Datatilsynet (Denmark) - 2020-32-1566
Datatilsynet (Denmark) - 2020-32-1566 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 5(1)(c) GDPR Article 6(1)(a) GDPR Article 6(1)(d) GDPR Article 6(1)(f) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 06.07.2021 |
Published: | |
Fine: | - |
Parties: | Erhvervsstyrelsen (Danish Business Authority) |
National Case Number/Name: | 2020-32-1566 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | Rose |
The Danish Supervisory Authority decided that the general recording of phone calls by the Danish Business Authority without prior consent is in breach of the GDPR. The DPA found that neither recording calls to document threatening of employees nor recordings for internal educational purposes are covered by legal basis in the GDPR different from consent.
English Summary
Facts
The data subject lodged a complaint with the Danish Supervisory Authority (Datatilsynet) stating that the Danish Business Authority recorded a telephone conversation of them without their consent. The Business Authority had recorded all incoming calls for the previous two years, each stored for a 96 hours period.
According to the Business Authority, the conversations were recorded in order to protect employees from criminal offences and for educational and training purposes. The recording of such calls are therefore covered by the legal bases of vital interest of employees and are necessary for the performance the Agency's obligation to provide general guidance.
Holding
The DPA made clear, that processing based vital interests of another natural person can ultimately only take place if no other legal basis is applicable. And while the Business Authority as public entity cannot base its processing on legitimate interest, the recording of phone calls could potentially be necessary for the performance of a task carried out in the public interest
However, the DPA found that the general recording of all phone calls cannot be considered necessary under Article 6(1)(e) GDPR and Article 5(1)(c) GDPR given the intrusive nature of the processing compared to the rare occurrence of actual threats against employees. Similarly, the DPA emphasizes that recording telephone calls for improving the performance of his or her employees in order or to provide better guidance does not exceed the data subject's interest and therefore require their consent.
Therefore, the DPA considers the recording of telephone conducted by the Business Authority unlawful, but must be based on the consent of data subjects in accordance with Article 6(1)(a) GDPR. The Business Authority was ordered to inform the DPA of how it plans to bring the processing activities into compliances within 4 weeks.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
The Danish Business Authority's recording of telephone conversations Date: 06-07-2021 Decision Public authorities The Danish Data Protection Agency hereby returns to the case where a citizen on 25 June 2020 complained to the Authority that the Danish Business Authority had recorded a telephone conversation between him and the agency without consent. Journal number: 2020-32-1566 Summary The Danish Data Protection Agency has made a decision in a case where a citizen complained that the Danish Business Authority had recorded a telephone conversation between him and the agency without first obtaining consent. During the case, it emerged that since 1 June 2018, the Danish Business Authority had recorded all incoming telephone calls to the Agency's customer center. The recordings were made for the purpose of having documentation when submitting a police report in order to protect the employees in the agency's customer center against threats, etc., and for use in training and ongoing training of the customer center's employees in view of the authority's duty to provide guidance. The Data Inspectorate found - after the case had been submitted to the Data Council - that the Danish Business Authority's general practice, according to which without exception recorded telephone conversations with citizens, companies, etc., who called the agency for advice and guidance, could not be considered necessary for execution. of a task in the interest of society or which falls within the exercise of public authority. In this connection, the Danish Data Protection Agency emphasized that it - i.a. with regard to the Danish Business Authority's authority tasks - had to be assumed to have the nature of the exception, that citizens and companies called in and threatened the agency's employees to such an extent that the agency would make a police report. The Danish Data Protection Agency also found that the Danish Business Authority's recording telephone conversations for use in quality and educational purposes could only take place on the basis of a consent from the data subjects. On that basis, the Danish Data Protection Agency expressed serious criticism of the Danish Business Authority's processing of personal data in connection with the recording of telephone conversations. Decision After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that the Danish Business Authority's processing of information on complaints in the form of recording a telephone conversation has not taken place in accordance with Article 6 (1) of the Data Protection Regulation. 1. Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision. 