceased to be active.

Article 15, subsection of the Data Protection Regulation 1, implies that the data subject has the right to obtain the data controller's confirmation as to whether personal data relating to the person in question is being processed, and, if applicable, access to the personal data and the information that appears in points a-h of the provision, including in accordance with point c, information about the recipients or categories of recipients to whom the personal data is or will be disclosed.

When it comes to access to log files, it follows from the European Court of Justice's decision in case C-579/2 – specifically its paragraph 83 – that the right to access according to the Data Protection Regulation, Article 15, paragraph 1, implies that information regarding searches of a person's personal data and regarding the dates and purpose of these searches constitutes information which the person concerned has the right to obtain from the data controller in accordance with this provision.

On this basis, the Danish Data Protection Authority finds that the right to access according to the data protection regulation, article 15, subsection 1, including its letter c, implies that the complainant has the right to the information about which companies and authorities which (historically) have subscribed to information about him in the CPR register, which appears in the CPR's security log.

The Danish Data Protection Authority notes in this connection that the data subject's purpose in requesting access cannot be given importance in relation to whether personal data is covered by the right to access according to Article 15 of the Data Protection Regulation. In addition, even though the CPR's security log, as stated by the Interior and The Ministry of Health, may not be used in isolation to check the legality of the treatment, insight into this could contribute to this. By gaining insight into CPR's security log, the registered person will be able to contact the relevant authority or company to find out more about the background for a subscription.

As can be seen from the Ministry of the Interior and Health's refusal of access to complaints, however, the ministry is of the opinion that – regardless of the fact that there is basically a right to access the information – an exception can be made to the right to access with reference to Section 22, subsection of the Data Protection Act . 2.

The Norwegian Data Protection Authority understands from the Ministry of the Interior and Health that the refusal is mainly based on the resources that would be associated with processing and responding to a request for access to the CPR's security log, including because the log will have to be reviewed for any confidential postings.

In this connection, the Danish Data Protection Authority is of the opinion that the provision in the Data Protection Act § 22, subsection 2, aims to avoid that information which is of importance to the interests stated in the provision, and which must therefore be kept secret, must be disclosed in connection with the response to a request for access. On the other hand, consideration of the data controller's (financial) interest in not spending significant resources on answering a request for insight cannot be considered covered by the provision. 

Furthermore, a general reference to the fact that it will be (too) resource-intensive to respond to a request for access as a reason for rejecting a request for access would be contrary to the requirement that the data controller must make a concrete assessment of whether there is a decisive consideration for each individual piece of information. This is because it will typically be this specific assessment that requires resources.

On that basis, the Danish Data Protection Authority finds that the Ministry of the Interior and Health does not, with the stated justification, with reference to section 22, subsection of the Data Protection Act. 2, may refuse to give the complainant information about the companies and authorities that have historically subscribed to information about him in the CPR register.

The Danish Data Protection Authority notes in this connection that the Danish Data Protection Authority has not taken a decision on whether there may be specific subscriptions etc. which should be kept secret.

In light of the Norwegian Data Protection Authority's long-standing practice that there was no right of access to security logs, which has been changed with this decision, there is no basis for expressing criticism.

If the Ministry of the Interior and Health receives a renewed request for access from complainants, the Danish Data Protection Authority assumes that the Ministry of the Interior and Health will process the request in accordance with the decision in the present case.

The Norwegian Data Protection Authority

Carl Jacobsens Vej 35
2500 Valby
Tel. 33 19 32 00
dt@datatilsynet.dk

About us

About the Norwegian Data Protection AuthorityPresseHome pagePrivacy policyAvailability statement

Shortcuts

Guidance on GDPRCall usNewsletterThe National Whistleblower Scheme

follow us

The Norwegian Data Protection Authority on LinkedIn

What applies to insight into log files?

Date: 06-06-2024

Decision Public authorities No criticism Complaint Logging The right to access

On 22 June 2023, the European Court of Justice ruled on the issue of access to logs. The EU Court's judgment means that there is a new practice for insight into logs.

Journal number: 2024-32-0283.

The Danish Data Protection Authority hereby returns to the case where, on 3 October 2023 - from the Parliamentary Ombudsman - the Danish Data Protection Authority received a complaint from (complainant) that the Ministry of the Interior and Health had refused to give him access to the CPR's security log.

