Datatilsynet (Denmark) - 2019-421-0028
Datatilsynet - 2019-421-0028 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 12(3) GDPR Article 15(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 26.02.2020 |
Fine: | None |
Parties: | Udbetaling Danmark |
National Case Number/Name: | 2019-421-0028 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | n/a |
The Danish Data Protection Authority (Datatilsynet) investigated the requests of data subjects to access personal data. The data subjects did not receive information about automated decision-making, and the responses to the requests took longer than one month. The data controller failed to fulfill the requirements of Art. 15(1), 12(3) GDPR.
English Summary
Facts
The Danish DPA investigated the data controller, Udbetaling Danmark, with a focus on the fulfillment of the access rights in the GDPR. The data controller adopted internal guidelines dealing with data subject requests. A template was available for all employees to answer these requests. The data protection audit was conducted by the Danish DPA on the 25 May 2018 and focused on requests from twelve data subjects to access personal data.
Dispute
The question raised by the Danish DPA was whether the data controller fulfilled the requests of data subjects to access personal data in accordance with Art. 15, 12(3) GDPR.
Holding
The Danish DPA found that the data controller answered requests later than one month after receipt and therefore did not fulfill the requirements of Art. 15, 12(3) GDPR. Further, data subjects were not informed, in accordance with Article 15(1)(h), that they were subject to automated decision-making. The Danish DPA considered the audit to be complete and criticized the data controller for violating the requirements of Art. 15, 12(3) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Supervision of Udbetaling Danmark's processing of personal data
Summary
In 2019, the Data Inspectorate carried out a planned audit at Udbetaling Danmark. The audit focused on the authority's compliance with the rules on the data subject's right of access, cf. Articles 15 and 12 of the Data Protection Regulation.
On the basis of the audit, the Data Inspectorate has criticized the fact that Udbetaling Danmark's processing of personal data did not take place in accordance with Articles 15 and 12(3) of the Regulation.
The Data Inspectorate's concluding opinion states, inter alia, that Udbetaling Danmark may, in connection with some services, make decisions based solely on automatic processing pursuant to Article 22 of the Regulation, and that in five cases Udbetaling Danmark has not provided the data subject with the necessary information on the existence of automatic decisions within the meaning of Article 15(1)(h) of the Regulation.
In addition, it appears that Udbetaling Danmark in four cases did not respond to a request for access within one month of receipt of the request, one of which was due to an excusable misunderstanding between Udbetaling Danmark and the data subject regarding the scope of the request.
You can read the Danish Data Protection Agency's guide on data subjects' rights here.
Decision
Udbetaling Danmark was among the public authorities that the Data Inspectorate had selected for supervision in the spring of 2019. The Data Inspectorate's planned supervision of Udbetaling Danmark focused in particular on the authority's compliance with the rules on the data subject's right of access, cf. Articles 15 and 12 of the Data Protection Regulation [1].
At the request of the Data Inspectorate, Udbetaling Danmark had completed a questionnaire and submitted this together with additional material to the Data Inspectorate prior to the audit visit. The inspection itself took place on May 13, 2019.
1. Decision
Following the supervision of Udbetaling Danmark, the Data Inspectorate finds reason to conclude:
1. That Udbetaling Danmark has largely drawn up guidelines, procedures, etc. for the authority's compliance with Articles 15 and 12 of the Data Protection Regulation.
2. That Udbetaling Danmark has to a large extent prepared templates that can help ensure and facilitate the authority's compliance with Articles 15 and 12 of the Regulation.
3. That Udbetaling Danmark has received and responded to 12 requests for access during the period 25 May 2018 until the time of notification of the supervision.
4. That Udbetaling Danmark has in five cases not provided the data subject with the necessary information on the occurrence of automatic decisions, in accordance with Article 15(1)(h) of the Data Protection Regulation.
5. That, in three cases, Udbetaling Danmark has not responded to a request for access in accordance with the deadlines set in Article 12(3) of the Data Protection Regulation.
6. That Udbetaling Danmark in one case - as a result of a misunderstanding - has not responded to a request for access in accordance with the deadlines in Article 12(3) of the Data Protection Regulation.
In relation to points 4 and 5, the Data Inspectorate finds grounds for criticizing the fact that Udbetaling Danmark's processing of personal data has not taken place in accordance with the rules in Articles 15 and 12(3) of the Data Protection Regulation.
The following is a detailed review of the information that has emerged in connection with the audit and a justification for the Danish Data Protection Agency's decision.
