Datatilsynet (Denmark) - 2023-32-0023
Datatilsynet - 2023-32-0023 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 15(1)(c) GDPR; 17(1) skatteforvaltningsloven (Tax Administration Act) |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 26.09.2024 |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | Udviklings- og Forenklingsstyrelsen |
National Case Number/Name: | 2023-32-0023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Danish |
Original Source: | Datatilsynet (Denmark) (in DA) |
Initial Contributor: | wp |
The DPA found that a data subject was entitled under Article 15 GDPR to access the identity of an accountant to whom a controller had erroneously disclosed the data.
English Summary
Facts
In 2020, a data breach took place at the Danish Agency for Development and Simplification (Udviklings- og Forenklingsstyrelsen, the controller). The controller erroneously shared the data in response to an accountant's request. The accountant then disclosed the data to their client.
The controller notified the data subjects of the breach by letter in 2023. In response, the data subjects requested access to the identity of the accountant. The controller refused to provide the exact identity, invoking its professional secrecy. Instead, the controller informed them that the data had been shared with a Danish accountant, who had disclosed the data to their Danish client.
The data subjects filed complaints with the Danish DPA (Datatilsynet).
Holding
According to the DPA, the identity of an unauthorised data recipient was, in principle, covered by Article 15(1)(c) GDPR.
The DPA rejected the controller's interpretation of professional secrecy under Article 17(1) of the Tax Administration Act. The fact that the accountant was granted access to the data had no relation to professional or business secrecy, as it was "common knowledge" that accountants were able to request and access documents on behalf of their clients.
Nevertheless, the identity of the person with whom the accountant shared the data was a separate matter from the identity of the accountant. The DPA found no interest that overrode the duty of secrecy in relation to the client's identity. Hence, it fell within the scope of professional secrecy under Article 17(1) of the Tax Administration Act.
Consequently, the DPA held that the data subject was entitled to access the accountant's identity, but not the client's.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Citizens had the right to access the name of the unintended recipient
Date: 26-09-2024
Decision, Public authorities, No criticism, Complaint, Handled by the Data Council, The right to access, Unintentional disclosure, Exercise of rights
The Danish Data Protection Authority has ruled in two cases about the Danish Development and Simplification Agency's refusal to disclose the name of an unintended recipient. The cases have given the Danish Data Protection Authority the opportunity to take a position on the principled question of whether unintended recipients are covered by the right of access.
Journal number: 2023-32-0023
Summary
The Danish Data Protection Authority has made a decision in two cases where two citizens complained that the Danish Development and Simplification Agency had refused to give the complainants insight into which auditor had mistakenly received personal data about them.
The complainants had been notified by the Danish Tax Agency of a breach of personal data security in connection with the response to a file access request, where a number of personal data about the complainants had been mistakenly passed on to an accountant who had shared the information with a client. Based on the notification, the complainants wanted to be informed who the specific recipients of their personal data were.
The Danish Development and Simplification Agency refused to provide insight into the identity information of the auditor and his client, citing that the information was confidential and covered by a special duty of confidentiality in the Tax Administration Act.
The complaints gave the Data Protection Authority the opportunity to take a decision on whether unintended recipients of personal data are covered by the concept of recipient and thus covered by the right to access, which among other things consists in the data subject having the right to obtain information about the recipients or categories of recipients to whom the personal data is or will be passed on.
The Danish Data Protection Authority found – after the cases had been dealt with at a meeting of the Data Council – that unintended recipients are covered by the broad definition of a "recipient" and thus covered by the right to access recipients of personal data.
The Danish Data Protection Authority also found that in the specific cases there was a sufficiently secure basis for overriding the Danish Development and Simplification Agency's assessment that the information about the auditor's name was confidential information covered by the duty of confidentiality in the Tax Administration Act.
Decision
The Danish Data Protection Authority hereby returns to the case where complainants 1 and [X], on behalf of complainant 2 (hereinafter referred to as "the complainants"), have complained that the Danish Development and Simplification Agency has refused to provide insight into specific information at the Tax Agency.
1. Decision
The Danish Data Protection Authority finds – after the case has been dealt with at a meeting of the Data Council – that the complainants have the right to receive information about which auditor has inadvertently received information about the complainants. However, the complainants do not have the right to receive information about which client the information has been passed on to by the auditor.
Below follows a closer review of the cases and a rationale for the Data Protection Authority's decision.
2. Case presentation
It appears from the cases that, by letter of 6 February 2023, the Danish Tax Agency notified the complainants of a breach of personal data security committed in 2020 in connection with responding to a file access request, whereby a number of personal data about the complainants had been mistakenly passed on to an auditor, who then had shared the information with his client.
The complainants then requested the Tax Agency to be informed who had specifically received information about them in connection with the breach of personal data security.
By decisions of 23 March and 14 April 2023 respectively, the Danish Development and Simplification Agency rejected the complainants' request for access to the information in question. In the decisions, the Development and Simplification Agency informed the two complainants that a Danish accountant and his client (citizen) in Denmark had received the information about the complainants, but the agency refused to inform the complainants of the identity (name) of the persons in question, citing § 17, subsection 1, cf. Section 35 of the Public Information Act, cf. Section 22, subsection 3 of the Data Protection Act, cf. the data protection regulation, article 15, subsection 1.
The Danish Development and Simplification Agency justified the refusal with, among other things, that:
"During its processing, the tax administration became aware of information about the financial, business or private life of the recipients. This includes, among other things, the identity information of the recipient with the nature of confidentiality, because the identity information in the context of the notification letter of 6 February 2023 about the breach of personal data security can shed light on the recipients' mutual, general, financial (partially private, e.g. privacy) and business relationships. The identity information can, in conjunction with the notification letter, show the recipients' shares in the breach of personal data security. In connection with the notification letter, the identity information can be further used when other citizens contact the recipients about their specific role in the handling of the breach, including actual circumstances of the breach and measures taken to remedy/limit its possible harmful effects. Information about who exactly the recipients are is thus covered by the authority's unconditional and special duty of confidentiality towards third parties."
On 28 March and 11 May 2023, the complainants addressed the Danish Data Protection Authority with a complaint about the Danish Development and Simplification Agency's decision.
The complainants have generally stated that they have the right and need to know to whom their information has been disclosed in order to safeguard their interests, including to ensure that their information is not misused and is not disclosed to further unauthorized third parties.
On 23 January 2024, the Danish Data Protection Authority asked the Ministry of Taxation for an opinion regarding the non-disclosure clause in § 17, subsection 1 of the Tax Administration Act.
The Ministry of Taxation stated, among other things, the following in its opinion of 1 March 2024:
"Information which is publicly known or available, or according to common opinion is non-confidential, is not covered by the duty of confidentiality [...]. Names and contact information are therefore generally not covered. […] However, the context in which the information is included may mean that information which is in itself non-confidential will nevertheless be covered by the duty of confidentiality. This will be the case if the information in the specific context, for example because it can be linked with other information, reveals confidential information."
Furthermore, the Ministry of Taxation stated the following:
"Information that an auditor on behalf of an unnamed client has been given access to documents cannot in itself be considered to be covered by the special duty of confidentiality. This follows from the fact that the auditor has not been given access to information about his own financial, professional or personal circumstances. Furthermore, it cannot be considered a business secret etc. that an auditor gets access to documents, as it is common knowledge that auditors apply for and receive access to documents on behalf of clients. If information that an auditor has been given access to documents, together with other information, may reveal confidential information covered by the special duty of confidentiality, e.g. information that there is a tax case against a certain client, or that a certain client has carried out certain financial transactions, the information that the auditor has been given access to documents could however also be subject to confidentiality."
On 15 March 2024, the Danish Data Protection Authority sent the statement from the Ministry of Taxation to the Danish Development and Simplification Agency, so that the agency had the opportunity to deal with the matter anew.
The Danish Development and Simplification Agency announced on 23 May 2024 that the agency maintained the decisions of 23 March and 14 April 2023.
3. Relevant regulations
It follows from the data protection regulation's article 15, subsection 1, letter c, that the data subject has the right to obtain information about the recipients or categories of recipients to whom the personal data is or will be passed on, in particular recipients in third countries or international organisations.
Section 22 of the Data Protection Act contains a number of exceptions to the right of access pursuant to Article 15, paragraph 1 of the Data Protection Regulation.
It appears from Section 22, subsection 3 of the Data Protection Act that information that is processed for the public administration as part of administrative case processing can be exempted from the right to access to the same extent as according to the rules in sections 19-29 and 35 of the Act on public access in the administration.
In this connection, it appears from Section 35 of the Public Information Act that the duty to provide information is limited by special provisions on confidentiality laid down by law or based on law for persons working in public service or office.