1. Decision

The Danish Data Protection Authority finds – after the case has been dealt with at a meeting of the Data Council – that the Ministry of the Interior and Health could not, on the grounds stated, refuse the complainant's request for access pursuant to Article 15 of the Data Protection Regulation.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

On 3 October 2023, the Danish Data Protection Authority received - from the Ombudsman of the Folketing - a complaint from the complainant that the Ministry of the Interior and Health - citing the Danish Data Protection Authority's previous practice, according to which there was no right to access security logs - had refused to give him access to the CPR's security log .

On 20 November 2023, the Danish Data Protection Authority decided to forward the complaint to the Ministry of the Interior and Health, so that the ministry – in light of the EU Court's decision in case C-579/21 of 22 June 2023 – had the opportunity to review its refusal. 

On 4 January 2024, the Ministry of the Interior and Health reassessed its decision and upheld the refusal. The Ministry of the Interior and Health stated in this connection, among others to:

"You have requested insight into historical data about personal subscriptions in CPR that relate to you.

As the Ministry of the Interior and Health has previously informed you, the data content in the CPR, cf. Annex 1, No. 14, to the CPR Act, only includes information about current subscriptions. Historical subscriptions are not stored in CPR. When a register insight into the CPR is requested, insight is thus only given into the current information about subscriptions in the CPR.

Information about historical subscriptions relating to a specific person can, however, be derived for a limited period via CPR's security log. Your request for insight is therefore treated as a request for insight into CPR's security log

The purpose of CPR's security log

CPR's security log is a system facility that is derived from the actual processing of personal data in CPR. Logging of incidents in CPR is done to meet security logging requirements, e.g. the data protection regulation's article 32 on processing security, and instructions on logging, e.g. instructions on logging from the Center for Cybersecurity. The registrations in the log are thus made for system technical reasons and serve internal administrative purposes.

Information processed in CPR's security log

CPR's security log contains, among other things, information about the date and time of postings, searches and subscription phrases (subscription creations or deletions) in CPR, which social security number(s) have been the subject of the search, posting or subscription phrase, as well as information about any personal identification code (username) and program (information type) used . The personal code is assigned to a specific authority or company and often associated with certain personal data, such as the user's possible name and email address, which can be used to identify the natural persons who have completed the searches etc. CPR's security log does not contain information about the purpose of a specific search, subscription creation or – deletion etc.

Relevant legal basis

Article 15 of the Data Protection Regulation implies that the data subject i.a. has the right to see the personal data processed about the person concerned.

According to section 22 of the Data Protection Act, subsection 2, an exception to the provision in Article 15 of the Data Protection Regulation can be made if the data subject's interest in gaining knowledge of the information is found to be overriding decisive considerations of public interest, including in particular to

1) state security,

2) the defence,

3) public safety,

4) prevention, investigation, detection or prosecution of criminal offenses or enforcement of criminal sanctions, including protection against and prevention of threats to public safety,

5) other important objectives in connection with the protection of the general public interests of the European Union or a Member State, in particular the essential economic or financial interests of the European Union or a Member State, including currency, budget and tax matters, public health and social security,

6) protection of the independence of the judiciary and legal proceedings,

7) prevention, investigation, disclosure and prosecution in connection with breaches of ethical rules for legally regulated professions,

8) control, supervisory or regulatory functions, including tasks of a temporary nature that are connected to the exercise of public authority in the cases referred to in nos. 1-5 and 7,

9) protection of the rights and freedoms of the data subject or others and

10) enforcement of civil law claims.

Assessment of your right to access in relation to e.g. society's interests

It is the opinion of the Ministry of the Interior and Health that the consideration of the exercise of public authority, general societal interests and economic interests – including the consideration of the state's security, the possibility of prevention, investigation, detection or prosecution of criminal offenses and control, supervisory or regulatory functions – weigh more heavily than your right to access information that can be derived from CPR's security log.

The Ministry of the Interior and Health emphasizes that granting your request for insight into the CPR's security log will open up general access to insight into information that can be derived from the CPR's security log, which will invariably result in a resource drain at the ministry that will far exceed the ministry's ability and available resources for this.

In this connection, the Ministry of the Interior and Health emphasizes that the CPR's safety log, i.a. shows activities at authorities where it may be decisive for the exercise of authority that there is confidentiality regarding the authority's postings and searches in the CPR. This applies in particular in relation to the National Police and the Tax Administration, but can also apply to other authorities.

