Datatilsynet (Denmark) - 2020-432-0047: Difference between revisions
(Changed "Data Protection Authority" to DPA) |
No edit summary |
||
(3 intermediate revisions by one other user not shown) | |||
Line 51: | Line 51: | ||
}} | }} | ||
The Danish DPA | The Danish DPA held that the Næstved Municipality violated [[Article 5 GDPR|Article 5(1)(a) GDPR]] by mistakenly announcing on their privacy statement that processing of data for marketing purposes would take place, although it actually wouldn't. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
In February 2020, the Danish DPA published a guide on the processing of personal data | In February 2020, the Danish DPA published a guide on the processing of personal data of website visitors. As a follow-up to this, and to focus on whether the rules in this area were complied with, the DPA decided in October 2020 to investigate the website www.naestved.dk, which is administered by the Næstved Municipality. The cookie banner on the website stated "''The website uses cookies to improve your experience, assess the use of the individual elements of the website and to support the marketing of our services. By clicking on the website, you accept the website's use of cookies.''" Visitors could then choose between "OK" or "Show details". | ||
The website uses cookies to improve your experience, assess the use of the individual elements | |||
=== Holding === | === Holding === | ||
First, the DPA found that the Næstved Municipality violated the principle of lawfulness, fairness, and transparency, [[Article 5 GDPR|Article 5(1)(a) GDPR]]. It emphasised that "''the texts on the website led visitors to believe that the municipality processed personal data for marketing purposes, even if this was not the case''". | |||
Second, the DPA found that Næstved Municipality's processing of website visitors' personal data for statistical purposes took place in the scope of the municipality's public authority, and thus within the framework of [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]. The DPA considered that the processing of personal data for statistics was related directly to its duty to guide and assist citizens, since the website's efficiency and ease were optimised through the statistics. In this regard, the DPA found it important that these statistics were provided by a third party who anonymised the statistics irreversibly. Lastly, the DPA considered that the sub-processing that was carried out by AWS, did not lead to an international data transfer because this was laid down in an agreement and "''publicly guaranteed''". | |||
== Comment == | == Comment == | ||
''Share your comments here!'' | ''Share your comments here!'' |
Latest revision as of 18:38, 16 February 2022
Datatilsynet (Denmark) - 2020-432-0047 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(e) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 01.10.2020 |
Decided: | |
Published: | 17.11.2021 |
Fine: | None |
Parties: | Næstved Municipality |
National Case Number/Name: | 2020-432-0047 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | Sara Horvat |
The Danish DPA held that the Næstved Municipality violated Article 5(1)(a) GDPR by mistakenly announcing on their privacy statement that processing of data for marketing purposes would take place, although it actually wouldn't.
English Summary
Facts
In February 2020, the Danish DPA published a guide on the processing of personal data of website visitors. As a follow-up to this, and to focus on whether the rules in this area were complied with, the DPA decided in October 2020 to investigate the website www.naestved.dk, which is administered by the Næstved Municipality. The cookie banner on the website stated "The website uses cookies to improve your experience, assess the use of the individual elements of the website and to support the marketing of our services. By clicking on the website, you accept the website's use of cookies." Visitors could then choose between "OK" or "Show details".
Holding
First, the DPA found that the Næstved Municipality violated the principle of lawfulness, fairness, and transparency, Article 5(1)(a) GDPR. It emphasised that "the texts on the website led visitors to believe that the municipality processed personal data for marketing purposes, even if this was not the case".
Second, the DPA found that Næstved Municipality's processing of website visitors' personal data for statistical purposes took place in the scope of the municipality's public authority, and thus within the framework of Article 6(1)(e) GDPR. The DPA considered that the processing of personal data for statistics was related directly to its duty to guide and assist citizens, since the website's efficiency and ease were optimised through the statistics. In this regard, the DPA found it important that these statistics were provided by a third party who anonymised the statistics irreversibly. Lastly, the DPA considered that the sub-processing that was carried out by AWS, did not lead to an international data transfer because this was laid down in an agreement and "publicly guaranteed".
