Datatilsynet (Denmark) - 2023-832-0081: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=2023-832-0081 |ECLI= |Original_Source_Name_1=Datatilsynet |Original_Source_Link_1=https://www.datatilsynet.dk/afgoerelser/afgoerelser/2023/sep/koebmand-i-meny-faar-alvorlig-kritik-for-at-videregive-oplysninger-om-strafbare-forhold |Original_Source_Language_1=Danish |Original_Source_Language__Code_1=DA |Origi...") |
m (→Holding) |
||
(One intermediate revision by the same user not shown) | |||
Line 64: | Line 64: | ||
=== Facts === | === Facts === | ||
The data subject worked in a bakery located within a supermarket. The management of the supermarket – the controller – recorded the data subject while | The data subject worked in a bakery located within a supermarket. The management of the supermarket – the controller – recorded the data subject while they were committing a criminal offence. Therefore, the data subject was banned from the supermarket’s premises. At the same time, the controller shared with the data subject’s employer - the manager of the bakery – personal data concerning the data subject, including information about their criminal conduct. | ||
As a consequence, the data subject was also dismissed from their job in the bakery. | As a consequence, the data subject was also dismissed from their job in the bakery. | ||
The data subject filed a complaint with the Danish DPA, claiming that the disclosure to third parties was unlawful. | The data subject filed a complaint with the Danish DPA, claiming that the disclosure to third parties was unlawful. | ||
=== Holding === | === Holding === | ||
The Danish DPA upheld the data subject’s complaint. | The Danish DPA upheld the data subject’s complaint. | ||
First, the DPA found that ‘criminal information’ does not necessarily require | |||
First, the DPA found that ‘criminal information’ does not necessarily require a criminal liability. As a matter of fact, it is sufficient that the data subject suffers or may suffer deprivation of rights due to their unlawful conduct, such as in a disciplinary procedure. | |||
However, the DPA found that the description of the criminal offence was not necessary to achieve the controller’s legitimate interest. The controller could have informed the data subject’s employer about the ban without sharing criminal details, even if | |||
Second, the DPA took into account that the disclosure to the data subject’s employer occurred by means of an oral notification to the latter and that the controller refrained from sharing videos where the data subject actually performed the criminal offence at issue. According to the controller, the oral communication was necessary to inform the recipient that the data subject was banned from the supermarket. | |||
However, the DPA found that the description of the criminal offence was not necessary to achieve the controller’s legitimate interest. The controller could have informed the data subject’s employer about the ban without sharing criminal details, even if the disclosure took place in oral form. | |||
Therefore, the DPA reprimanded the controller. | Therefore, the DPA reprimanded the controller. | ||
Latest revision as of 08:02, 27 September 2023
Datatilsynet - 2023-832-0081 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 10 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 06.03.2023 |
Decided: | |
Published: | 25.09.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 2023-832-0081 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | mg |
The Danish DPA found that national law implementing Article 10 GDPR does not allow the disclosure of criminal information to the data subject’s employer if such a processing is not necessary to achieve the legitimate interests of the controller.
English Summary
Facts
The data subject worked in a bakery located within a supermarket. The management of the supermarket – the controller – recorded the data subject while they were committing a criminal offence. Therefore, the data subject was banned from the supermarket’s premises. At the same time, the controller shared with the data subject’s employer - the manager of the bakery – personal data concerning the data subject, including information about their criminal conduct.
As a consequence, the data subject was also dismissed from their job in the bakery.
The data subject filed a complaint with the Danish DPA, claiming that the disclosure to third parties was unlawful.
Holding
The Danish DPA upheld the data subject’s complaint.
First, the DPA found that ‘criminal information’ does not necessarily require a criminal liability. As a matter of fact, it is sufficient that the data subject suffers or may suffer deprivation of rights due to their unlawful conduct, such as in a disciplinary procedure.
Second, the DPA took into account that the disclosure to the data subject’s employer occurred by means of an oral notification to the latter and that the controller refrained from sharing videos where the data subject actually performed the criminal offence at issue. According to the controller, the oral communication was necessary to inform the recipient that the data subject was banned from the supermarket.
However, the DPA found that the description of the criminal offence was not necessary to achieve the controller’s legitimate interest. The controller could have informed the data subject’s employer about the ban without sharing criminal details, even if the disclosure took place in oral form.
Therefore, the DPA reprimanded the controller.