The Ministry of the Interior and Health also emphasizes that the CPR, as a central basic data register, is the subject of a very significant number of postings, searches and subscription statements annually, and that processing requests for access to the security log in each individual case will require a manual review and case processing - and in certain cases also an assessment of the need for protection of confidentiality and observance of employees' rights and freedoms. It should be noted that 30-40,000 people each month request access to information in the CPR about themselves through digital self-service, cf. the data protection regulation, article 15, subsection 1.

The Ministry of the Interior and Health also emphasizes that the CPR's security log cannot be used in isolation to check whether a given processing of information by the authority or company responsible for the data has been legal, as the CPR's security log does not contain information about the authority's or company's purpose for the processing of the relevant person's information.

Finally, the Ministry of the Interior and Health emphasizes that your opportunity to check the legality of a processing of your information must be considered taken care of through the data responsible authorities' and companies' obligation to provide you with information according to the data protection regulation 13 and 14, which i.a. must include information about the purpose of the processing.

It is noted in this connection that the establishment of personal subscriptions in the CPR requires that the data responsible authority or company can uniquely identify the individual persons who are subscribed to the CPR, e.g. using name and address, and that the authority's or company's registration and processing of this information takes place on a legal basis in accordance with Article 6 of the Data Protection Regulation.”

On 29 April 2024, the Danish Data Protection Authority asked the Ministry of the Interior and Health by telephone whether the Ministry had anything else to add to the case in relation to the Ministry's refusal and justification for this of 4 January 2024. The Ministry of the Interior and Health has made no further comments.

3. Reason for the Data Protection Authority's decision

3.1. General information on the right to access

It follows from the data protection regulation article 15, subsection 1, that the data subject has the right to obtain confirmation from the data controller as to whether personal data relating to the person in question is being processed, and, if applicable, access to the personal data and the following information:

the purposes of the processing the categories of personal data concerned the recipients or categories of recipients to whom the personal data is or will be disclosed, in particular recipients in third countries or international organizations if possible the intended period of time during which the personal data will be stored or if this is not possible, the criteria used to determine this period of time the right to request the data controller to correct or delete personal data or limit the processing of personal data concerning the data subject or to object to such processing the right to lodge a complaint with a supervisory authority any available information on where the personal data originates from, if they are not collected at the registered occurrence of automatic decisions, including profiling, as referred to in Article 22, paragraph 1 and 4, and at least meaningful information about the logic therein as well as the meaning and expected consequences of such processing for the data subject.

Of the data protection regulation, article 15, subsection 3, it follows that the data controller provides a copy of the personal data that is processed. The right to receive a copy as referred to in subsection 3, must not infringe the rights and freedoms of others, cf. the regulation's article 15, subsection 4.

3.2. Section 22 of the Data Protection Act

Section 22 of the Data Protection Act contains a number of exceptions to Article 15. It appears from Section 22 of the Data Protection Act, subsection 2, that exception to the provisions of the data protection regulation, article 13, subsection 1-3, Article 14, subsection 1-4, Article 15 and Article 34 can be done if the data subject's interest in getting to know the information is found to give way to decisive considerations of public interest, including in particular to

1) state security,

2) the defence,

3) public safety,

4) prevention, investigation, detection or prosecution of criminal acts or enforcement of criminal sanctions, including protection against and prevention of threats to public safety,

5) other important objectives in connection with the protection of the general public interests of the European Union or a Member State, in particular the essential economic or financial interests of the European Union or a Member State, including currency, budget and tax matters, public health and social security,

6) protection of the independence of the judiciary and legal proceedings,

7) prevention, investigation, disclosure and prosecution in connection with breaches of ethical rules for legally regulated professions,

8) control, supervisory or regulatory functions, including tasks of a temporary nature that are connected to the exercise of public authority in the cases referred to in nos. 1-5 and 7,

9) protection of the rights and freedoms of the data subject or others and

10) enforcement of civil law claims.

Of the special comments to the Data Protection Act § 22, subsection 2, it appears that:

"The provision stipulates - like the provision in subsection 1 – that the limitation of the data controller's or his representative's duty to provide information can only be done on the basis of a concrete balancing of the conflicting interests mentioned in the provision. On the basis of such a balance, an exception can be made if there is a imminent danger that the public interests will suffer significant damage.