2. Udbetaling Danmark's guidelines and procedures
Prior to the audit visit, Udbetaling Danmark sent a copy of the authority's procedures and guidelines, which were in effect on the date of notification of the audit, regarding the handling of access requests pursuant to Articles 15 and 12 of the Data Protection Regulation.
Udbetaling Danmark has stated that the procedures and guidelines can be accessed by the employees on the intranet, and that these act as a working tool for the employees. In addition, Udbetaling Danmark has stated that all the authority's procedures and guidelines are targeted at employees across different departments.
Udbetaling Danmark has prepared a knowledge solution in which the authority, among other things, shares knowledge about managing access requests, and where employees can quickly find information about the access rules using keywords. Employees are also made aware of the data protection rules, including the right of access, in connection with status meetings, annual meetings and participation in training regarding the data protection rules. In addition, the employees carry out an e-learning game on data protection every year, and Udbetaling Danmark has a number of customer ambassadors who share knowledge with the employees. In this way, the employees are also made aware that the existing procedures, guidelines and templates etc. can be found on the intranet.
The procedures and guidelines submitted include information that employees - once they have identified a request for access - must forward the request to the "Quality & Complaints" department, and describe how the Quality & Complaints staff can request information about the data subject and how to submit the information to the data subject. In addition, the procedures and guidelines contain information on the deadline for responding to requests for access pursuant to Article 12(3) of the Regulation, and information on the information to be provided to the data subject when responding to requests for access pursuant to Article 15(1)(a)-(h) of the Regulation.
After a review of the procedures and guidelines, the Data Inspectorate cannot immediately ascertain that information is provided on how employees should handle access requests where there is doubt about the identity of the data subject and where the authority will therefore have to request additional information from the data subject in order to confirm their identity in accordance with Article 12(6) of the Regulation. Against this background, the Data Inspectorate must recommend that Udbetaling Danmark - to the extent that the authority has not already done so - add information on this to the procedures and/or guidelines.
It is stated in one of the guidelines (Compendium on the data subject's rights) concerning the right of access that "if the data subject wishes to do so, the data controller must provide a copy of the personal data processed in the course of the right of access". The same does not appear in the other guidelines, etc. The Data Inspectorate must note that it follows from Article 12(3) of the Regulation that the data controller provides a copy of the personal data being processed and that this is not conditional on the data subject requesting to receive a copy of the data. The Data Inspectorate must therefore recommend that this is also made clear in the guidelines mentioned.
3. Udbetaling Danmark's standard texts
Udbetaling Danmark has sent a copy of the templates used by the authority's employees in answering access requests, including a template used for responding to the request itself and a template used for information on extended case processing time.
It is clear from the template for answering access requests that Udbetaling Danmark can make decisions based solely on automatic processing.
Furthermore, it appears that the automatic decisions are made, for example, by Udbetaling Danmark obtaining information from public registers, which is mechanically compared with information in the data subject's case, and which together determine whether the data subject is entitled to the benefit in question.
It follows from Article 15(1)(h) of the Regulation that the data controller must provide the data subject with information on the occurrence of automatic decisions, including profiling, as referred to in Article 22(1) and (4), and at least meaningful information about the logic therein, as well as the significance and expected consequences of such processing for the data subject.
When asked about this during the audit visit, Udbetaling Danmark stated that for some types of benefits (e.g. income-based benefits such as housing subsidies) automatic decisions are made in respect of the data subject.
The Data Inspectorate asked whether it is possible for Udbetaling Danmark to provide the data subject with specific information on whether automatic decisions have been made in respect of the person concerned. Udbetaling Danmark stated that it is possible to give more specific information about this in relation to the individual benefits. When asked, Udbetaling Danmark also stated that automatic decisions are not made in connection with all services and that it will therefore only be relevant to provide information on this in some cases.
In relation to the above, the Data Inspectorate has noted that, after the inspection visit, Udbetaling Danmark has stated that the background for the general formulation on automatic decisions in Udbetaling Danmark's replies is that, when preparing the letter template, the Danish Data Protection Agency's templates for observing the duty of disclosure were taken into account, but that after the discussions at the inspection visit, Udbetaling Danmark will change the wording in the template, so that it will be stated in each future reply whether or not automatic decisions have been made vis-à-vis the data subject.