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Self-employment case about the municipality's processing of information about website visitors Date: 17-11-2021 Decision Public authorities Næsted Municipality's processing of personal data about website visitors for statistical purposes could take place on the basis of the municipality's exercise of authority, reads the conclusion in a new decision from the Danish Data Protection Agency. Journal number: 2020-432-0047 Summary In October 2020, the Danish Data Protection Agency initiated a self-operation case against Næstved Municipality regarding the municipality's processing of personal data about website visitors. After the Danish Data Protection Agency initiated the investigation of Næstved Municipality, the municipality chose to change its approach to the processing of personal data about visitors to the municipality's website. With this decision, the Danish Data Protection Agency has not taken a position on the municipality's new approach. The procedure for processing personal data about visitors, which Næstved Municipality used in October 2020, presented the website visitor with information that the website used cookies for e.g. to improve the user experience and to support the marketing of the municipality's services. Website visitors then had the option to select "OK" or "Show details". Næstved Municipality further stated in the case that information about website visitors was collected for statistical purposes in order to ensure a high level of citizen and user friendliness. The Data Inspectorate found - after the case had been processed at a meeting of the Data Council - an opportunity to express criticism that Næstved Municipality in connection with the processing of personal data about website visitors did not observe the basic processing principle that personal data must be processed legally, fairly and in a transparent manner. The Danish Data Protection Agency also found that Næstved Municipality's processing of personal data about website visitors for statistical purposes took place as part of the municipality's exercise of authority and thus within the framework of the data protection rules. In its decision, the Danish Data Protection Agency assumed that there was no transfer of information to countries outside the EU. Decision The Danish Data Protection Agency hereby returns to the case, which the Danish Data Protection Agency initiated on 9 October 2020 of its own motion regarding Næstved Municipality's processing of personal data about website visitors (in the form of cookies) on the municipality's website (www.naestved.dk). The Danish Data Protection Agency notes that after the Authority's launch of the investigation, Næstved Municipality has chosen to change the municipality's procedure regarding the processing of personal data about visitors to the municipality's website. With this decision, the Danish Data Protection Agency does not take a position on the new procedure at www.naestved.dk. The Danish Data Protection Agency's decision only concerns whether Næstved Municipality's processing of personal data in its previous procedure on www.naestved.dk was in accordance with the data protection law rules. In this connection, the Danish Data Protection Agency notes that the decision therefore does not deal with matters that fall within the scope of Executive Order no. 1148 of 9 December 2011 on requirements for information and consent when storing or accessing information in the end user's terminal equipment (the cookie executive order), which under the Danish Business Authority's area of competence. Decision The Data Inspectorate finds - after the case has been discussed at a meeting of the Data Council - an opportunity to express criticism that Næstved Municipality in connection with the processing of personal data about website visitors has not complied with Article 5 (1) of the Data Protection Regulation [1]. 1, letter a, that personal data must be processed legally, fairly and in a transparent manner in relation to the data subject. The Danish Data Protection Agency also finds that Næstved Municipality's processing of personal data about website visitors for statistical purposes has taken place within the framework of the Data Protection Ordinance, Article 6 (1). 1, letter e. Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision. 2. Case presentation In February 2020, the Danish Data Protection Agency published a guide on the processing of personal data about website visitors [2]. As a follow-up to this and to focus on whether the rules in this area are complied with, the Danish Data Protection Agency decided in October 2020 to investigate the website www.naestved.dk in more detail on its own initiative. At the time, the following text about visits to the website appeared on the website, which belongs to and is administered by Næstved Municipality: The website uses cookies to improve your experience, assess the use of the individual elements on the website and to support the marketing of our services. By clicking on the website, you accept the website's use of cookies. ” On the website, website visitors were then presented with a choice between pressing "OK" or "Show details". By clicking "Show details", the website visitor was taken to the following text: "Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we may store cookies on your device if they are strictly necessary to ensure the delivery of the service you have expressly requested to use. For all other types of cookies, we must obtain your consent. This website uses different types of cookies. Some cookies are set by third-party services displayed on our pages. ” In connection with the website visitor's acceptance or continued use of www.naestved.dk, in addition to some technically necessary cookies, three statistical cookies were placed. On 9 October 2020, 10 December 2020, 22 February 2021, 21 May 2021 and 21 September 2021, the Danish Data Protection Agency requested opinions from Næstved Municipality on the matter. Næstved Municipality issued statements on the matter on 17 November 2020, 15 January 2021, 9 March 2021, 26 May 2021 and 12 October 2021. 2.1. Næstved Municipality's comments In the municipality's statement of 6 November 2020, Næstved Municipality has generally stated that the municipality processes information about website visitors which is covered by the scope of the Data Protection Ordinance. Næstved Municipality has also stated that the processing takes place on the basis of Article 6 (1) of the Data Protection Regulation. 1, letter e, for the purpose of performing a task in the interest of society or which falls under the exercise of public authority, including to take care of the need to provide information about the municipality's solution of municipal tasks. In the statement of 13 January 2021, Næstved Municipality stated that at the time of the Data Inspectorate's hearing of 9 October 2020, the municipality used 11 cookies on the website, of which three cookies were used for statistical purposes. With regard to Næstved Municipality's processing of information about website visitors for statistical purposes, the municipality has argued that the processing helps to ensure a high level of citizen and user friendliness at www.naestved.dk, including by: to optimize citizens' user journeys to relevant public information on the basis of statistical data on the use of the website to track interrupted user journeys, to maintain general security on the website, eg by identifying illegal and malicious traffic, to measure the effect of the communication effort on the basis of data on which pages and links the citizens use, to optimize appointment systems and physical contact points using statistics to see how much of the inquiries take place via physical self-service screens or through links from the website, and to help find the balance point in personal inquiries and self-service solutions, which is a wish of politicians. In relation to the legality of the processing, Næstved Municipality has stated that the municipality has emphasized that the use of cookies is set up so that the data set from the individual cookies is collected from a supplier who generates irreversible anonymised statistics to Næstved Municipality. Information collected through the use of cookies is thus processed as limited as possible and solely for the purpose of providing statistics that can ensure the municipality knowledge about the user journey. Næstved Municipality has in its statement of 12 October 2021 clarified that the information collected in this connection is the users' IP addresses. The collection does not take place via the cookie itself, which is placed, but from a script which is triggered in the visitor's browser, and which sends statistical data to Siteimprove after the visitor has accepted Siteimprove's cookie. However, this does not change either the legality or the basis of treatment in this regard. Næstved Municipality has also stated that digital communication with citizens is a prerequisite for the municipality's solution of municipal tasks, and that the municipality as part of its task solution is thus dependent on having effective, contemporary and citizen-friendly communication channels for citizens. In this connection, the municipality must use information about how the website is used, and this information is provided through statistics cookies. As examples of what Næstved Municipality has of available information on its website, the municipality has pointed to information about contacts and opening hours, corona information, health services, city council meetings, policies and strategies as well as consultations. Næstved Municipality has claimed that the municipality thereby solves some of its tasks through www.naestved.dk, just as the municipality communicates to and including the citizens via the website. The information that Næstved Municipality collects using statistical cookies contributes to the relevant information being in the right places on the website, and that the municipality has current and concrete information about the use of the website. At the same time, the use of cookies means that it is not necessary to carry out user surveys of the website, which is time and cost saving for the municipality and time saving for the citizen. In addition, the data base from the placed statistics cookies is considered to contribute with more current and concrete knowledge about the citizens' use of the website than user surveys could produce. Furthermore, Næstved Municipality has stated that statistics cookies contribute to monitoring whether unintentional files and / or files with unintentional content are posted on Næstved Municipality's website. In the municipality's statement of 9 March 2021, Næstved Municipality has stated that the personal data that Næstved Municipality processes using the analysis tool Siteimprove Analytics is not passed on to third parties. Siteimprove Analytics is part of a data processor agreement with Næstved Municipality, and as a result is obliged to process personal data only in accordance with documented instructions from the municipality. The municipality has also stated in its statement of 12 October 2021 that the municipality has obtained an in-depth report from Siteimprove on how personal data is processed in connection with the solution of tasks for the municipality. In this connection, Næstved Municipality has supplemented by the fact that Amazon Web Service (AWS) Frankfurt is the sub-processor for Siteimprove, which is also stated in the data processor agreement between Næstved Municipality and Siteimprove. The agreement ensures that personal data is only stored in the EU. In this connection, AWS Frankfurt has in the agreements and publicly given guarantees that this restriction will be maintained and that there will be no transfer to