In the provision, it is also determined to what extent the data controller can refrain from giving the data subject the right of access. According to the provision, the limitation of the data subject's access to be made aware of the information mentioned in Article 15 of the regulation can only be done on the basis of a concrete weighing of the opposing interests. There may also be an exception to the right of access pursuant to Article 15, subsection 1, letter h, which deals with insight in connection with automatic decisions, including profiling, as referred to in the regulation's article 22, subsection 1 and 4.

As mentioned, on the one hand, the interest of the data subject in getting to know the information is included in the consideration of a special exception from the right of access according to Article 15 of the regulation. This is not only aimed at the data subject's interest in knowing the information in connection with considerations about bringing a case in which the collected information is included before the courts, a higher administrative authority, the relevant supervisory authority or the Parliamentary Ombudsman, but also to the data subject's interest in being able check the correctness of the information with a view to the data controller's use of the information.

With the use of the term "crucial" in the provision, it is indicated that an exception to the duty to provide information and the right of access can only be made where there is a imminent danger that public interests will suffer significant damage.

The expression "decisive consideration" is intended to be congruent with the corresponding balancing of opposing considerations, which must be carried out according to section 8 of the Public Information Act on self-access and section 15, section 15 a and section 15 b of the Public Administration Act, on the exception of information from access to documents.

In accordance with the regulation's article 23, subsection 2, the data controller shall, to the extent possible and relevant extent – when concrete exceptions are made to the obligation to provide information and the right of access pursuant to both subsection 1 and 2 – try to take into account the considerations that follow from Article 23, subsection 2, within the area of life that the data controller wants to limit.

This means, for example, that the data controller is obliged to consider which risks are associated with an exception from the duty to provide information or the right of access for the data subject, cf. the data protection regulation, article 23, subsection 2, letter g. Thus, for example whether there will be a risk that the information collected is incorrect.

Furthermore, the data controller will be able, for example, in connection with an exception from the right of access for the sake of the freedoms of others, to notify the data subject of this restriction, cf. the data protection regulation, article 23, subsection 2, letter h.

Finally, it is directly incumbent upon the provisions of subsection 1 and 2 the data controller to take into account the scope of the restrictions introduced, cf. the data protection regulation article 23, subsection 2, letter c, as the data controller must make a concrete assessment of whether there are decisive considerations for each individual piece of information.

3.3. Judgment of the European Court of Justice in case C-579/21

On 22 June 2023, the Court of Justice of the European Union delivered judgment in case C-579/21. In the case, the European Court of Justice was asked to decide whether log files – including the identity of the persons who have accessed the information in the log – are covered by the right of access in Article 15 of the Data Protection Regulation. The European Court of Justice stated the following in this regard:

"37. With the first and second questions, which must be dealt with together, the referring court specifically wants information on whether the data protection regulation's article 15, subsection 1, shall be interpreted as meaning that information regarding searches of a person's personal data, regarding the dates and purpose of these searches and regarding the identity of the natural persons who have carried out the searches in question constitutes information that the person concerned pursuant to this provision have the right to obtain from the data controller pursuant to this provision.