Comment
The decision (press release) does not specifically mention GDPR provisions. However, the case is based on the concept of ‘criminal information’, which is regulated by Article 10 GDPR. This provision allows for processing of ‘data relating to criminal convictions and offences’ when such a processing is authorised by EU or national law. In this case, the DPA found that Section 8 of the Danish Data Protection Act, applicable in the abstract, did not cover the facts at issue. Therefore, the processing was unlawful.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Købmand i Meny receives serious criticism for passing on information about criminal matters Date: 25-09-2023 Decision Private companies Serious criticism Complaint Basis of processing Penalties TV surveillance The Danish Data Protection Authority has expressed serious criticism in a case where a merchant in Meny had verbally passed on information about criminal offenses without authorization. Journal number: 2023-832-0081. Summary The Danish Data Protection Authority has made a decision in a case where a complainant complained that a merchant in Meny had passed on personal data about the complainant - including criminal offenses - to the complainant's former boss without authorization. In the case, the Data Protection Authority found grounds for expressing serious criticism of the fact that the merchant in Meny had verbally passed on information about criminal matters to the complainant's former boss. The information stated that the complainant had been expelled from the relevant Menys shop premises as a result of a case of criminal enrichment. This happened on the basis of a review of video recordings in the store. The Danish Data Protection Authority found that the description of the criminal offence, which was the reason for the complainant's expulsion, was not necessary to safeguard the company's legitimate interest, which is why the disclosure of this information could not be made pursuant to section 8, subsection of the Data Protection Act. 4. Decision The Danish Data Protection Authority hereby returns to the case where [X], on 6 March 2023, on behalf of the complainant, complained to the Danish Authority that the grocer in Meny [Y], which is owned and operated by Dagrofa ApS (hereinafter "Dagrofa"), had passed on personal data - including information about criminal offenses - about complaints to the complainant's then boss at Lagkagehuset. On the basis of the information now available in the case – including Dagrofa's consultation response of 14 April 2023 – it is the Danish Data Protection Authority's assessment that the case does not relate to a security breach notified to the Danish Authority on 20 February 2023 (j. no. 2023-441- 14849), as the case concerns the disclosure of information about criminal matters, which must be assessed according to Section 8 of the Data Protection Act[1]. 1. Decision After a review of the case, the Danish Data Protection Authority finds that there are grounds for expressing serious criticism that Dagrofa's processing of personal data has not taken place in accordance with the rules in section 8, subsection of the Data Protection Act. 4, cf. subsection 3. Below follows a closer review of the case and a rationale for the Data Protection Authority's decision. 2. Case presentation It appears from the case that on 21 January 2023 the complainant was dismissed from his workplace, Lagkagehuset, located in Meny [Y]'s shop premises. On 6 March 2023, [X], on behalf of the complainants, forwarded a complaint with annexes to the Danish Data Protection Authority in the matter. On 14 April 2023, Dagrofa issued a statement in the case. 2.1. Complainant's comments The complainant has generally stated that the grocer in Meny [Y], in violation of the TV Surveillance Act, has handed over information from the store's TV surveillance to the store manager at Lagkagehuset, where the complainant was employed at the time. As a result, the complainant was dismissed from his workplace on 21 January 2023. 2.2. Dagrofa's remarks Dagrofa has stated that Menu [Y] is owned and operated by Dagrofa, which is why Dagrofa is the data controller for the processing of personal data in question in the case. Dagrofa has generally stated about the facts of the case that the merchant in Meny [Y] has informed the store manager in Lagkagehuset that the complainants had been expelled from Meny [Y]'s premises as a result of a case of criminal enrichment. The reason for this was that the complainant was employed at Lagkagehuset at the time, and that the grocer wanted to inform the store manager that the complainant could no longer use Meny [Y]'s entrance. Recordings from the video surveillance in Menu [Y] have not been shared with third parties, but only verbal information has been given, which is based on a review of the video recordings in question. Dagrofa has subsequently informed the grocer that he should have informed the complainant about the expulsion instead, after which the complainant himself could have informed his store manager about the situation. 3. Reason for the Data Protection Authority's decision Based on the information in the case, the Danish Data Protection Authority assumes that the grocer in Meny [Y] has not shared the video recordings in question with the store manager in Lagkagehuset. The Data Protection Authority also assumes that the merchant has verbally informed the store manager at Lagkagehuset that the complainants had been expelled from Meny [Y]'s premises as a result of a case of criminal enrichment based on a review of the video recordings in the store. 4c of the TV Surveillance Act[2] regulates the disclosure of image and sound recordings with personal data recorded in connection with TV surveillance. The case must therefore be assessed according to the rules in the Data Protection Act and not the TV Surveillance Act, as it is a matter of oral disclosure based on the relevant video recordings in the store, and not a disclosure of the video recordings themselves. It appears from the preparatory work for Section 8 of the Data Protection Act [3] that the concept of "punishable circumstances" must be understood quite broadly. Not just information about a violation of legislation, without it having triggered or can trigger an actual criminal liability, but possibly other sanctions, such as deprivation of rights, is assumed to be covered by the term. Furthermore, it also appears that, however, not every information about a possible criminal matter, including every report to the police, can be considered covered. In addition, it is required that the report to the police in one form or another must be assumed to be substantiated, before there is information about criminal matters. It is the Danish Data Protection Authority's assessment that Dagrofa has passed on information about criminal offenses covered by the provisions of § 8 of the Data Protection Act on complaints to third parties. In this connection, the Danish Data Protection Authority has emphasized that the merchant has passed on specific information that the complainant has committed criminal enrichment against the store, and that the information for the recipient must be considered substantiated, especially since, according to Dagrofa, it was information that was based on review of video recordings in the store. The Danish Data Protection Authority finds that the description of the criminal offence, which was the reason for the complainant's expulsion, was not necessary to safeguard the company's legitimate interest, which is why the disclosure of this information could not be made pursuant to section 8, subsection of the Data Protection Act. 4. In this connection, the Danish Data Protection Authority emphasized that the passing on of information that the complainant had committed criminal enrichment was not necessary for Dagrofa to safeguard its legitimate interest, and that the information given to the store manager in the Lagkagehuset should have been limited to information only that complainants had been evicted from Meny [Y]'s premises and as a result could not gain access to the store. [1] Act No. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information (the Data Protection Act). [2] Legislative Decree No. 182 of 24 February 2023. [3] Bill for Act No. 502 of 23 May 2018, LFS No. 68, the special comments on § 8.