Datatilsynet (Denmark) - 2019-32-0639: Difference between revisions
m (Ar moved page Datatilsynet - 2019-32-0639 to Datatilsynet (Denmark) - 2019-32-0639) |
|||
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
{ | {{DPAdecisionBOX | ||
|Jurisdiction=Denmark | |||
|DPA-BG-Color= | |||
|DPAlogo=LogoDK.png | |||
|DPA_Abbrevation=Datatilsynet (Denmark) | |||
|DPA_With_Country=Datatilsynet (Denmark) | |||
|Case_Number_Name=2019-32-0639 | |||
|ECLI= | |||
|Original_Source_Name_1=Datatilsynet | |||
|Original_Source_Link_1=https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/dec/arbejdsmarkedets-feriefonds-iagttagelse-af-oplysningspligt-og-brug-af-samtykke/ | |||
|Original_Source_Language_1=Danish | |||
|Original_Source_Language__Code_1=DA | |||
|Type=Complaint | |||
|Outcome=Upheld | |||
|Date_Started= | |||
|Type | |Date_Decided= | ||
|Date_Published=20.12.2019 | |||
|Outcome | |Year= | ||
| | |Fine=None | ||
| | |Currency= | ||
| | |||
|GDPR_Article_1=Article 5(1)(a) GDPR | |||
| | |GDPR_Article_Link_1=Article 5 GDPR#1a | ||
|Fine | |GDPR_Article_2=Article 12(1) GDPR | ||
| | |GDPR_Article_Link_2=Article 12 GDPR#1 | ||
| | |GDPR_Article_3=Article 14(1)(c) GDPR | ||
| | |GDPR_Article_Link_3=Article 14 GDPR#1c | ||
| | |GDPR_Article_4=Article 14(2) GDPR | ||
| | |GDPR_Article_Link_4=Article 14 GDPR#2 | ||
| | |GDPR_Article_5=Article 14(3) GDPR | ||
| | |GDPR_Article_Link_5=Article 14 GDPR#3 | ||
| | |||
| | |||
| | |||
| | |Party_Name_1=Arbejdsmarkedets Feriefond | ||
| | |Party_Link_1= | ||
|}The ''Datatilsynet'' issued severe criticism of ''Arbejdsmarkedets Feriefond'', a Danish self-governing institution, for not providing a data subject with sufficient information in a timely manner, thereby breaching Articles 12(1), 14(1)(c), 14(2) and 14(3) GDPR. In addition, Datatilsynet also issued criticism in relation to Article 5(1)(a) GDPR for the controller’s attempt to collect consent for the processing of the personal data after the data subject contacted the controller, as another legal basis was already relied upon to process the data. | |Party_Name_2=Anonymous | ||
|Party_Link_2= | |||
|Party_Name_3= | |||
|Party_Link_3= | |||
|Party_Name_4= | |||
|Party_Link_4= | |||
|Party_Name_5= | |||
|Party_Link_5= | |||
|Appeal_To_Body= | |||
|Appeal_To_Case_Number_Name= | |||
|Appeal_To_Status= | |||
|Appeal_To_Link= | |||
|Initial_Contributor= | |||
| | |||
}} | |||
The ''Datatilsynet'' issued severe criticism of ''Arbejdsmarkedets Feriefond'', a Danish self-governing institution, for not providing a data subject with sufficient information in a timely manner, thereby breaching Articles 12(1), 14(1)(c), 14(2) and 14(3) GDPR. In addition, Datatilsynet also issued criticism in relation to Article 5(1)(a) GDPR for the controller’s attempt to collect consent for the processing of the personal data after the data subject contacted the controller, as another legal basis was already relied upon to process the data. | |||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== |
Latest revision as of 16:23, 6 December 2023
Datatilsynet (Denmark) - 2019-32-0639 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 5(1)(a) GDPR Article 12(1) GDPR Article 14(1)(c) GDPR Article 14(2) GDPR Article 14(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 20.12.2019 |
Fine: | None |
Parties: | Arbejdsmarkedets Feriefond Anonymous |
National Case Number/Name: | 2019-32-0639 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | n/a |
The Datatilsynet issued severe criticism of Arbejdsmarkedets Feriefond, a Danish self-governing institution, for not providing a data subject with sufficient information in a timely manner, thereby breaching Articles 12(1), 14(1)(c), 14(2) and 14(3) GDPR. In addition, Datatilsynet also issued criticism in relation to Article 5(1)(a) GDPR for the controller’s attempt to collect consent for the processing of the personal data after the data subject contacted the controller, as another legal basis was already relied upon to process the data.