It should be noted at the outset that it is clear from established practice that when interpreting an EU legal provision, account must not only be taken of its wording, but also of the context in which it forms part and the goals pursued with that arrangement , of which it forms part (judgment of 12.1.2023, Österreichische Post (Information on recipients of personal data), C-154/21, EU:C:2023:3, paragraph 29). As regards, firstly, the wording of the data protection regulation, Article 15, paragraph 1, it should be noted that this provision stipulates that the data subject has the right to obtain the data controller's confirmation as to whether personal data relating to the person in question is being processed, and, if applicable, access to the personal data and information about e.g. the purposes of the processing and about the recipients or categories of recipients to whom the personal data is or will be disclosed. In this connection, it must be emphasized that the concepts referred to in the data protection regulation's article 15, subsection 1, is defined in Article 4 of this Regulation. Firstly, with regard to Article 4, No. 1 of the Data Protection Regulation, this provision states that personal data means "any type of information about an identified or identifiable natural person", and it clarifies , that "identifiable natural person" means a natural person who can be directly or indirectly identified, in particular by an identifier such as e.g. a name, an identification number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person'. The use of the term 'any form of information' in the definition of the term 'personal data', which appears in this provision, reflects the EU legislator's intention to give the term a broad meaning, so that it potentially includes any form of information, both objective and subjective in the form of opinions or assessments, provided that the information is "about" the person concerned (judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 23). In this regard, it has been established that information relates to an identified or identifiable natural person if, due to its content, purpose or effect, it is linked to an identifiable person (judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C- 487/21, EU:C:2023:369, paragraph 24). As far as the characterization of information about a person as "identifiable" is concerned, recital 26 of the data protection regulation states that "all means [should] be taken into account that can reasonably be thought to be used by the data controller or another person to directly or indirectly identify, including designate, the person in question'. It follows from this that the broad definition of the term "personal data" includes not only the information collected and stored by the data controller, but also all information resulting from the processing of personal data relating to an identified or identifiable person (cf. in this regard, judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 26). Secondly, with regard to the concept of "processing" as defined in Article 4, No. 2 of the Data Protection Regulation, it must be stated that the EU legislator, by using the term "any activity", intended to give this concept a wide scope, which is expressed by a non-exhaustive nature of any activity or series of activities to which personal data or a collection of personal data is made subject, e.g. collection, registration, storage or search (see in this regard judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 27). As regards, thirdly, Article 4, No. 9 of the Data Protection Regulation), it is clarified here that "recipient" means "a natural or legal person, a public authority, an institution or another body to which personal data is disclosed, regardless of whether is a third party or not'. In this regard, the Court has held that the data subject has the right to obtain information from the data controller about the specific recipients to whom the personal data concerning the person concerned is or will be passed on (judgment of 12.1.2023, Österreichische Post (Information on recipients of personal data ), C-154/21, EU:C:2023:3, paragraph 46). It therefore follows from an analysis of the wording of the data protection regulation, Article 15, subsection 1, and of the concepts referred to in the provision, that the right to access that the data subject has pursuant to this provision is characterized by the broad scope of the information that the data controller must provide to the data subject. Next, regarding the context in which the data protection regulation's article 15, paragraph 1, is included, it should firstly be noted that it follows from the 63rd recital to this regulation that the data subject should have the right to know and be informed about, in particular, the purposes for which the personal data is processed, if possible the period during which the personal data is processed , and about the recipients of the personal data. Secondly, it should be noted that recital 60 of the Data Protection Regulation states that the principles of fair and transparent processing require the data subject to be informed of the existence of processing activities and their purpose, emphasizing that the data controller should provide the data subject with any additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and conditions under which the personal data is processed. It also follows from the principle of transparency referred to by the referring court, which appears in recital 58 of the data protection regulation, and which is expressly stated in Article 12(1) of that regulation. 1, that all information sent to the data subject must be concise, easily accessible, easy to understand and formulated in clear and simple language. In this regard, it is clarified in the data protection regulation article 12, paragraph 1, that the information is given in writing or by other means, including, if appropriate, electronically, and, when the data subject requests it, orally. This provision is an expression of the principle of transparency and aims to enable the data subject to obtain a full understanding of the information transmitted (judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023: 369, paragraph 38 and the case law mentioned therein). It follows from the above analysis of the context that the data protection regulation's article 15, subsection 1, constitutes one of the provisions which aim to ensure transparency in connection with the processing of personal data in relation to the registered person. Finally, this interpretation is supported by the scope of the right to access, which is set out in the data protection regulation's article 15, subsection 1, of the objectives pursued by this regulation. Firstly, and as is clear from the 10th and 11th recitals of this regulation, it aims to ensure a uniform and high level of protection for natural persons within the EU and to strengthen and clarify the rights of the persons concerned. In addition, it appears from the 63rd recital to the data protection regulation that a person's right to access personal