countries outside the EU - including the USA. It is Næstved Municipality's opinion that there is no real risk that information will be transferred to the USA in violation of these guarantees in connection with online support or the like. Næstved Municipality has further stated that with the wording "By clicking on the website, you accept the website's use of cookies" was not the intention to provide a processing basis in the data protection regulation, but was only presented to the website visitors to obtain consent to place the relevant cookies as prescribed in the cookie order. Næstved Municipality has stated that the municipality has subsequently changed the text on the website. Finally, Næstved Municipality has stated that it was an error that it appeared from the text that the municipality processed the information for marketing purposes. The error occurred because the default text that came with the cookie pop-up was not modified before it was used. Justification for the Danish Data Protection Agency's decision 3.1. The basic principles for the processing of personal data, as set out in Article 5 of the Data Protection Regulation, must in all cases be observed when processing personal data. This means, among other things, that personal data must be processed legally, fairly and in a transparent manner in relation to the data subject, in accordance with Article 5 (1) of the Data Protection Regulation. 1, letter a. Næstved Municipality presented website visitors for the following text in connection with visits to www.naestved.dk: The website uses cookies to improve your experience, assess the use of the individual elements on the website and to support the marketing of our services. By clicking on the website, you accept the website's use of cookies. ” In addition, the following was stated on the website: "Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we may store cookies on your device if they are strictly necessary to ensure the delivery of the service you have expressly requested to use. For all other types of cookies, we must obtain your consent. This website uses different types of cookies. Some cookies are set by third-party services displayed on our pages. ” The Danish Data Protection Agency finds that Næstved Municipality has not complied with the basic principle of legality, reasonableness and transparency in Article 5 (1) of the Data Protection Regulation. 1, letter a. In the assessment, the Danish Data Protection Agency has emphasized that the texts on the website led visitors to believe that the municipality processed personal data for marketing purposes, even though this was not the case. Against this background, the Danish Data Protection Agency finds grounds for expressing criticism that Næstved Municipality has not complied with Article 5 (1) of the Data Protection Ordinance. 1, letter a, in connection with the municipality's processing of personal information about the website visitors at www.naestved.dk. 3.2. The Danish Data Protection Agency finds that Næstved Municipality's processing of personal data about website visitors for statistical purposes must be assessed according to whether the processing can be accommodated within the municipality's exercise of authority pursuant to Article 6 (1) of the Data Protection Ordinance. 1, letter e. It follows from Article 6 (1) of the Regulation 1, letter e, that the processing of personal data is lawful if the processing is necessary for the purpose of performing a task in the interest of society or which falls within the exercise of public authority, which the data controller has been instructed to do. After a review of the case, the Danish Data Protection Agency finds that Næstved Municipality's processing of personal data for statistical purposes has taken place within the framework of Article 6 (1) of the Data Protection Regulation. 1, letter e. The Danish Data Protection Agency has emphasized that Næstved Municipality, as a public authority, has a duty to guide and help citizens, which i.a. can be done by using www.naestved.dk. In this connection, Næstved Municipality has a factual reason to collect and process information with a view to providing statistics on website visitors 'behavior, which enables Næstved Municipality to optimize the efficiency and user-friendliness in connection with citizens' visits to www.naestved.dk. The Danish Data Protection Agency has also emphasized what Næstved Municipality stated that digital communication with citizens is a prerequisite for the municipality's solution of municipal tasks, as the municipality's website contains important information for citizens, which citizens must be able to access effectively. In the assessment, the Danish Data Protection Agency has also assumed that the municipality's processing is set up in such a way that the data set from the individual cookies is collected from a supplier, which generates irreversible anonymised statistics for the municipality. The Danish Data Protection Agency notes that the Authority has not verified whether the anonymisation carried out is irreversible. Finally, the Danish Data Protection Agency has emphasized that AWS, which is used as a sub-data processor for the processing of personal data for statistical purposes, has by agreement and publicly guaranteed that there is no transfer of data to countries outside the EU, and that the processing therefore takes place under Siteimprove's controlled framework. Against this background, the Danish Data Protection Agency assesses that Næstved Municipality's processing of personal data about website visitors on www.naestved.dk has taken place as part of the municipality's exercise of authority and thus within the framework of the Data Protection Ordinance, Article 6 (1). 1, letter e. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation). [2] The Danish Data Protection Agency's guide on the processing of personal data on website visits from February 2020