2. Case presentation It appears from the case that on 26 June 2020, the Danish Business Authority's customer center recorded a telephone conversation with complaints. On 3 June 2020, complainants contacted the Danish Business Authority in order to make the Agency aware that the Agency's practice for recording telephone conversations was contrary to the Danish Data Protection Agency's guidelines and practice, because the recording was made without obtaining consent. On 24 June 2020, the Danish Business Authority responded to the inquiry. In this connection, the Danish Business Authority explained the purpose of the Agency's recording of telephone conversations, including the basis for the processing. The Danish Business Authority stated that the purpose of recording all incoming telephone calls to the agency's customer center is partly to protect the employees in the customer center and partly to ensure quality in order to provide better guidance. The Danish Business Authority stated complaints that the recordings are made on the basis of e.g. Article 6 (1) of the Data Protection Regulation 1, letters d and e. Complainants commented on 25 June 2020 on the Danish Business Authority's response and at the same time complained to the Danish Data Protection Agency. On 18 August 2020, the Danish Business Authority issued a statement for use in the Danish Data Protection Agency's processing of the case, to which complaints on 1 September 2020 submitted comments. 2.1. Complainant's remarks Complainants have generally stated that the Danish Business Authority's processing of personal data in connection with the recording of incoming telephone calls to the Agency's customer center can only take place with the prior consent of the data subject. In this connection, the complainant has stated that he does not agree with the Danish Business Authority's assessment that recording telephone conversations can be considered necessary for the agency's activities, including that the data subjects' interests must give way to training, ongoing training and quality assurance and employee protection. against threats etc. On that basis, the complainants claim that the treatment is not proportionate. Complainants have noted that it would be more proportionate to let the employee who feels threatened start a recording at the moment he or she feels threatened and not by default record all conversations. 2.2. The Danish Business Authority's comments The Danish Business Authority has stated that since 1 June 2018, the Agency has recorded all incoming telephone calls to the Agency's customer center. Regarding the purpose of recording the telephone conversations in the customer center, the Danish Business Authority has stated that recording, among other things, is done for the sake of protecting the individual employee. In this connection, the Danish Business Authority has referred to a specific episode in the spring of 2018, where a citizen threatened an employee with death and was subsequently reported to the police. In the specific case, the police requested material for use in the investigation, which the agency could not accommodate due to failure to record telephone calls. The Danish Business Authority has noted that the customer center's employees have generally experienced an increased level of threat. Telephone conversations are also recorded for the purpose of training and ongoing training of the customer center's employees in consideration of the administrative law guidance obligation pursuant to section 7 (1) of the Public Administration Act. 1, and the principle of friendly and considerate behavior towards citizens, which follows from good administrative practice. In this connection, the Danish Business Authority has referred to the Ombudsman's statement in FOB 2011 21-1 [2]. The recordings are thus made to develop the quality of the agency's services and thereby prevent and prevent errors in the agency's guidelines (eg to avoid giving incorrect answers or references), and to speak nicely. It is the Danish Business Authority's assessment that quality assurance must take place regularly in order to be able to implement the necessary improvements on an ongoing basis. The Danish Business Authority has also stated that the service offered by the Agency's customer center is carried out as part of the Agency's actual management activities and thus as part of the Agency's authority tasks. The Danish Business Authority has, among other things, stated that it is the Agency's assessment that much of what is carried out in the customer center is directly related to the Agency's general guidance obligation, which is why telephone conversations can be recorded on the basis of Article 6 (1) of the Data Protection Regulation. 1, letter e. It is also the Danish Business Authority's assessment that telephone conversations can be recorded on the basis of Article 6 (1) of the Data Protection Ordinance. 1, letter d, as the recordings are considered necessary to protect the employees' vital interests in relation to, for example, threats. The Danish Business Authority has stated that the recordings are generally stored for 96 hours, after which they are automatically deleted. The 96 hours are determined on the basis of a purpose consideration as well as on the basis of proportionality and data minimization considerations, where e.g. is emphasized that there must be an opportunity to respond to phone calls received on Friday despite the upcoming weekend. If a recording is to be used e.g. for use in a police report, the call is manually pulled out of the system and journaled in the agency's case processing system as an audio file, and the retention time of 96 hours can thus be deviated from in specific cases. In conclusion, the Danish Business Authority has noted that prior to all interviews and at all entrances to the telephone speaker, the Agency states the following: “Please note that we record the interview with a view to quality assurance and for the sake of our employees. You can read more about our personal data policy at erst.dk ”. Justification for the Danish Data Protection Agency's decision The Danish Data Protection Agency assumes that the Danish Business Authority's recording of telephone conversations takes place for documentation purposes for the purpose of submitting a police report in order to protect the employees in the agency's customer center against threats, etc., and that telephone conversations are also used for training and ongoing training of customer center employees. for the sake of the administrative law duty to provide guidance. 3.1. Recording for documentation purposes The Danish Business Authority has stated to the Danish Data Protection Agency that the Agency's recording and storage of telephone conversations for documentation purposes may take place on the basis of Article 6 (1) of the Data Protection Ordinance. Article 9 (1) (d) Article 2 (2) (c) and Article 10. In this connection, the Danish Business Authority has stated that recording and storage of telephone conversations in the customer center, among other things, is done for the sake of protecting the individual employee, as the customer center's employees have experienced a number of unfortunate episodes and a generally increased level of threat, and for the sake of documenting these episodes to the police, should the police request documentation of threats made etc. On the basis of the information in the case, however, the Danish Data Protection Agency is of the opinion that the Danish Business Authority will only exceptionally process personal data covered by Articles 9 and 10 of the Data Protection Ordinance in connection with citizens 'and companies' telephone inquiries to the Agency's customer center. The Danish Business Authority's practice for recording telephone conversations must therefore be assessed in accordance with Article 6 of the Data Protection Regulation. 3.1.1. It is the Data Inspectorate's assessment that the Danish Business Authority's recording telephone conversations for the purpose of ensuring documentation for use in filing a police report cannot take place on the basis of Article 6 (1) of the Data Protection Ordinance. 1, letter d. The Danish Data Protection Agency has emphasized that Article 6 (1) of the Data Protection Regulation 1, letter d, according to the wording of the provision corresponds to the provisions of Article 7 (d) of the Personal Data Directive and section 6 (1) of the Personal Data Act. However, Article 6 (1) of the Regulation provides: 1, letter d, an addition, according to which also the necessity of a treatment to protect the vital interests of another natural person will be able to make a treatment lawful. An example of when it may be lawful to process information about a person for the vital interests of another natural person is the situation that it is not possible for a hospital to get in touch with a patient who is waiting for a new organ at the time the hospital comes into possession of the organ, which is why the hospital has to process personal data about the patient's girlfriend in order to get in touch with the patient. [3] Furthermore, it is clear from recital 46 in the preamble to the Data Protection Regulation that the processing of personal data on the basis of the vital interests of another natural person should in principle only take place if the processing cannot clearly be based on another legal basis. 3.1.2. It follows from the Danish Data Protection Agency's practice and guidance on traders' recording of telephone conversations [4] that unless the data controller is obliged by other rules to record and store telephone conversations, the data controller must consider whether recording telephone conversations for documentation purposes requires consent. from the data subject, or whether the data controller's legitimate interest in recording telephone conversations exceeds the data subject's interest in not being recorded, so that the recording can be made without the consent of the data subject, cf. Article 6 (1) of the Data Protection Regulation. 1, letter f. As public authorities cannot apply Article 6 (1) of the Data Protection Regulation 1, letter f, as a legal basis for the processing of personal data, it will in the case of the Danish Business Authority instead have to decide whether it is possible to record telephone recordings without consent pursuant to Article 6 (1) of the Regulation. 1, letter e. [5] According to the Data Inspectorate's practice, it is a condition for being able to record telephone conversations without the consent of the data subject that the need to be able to document the content of the telephone conversation in practice cannot actually be met in any other way. It appears from the Authority's guidelines on the recording of telephone conversations by traders that the recording of telephone conversations differs from other types of processing, as the data controller usually does not have prior knowledge of whether a conversation develops in such a way that there is a need to document the content of the conversation. The data controller can therefore content himself, on a general level, with regard to whether the data controller's company, etc. is of such a nature that telephone conversations usually have a content that must be able to be documented, and that this cannot be done in any other way than by recording the telephone conversation. When the data controller has to assess whether the need to be able to document the content of the telephone conversation can in practice not be fulfilled in any other way than by recording telephone conversations, the data controller can e.g. attach importance to the fact that the content of the telephone conversations cannot be documented in any other way without significant practical difficulties, including the preparation of any telephone notes and / or subsequent correspondence with the data subject. In this connection, it can i.a. importance is attached to whether details and nuances concerning e.g. the facts may be of such significance that a telephone note, for example, will not constitute sufficient documentation. Furthermore, the data controller may attach importance to the fact that the legislation that regulates the data controller's activities does not require that relevant information must in any case be given to the data subject in writing, just as the data controller may attach importance if supervisory authorities, appeals boards, etc. will usually require the submission of an audio file if the data subject files a complaint. 3.1.3. On the basis of what has been stated in the case, the Danish Data Protection Agency's assessment is that it cannot be ruled out that there may be isolated cases where the Danish Business Authority, pursuant to Article 6 (1) of the Data Protection Ordinance. 1, letter e, (and possibly the Data Protection Act § 8, paragraph 1) may record telephone conversations in order to ensure documentation for use in filing a police report, if it is of particular importance for a subsequent criminal case that the agency can document, f. ex. that a citizen's statements during a telephone conversation “were suitable to evoke serious fear for their own or others' life, health or welfare”, cf. section 266 of the Criminal Code, where the citizen's tone or emphasis of words cannot be reproduced in writing. However, it is the Data Inspectorate's assessment that the Danish Business Authority's processing in the form of a general practice, according to which telephone conversations with citizens, companies, etc., who call the Agency for advice and guidance without exception, cannot be accommodated within Article 6 of the Regulation, PCS. 1, letter e. In this connection, the Danish Data Protection Agency has emphasized that it - i.a. with regard to the Danish Business Authority's authority tasks - must be assumed to have the nature of the exception that citizens and companies call in and threaten the agency's employees to such an extent that the agency finds grounds for reporting the person in question to the police. In view of the large number of data subjects and the intrusive nature of the processing, such a general practice is not proportionate in the opinion of the Danish Data Protection Agency and can therefore not be considered necessary and can therefore not be accommodated within Article 6 (1) of the Regulation. A similar requirement of proportionality and necessity follows from Article 5 (1) of the Data Protection Regulation. 1 (c) ("data minimization principle"). 3.2. Admission for use in quality and educational purposes The Danish Business Authority has stated to the Danish Data Protection Agency that the Agency's recording and storage of telephone conversations for use in quality and educational purposes may take place on the basis of Article 6 (1) of the Data Protection Ordinance. Article 9 (1) (e) Article 2 (2) (g) and Article 10. It is the Data Inspectorate's assessment that the recording and storage of telephone conversations for quality and educational purposes as the clear starting point can only be based on a consent from the persons about whom information is registered, cf. Article 6 (1) of the Data Protection Regulation. And, to the extent that special categories of information are processed, Article 9 (1) (a). 2, letter a. The Danish Data Protection Agency emphasizes that recording telephone conversations for various reasons can be perceived as interfering with the data subject, and that the data controller's interest in empowering his employees with a view to e.g. to be able to provide better guidance as the clear starting point does not exceed the data subject's interest in not being admitted. Recording and storage of telephone conversations for quality assurance purposes can therefore in principle not take place without the consent of those for whom information is registered, even if the data controller can record the interview without consent in order to document the content of the interview. However, the Danish Data Protection Agency cannot rule out the possibility that there may exceptionally be circumstances in which telephone conversations for quality assurance purposes can be recorded without the data subject's consent. This may be the case where it is in a particular degree in the data subject's interest that there is an ongoing development in the employees' competencies and the “customer experience” derived therefrom, e.g. in connection with emergency and rescue services, where it must be assumed that it is of crucial importance to the data subject that the quality of the service or guidance received is top notch. However, the Danish Data Protection Agency finds that the Danish Business Authority has not stated such special circumstances that may justify the recording of telephone conversations for quality assurance purposes without the consent of the data subjects, cf. Article 6 (1) of the Data Protection Ordinance. 