data that has been collected about him and to that in this regulation's article 15, paragraph 1, the information referred to, primarily aims to make it possible for this person to ascertain and check the legality of a processing. It follows from this consideration and from what was stated in paragraph 50 of this judgment that every data subject should have the right to know and be informed about, in particular, the purposes for which the personal data is processed, if possible the period during which the personal data is processed, about the recipients of the personal data and about the logic behind processing the personal data. In this regard, secondly, it should be noted that the Court of Justice has already established that the right of access laid down in Article 15 of the Data Protection Regulation must enable the data subject to ensure that the personal data concerning him or her are correct and that the processed lawfully (judgment 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 34). This right of access is in particular necessary for the data subject to exercise his right to rectification, the right to erasure ('right to be forgotten') and the right to restriction of processing, which are granted to the data subject in the respective articles of the Data Protection Regulation 16 and Article 18, and the right to, in accordance with Article 21 of the Data Protection Regulation, object to the processing of his personal data, as well as, see Articles 79 and 82 of the Data Protection Regulation, the right to initiate legal remedies if he has suffered damage (judgment 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 35 and the case-law cited therein). Article 15, subsection of the Data Protection Regulation 1, therefore constitutes one of the provisions aimed at ensuring the transparency of the procedure for processing personal data in relation to the data subject (judgment of 12.1.2023, Österreichische Post (Information on recipients of personal data), C-154/21, EU:C:2023:3, paragraph 42), without which the data subject would not be able to assess the lawfulness of the processing of his data and exercise the powers that, among other things, is laid down in this regulation's articles 16-18, 21, 79 and 82. In the present case, it appears from the referral decision that J.M. requested Pankki S to be provided with information about the searches to which his personal data had been subject between 1 November 2013 and 31 December 2013, and information about the dates of these searches, their purpose and the identity of the persons who had carried out the searches. The referring court stated that the transmission of the log files generated in connection with those searches made it possible to respond to J.M.'s request. In the present case, it is undisputed that the searches to which the personal data of the plaintiff in the main proceedings have been subject constitute a "processing" within the meaning of Article 4, No. 2 of the Data Protection Regulation), which implies that the plaintiff in the main proceedings, pursuant to this regulation article 15, subsection 1, not only has the right to access this personal data, but also the right to obtain the information referred to in the latter provision about the searches in question. As for the information that J.M. has requested, the notification of the dates of the searches first makes it possible for the data subject to get confirmation that his personal data at a given time has actually been the subject of processing. Furthermore, since the conditions for legality laid down in Articles 5 and 6 of the Data Protection Regulation must be met at the time of the processing itself, the date of the processing constitutes an element that makes it possible to verify its legality. Next, it should be noted that information about the purpose of the processing expressly falls under the data protection regulation's article 15, subsection 1, letter a). Finally, this regulation's article 15, paragraph 1, letter c), that the data controller informs the data subject of the recipients to whom the data subject's information has been disclosed. As regards more precisely a communication of this information through the provision of log files relating to the processing activities referred to in the main case, it should be noted that the data protection regulation's article 15, paragraph 3, first sentence, stipulates that the data controller "provides a copy of the personal data that is processed". In this regard, the Court has already established that the term "copy" used in this way denotes an exact reproduction or copy of an original, so that a purely general description of the data that is the subject of processing or a reference to categories of personal data does not corresponds to this definition. It also appears from the wording of this regulation's article 15, subsection 3, first sentence, that the obligation to provide information relates to the personal data that is the subject of the processing in question (see in this regard judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 21). The copy to be provided by the data controller must contain all the personal data processed, exhibit all the characteristics that enable the data subject to effectively exercise his rights under this Regulation, and must therefore reproduce this information completely and exactly (see in this regard judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraphs 32 and 39). In order to ensure that the information thus provided is easy to understand, as required by the data protection regulation, Article 12, paragraph 1, together with the 58th recital hereto, it may be necessary to reproduce extracts of documents as well as entire documents or extracts from databases which, among other things, contains the personal data that is the subject of processing, when a contextualization of the processed data is necessary to ensure their comprehensibility. In particular, when personal data is generated on the basis of other information, or when such information originates from free fields, i.e. failure to provide information about the data subject, the context in which this information is processed is a necessary element to provide the data subject with transparent access to and an easy-to-understand presentation of this information (judgment 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C- 487/21, EU:C:2023:369, paragraphs 41 and 42). As the attorney general has stated in points 90-88 of the proposed decision, the log files which contain the information that J.M. has requested, for records of processing activities as referred to in Article 30 of the Data Protection Regulation. They shall be considered to be covered by the measures mentioned in Recital 74 of this Regulation, which are carried out by the data controller in order to demonstrate that the processing activities are compatible with this Regulation. Article 30, subsection of the same regulation. 