Such a special non-disclosure provision is laid down in Section 17, subsection 1 of the Tax Administration Act. It follows from the provision that
"The tax authorities must, under the responsibility of §§ 152, 152 a and 152 c-152 f of the Criminal Code, observe unconditional silence towards unauthorized persons with regard to information about a natural or legal person's financial, business or private life matters that they in the course of carrying out their work become familiar with. The obligation also applies to expert assistants as well as anyone else who, as a result of work undertaken in accordance with an agreement with the public sector, becomes aware of such matters. If the agreement has been concluded with a company, the obligation applies to everyone who, during their work in the company, becomes aware of matters such as the above."
4. The Danish Data Protection Authority's assessment
The Danish Data Protection Authority assumes that the information about the identity of an unintended recipient of information is, as a matter of principle, covered by the right of access pursuant to Article 15, paragraph 1, letter c of the Data Protection Regulation.
The Danish Agency for Development and Simplification has assessed in its decisions that the identity information in the context of the notification letter about the security breach can shed light on the recipients' mutual relationships and shed light on their shares in the breach of personal data security. On this basis, the agency finds that the information is covered by the special duty of confidentiality pursuant to Section 17, subsection 1 of the Tax Administration Act, and that the information can be exempted from the right of access pursuant to Section 22, subsection 3 of the Data Protection Act, cf. Section 35 of the Public Disclosure Act.
As a clear starting point, the Data Protection Authority will rely on another administrative authority's interpretation of provisions in other legislation. This is because the Danish Data Protection Authority normally has no other and better prerequisites for assessing such "special rules" than the authority which has knowledge of the specific case and whose work is regulated by the rules in question. There must therefore be a secure basis before the Data Protection Authority overrides another administrative authority's assessment to exclude information from the right to access pursuant to Section 22, subsection 3 of the Data Protection Act.
In the present case, it is the Danish Data Protection Authority's understanding of the Ministry of Taxation's statement to the Danish Data Protection Authority that the duty of confidentiality according to Section 17, subsection 1 of the Tax Administration Act is not so far-reaching that it cuts off insight into an auditor's identity in all cases.
The Danish Data Protection Authority finds, on the basis of the statement of the Ministry of Taxation and after assessing the information in the case, that the information about which auditor has inadvertently received the information cannot be exempted from inspection for the reasons set out in the Danish Development and Simplification Agency's decisions of 23 March 2023 and 14 April 2024, as the information is not confidential according to the Danish Data Protection Authority's assessment.
In this respect, the Danish Data Protection Authority has attached importance to the Ministry of Taxation's statement that information that an auditor has obtained access to documents on behalf of an unnamed client cannot in itself be considered to be covered by the special duty of confidentiality in Section 17, subsection 1 of the Tax Administration Act.
The Danish Data Protection Authority has further emphasized that the Ministry of Taxation has stated in their statement that it is not considered a trade secret, etc., that an auditor has been given access to documents, as it is common knowledge that auditors request and receive access to documents on behalf of clients.
The Danish Data Protection Authority thus finds that this information cannot be exempted from the right of access with reference to Section 17, subsection 1 of the Tax Administration Act, cf. Section 35 of the Public Information Act, cf. Section 22, subsection 3 of the Data Protection Act, cf. the data protection regulation, article 15, subsection 1.
As far as the information about which client the auditor has passed on the complainants' personal data to is concerned, however, the Danish Data Protection Authority - to the extent that the information is covered by the right of access that the complainants can obtain from the tax administration - does not find grounds for overriding the tax administration's assessment that this personal data is covered by the special duty of confidentiality in § 17 of the Tax Administration Act, and thus exempt from the right to access in accordance with Section 22, subsection 3 of the Data Protection Act.
In summary, the Danish Data Protection Authority is of the opinion that the complainants have the right to receive information about which auditor has inadvertently received their personal data, cf. the data protection regulation, article 15, subsection 1, letter c, but not which client the auditor has disclosed the information to.
5. Concluding remarks
The Data Protection Authority's decisions cannot be brought before another administrative authority, cf. Section 30 of the Data Protection Act. The Data Protection Authority's decisions can, however, be brought before the courts, cf. Section 63 of the Basic Law.
The Danish Data Protection Authority hereby considers the case closed and will not take any further action in the matter, as the Danish Data Protection Agency expects the Danish Development and Simplification Agency to take the necessary steps based on the Danish Data Protection Authority's decision to comply with the complainants' right to access.