English Summary
Facts
Datatilsynet examined a complaint regarding the processing of personal data by the self-governing institution Arbejdsmarkedets Feriefond. Arbejdsmarkedets Feriefond processed a claim of overpayment of vacation pay to the complainant. The basis of the claim was personal data provided by a governing body under the Ministry of Employment.
Arbejdsmarkedets Fond informed the complainant by letter that they processed information about the complainant’s personal governmental number, name, address, account number, and information about the debt (in this case, owed money for overpayment). Further information was provided, stating that the personal data could be shared with a lawyer, and that the information would be shared with the Danish National Archives. In a later exchange, the complainant was directed to the privacy policy of Arbejdmarkedets Feriefond.
In addition, there was a question regarding the legal basis being used. When contacting the data protection officer by a standard formula on their webpage, it provided information that contacting the data protection officer would result in personal data being processed, and that contacting the data protection officer was seen as constituting consent for this processing.
Dispute
The question for Datatilsynet was whether the information given by the controller was enough to comply with its duty to inform the data subject about the processing taking place.
Holding
Datatilsynet found that the information given did not provide information about the legal basis of the processing operation (Article 14(1)(c) GDPR) and the recipients of the personal data (Article 14(1) and (2) GDPR). As such, Datatilsynet found that the controller did not fulfil its duty to inform under Article 14 GDPR and thus Article 12(1) GDPR.
Furthermore, Datatilsynet found that the information should have been provided in the first letter on the 28 January. Instead, part of the information was provided in letters dated on 14 February and 28 March. As such, Datatilsynet found this to be a breach of Article 14(3) GDPR.
With regards to the consent, Datatilsynet stated that the apparent reliance on consent – even if consent was not in fact relied upon, constituted a breach of Article 5(1)(a) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Danish original for more details.
The Labor Market Holiday Fund's observance of the obligation to provide information and the use of consent Published 20-12-2019 Decision Private companies The Data Inspectorate is seriously criticizing the Labor Market Holiday Fund, because did not adequately comply with its disclosure requirements in connection with the Fund's handling of a specific case for the payment of holiday pay. Journal number 2019-32-0639 CV The Data Inspectorate found that the processing of personal data by the Labor Market Holiday Fund did not comply with the rules of Article 12 (2) of the Data Protection Regulation. 1 and Article 14. As part of the processing of a case concerning holiday pay, the Labor Market Holiday Fund had, over several months, provided the registered information covered by the fund's disclosure obligation in accordance with Article 14 of the Data Protection Regulation. The Data Inspectorate found that the Labor Market Holiday Fund had therefore not fulfilled its disclosure obligation within the time limit set by Article 14 (2) of the Regulation. Third In addition, the Data Inspectorate found that the Labor Market Holiday Fund had not observed Article 12 (2) of the Regulation. 1 as the Fund had not provided the information in a unified form and in a concise, transparent, easily accessible and easily understood form. In addition, the Data Inspectorate criticized that the Labor Market Holiday Fund had requested complaints whose personal data were already processed by the Labor Market Holiday Fund in connection with the specific holiday money case, to give consent to the processing of personal data, as complaints sought to contact the Fund's data protection adviser. The Data Inspectorate found that obtaining the complainant's consent did not comply with Article 5 (1) of the Regulation. 1 (a) (the principle of "legality, reasonableness and transparency"), since the processing of the complainant's personal data was already carried out on a basis other than consent. Decision The Danish Data Protection Authority hereby returns to the case where XX (hereafter complained) on 17 February 2019 complained to the Supervisory Authority that the Labor Market Holiday Fund has not sufficiently fulfilled its disclosure obligation and the Fund's obtaining consent. 1. Decision Following a review of the case, the Data Inspectorate finds that there is reason to express serious criticism that the Labor Market Holiday Fund's processing of personal data did not comply with the rules of Article 12 (1) of the Data Protection Regulation [1]. 1 and Article 14. Furthermore, the Data Inspectorate finds a basis for criticizing the fact that the Labor Market Holiday Fund's processing of personal data has not taken place in accordance with Article 5 (1) of the Data Protection Regulation. 1, point a. The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision. 2. Case making It is apparent from the case file that on 28 January 2019, the complainant received a letter from the Labor Market Holiday Fund, qui a été fundé en toute transparency, a été modified, à the Board of Labor Market and Recruitment, to avoir des truffes de qualité, à Complainant unjustly, pour the avoir of the holiday money paid out, a pour avoir un ciel bleu les les bétons jusqu'à The Labor Market Holiday Fund. The letter from the Labor Market Holiday Fund for complaints also stated: "We would like to note that the Labor Market Holiday Fund has registered your social security number, name, address, account number and information regarding this debt ratio in the Fund's case management system and financial system, respectively." On February 8, 2019, complaints were addressed to the Labor Market Holiday Fund via the Fund's regular mailbox and the Fund's DPO, respectively. In this connection, the complainant stated that she was critical of the Labor Market Holiday Fund's handling of her personal data, including regarding the Fund's compliance with the disclosure obligation and the Fund's use of consent. In a letter of 14 February 2019 to complaints, the Labor Market Holiday Fund stated that in the letter of 28 January 2019, the Fund's decision to place a place on the Holiday Fund, as a system of management of the Marques de Fabrics and Marques de Commerce , in terms of the system of registration of the person's names, addresses and names of the domain, in the case of the fund and the systems of management of the marque of the factory of the cadre of economic system. The Labor Market Holiday Fund stated that the Fund, on the basis of this, believed to have provided complaints about registration of personal data with the Fund, including the purpose of registration. The Labor Market Holiday Fund also stated complaints that the Fund would relay her personal information to the Fund's permanent lawyer and to the bailiff should the court need to go to recover the claim. Le Fund Holiday Fund and a crèche for aider les persones à se sentir plus à laise et à se sentir plus accountables. Summary The Data Inspectorate found that the processing of personal data by the Labor Market Holiday Fund did not comply with the rules of Article 12 (2) of the Data Protection Regulation. 1 and Article 14. As part of the processing of a case concerning holiday pay, the Labor Market Holiday Fund had, over several months, provided the registered information covered by the fund's disclosure obligation in accordance with Article 14 of the Data Protection Regulation. The Data Inspectorate found that the Labor Market Holiday Fund had therefore not fulfilled its disclosure obligation within the time limit set by Article 14 (2) of the Regulation. Third In addition, the Data Inspectorate found that the Labor Market Holiday Fund had not observed Article 12 (2) of the Regulation. 1 as the Fund had not provided the information in a unified form and in a concise, transparent, easily accessible and easily understood form. In addition, the Data Inspectorate criticized that the Labor Market Holiday Fund had requested complaints whose personal data were already processed by the Labor Market Holiday Fund in connection with the specific holiday money case, to give consent to the processing of personal data, as complaints sought to contact the Fund's data protection adviser. The Data Inspectorate found that obtaining the complainant's consent did not comply with Article 5 (1) of the Regulation. 1 (a) (the principle of "legality, reasonableness and transparency"), since the processing of the complainant's personal data was already carried out on a basis other than consent. Decision The Danish Data Protection Authority hereby returns to the case where, on 17 February 2019, XX (hereafter) complains to the Supervisory Authority that the Labor Market Holiday Fund has not sufficiently fulfilled its disclosure obligation and the Fund's obtaining consent. 1. Decision Following a review of the case, the Data Inspectorate finds that there is reason to express serious criticism that the Labor Market Holiday Fund's processing of personal data did not comply with the rules of Article 12 (1) of the Data Protection Regulation [1]. 1 and Article 14. Furthermore, the Data Inspectorate finds a basis for criticizing the fact that the Labor Market Holiday Fund's processing of personal data has not taken place in accordance with Article 5 (1) of the Data Protection Regulation. 1, point a. The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision. 2. Case making It is apparent from the case file that on January 28, 2019, complaints were received by a letter from the Labor Market Holiday Fund, in which the Fund stated complaints that it had received notification that the Agency for Labor Market and Recruitment had decided that complaints had been unlawfully paid holiday pay, and that the amount owed should be paid into the Labor Market Holiday Fund. The letter from the Labor Market Holiday Fund for complaints also stated: “We note that the Labor Market Holiday Fund has registered your social security number, name, address, account number. as well as information regarding the debt ratio in question in the Fund's case management system and financial system, respectively. " On February 8, 2019, complaints were addressed to the Labor Market Holiday Fund via the Fund's regular mailbox and the Fund's DPO, respectively. In this connection, the complainant stated that she was critical of the Labor Market Holiday Fund's handling of her personal data, including regarding the Fund's compliance with the disclosure obligation and the Fund's use of consent. In a letter of 14 February 2019 to complaints, the Labor Market Holiday Fund stated that, in the letter of 28 January 2019, the Fund had informed her that the Fund had received notification from the Danish Labor Market and Recruitment Agency and that the Fund had registered her social security number, name, address and information on the debt ratio in question in the Fund's case management system and financial system, respectively. The Labor Market Holiday Fund stated that the Fund, on the basis of this, believed to have provided complaints about registration of personal data with the Fund, including the purpose of registration. The Labor Market Holiday Fund also stated complaints that the Fund would relay her personal information to the Fund's permanent lawyer and to the bailiff should the court need to go to recover the claim. The Labor Market Holiday Fund referred complaints to read more on the fund's website about how the fund processes personal data. The Labor Market Holiday Fund also stated that it does not require consent when the Labor Market Holiday Fund registers personal data in order to pursue a claim that a higher authority has decided to pay to the Fund. As a result, consent cannot be revoked either. In addition, the Labor Market Holiday Fund stated in its letter of complaint of February 14, 2019 that she had applied to the Labor Market Holiday Fund both through the Fund's regular contact form and through the Fund's contact form to DPO, which stated on both forms: "When you as a citizen apply to the Labor Market Holiday Fund, you consent to the Fund having to register your personal information (name, address, CPR number) in the Fund's case management system and / or financial system, depending on what is necessary for the Fund to process your inquiry." Subsequently, the complainant entered into an agreement on repayment of holiday money, which the Labor Market Holiday Fund confirmed in a letter of 6 March 2019. In the letter, the Labor Market Holiday Fund again stated that the fund had registered her social security number, name, address, account number and information regarding the debt ratio in the fund's case management system and financial system. The complainant subsequently settled the claim of the fund, which the fund acknowledged in a letter of March 28, 2019. In this connection, the fund stated that her personal information would be disclosed to the National Archives in accordance with the archive rules. By letter of 19 March 2019, the Danish Data Protection Agency requested the Labor Market Holiday Fund for an opinion in the case, which the Authority received on 28 March 2019. 2.1. The complainant's remarks The complainant has generally stated that the Labor Market Holiday Fund did not comply with its duty of disclosure by informing her only of what personal data the Fund processes about her. The complainant adds that the duty of disclosure implies that the data controller - in addition to informing the data subject about the information being processed about the data subject - must also provide the data subject with a number of information about the data processing. In addition, complainants state that the Labor Market Holiday Fund's request for consent to processing personal data in connection with her request to the Fund's data protection adviser did not comply with the data protection rules, including that the consent was not voluntarily given, as the complainant could not really decide whether she would give consent or not. 2.2. Comments from the Labor Market Holiday Fund 2.2.1. The Labor Market Holiday Fund has stated that the Fund is a self-governing institution under the state administration and that it is incumbent on the Labor Market Holiday Fund to recover the Fund's (state's) claim for unduly paid holiday allowance as a result of decisions taken by the Danish Labor Market and Recruitment Agency or by the Ankur. In relation to the specific case, the Labor Market Holiday Fund stated that on January 28, 2019, the Fund received information on complaints from the Board of Labor and Recruitment in the form of a copy of the Board's decision of 18 May 2018 to complaints about unjustified payment of holiday pay, which subsequently was confirmed by the National Board of Appeal on January 25, 2019. Furthermore, the Labor Market Holiday Fund states that by letter of 28 January 2019, the Fund stated complaints that the Fund had registered information on her social security number, name, address, account number and information on the debt ratio in question in the Fund's case management system and financial system. In addition, in a letter dated February 14, 2019 to the complainant, the fund stated that the fund would forward the complainant's personal information to the fund's permanent lawyer and to the bailiff should the court need to go to recover the claim. In the letter, the Labor Market Holiday Fund also referred complaints to read more about the Fund's personal data policy on the Fund's website. The Labor Market Holiday Fund has stated that the purpose of the Fund's treatment of complainant's personal data is clearly stated in the context, as complaints in the Board of Labor Market and Recruitment's decision of 18 May 2018 were informed that the case would be transferred to the Labor Market Holiday Fund for the purpose of recovery of the claim. The Labor Market Holiday Fund has also stated that in its letter of 28 March 2019 to complaints the Fund informed her that her personal information would be disclosed to the National Archives. The Labor Market Holiday Fund has stated that on this basis it is the Fund's view that the Fund's handling of information duty has been in accordance with Articles 13 and 14 of the Data Protection Regulation. 2.2.2. The Labor Market Holiday Fund states that the Fund has processed non-sensitive personal data on complaints under Article 6 (2) of the Data Protection Regulation. Article 11 (1) (c) and (e). Information on the complainant's social security number has been processed on the basis of section 11 (1) of the Data Protection Act [2]. First The Labor Market Holiday Fund has stated that complaints in the specific case subsequently applied to the Fund through the Fund's standard contact form and standard DPO contact form, which are forms that can be used by citizens who apply, regardless of whether the fund has already registered personal information about those concerned. Against this background, the Labor Market Holiday Fund, by default, states on the forms that an inquiry will entail registration of personal data and that the person submitting the contact form gives consent for this. The Labor Market Holiday Fund has stated that complaints in the specific case did not appear with personal data that the Fund had not already registered as part of the processing of the pending complaint regarding the payment of holiday pay. Thus, the complainant's personal information was not processed on the basis of consent. 3. Justification for the Danish Data Protection Agency's decision 3.1. It follows from Article 14 (1) of the Data Protection Regulation. 1 and 2, that the data controller - if the information is not collected from the data subject - must provide the data subject with a number of information, including: to ensure fair and transparent treatment of the data subject. Pursuant to Article 14 (1) of the Data Protection Regulation. 3, the data controller shall provide the information referred to in paragraph 1. 1 and 2, at the latest at the time of the first communication with the data subject if the information is to be used to communicate with the data subject, and otherwise within one month after the collection of the information. The information can be given to the data subject, for example in a direct link. In addition, pursuant to Article 12 (2), the data controller must: 2. In accordance with paragraph 1, appropriate measures shall be taken to provide any information referred to in Articles 13 and 14 on treatment to the data subject in a concise, transparent, easily understandable and easily accessible form and in a clear and simple language. The Data Inspectorate assumes that personal data on complaints were not collected from the registered self, but were received from the Danish Labor Market and Recruitment Agency on January 28, 2019. In addition, the Data Inspectorate assumes that the Labor Market Holiday Fund, in a letter of 28 January 2019, stated complaints that the Fund processed information on the complainant's social security number, name, address, account number and information on the current debt ratio, that the Labor Market Holiday Fund in a letter of 14 February 2019 stated at the request of the complainant that the information could be disclosed to a lawyer and that in the letter of 28 March 2019, the Labor Market Holiday Fund stated complaints that the information would be disclosed to the National Archives. In addition, the Data Inspectorate assumes that in the letter of 14 February 2019, the Labor Market Holiday Fund - in response to inquiries from complaints - referred complaints to read more about the Fund's personal data policy on the Fund's website. The version of the Fund's personal data policy in force at the time stated: identity and contact information of the data controller contact information for any data protection adviser the purposes of the Fund's processing of information the categories of personal data concerned how long the information was stored information on the rights of data subjects the right to lodge a complaint with a supervisory authority (which was incorrectly stated to be the Danish Labor and Employment Agency) where the information came from Thus, the personal data policy included not information on the legal basis for the processing (Article 14 (1) (c)) and information on possible recipients of personal data (Article 14 (1) (e)). Accordingly, the Data Inspectorate finds that the Labor Market Holiday Fund did not sufficiently comply with its duty of disclosure towards complaints, in accordance with Article 14 (1) of the Data Protection Regulation. 1 and 2. The Data Inspectorate further finds that the Labor Market Holiday Fund did not fulfill its disclosure obligation within the time limit set by Article 14 (2) of the Regulation. 3. The Data Inspectorate hereby emphasizes that in its first letter of 28 January 2019, the Labor Market Holiday Fund should have given complaints all the information covered by the disclosure obligation, but that a number of the information was first communicated to complaints on 14 February 2019 and 28. March 2019. In addition, the Data Inspectorate finds that the Labor Market Holiday Fund has not complied with Article 12 (2) of the Data Protection Regulation. 1, in connection with the processing of the complainant's personal data. The Data Inspectorate has hereby emphasized that, by communicating complaints, the Labor Market Holiday Fund, step by step, in the course of the case processing rather than in a single communication, has not taken appropriate measures to provide any information referred to in Article 14 in a concise, transparent, easily understandable and easily accessible form. Against this background, the Data Inspectorate finds a basis for expressing serious criticism of the Labor Market Holiday Fund's processing of complainant's personal data. 3.2. As regards the part of the complaint relating to obtaining consent, the Data Inspectorate notes that Article 5 of the Data Protection Regulation contains general principles for the processing of personal data. It appears, among other things, of Article 5 (2); 2. Paragraph 1 (a) requires that personal data be legally, reasonably and transparently processed. The Labor Market Holiday Fund has stated that the processing of the information at issue is based on Article 6 (2) of the Data Protection Regulation. 1, c and e, and section 11 (1) of the Data Protection Act. 1, cf. section 2.2.2. above. The processing is thus conducted on a basis other than consent, which is why obtaining the complainant's consent is not in accordance with Article 5 (2). 1, point a. Against this background, the Data Inspectorate finds a basis for criticizing the Labor Market Holiday Fund. 4th It is added that if the Labor Market Holiday Fund also processes personal data which the Labor Market Holiday Fund believes can only be done on the basis of consent, the Data Inspectorate must point out that it follows from Article 4 (11) of the Data Protection Regulation that consent is understood as any voluntary, specific, informed and unambiguous disclosure by the data subject, whereby the data subject, by declaration or clear confirmation, consents to the processing of personal data relating to the data subject. It also follows from Article 7 (1) of the Data Protection Regulation. 3 that the data subject has the right at any time to withdraw his consent. It is the opinion of the Data Inspectorate that the consent that the complainant made in connection with his inquiries to the Labor Market Holiday Data Protection Advisor does not meet the conditions for a valid consent, i.a. because it cannot be considered voluntary, as complainants had no alternative but to consent to the treatment if complainants would contact the Data Protection Advisor. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46 / EC (general data protection regulation). [2] Act No 502 of 23 May 2018 on additional provisions for a regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such information (Data Protection Act).