4, specifies in particular that these lists must be made available to the supervisory authority upon request. Insofar as these records of processing activities do not contain information about an identified or identifiable natural person as referred to in the jurisprudence mentioned in paragraphs 42 and 43 of this judgment, these records only enable the data controller to fulfill its obligations towards the supervisory authority that requests their release. More specifically, with regard to the data controller's log files, it may be necessary to send a copy of the information referred to in these files in order to fulfill the obligation to give the data subject access to all the information referred to in Article 15 of the Data Protection Regulation. 1, and to ensure fair and transparent processing that enables the data subject to fully exercise his rights under the Data Protection Regulation. Firstly, such files show that the information has been processed, which constitutes information to which the data subject must have access in accordance with Article 15, paragraph 1 of the Data Protection Regulation. 1. The files also provide information on how often and to what extent searches have been made, so that the data subject can ensure that the processing carried out is actually justified by the purposes stated by the data controller. Second, these files contain information about the identity of the people who made the search. In the present case, it appears from the referral decision that the persons who have carried out the searches referred to in the main case are employees of Pankki S, who have acted under Pankki S's management and on instructions from the bank. Although it is true that it appears from the data protection regulation's article 15, paragraph 1, letter c), that the data subject has the right to obtain from the data controller information about the recipients or categories of recipients to whom the personal data is or will be passed on, the data controller's employees cannot, as stated in paragraphs 47 and 48 of this judgment, be considered to be "recipients" as referred to in the data protection regulation, Article 15, subsection 1, letter c), when they process personal data under the direction of the said data controller and on instructions from that person, as stated by the general counsel in point 63 of the proposed decision. In this regard, it must be emphasized that according to Article 29 of the Data Protection Regulation, anyone who performs work for the data controller and who has access to personal data only processes this information on instructions from the data controller. Having said this, the information contained in the logs relating to the persons who have carried out searches of the data subject's personal data may constitute information such as that referred to in Article 4(1) of the Data Protection Regulation and as that which is referred to in paragraph 41 of the present judgment, which enables the data subject to check the lawfulness of the processing to which his personal data has been subject, and in particular to ensure that the processing activities have actually been carried out under the authority of the data controller and after instructions from this. Nevertheless, first of all, it appears from the decision for reference that such information in log files as those at issue in the main proceedings make it possible to identify the employees who have carried out the processing activities and contain such personal data about the employees in question as those referred to in the Data Protection Regulation Article 4(1). In this regard, it should be noted that with regard to the right of access pursuant to Article 15 of the Data Protection Regulation, it is specified in the 63rd recital to this regulation that "[this right] may not [...] infringe on the rights or freedoms of others". According to the fourth recital to the data protection regulation, the right to the protection of personal data is not an absolute right, but must be seen in the context of its function in society and weighed in relation to other fundamental rights (cf. in this regard judgment of 16.7.2020, Facebook Ireland and Schrems, C-311/18, EU:C:2020:559, paragraph 172). Although the disclosure of information about the identity of the data controller's employees to the person who is the subject of the processing may prove necessary for the latter to ensure that the processing of that person's personal data is lawful, this may nevertheless violate the rights of the employees and freedoms. In the event of a conflict between, on the one hand, the exercise of a right of access, which ensures the effective effect of the rights that the data protection regulation confers on the data subject, and on the other hand, the rights or freedoms of others, it is necessary in such circumstances to carry out a balancing the rights or freedoms in question. If possible, methods must be chosen which do not infringe the rights or freedoms of others, taking into account – as stated in recital 63 of the data protection regulation – that these assessments must not "result in a refusal to provide all information to the registered' (cf. in this regard judgment of 4.5.2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 44). However, it must be noted, secondly, that it appears from the referral decision that J.M. has not requested information about the identity of the employees of Pankki S who have searched his personal data on the grounds that they did not actually act under the direction of the data controller and according to the person's instructions, but that J.M. seems to have doubts about the accuracy of the information that Pankki S has passed on about the purpose of the searches in question. If, under such circumstances, the data subject is of the opinion that the information provided by the data controller is insufficient for the data subject to disprove the doubts he or she harbors regarding the legality of the processing of the data subject's personal data been the subject of, the registered person has, in accordance with this regulation's article 77, subsection 1, the right to lodge a complaint with the supervisory authority, which in accordance with the same regulation's article 58, subsection 1, letter a), has the power to request the data controller to forward all information that the supervisory authority needs to process the data subject's complaint. It follows from the above considerations that the data protection regulation's article 15, subsection 1, shall be interpreted as meaning that information regarding searches of a person's personal data and regarding the dates and purpose of these searches constitute information which the person concerned has the right to obtain from the data controller in accordance with this provision. This provision, on the other hand, does not prescribe such a right as regards information about the identity of the data controller's employees who have carried out the searches under the direction of the data controller and on instructions from the latter, unless this information is necessary for the data subject to effectively exercise his rights in accordance with this regulation, and provided that the employees' rights and freedoms are observed."