1, letter a. The Danish Data Protection Agency thus finds that the duty to provide guidance to which public authorities are subject pursuant to section 7, subsection 1 of the Public Administration Act. 1, and good administrative practice, does not imply that it is necessary to record telephone conversations to ensure compliance with the duty to provide guidance. The Danish Data Protection Agency also finds that the Danish Business Authority's authority task is not of such a nature that it can prove that admission is made for quality and educational purposes without consent. 3.3. The Danish Data Protection Agency thus finds that the Danish Business Authority's general practice, according to which all calls to the Agency's customer center are recorded in order to secure documentation for use in filing a police report, cannot be accommodated within Article 6 (1) of the Data Protection Ordinance. 1, letter e. The Danish Data Protection Agency also finds that the recording of telephone conversations for use in quality and educational purposes cannot be accommodated within Article 6 (1) of the Data Protection Regulation. But must be based on the consent of the data subjects, in accordance with Article 6 (1) of the Data Protection Regulation. 1, letter a. The Danish Data Protection Agency therefore finds grounds for expressing serious criticism that the Danish Business Authority's processing of information on complaints in the form of recording a telephone conversation has not taken place in accordance with Article 6 (1) of the Data Protection Regulation [1]. 1. The Danish Data Protection Agency recommends to the Danish Business Authority that the Agency notifies the Authority within 4 weeks from today how the Agency will bring the processing of personal data that takes place in connection with the Agency's recording of telephone conversations, in accordance with Article 6 (1) of the Data Protection Ordinance. 1. Concluding remarks The Danish Data Protection Agency then waits to receive the Danish Business Authority's notification as stated above. The Danish Data Protection Agency notes that the Danish Data Protection Agency's decisions cannot be appealed to another administrative authority, cf. section 30 of the Data Protection Act. However, the Danish Data Protection Agency's decisions can be appealed to the courts, cf. A copy of this letter will be sent today for complaints. The Data Inspectorate must, for the sake of good order, note that the Authority expects to publish the decision on the Authority's website in pesudonymised form. Appendix: Legal basis Excerpt from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Regulation on data protection). Article 6. Treatment shall be lawful only if and to the extent that at least one of the following conditions applies: The data subject has given consent to the processing of his personal data for one or more specific purposes. Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken at the request of the data subject prior to the conclusion of a contract. Processing is necessary to comply with a legal obligation incumbent on the data controller. Processing is necessary to protect the vital interests of the data subject or another natural person. Processing is necessary for the purpose of performing a task in the interest of society or which falls within the exercise of public authority, which has been imposed on the data controller. Processing is necessary for the data controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms requiring the protection of personal data take precedence, in particular if the data subject is a child. The first subparagraph, point (f), does not apply to processing carried out by public authorities in the performance of their tasks. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation). [2] In the specific case, a citizen had complained about a municipality's processing of several requests for access to documents. The ombudsman did not find grounds to criticize the municipality's processing of the requests for access to documents, but he believed that the language used in the municipality's response exceeded the limits of good administrative practice. The statement in its full length can be read here: https://www.ombudsmanden.dk/find/udtalelser/beretningssager/alle_bsager/2011-21-1_/pdf. [3] Report no. 1565 on the Data Protection Regulation (2016/679) - and the legal framework for Danish legislation, Part I, volume 1, page 131. [4] https://www.datatilsynet.dk/Media/B/F/Optagelse%20af%20telefonsamtaler.pdf [5] For more on this, see report no. 1565 on the Data Protection Regulation (2016/679) - and the legal framework for Danish legislation, Part I, volume 1, pages 136-140.