Datatilsynet (Denmark) - 2023-421-0015
Latest revision as of 08:07, 23 July 2024
Datatilsynet - 2023-421-0015 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 5(1)(e) GDPR; Article 5(2) GDPR; Article 25(1) Regulation (EC) 767/2008; Article 30(1) Regulation (EC) 767/2008 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 11.12.2023 |
Decided: | |
Published: | 10.07.2024 |
Fine: | n/a |
Parties: | Udlændinge- og Integrationsminister |
National Case Number/Name: | 2023-421-0015 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | fb |
The DPA issued a reprimand against the Ministry of Immigration and Integration for a violation of the storage limitation principle caused by the ministry’s failure to ensure adherence to its own deletion policy.
English Summary
Facts
On 11 December 2023, the DPA initiated an investigation concerning the processing of personal data in relation to the Visa Information System (VIS), carried out by the Ministry of Immigration and Integration (Udlændinge- og Integrationsminister – UIM) through its system IVR-VIS.
The DPA focused its investigation on the deletion practices of the controller. The DPA noted that, according to the deletion policy, visa cases should be automatically deleted after 5 years from, for example, the expiration of a visa, date of refusal, confirmation, etc.
However, the investigation showed that the controller had so far not monitored compliance with its own deletion policy. Moreover, there was no policy for premature deletion when a visa applicant obtains Danish citizenship by naturalization in accordance with Article 25(1) VIS Regulation (EC) 767/2008. According to this article, when a visa applicant obtains the citizenship of a Member State, data relating to their application file must be deleted without delay from the VIS even if the normal data retention period of 5 years, set by Article 23(1) VIS Regulation (EC) 767/2008, has not expired yet.
Holding
First, the DPA noted that Recital 17 of the VIS Regulation (EC) 767/2008 states that Directive 95/46/EC (now GDPR) applies to the processing of data by Member States pursuant to the VIS Regulation.
Second, the DPA recalled that, according to the storage limitation principle, personal data must not be stored for longer than is necessary for the purposes for which they are processed. This follows from Article 5(1)(e) GDPR and, in the specific case, also from Article 30(1) VIS Regulation (EC) 767/2008.
Third, the DPA noted that the controller was not monitoring the deletion of personal data in the IVR-VIS system. The DPA held that ongoing monitoring of whether the controller's established deletion practices work as intended is a prerequisite for the controller to demonstrate, under Article 5(2) GDPR, compliance with the principle of storage limitation under Article 5(1)(e) GDPR. Therefore, the DPA found that the controller was unable to demonstrate compliance with Article 5(1)(e) GDPR and Article 30(1) VIS Regulation (EC) 767/2008.
Fourth, the DPA found that the controller does not immediately delete data if a data subject becomes a citizen as is required by Article 25(1) VIS Regulation (EC) 767/2008. On the contrary, citizens must contact the controller to have their data deleted. The DPA held that this procedure does not fulfil the required premature erasure and is therefore also a violation of Article 5(1)(e) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
The Ministry of Immigration and Integration receives criticism in the supervisory case regarding the visa information system

Date: 10-07-2024

Decision | Public authorities | Criticism | Supervision / self-operating case | Basic principles

Following an inspection of the Ministry of Immigration and Integration, the Danish Data Protection Authority has made a decision to criticize the ministry for, among other things, not carrying out ongoing checks of its own deletion deadlines in the national visa information system and not immediately deleting information when a visa applicant obtains citizenship in an EU member state before the expiry of the deletion period.

Journal number: 2023-421-0015.

Summary

During the inspection, it was, among other things, ascertained that the Ministry of Immigration and Integration has established a deletion practice in the national visa information system, where visa cases are automatically deleted as a starting point 5 years from e.g. the expiry of a visa, the date of notification of a refusal, etc. At the same time, however, it was established that there is no control that the automatic deletion practice works as intended.

It is the Danish Data Protection Authority's assessment that continuous monitoring of compliance with the data controller's erasure deadlines is a prerequisite for the data controller to be able to demonstrate, in accordance with the principle of accountability in Article 5, subsection 2 of the Data Protection Regulation, that it fulfils the principle of storage limitation in Article 5, subsection 1, letter e.

During the inspection, the Danish Data Protection Authority also found that the Ministry of Immigration and Integration does not immediately delete information when a registered visa applicant obtains citizenship in an EU member state before the end of the 5-year period.

According to the VIS Regulation, Article 25, subsection 1, the information in a visa application case must be immediately deleted from the visa information system if the visa applicant acquires citizenship in a Member State before the expiry of the deletion period. However, the Ministry of Immigration and Integration has a practice where the registered person is guided to contact the Danish Immigration Service themselves with a view to having their information deleted from the system, instead of the ministry deleting the information on its own initiative. It is the Danish Data Protection Authority's assessment that this approach does not meet the VIS Regulation's requirement for early deletion in the regulation's Article 25, subsection 1.

Against this background, the Danish Data Protection Authority criticized the Ministry of Immigration and Integration.

Decision

The Danish Data Protection Authority hereby returns to the case regarding the supervision of the Ministry of Immigration and Integration's (UIM) processing of personal data in relation to the visa information system (VIS) (Data Protection Authority's reference number: 2023-421-0015).

1. Supervision

By letter of 11 December 2023, the Data Protection Authority initiated an inspection of UIM regarding the deletion of visa cases in IVR-VIS by sending a number of questions.

By letter of 23 January 2024, UIM answered the Danish Data Protection Authority's questions with the accompanying annex.

After reviewing the submitted material, by letter of 5 April 2024, the Danish Data Protection Authority requested additional information from UIM about the ministry's deletion practice and control of the deletion of cases in IVR-VIS.

By letter of 25 April 2024, UIM forwarded additional information to the Danish Data Protection Authority.

On the basis of the information submitted, the Danish Data Protection Authority has noted, among other things, that UIM has a deletion practice in IVR-VIS, which is set up to automatically follow the deletion deadlines set out in the "Guidelines for the Danish Immigration Service, the Immigration Board and the Department for the use of the element 'Information on special reasons'". This means that cases are automatically deleted after 5 years from e.g. the expiry of a visa, the date of notification of a refusal, confirmation etc. In special cases, visa cases are only deleted after 8 years, if they are marked with the element "orientation on special grounds", which is also explained in more detail in the submitted material and in "Guidelines for the Danish Immigration Service, the Immigration Board and the Department for the use of the element 'Orientation on special grounds'".

The Danish Data Protection Authority has also noted that UIM has so far not carried out checks on compliance with erasure deadlines.

In addition, the Danish Data Protection Authority has noted that UIM does not have a practice of early deletion when a visa applicant obtains Danish citizenship by naturalization in accordance with Article 25, subsection 2 of the VIS Regulation. 1. In addition, it appears from UIM's supplementary statement that a visa holder who obtains Danish citizenship is advised that deletion of the information in the VIS can be requested.

The Danish Data Protection Authority has finally noted that UIM has not answered the Danish Data Protection Authority's question about whether information is provided to the responsible visa authority in accordance with Article 25, paragraph 2 of the VIS Regulation.

2. The Data Protection Authority's decision

On the basis of UIM's statements, the Data Protection Authority finds grounds to conclude:

That UIM does not live up to the principle of accountability in the Data Protection Regulation, Article 5, subsection 2, cf. Article 5, subsection 1, letter e, as there is no control of the automatic deletion in IVR-VIS.

That UIM does not comply with the requirements of the VIS Regulation, Article 25, subsection 1, as information in IVR-VIS is not immediately deleted if a registered person obtains citizenship.

That UIM does not comply with the requirements of the VIS Regulation, Article 25, paragraph 2, as the responsible visa authority is not notified when a registered person obtains Danish citizenship.

Overall, the Danish Data Protection Authority finds grounds for expressing criticism that UIM has not complied with the requirements of the VIS Regulation.

3. The legal basis

The VIS Regulation[1] regulates the exchange of information between member states on applications for short-stay visas and on decisions made in connection with a visa application.

It follows from recital 17 of the VIS Regulation that the personal data directive applies to the Member States' processing of information pursuant to the VIS Regulation. It follows from the Data Protection Regulation[2], Article 94, subsection 2, that any reference to the personal data directive applies as a reference to the Data Protection Regulation.

Storage of information in the VIS is regulated in the VIS Regulation, Article 30, subsection 1. It follows from this that information retrieved from the VIS may only be stored in national registers when necessary in a specific case in accordance with the relevant legal provisions, including the rules for data protection.

It appears from the Data Protection Regulation's Article 5, subsection 1, letter e, that personal data may not be stored for longer than is necessary for the purposes for which they are processed.

It follows from the Data Protection Regulation's Article 5, subsection 2, that the data controller is responsible for and must be able to demonstrate that subsection 1 is observed.

Article 25 of the VIS Regulation regulates the early deletion of information. It follows from subsection 1 of the provision that information pursuant to Article 8, subsection 3 and 4, shall be deleted immediately if the visa applicant obtains citizenship in the Member State. The information must be deleted by the authority that created the applications in question.

It appears from paragraph 2 of the provision that the Member State immediately informs the responsible Member State or Member States if a citizen has acquired citizenship in the Member State.

4. The Data Protection Authority's reasoning

4.1. Lack of control over automatic deletion

Based on the information provided, the Danish Data Protection Authority can ascertain that UIM does not control the deletion of personal data in IVR-VIS.

It is the Danish Data Protection Authority's assessment that continuous monitoring of the data controller's established deletion practices is a prerequisite for the data controller to be able to demonstrate, in accordance with the Data Protection Regulation's Article 5, subsection 2, compliance with the principle of storage limitation according to Article 5, subsection 1, letter e.

It is therefore the Danish Data Protection Authority's assessment that, due to the lack of control over the deletion of information in IVR-VIS, it is not possible for UIM to demonstrate that the automatic deletion mechanism complies with Article 5, subsection 1, letter e, of the Data Protection Regulation, and the VIS Regulation, Article 30, subsection 1.

4.2. Failure to delete pursuant to Article 25, subsection 1

Based on the information provided, the Danish Data Protection Authority can ascertain that UIM does not immediately delete information if a registered person obtains citizenship.

It follows from UIM's answer to question 3 in the opinion of 25 April 2024 that "everyone who becomes a Danish citizen by naturalization is advised that they can contact the Danish Immigration Service with a view to having their data in the VIS, if any, deleted."

It is the Danish Data Protection Authority's assessment that this approach does not sufficiently meet the conditions for early deletion.

4.3. Failure to notify the responsible Member State(s)

The Danish Data Protection Authority asked in its consultation letter of 5 April 2024 whether notification is currently being made to the responsible visa authority or authorities.

UIM has not answered this question in its statement of 25 April 2024. It appears from UIM's statement of 23 January that a procedure for notification is being drawn up.

On this basis, the Danish Data Protection Authority assumes that UIM does not inform responsible Member States if an applicant obtains citizenship. UIM therefore does not meet the requirements of the VIS Regulation, Article 25, subsection 2.

[1] REGULATION (EC) OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL No. 767/2008 of 9 July 2008 on the Visa Information System (VIS) and exchange of information between Member States on short-stay visas (VIS Regulation)

[2] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (general data protection regulation)