3.4. The specific case

A log is a file in which an IT system stores information about its operation and use. Depending on the nature of the log, a log may contain personal data.

In his request, which was sent to the Ministry of the Interior and Health on 20 November 2013 with a view to the ministry's position, the complainant has requested insight into the companies and authorities that have historically subscribed to information about him in the CPR register. This is thus a limited request in the aforementioned.

Based on the information provided by the Ministry of the Interior and Health, the Danish Data Protection Authority assumes that the CPR's security log contains information about (historical) subscriptions for a certain period of time after they have ceased to be active.

Article 15, subsection of the Data Protection Regulation 1, implies that the data subject has the right to obtain confirmation from the data controller as to whether personal data relating to the person in question is being processed, and, if applicable, access to the personal data and the information set out in points a-h of the provision, including in accordance with point c, information about the recipients or categories of recipients to whom the personal data is or will be disclosed.

When it comes to access to log files, it follows from the European Court of Justice's decision in case C-579/2 – specifically its paragraph 83 – that the right to access according to the Data Protection Regulation, Article 15, paragraph 1, implies that information regarding searches in a person's personal data and regarding the dates and purpose of these searches constitutes information which the person concerned has the right to obtain from the data controller in accordance with this provision.

On this basis, the Danish Data Protection Authority finds that the right to access according to the data protection regulation, article 15, subsection 1, including its letter c, implies that the complainant has the right to the information about which companies and authorities which (historically) have subscribed to information about him in the CPR register, which appears in the CPR's security log.

The Danish Data Protection Authority notes in this connection that the data subject's purpose in requesting access cannot be given importance in relation to whether personal data is covered by the right to access according to Article 15 of the Data Protection Regulation. In addition, even though the CPR's security log, as stated by the Interior and The Ministry of Health, may not be used in isolation to check the legality of the treatment, insight into this could contribute to this. By gaining insight into the CPR's security log, the registered person will be able to contact the relevant authority or company to find out more about the background for a subscription.

As is evident from the Ministry of the Interior and Health's refusal of access to complaints, however, the ministry is of the opinion that – regardless of the fact that there is basically a right to access the information – an exception to the right to access can be made with reference to section 22, subsection of the Data Protection Act . 2.

The Danish Data Protection Authority understands at the Ministry of the Interior and Health that the refusal is mainly based on the resources that would be associated with processing and responding to a request for access to the CPR's security log, including because the log will have to be reviewed for any confidential postings.

In this connection, the Danish Data Protection Authority is of the opinion that the provision in the Data Protection Act § 22, subsection 2, aims to avoid that information which is of importance to the interests stated in the provision, and which must therefore be kept secret, must be disclosed in connection with the response to a request for access. On the other hand, consideration of the data controller's (financial) interest in not spending significant resources on answering a request for insight cannot be considered covered by the provision. 

Furthermore, a general reference to the fact that it will be (too) resource-intensive to respond to a request for access as a reason for rejecting a request for access would be contrary to the requirement that the data controller must make a concrete assessment of whether there is a decisive consideration for each individual piece of information. This is because it will typically be this specific assessment that requires resources.

On that basis, the Danish Data Protection Authority finds that the Ministry of the Interior and Health does not, with the stated justification, with reference to section 22, subsection of the Data Protection Act. 2, may refuse to give the complainant information about the companies and authorities that have historically subscribed to information about him in the CPR register.

The Danish Data Protection Authority notes in this connection that the Danish Data Protection Authority has not taken a decision on whether there may be specific subscriptions etc. which should be kept secret.

In light of the Norwegian Data Protection Authority's long-standing practice that there was no right of access to security logs, which has been changed with this decision, there is no basis for expressing criticism.

If the Ministry of the Interior and Health receives a renewed request for access from complainants, the Danish Data Protection Authority assumes that the Ministry of the Interior and Health will process the request in accordance with the decision in the present case.
Retrieved from "https://gdprhub.eu/index.php?title=Datatilsynet_(Denmark)_-_2024-32-0283&oldid=42414"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki