Datatilsynet (Denmark) - 2021-31-5542: Difference between revisions

From GDPRhub
m (Adding GDPR articles to the short summary)
Line 76: Line 76:


=== Facts ===
=== Facts ===
In July 2021, the Danish Conservative People's Party (controller) hired a law firm Plesner (processor), to investigate information published in the press about potential sexual violence by its high-profile member toward several women. As part of the legal investigation, the processor collected information through interviews with the women who reported the violence and the data subject himself. Later, in September 2021, after being excluded from the party and the parliamentary group, the data subject complained to the DPA.
In July 2021, the Danish Conservative People's Party (controller) hired a law firm (processor) to investigate information published in the press about potential sexual violence by one of its high-profile members toward several women. As part of the legal investigation, the processor collected information through interviews with the women who reported the violence and the data subject himself. Later, in September 2021, after being excluded from the party and the parliamentary group, the data subject complained to the DPA.


The processor explained to the DPA that it processed the data subject's information on several legal bases:
The processor explained to the DPA that it processed the data subject's information on several legal bases:
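
Review bot: the Facts paragraph in this hunk drops the processor's name ("a law firm Plesner" becomes "a law firm") and rewords "its high-profile member" to "one of its high-profile members", yet the edit summary only says "Adding GDPR articles to the short summary" and the revision is flagged minor. Suggest mentioning the Facts rewording in the summary or moving it to its own revision, so that the removal of the name is traceable in the page history.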
Line 91: Line 91:


=== Holding ===
=== Holding ===
The DPA agreed that the controller had a legitimate interest in assessing whether the data subject could continue to be a member of the party and the parliamentary group in light of the allegations published in the press. In addition, processing the complaints was necessary for the investigation, and the data subject's rights and freedoms did not precede the controller's legitimate interest. In its reasoning, the DPA took into account that the controller initiated the investigation right after the allegations were published in the press, the nature of the claims and that the data subject was a high-profile member of the parliamentary group representing the party and the Danish society at large.
The DPA agreed that the controller had a legitimate interest in assessing whether the data subject could continue to be a member of the party and the parliamentary group in light of the allegations published in the press. In addition, processing the complaints was necessary for the investigation, and the data subject's rights and freedoms did not precede the controller's legitimate interest. In its reasoning, the DPA took into account that the controller initiated the investigation right after the allegations were published in the press, the nature of the claims and that the data subject was a high-profile member of the parliamentary group representing the party and the Danish society at large. The DPA also held that the controller could process information about the (possible) criminal offence for the same legitimate interest under Article 8(3)(2) of the Danish Data Protection Act because it clearly exceeded the interests of the data subject.


The DPA also held that the controller could process information about the (possible) criminal offence for the same legitimate interest under Article 8(3)(2) of the Danish Data Protection Act because it clearly exceeded the interests of the data subject.
However, the controller could not rely on [[Article 9 GDPR#2d|Article 9(2)(d) GDPR]] in processing information about the data subject's sexual relationships because carrying out a legal investigation cannot be considered part of the controller's legitimate activities. In this regard, the DPA held that there must be a connection between the organization's purpose and the personal data. Therefore, an organization will not necessarily be able to process all information listed in [[Article 9 GDPR#1|Article 9(1) GDPR]] on the basis of [[Article 9 GDPR#2d|Article 9(2)(d)]]. Nonetheless, the DPA agreed that the controller could process information about sexual relationships under [[Article 9 GDPR#2f|Article 9(2)(f) GDPR]] because of the possible legal claim arising from the data subject's subsequent exclusion from the Conservative Party.
 
However, the controller could not rely on [[Article 9 GDPR#2d|Article 9(2)(d) GDPR]] in processing information about the data subject's sexual relationships because carrying out a legal investigation cannot be considered part of the controller's legitimate activities. In this regard, the DPA held that there must be a connection between the organization's purpose and the personal data. Therefore, an organization will not necessarily be able to process all information listed in [[Article 9 GDPR#1|Article 9(1) GDPR]] on the basis of [[Article 9 GDPR#2d|Article 9(2)(d)]].
 
Nonetheless, the DPA agreed that the controller could process information about sexual relationships under [[Article 9 GDPR#2f|Article 9(2)(f) GDPR]] because of the possible legal claim arising from the data subject's subsequent exclusion from the Conservative Party.


Finally, the DPA held that the privacy policies could neither independently nor collectively be considered to contain sufficient information about processing information in connection with the legal investigation. According to the DPA, the scope and nature of the investigation impose stricter requirements on processing transparency. Thus, the data subject should have received more precise information about the processing, particularly the legitimate interests under [[Article 14 GDPR#2b|Article 14(2)(b) GDPR]], and so get the possibility to exercise their right under [[Article 21 GDPR#1|Article 21(1) GDPR]]. Therefore, the DPA reprimanded the controller and processor for not providing the data subject with sufficient information under [[Article 14 GDPR]].
Finally, the DPA held that the privacy policies could neither independently nor collectively be considered to contain sufficient information about processing information in connection with the legal investigation. According to the DPA, the scope and nature of the investigation impose stricter requirements on processing transparency. Thus, the data subject should have received more precise information about the processing, particularly the legitimate interests under [[Article 14 GDPR#2b|Article 14(2)(b) GDPR]], and so get the possibility to exercise their right under [[Article 21 GDPR#1|Article 21(1) GDPR]]. Therefore, the DPA reprimanded the controller and processor for not providing the data subject with sufficient information under [[Article 14 GDPR]].
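
Review bot: in the Holding hunk, four paragraphs become two with no wording change: the sentence on Article 8(3)(2) of the Danish Data Protection Act is appended to the legitimate-interest paragraph, and the "Nonetheless" sentence on Article 9(2)(f) is folded into the paragraph rejecting Article 9(2)(d). Suggest keeping the Article 9(2)(f) sentence as its own paragraph so the accepted legal basis is not buried after the rejected one, and noting the restructuring in the edit summary.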

Revision as of 14:01, 21 September 2022

Datatilsynet - 2021-31-5542
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 6(1)(f) GDPR; Article 9(2)(d) GDPR; Article 9(2)(f) GDPR; Article 14 GDPR; §8(3)(2) Danish Data Protection Act
Type: Complaint
Outcome: Partly Upheld
Started: 20.09.2021
Decided: 06.09.2022
Published: 13.09.2022
Fine: n/a
Parties: The Conservative People’s Party; Plesner
National Case Number/Name: 2021-31-5542
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Vadym Kublik

The Danish DPA held that a political party had a sufficient legal basis under Article 6(1)(f) GDPR to investigate its member for alleged sexual violence. However, it reprimanded the controller and processor for not informing the data subject about the processing as obliged by Article 14(2)(b) GDPR.

English Summary

Facts

In July 2021, the Danish Conservative People's Party (controller) hired a law firm (processor) to investigate information published in the press about potential sexual violence by one of its high-profile members toward several women. As part of the legal investigation, the processor collected information through interviews with the women who reported the violence and the data subject himself. Later, in September 2021, after being excluded from the party and the parliamentary group, the data subject complained to the DPA.

The processor explained to the DPA that it processed the data subject's information on several legal bases:

  1. Information about the accusations:
    • Article 6(1)(f) GDPR. Investigating the allegations was necessary for the controller's legitimate interest in deciding whether the data subject could continue to be a member of the party and the parliamentary group.
  2. Information about (possible) criminal offences:
  3. Information about sexual relationships:
    • Article 9(2)(d) GDPR. The controller is a not-for-profit political party and, therefore, can internally process information covered by Article 9 GDPR about its members for its legitimate activities.
    • Article 9(2)(f) GDPR. Processing was necessary to establish, exercise or defend a legal claim. In this regard, the processor argued that the term "legal claim" should not be limited to current legal proceedings and may relate to actual or prospective court proceedings, obtaining legal advice, or establishing, exercising or defending legal rights in any other way.

The processor also pointed out that the data subject received a general privacy policy from the controller when joining the political party and from the processor at the beginning of the investigation.

Holding

The DPA agreed that the controller had a legitimate interest in assessing whether the data subject could continue to be a member of the party and the parliamentary group in light of the allegations published in the press. In addition, processing the complaints was necessary for the investigation, and the data subject's rights and freedoms did not precede the controller's legitimate interest. In its reasoning, the DPA took into account that the controller initiated the investigation right after the allegations were published in the press, the nature of the claims and that the data subject was a high-profile member of the parliamentary group representing the party and the Danish society at large. The DPA also held that the controller could process information about the (possible) criminal offence for the same legitimate interest under Article 8(3)(2) of the Danish Data Protection Act because it clearly exceeded the interests of the data subject.

However, the controller could not rely on Article 9(2)(d) GDPR in processing information about the data subject's sexual relationships because carrying out a legal investigation cannot be considered part of the controller's legitimate activities. In this regard, the DPA held that there must be a connection between the organization's purpose and the personal data. Therefore, an organization will not necessarily be able to process all information listed in Article 9(1) GDPR on the basis of Article 9(2)(d). Nonetheless, the DPA agreed that the controller could process information about sexual relationships under Article 9(2)(f) GDPR because of the possible legal claim arising from the data subject's subsequent exclusion from the Conservative Party.

Finally, the DPA held that the privacy policies could neither independently nor collectively be considered to contain sufficient information about processing information in connection with the legal investigation. According to the DPA, the scope and nature of the investigation impose stricter requirements on processing transparency. Thus, the data subject should have received more precise information about the processing, particularly the legitimate interests under Article 14(2)(b) GDPR, and thereby been given the possibility to exercise their right under Article 21(1) GDPR. Therefore, the DPA reprimanded the controller and processor for not providing the data subject with sufficient information under Article 14 GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Conservative People's Party had a legal basis for conducting a lawyer's investigation

Date: 06-09-2022

Decision, Private companies, Criticism, Complaint, Basis of processing, Obligation to disclose, Sensitive information, Criminal matters

The Danish Data Protection Authority has made a decision in yet another case where a complainant has complained about the processing of information about him in a lawyer's investigation.

Journal number: 2021-31-5542

Summary

In September 2021, the complainant complained to the Data Protection Authority that the Conservative People's Party and Plesner Advokatpartnerselskab had processed information about him in a legal investigation.

The investigation was carried out by Plesner Advokatpartnerselskab on behalf of the Conservative People's Party with the aim of uncovering the course of action regarding several accusations of alleged sexual abuse and assault, which were made against the complainant in the daily press.

The Danish Data Protection Authority has found in the case that the Conservative People's Party and Plesner Advokatpartnerselskab's processing of information about the complainant - including information about possible criminal offenses and information about sexual relations - took place within the framework of the Data Protection Regulation and the Data Protection Act.

However, the Danish Data Protection Authority has found grounds for criticizing that neither the Conservative People's Party nor Plesner Advokatpartnerselskab sufficiently fulfilled the duty to provide information under data protection law to the complainant in connection with the conduct of the legal investigation.

The Danish Data Protection Authority has not dealt with this

The case is - like one of the authority's previous decisions from February 2022 - part of a debate that goes far beyond data protection law. In assessing the case, the Danish Data Protection Authority has exclusively considered the legal aspect in relation to the collection and further processing of information about the complainant.

The Danish Data Protection Authority has therefore also not dealt with whether the Conservative People's Party had a legal basis for excluding the complainant, as this is outside the authority's competence.

Decision

The Danish Data Protection Authority hereby returns to the case where [X] (hereafter complainant) complained to the authority on 16 September 2021 that the Conservative People's Party (hereafter KF) and Plesner Advokatpartnerselskab (hereafter Plesner) have processed information about him in a legal investigation.

The Danish Data Protection Authority notes that this decision is a position on the cases with the Data Protection Authority's journal numbers (j.nr.) 2021-31-5542 and 2021-31-5543.

1. Decision

After a review of the case, the Danish Data Protection Authority finds that KF's and Plesner's processing of information about the complainant has taken place within the framework of the rules in the data protection regulation[1], cf. article 6 and article 9, and section 8 of the data protection act[2].

The Danish Data Protection Authority, however, finds grounds to express criticism that KF and Plesner have not sufficiently fulfilled the obligation to provide information pursuant to Article 14 of the Data Protection Regulation.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

It appears from the case that Danmarks Radio (DR) carried an article on 2 July 2021 in which five women accused the complainant of sexual abuse.

As a result, on July 2, 2021, KF requested Plesner to conduct a legal investigation.

On 5 July 2021, terms of reference for the legal investigation were agreed between KF and Plesner. These stated, among other things:

1 BACKGROUND

On 2 July 2021, the Conservative People's Party has decided to initiate an external lawyer's investigation into the serious accusations of alleged sexual abuse and assault that have been made in the daily press against [X].

2 THE LIMITATION OF THE LAWYER'S EXAMINATION

Plesner must carry out a factual investigation of the complaints made in the daily press regarding [X's] alleged sexual violations and abuse. In this connection, Plesner must also investigate whether it is possible to obtain more information from the anonymous complainants and whether they wish to disclose their identity.

Plesner must further process any subsequent supplementary complaints or reports.

3 CONDUCT OF THE LAWYER EXAMINATION

Plesner has the opportunity to obtain written documentation and hold interviews. All interviews will be based on voluntariness, and the interviewees will be given the opportunity to meet with co-sitters. All interviews will begin with instructions to the interviewees that at any point during the interview they have the opportunity to ask for a break or indicate that they do not wish to continue the interview.

Minutes will be written of all interviews, and the interviewees will have the opportunity to review and comment on the minutes from their own interview. The minutes constitute Plesner's internal working documents and will not be sent to the Conservative People's Party together with Plesner's report.

If an interviewed person announces that they wish to remain anonymous, the interview will still be carried out, but in that case the person concerned will initially be advised that, as a result of the anonymity, Plesner will possibly fail to attach the usual weight to the information, if a normal evidentiary use of the information will give rise to legal certainty concerns.

[X] will also be offered an interview. In addition, when all planned interviews have been completed, [X] will be offered the opportunity to participate in an interview, where he will have the opportunity to be made aware of and comment on the most significant matters that Plesner has uncovered through the investigation. Participation in the investigation will be conditional on [X] signing a declaration of confidentiality beforehand while the investigation is in progress, and that he refrains from contacting persons he becomes aware of who have provided information to Plesner. […]”

On 7 July 2021, the complainant's lawyer received an email with an invitation to an interview from Plesner. The email stated, among other things, the following:

“[…]

The interviewee's rights

In addition to the above […], we can state that the legal investigation generally intends to determine the course of action regarding the serious accusations of alleged sexual abuse and assault that have been made in the daily press against [X].

[…]

Obligation to provide information

As an investigating lawyer, I must ensure that the duty to provide information is observed according to the data protection legal regulations. This implies that I hereby inform you that, e.g. emails and other correspondence from and to [X] will be collected and reviewed as part of the purpose of the investigation.”

The interview with the complainant was held on 9 July 2021.

Plesner then conducted interviews with the women who had made reports, after which an interview with the complainant was again conducted on 23 July 2021. In connection with the interview, the complainant was presented with the most significant matters that Plesner had uncovered, including through interviews with the women who had made reports.

On 12 August 2021, a final meeting was held with the complainant and the complainant's lawyer.

The investigation was then completed on 16 August 2021, when Plesner reported to KF, whereby KF received a statement and an appendix A with associated sub-appendices. Annex A contained a description of the individual reports, the complainant's comments and additional information on the individual reports. According to Plesner, Annex A contained strictly confidential information and, to a certain extent, also sensitive personal data.

The complainant then complained to the Danish Data Protection Authority on 16 September 2021, after which the Danish Data Protection Authority sent the complaint to a hearing on 20 September 2021 and requested an opinion on the matter from KF and Plesner, respectively.

On 16 November 2021, Plesner submitted statements on the matter on behalf of KF and of Plesner itself.

The statements were sent to the complainant on 18 November 2021. The complainant has not made any comments on them.

3. KF's and Plesner's processing of personal data

3.1. The parties' comments

KF and Plesner have generally stated that Plesner, on behalf of KF, has carried out a legal investigation. In addition, KF and Plesner have referred to the Danish Bar Association's practical guidance for conducting lawyer investigations, in which different types of lawyer investigations are described. The following appears on page 2 of the guidance:

"The concept of legal investigations has been used and continues to be used in practice for a number of different types of investigations. It can be extensive lawyer investigations that are used as an alternative to setting up a commission of inquiry. But it can also be a lawyer's investigation of facts, e.g. in the company for which the lawyer is an adviser, or an investigation of the factual and legal circumstances of a public authority or a private company, including more politically focused investigations. Lawyer investigations thus cover investigations as part of ordinary legal work for impartial investigations and for actual investigations."

The investigation concerning the complainant was agreed as an investigation with the purpose of elucidating the factual circumstances regarding the accusations that had been made publicly against the complainant, so that KF was given the opportunity to assess whether the complainant could continue to be a member of KF and the conservative parliamentary group.

KF did not initiate the investigation itself, as the party does not have the resources and experience with such investigations, and the party therefore decided to use its lawyer – Plesner – for this.

The investigation was not public, and it was thus a question of confidential advice by the party in the form of an elucidation of factual matters.

As part of the investigation, KF and Plesner collected and processed information about the complainant. This information constituted information covered by Article 6 and Article 9 of the Data Protection Regulation and Section 8 of the Data Protection Act.

KF and Plesner have explained in detail that a large part of the information that was collected about the complainant constituted information covered by Article 6 of the Data Protection Regulation. In addition, information was processed about the complainant's sexual relationship covered by Article 9 of the Data Protection Regulation as well as information that could be characterized as information about possible criminal offenses according to Section 8 of the Data Protection Act.

Processing of the information in question is, as far as KF is concerned, based on Article 6, subsection 1, letter f, of the Data Protection Regulation; Section 8, subsection 3, 2nd sentence, of the Data Protection Act; and Article 9, subsection 2, letter d, of the Data Protection Regulation.

In relation to the data protection regulation's article 6, subsection 1, letter f, KF and Plesner have stated that KF had a legitimate interest in clarifying the factual circumstances in relation to the alleged sexual violations and assaults committed by the complainant. This clarification of the factual circumstances was of decisive importance for KF's ability to assess whether the complainant could continue to be a member of KF and the conservative parliamentary group.

KF and Plesner have stated in this connection that it appears from § 26 of KF's statutes that the main board can exclude a member of the party if the member opposes the party's policy and acts or violates the party's statutes in crucial matters. KF and Plesner have also stated that the facts that were highlighted in the lawyer's investigation led to KF notifying the complainant on 18 August 2021 that he could no longer be a member of KF and the party's parliamentary group.

Regarding Section 8, subsection 3, 2nd point, of the Data Protection Act, KF and Plesner have explained in detail that the processing of information about possible criminal offenses has been necessary in order for KF to safeguard a legitimate interest in clarifying the factual circumstances in relation to the alleged sexual violations and assaults.

KF's interest in clarifying the factual circumstances in relation to the alleged sexual violations and assaults committed by the complainant - in order to be able to make an assessment of whether the complainant could continue to be a member of KF and the party's parliamentary group - clearly exceeds, in KF's assessment, the consideration for the complainant.

Finally, KF and Plesner have, in relation to the data protection regulation, article 9, subsection 2, letter d, stated that KF is a political party which does not work with profit in mind, and that the party can therefore internally process information covered by Article 9 of the Data Protection Regulation about its members when it is done as part of the party's legitimate activities.

In KF's view, it is a legitimate activity for the party to carry out a thorough internal investigation of the complainant's circumstances, including sexual circumstances, when he is accused in public of having committed sexual violations and assaults - especially when the complainant is a high-profile member of parliament.

The complainant's possible actions committed in work-related and/or private contexts can thus – if not investigated and handled correctly – have a direct impact on KF, including in relation to the party's reputation among the population. It is therefore legitimate for KF to process information about the complainant's sexual relationship for use in an internal assessment of whether the complainant can continue to be a member of KF and the party's parliamentary group.

In conclusion, KF and Plesner have noted that, when carrying out the legal investigation for KF, Plesner has continuously assessed what information it was necessary to collect in order to shed light on the relevant facts in the case. Through these ongoing assessments, Plesner has thereby ensured that the basic principles in Article 5 of the Data Protection Regulation, including Article 5, subsection 1, letter c, on data minimization, have been observed.

In relation to Plesner's processing basis, Plesner has explained that Plesner has only processed information about the complainant with the aim of preparing a legal investigation for KF in accordance with the agreed terms of reference. Plesner, as a lawyer for KF, has therefore "entered" KF's processing authority, whereby Plesner has been able to process the same personal data as its client KF.

The processing basis for ordinary, non-sensitive personal data has been the Data Protection Regulation, Article 6, subsection 1, letter f, as Plesner's client, KF, has had a legitimate interest in clarifying the factual circumstances in relation to the alleged sexual violations and assaults committed by the complainant.

Plesner has also processed information about possible criminal offenses pursuant to section 8, subsection 3, 2nd point, of the Data Protection Act, since processing the information in question was necessary in order for KF to pursue a legitimate interest in clarifying the factual circumstances in relation to the alleged sexual violations and assaults.

Finally, it is stated that the processing basis for Plesner's processing of information about the complainant's sexual relationship has been the data protection regulation's article 9, subsection 2, letters d and f.

In relation to this, Plesner has stated that with regard to Article 9, subsection 2, letter d, Plesner enters into KF's processing basis.

To the extent that the Data Protection Authority finds that Plesner cannot enter into KF's basis for processing, it is Plesner's assessment that Plesner could process information about the complainant's sexual relationship, cf. the data protection regulation, article 9, subsection 2, letter f, since Plesner's processing of the information in question was necessary for KF to make an assessment of whether the complainant could continue to be a member of KF and the conservative parliamentary group. In this connection, Plesner assisted KF with confidential advice in the form of elucidation of factual matters.

In this connection, it is Plesner's opinion that the term "legal claim" in Article 9, subsection 2, letter f, should not be interpreted restrictively, and that the term should thus also be able to accommodate situations other than classic disputes that will often be brought before the courts, such as e.g. authority decisions and decisions from insurance companies on payment of compensation etc.

As support for this, Plesner has referred to the English Data Protection Authority (ICO), which writes the following on its website about the concept of "legal claim":

"Legal claims

You must show that the purpose of the processing is to establish, exercise or defend legal claims. 'Legal claims' in this context is not limited to current legal proceedings. It includes processing necessary for:

    • actual or prospective court proceedings;
    • obtaining legal advice; or
    • establishing, exercising or defending legal rights in any other way.”

The complainant has generally stated that he has been the subject of a legal investigation carried out by Plesner on behalf of KF.

He participated in the investigation only because he had no real choice. This is because very serious accusations had already been made against him in the media, and these accusations would have gone unchallenged if he had not participated in the investigation.

For these reasons, the complainant has therefore not consented to the extensive processing of information about his sexual relationship, which has been carried out by Plesner on behalf of KF.

3.2. The Danish Data Protection Authority's assessment of KF's and Plesner's processing of personal data

3.2.1. Processing of information about complaints according to Article 6 of the Data Protection Regulation

KF and Plesner have stated in the case that information about the complainant covered by Article 6 of the Data Protection Regulation is processed on the basis of Article 6, subsection 1, letter f.

Pursuant to this provision, personal data may be processed if processing is necessary for the data controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms that require the protection of personal data take precedence.

The provision thus sets out three conditions, all of which must be met for the provision to apply:

  1. The processing must pursue the legitimate interest of the data controller or a third party.
  2. The processing must be necessary in relation to the purpose.
  3. The data subject's interests or fundamental rights and freedoms, which require the protection of personal data, must be weighed against the legitimate interest of the data controller, and must not precede this interest.

The Danish Data Protection Authority is of the opinion that KF pursued a legitimate interest when KF – with assistance from Plesner – decided to carry out a closer investigation of the allegations made against the complainant with the aim of providing a factual basis for decision-making in relation to the assessment of whether the complainant could continue to be a member of KF and KF's parliamentary group.

The Danish Data Protection Authority has found no basis for overriding the assessment that the processing of the information about the complainant was necessary in relation to the purpose of the investigation, and it is the Danish Data Protection Authority's opinion that the complainant's interests or fundamental rights and freedoms did not precede KF's legitimate interest in processing the relevant information in connection with the completion of the investigation.

In assessing this, emphasis was placed, among other things, on the fact that at the time of the initiation of the investigation, allegations had been publicly made against the complainant; the nature of the allegations made; and that the complainant at the time of the investigation was a high-profile member of the conservative parliamentary group, who thus represented KF in the Folketing and externally in Danish society.

In summary, it is the Danish Data Protection Authority's assessment that KF's and Plesner's processing of information about the complainant in connection with the legal investigation in question has been carried out within the framework of Article 6, subsection 1, letter f, of the Data Protection Regulation.

3.2.2. Processing of information about (possible) criminal offenses according to Section 8 of the Data Protection Act

KF and Plesner have stated that the processing of information about possible criminal offenses relating to the complainant has taken place pursuant to section 8, subsection 3, 2nd point, of the Data Protection Act.

It appears from the provision that private individuals can process information about criminal matters if it is necessary to safeguard a legitimate interest and this interest clearly exceeds the consideration of the data subject.

Section 8, subsection 3, 2nd point, of the Data Protection Act thus contains a stricter assessment than Article 6, subsection 1, letter f, of the Data Protection Regulation, as the legitimate interest must clearly exceed consideration for the registered person - in this case the complainant.

As stated above under section 3.2.1, it is the Danish Data Protection Authority's view that KF pursued a legitimate interest when KF decided to carry out an investigation into the accusations made against the complainant, in order to assess whether the complainant could continue to be a member of KF and the conservative parliamentary group. Furthermore, the Danish Data Protection Authority is of the opinion that the interest in processing information about the complainant was justified.

The Danish Data Protection Authority has found no basis for overriding KF's and Plesner's assessment of the need to include information about possible criminal offenses relating to the complainant in the investigation.

Furthermore, given the nature of the accusations and the complainant's position as a member of KF and the conservative parliamentary group, it is the Danish Data Protection Authority's assessment that KF's legitimate interest in processing information about possible criminal matters relating to the complainant in connection with the investigation in question clearly exceeds consideration for the complainant. In this connection, emphasis has been placed on the same factors as stated above under section 3.2.1.

As a result, it is the Danish Data Protection Authority's assessment that KF's and Plesner's processing of information about possible criminal offenses relating to the complainant in connection with the lawyer's investigation could take place within the framework of section 8, subsection 3, 2nd point, of the Data Protection Act.

3.2.3. Processing of information about sexual relationships, cf. Article 9 of the Data Protection Regulation

KF and Plesner have stated, in relation to information about the complainant's sexual relationship, that the processing basis for this is the data protection regulation's article 9, subsection 2, letter d.

From this provision it appears that processing of information covered by Article 9 can take place if the processing is carried out by a foundation, an association or another body which does not work for profit and whose purpose is political, philosophical, religious or of a trade union nature, as part of the body's legitimate activities and with the necessary guarantees, and on the condition that the processing only concerns the body's members, former members or persons who, due to the body's purpose, are in regular contact with it, and that the personal data is not passed on outside the body without the data subject's consent.

The following appears from the Ministry of Justice's report no. 1565[3] on the provision:

"3.8.2.4. Section 7, subsection 4, of the Personal Data Act (corresponding to Article 9, paragraph 2, letter d of the Data Protection Regulation)

It follows from section 7, subsection 4, of the Personal Data Act that a foundation, an association or another non-profit organisation, whose aim is of a political, philosophical, religious or professional nature, may, within the framework of its business, process the information mentioned in subsection 1 about the organisation's members or persons who, due to the organisation's purpose, are in regular contact with it. Dissemination of such information can only take place, however, if the data subject has given his express consent to this, or the processing is covered by subsection 2, Nos. 2-4, or subsection 3.

Section 7, subsection 4, of the Personal Data Act is based on the data protection directive's article 8, subsection 2, letter d, from which it follows that the prohibition in subsection 1 does not apply if the processing is carried out by a foundation, an association or another non-profit body whose aim is of a political, philosophical, religious or professional nature, as part of the body's legitimate activities and with the necessary guarantees, on the condition that the processing only concerns the body's members or persons who, due to the body's purpose, are in regular contact with it, and that the information is not passed on to third parties without the data subject's consent.

It appears from preamble no. 33 to the data protection directive that information which, according to its nature, may infringe fundamental freedoms or privacy may not be processed without the express consent of the data subject; however, exemptions from this prohibition must be explicitly allowed to meet certain needs, e.g. in particular in connection with the legitimate activities of certain associations or foundations whose purpose is to ensure the exercise of fundamental freedoms.

It appears from the comments to the Personal Data Act that the organisation's aim must be understood broadly. Covered by the provision will thus be non-commercial organisations, which must be considered to have societal significance. This could, among other things, be the case for associations of people with the same sexual background or disease or associations dealing with e.g. immigrant or refugee issues.

[…]

Finally, it appears from the comments to the Personal Data Act that the requirement that the processing of information must be within the scope of the organisation's business means that it must be a matter of processing information that does not conflict with the organisation's purpose, as this might appear from, among other things, the organisation's statutes. […]"

The same appears in the Data Protection Regulation and the Data Protection Act with comments[4].

Whether information covered by Article 9 of the Data Protection Regulation can be processed on the basis of Article 9, subsection 2, letter d, thus depends on whether the processing of the personal data in question takes place as part of the organisation's legitimate activities.

The assessment of what can be considered to fall under an organisation's legitimate activities must be made on the basis of the organisation's purpose, including e.g. how the purpose is expressed in the organisation's articles of association.

Application of the data protection regulation, article 9, subsection 2, letter d, thus presupposes, in the Data Protection Authority's view, a certain connection between the organization's purpose - and thus what is considered to fall under an organization's legitimate activities - and the personal data that is intended to be processed. An example of such a connection is e.g. a political organization's processing of information about its members' political beliefs.

It is the opinion of the Danish Data Protection Authority that organizations - as understood according to the regulation's article 9, subsection 2, letter d – can only process the personal data listed in the regulation's article 9, subsection 1, to the extent that there is a connection between the organization's purpose and the personal data in question. An organization will therefore not necessarily be able to process all information listed in Article 9, paragraph 1, on the basis of the regulation's article 9, subsection 2, letter d.

In this connection, the Data Protection Authority notes that KF - according to the party's statutes, which are publicly available on the party's website - aims to "bring together everyone who joins the party's program and to work for the spread of conservative attitudes."

In the opinion of the Data Protection Authority, carrying out the lawyer's investigation - and the consequent processing of information about the complainant's sexual relationship - cannot, on the basis of KF's purpose, be considered to have taken place as part of KF's legitimate activities, and processing of information about the complainant's sexual relationship could therefore not take place on the basis of the data protection regulation, article 9, subsection 2, letter d.

However, it is the supervisory authority's assessment that KF's and Plesner's processing of information about the complainant's sexual relationship could take place within the framework of Article 9, subsection 2, letter f, of the Data Protection Regulation.

According to this provision, information about e.g. sexual relations may be processed if processing is necessary for legal claims to be established, asserted or defended, or when the courts act in their capacity as courts.

It also follows from recital no. 52 of the preamble to the data protection regulation that Article 9, subsection 2, letter f, can be used, regardless of whether it is in connection with a court case or an administrative or extrajudicial procedure.

It appears from section 26, subsection 1, of KF's statutes that the main board can exclude one or more members of the party, if the person in question opposes the party's policy in decisive matters and acts or violates the party's statutes.

The (possible) legal claim, which in the Data Protection Authority's opinion could form the basis for processing information about the complainant's sexual relationship, stems from the complainant's membership of KF, combined with the possibilities of reaction in relation to the party's members, which KF's statutes contain.

Against this background, the Danish Data Protection Authority finds no basis for overriding the assessment of the need to process information about the complainant's sexual relationship in order to investigate more closely the accusations that were made against the complainant and, as a result, assess whether the complainant could continue to be a member of KF and the conservative parliamentary group.

4. KF's and Plesner's fulfillment of the obligation to provide information

4.1.

KF and Plesner have stated that when you join KF, you must, among other things, accept the party's Membership and Trading Terms and Conditions, which are linked to when registering.

The privacy policy is part of the Membership and Trading Terms and Conditions, and the complainant was thus presented with the privacy policy in connection with registration in the party. A copy of the privacy policy has been submitted to the Danish Data Protection Authority.

Furthermore, KF and Plesner have stated that, at the start of the legal investigation, the complainant was invited to an interview via e-mail. The email contained a link to Plesner's general privacy policy, which Plesner has presented to the Danish Data Protection Authority.

4.2. The Danish Data Protection Authority's assessment of KF's and Plesner's fulfillment of the obligation to provide information

It appears from Article 14 of the Data Protection Regulation that if personal data has not been collected from the data subject, the data controller must provide the data subject with the information that follows from Article 14, subsection 1, letters a-f.

According to Article 14, paragraph 2, the data controller must also provide the data subject with the information set out in letters a-g of the provision, to the extent necessary to ensure fair and transparent processing as far as the data subject is concerned.

The Danish Data Protection Authority is of the opinion that KF and Plesner have not sufficiently observed the obligation to provide information in accordance with Article 14 of the Data Protection Regulation.

The Danish Data Protection Authority has emphasized that, in the opinion of the Danish Data Protection Authority, the complainant did not receive sufficient information for KF and Plesner's obligations under Article 14 to be considered fulfilled.

During the assessment, emphasis has been placed on the fact that KF's privacy policy, which the complainant has reportedly accepted in connection with his registration with KF, does not contain information on how information about the complainant is processed in connection with the legal investigation in question.

The privacy policy is drawn up in general and overall terms on the basis of KF's general processing activities and thus does not contain sufficient information for the obligation to provide information to be considered observed in relation to the complainant, as far as the processing of information about him that is carried out in connection with the legal investigation is concerned.

The Danish Data Protection Authority has also emphasized that neither the information that appeared in Plesner's email of 7 July 2021, nor the information that appears in Plesner's privacy policy (which is similarly drawn up in general and overall terms), which was linked to in the auto-signature of the email in question, constitutes sufficient information for the obligation under Article 14 of the Data Protection Regulation to be considered fulfilled.

The privacy policies can thus neither independently nor collectively be considered to contain sufficient information about the processing of information about the complainant that was carried out in connection with the legal investigation.

As a result, the complainant received, for example, insufficient information about the different processing bases on which KF and Plesner based their processing of information about the complainant, cf. Article 14, paragraph 1, letter c.

In addition, the Danish Data Protection Authority is of the opinion that the scope and nature of the investigation imposes stricter requirements on the transparency of the processing, and thus also on the clarity of the information that the complainant should have received in connection with the initiation of the investigation.

For that reason, the complainant should – in addition to a direct reference to the processing grounds on which the processing of information about him was based – i.a. have received information about the legitimate interests on which the investigation was based, cf. Article 14, subsection 2, letter b, so that the complainant was given the opportunity to familiarize himself with and assess the legitimacy of the processing and, if necessary, to make use of his rights according to the data protection regulation, article 21, subsection 1.

Based on the above, the Danish Data Protection Authority therefore finds grounds to express criticism that KF and Plesner have not sufficiently observed the duty to provide information pursuant to Article 14 of the Data Protection Regulation.

5. Summary

In summary, the Danish Data Protection Authority finds that KF's and Plesner's processing of information about the complainant has taken place in accordance with Article 6 and Article 9 of the Data Protection Regulation and Section 8 of the Data Protection Act.

However, the Danish Data Protection Authority finds grounds to express criticism that KF and Plesner have not sufficiently observed the obligation to provide information pursuant to Article 14 of the Data Protection Regulation.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).

[2] Act No. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information (the Data Protection Act).

[3] The Ministry of Justice's Report on the Data Protection Regulation (2016/679) – and the legal framework for Danish legislation, 2017.

[4] The Data Protection Regulation and the Data Protection Act with comments by Kristian Korfits Nielsen and Anders Lotterup, 2020, pages 430-431.