Datatilsynet (Denmark) - 2021-31-5654

From GDPRhub
Revision as of 11:43, 25 April 2023 by At (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=2021-31-56...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet - 2021-31-5654
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 22.12.2022
Published: 18.04.2023
Fine: n/a
Parties: Securitas A/S
National Case Number/Name: 2021-31-5654
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (Denmark) (in DA)
Initial Contributor: n/a

A former security guard complained that Securitas A/S had passed on information about him to the Norwegian Police Intelligence Service and the Defense Intelligence Service in connection with a security clearance. The DPA found no violation of the GDPR.

English Summary

Facts

The data subject was employed by Securitas A/S as a security guard. The data subject stated that Securitas had disclosed their personal data (job title, full name and social security number) to Defense Intelligence Service (DK: Forsvarets Efterretningstjeneste) (“FE”) without his consent. The data subject stated that their name and address have been protected. The data subject received a message from the FE in connection with a security clearance. The data subject said that they had not completed the “information form 2” to which Securitas had referred to, and therefore, no consent was given. The data subject argued that their personal data had been passed on to the FE without the data subjects knowledge. Securitas argued that the disclosure of the data subject’s personal data to the FE as well as the Police Intelligence Service (DK: Politiets Efterretningstjeneste) (“PET”) was justified. Securitas stated that, at the time of the disclosure of personal data, the complainant was employed as a security guard and that all such “on-call employees” are informed of the requirement for security clearance through a communication portal. Securitas argued that the data subject had completed the “information form 2” and so, a declaration of consent. Securitas stated that the application for security approval would have been rejected, if the data subject had not completed, signed, and consented to it.

Holding

The DPA initially notes that consent, under Article 6(1)(a) GDPR, will only rarely fulfill the requirement of having been submitted voluntarily due to the unequal relationship that typically exists between the employer and the employee. On this basis, the DPA viewed that the consent referred to by the data subject and Securitas did not constitute a valid consent under the GDPR. However, the DPA found that Securitas was authorized to pass on the data subject’s personal data pursuant to the balancing of interests rule under Article (6)(1)(f), according to which processing of personal data can take place if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The DPA emphasized that obtaining the relevant security approval was necessary so that Securitas, as an employer, could ensure that the data subject as an employee could carry out the tasks that were necessary in connection with the employment.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Disclosure of personal data complied with GDPR

Date: 22-12-2022

Decision Private companies No criticism Complaint Treatment basis

The Danish Data Protection Authority has made a decision in a case where Securitas A/S had passed on personal data in connection with a security clearance for an employee.

Journal Number: 2021-31-5654

Summary

The Danish Data Protection Authority has made a decision in a case where a former security guard complained that Securitas A/S had passed on information about him to the Norwegian Police Intelligence Service and the Defense Intelligence Service in connection with a security clearance. The Norwegian Data Protection Authority found in the case that there was a legal basis for the disclosure of information in question.

In connection with the employment, Securitas A/S passed on information about the person's job title, full name and social security number, and stated in connection with the case that it is a prerequisite for employment at Securitas A/S that you as an employee be security approved.

In its decision, the Danish Data Protection Authority emphasized, among other things, that the obtaining of security approval was necessary so that Securitas A/S as an employer could ensure that the person in question, as an employee, could carry out the tasks that were necessary in connection with the employment.

Decision

The Danish Data Protection Authority hereby returns to the case where [X] (hereafter the complainant) complained to the Authority on 20 October 2021 that Securitas A/S had passed on the complainant's personal data to the Norwegian Defense Intelligence Service (hereafter "FE") and the Norwegian Police Intelligence Service (hereafter " PET”) without consent.

1. Decision

After a review of the case, the Danish Data Protection Authority finds that Securitas A/S' processing of personal data has taken place in accordance with the rules in the data protection regulation[1] article 6, subsection 1, letter f, and the Data Protection Act[2] § 11, subsection 2.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

It appears from the case that the complainant was employed by Securitas A/S as a security guard.

Employment at Securitas A/S as a security guard is subject to the approval of the Chief of Police. For employees who carry out on-call duties associated with customers with special security requirements at their locations, employment is also subject to register approval at PET and security approval for service use, confidential and/or HEM.

In connection with his employment at Securitas A/S, the complainant was contacted by FE, as the complainant had been nominated for a security clearance, and therefore had to fill in an electronic form for use in the case processing.

The complainant subsequently complained to the Data Protection Authority about Securitas A/S's disclosure of his personal data to FE, as the complainant stated that the complainant had not consented to this.

2.1. Complainant's comments

The complainant has generally stated that Securitas A/S has passed on the complainant's personal data (job title, full name and social security number) to FE without his consent. The complainant has stated that the complainant has name and address protection.

The complainant has stated that the complainant received a message from FE on 22 December 2020 in connection with security clearance.

The complainant has also stated that the complainant has not completed information form 2, which Securitas A/S refers to, and thus no declaration of consent, and that the complainant's personal data has therefore been passed on to FE without the complainant's knowledge.

2.2. Securitas A/S' comments

Securitas A/S has generally stated that Securitas A/S's disclosure of the complainant's personal data to the Defense Intelligence Service (hereafter "FE") and the Police Intelligence Service (hereafter "PET") was justified.

Securitas A/S has also stated that, at the time of the disclosure of personal data, the complainant was employed as a security guard at Securitas A/S. Securitas A/S has stated that all on-call employees are informed of the requirement for security clearance via the communication portal.

In addition, Securitas A/S has stated that an employee in connection with HEM approval fills in physical papers, which Securitas A/S passes on in a closed envelope to Statens IT in Ballerup, which is responsible for final HEM approval. Securitas A/S has stated that they do not have a copy of completed papers.

In this connection, it is pointed out that the complainant has completed information form 2 and a declaration of consent, as the application for security approval would have been rejected if the complainant had not completed, signed and consented to it.

Finally, Securitas A/S has indicated that complaints were approved for security on [Y month 2020].

3. Reason for the Data Protection Authority's decision

Processing of general personal data can take place in accordance with Article 6 of the Data Protection Regulation. Processing of social security numbers for private data controllers can take place on the basis of § 11, subsection 1 of the Data Protection Act. 2.

The Danish Data Protection Authority initially notes that consent, cf. the data protection regulation's article 6, subsection 1, letter a, will only rarely fulfill the validity condition of having been submitted voluntarily due to the unequal relationship that typically exists between the employer and the employee.

On this basis, the Danish Data Protection Authority assumes that the consent referred to by the complainant and Securitas A/S does not constitute consent under data protection law.

However, the Danish Data Protection Authority finds that Securitas A/S in the present case was authorized to pass on the complainant's personal data pursuant to the balancing of interests rule in the Data Protection Regulation, Article 6, subsection 1, letter f, according to which processing of personal data can take place if the processing is necessary for the data controller or a third party to pursue a legitimate interest, unless the interests of the data subject take precedence.

The Danish Data Protection Authority has emphasized that obtaining the relevant security approval was necessary so that Securitas A/S, as an employer, could ensure that the complainant as an employee could carry out the tasks that were necessary in connection with the employment.

The Danish Data Protection Authority also finds that Securitas A/S' disclosure of the complainant's social security number falls within the scope of section 11, subsection 1 of the Data Protection Act. 2, no. 3, according to which disclosure of information about social security numbers, i.a. can be done for the purpose of unique identification.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).

[2]   Act No. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information (Data Protection Act).