4. Udbetaling Danmark's handling of requests for access
4.1. Udbetaling Danmark has informed the Danish Data Protection Agency that the authority has received and responded to 12 requests for access in the period from 25 May 2018 to 9 April 2019. Udbetaling Danmark submitted a copy of the replies to the Danish Data Protection Agency prior to the audit visit.
As mentioned, it is clear from the submitted template for answering access requests that Udbetaling Danmark can make decisions based solely on automatic processing. At the time of the audit, the Data Inspectorate asked whether automatic decisions were made in respect of the data subjects who requested access during the period from 25 May 2018 to 9 April 2019.
Udbetaling Danmark, after the inspection visit, stated that after an examination of the submitted access cases, the authority has found that in five of the cases, the citizens have been the subject of an automatic decision, which is not apparent from the replies. The automatic decisions in the five cases are about pension and housing benefits. In two of the cases, automatic decisions on both pensions and housing assistance were made, in two other cases, automatic decisions on pensions were made, while in the last case automatic decisions on housing assistance were made.
Udbetaling Danmark has confirmed to the Data Inspectorate that the data subjects have not been informed that they have in fact been subject to an automatic decision in accordance with Article 15(1)(h) of the Regulation.
4.2. After a detailed examination of the 12 replies submitted, the Data Inspectorate finds that, in three cases, Udbetaling Danmark responded to a request later than one month after receiving the request.
Udbetaling Danmark received on September 3, 2018 a request for access, which the authority responded to on November 8, 2018, i.e. 2 months and 5 days after receiving the request. Udbetaling Danmark has stated that the request was only identified late. When Udbetaling Danmark became aware that the deadline had been exceeded, the authority prioritized responding to the request rather than giving the data subject a notice of the extension of the reply.
In addition, Udbetaling Danmark received a request for access on 12 November 2018, which was answered on 3 January 2019, i.e. 1 month and 22 days after receiving the request. Udbetaling Danmark has also stated that the request was only identified late. When Udbetaling Danmark became aware that the deadline had been exceeded, the authority prioritized responding to the request rather than giving the data subject a notice of the extension of the reply.
Thus, the Data Inspectorate assumes that the extension of the response to the two requests was not due to the complexity and number of the requests, but to Udbetaling Danmark not having been aware that requests for access had been made, and that the deadline laid down in Article 12(3) of the Regulation for answering the requests has consequently not been observed by Udbetaling Danmark.
Udbetaling Danmark also received on September 18, 2018 a request for access, which the authority responded to on October 24, 2018, i.e. 1 month and 6 days after receiving the request. Udbetaling Danmark, on October 11, 2018, notified the data subject of the extension of the reply. It appears from the notification that, due to the complexity of the case, Udbetaling Danmark was unable to respond to the data subject within 1 month of receipt of the request. In the reply of October 24, 2018, Udbetaling Danmark regrets the lengthy processing time, which was due to the authority having misunderstood that the data subject wanted access to all information that Udbetaling Danmark may have registered about him.
However, during a conversation between the data subject and Udbetaling Danmark's data protection adviser, it was clarified that the data subject only wanted access to the personal data that was processed about him in a specific case. In relation to this case, the Data Inspectorate has noted that the extension of the response to the request was due to an excusable misunderstanding between Udbetaling Danmark and the data subject regarding the scope of the request. The Data Inspectorate has emphasized that Udbetaling Danmark responded promptly after clarifying the misunderstanding.
4.3. When reviewing the examples of replies to access requests, the Data Inspectorate found that three of the 12 requests - as described above - were answered later than one month after receiving the request and that the other requests were answered just within 1 month after receipt.
When asked, Udbetaling Danmark stated that the authority is aware that the answers are generally close to the deadline. The challenge is that it is difficult for employees to identify the requests, as the requests are typically hidden in a longer correspondence with the citizen concerned. Udbetaling Danmark has stated that the authority is trying to optimize the process, so that employees become better at identifying requests for access.
4.4. Udbetaling Danmark has informed the Danish Data Protection Authority that in two of the requests for access received, there was doubt as to the identity of the natural person. The authority was therefore required to request additional information in order to confirm the identity of the data subject, in accordance with Article 12(6) of the Regulation.
Udbetaling Danmark thus received, on 12 and 14 February 2019, two requests for access where, based on the content of the inquiries, it was not possible to identify the data subjects concerned. On March 27, 2019, i.e. 1 month and 15 days and 1 month and 13 days, respectively, after receiving the requests, Udbetaling Danmark asked both data subjects to get in touch via Digital Post at borger.dk or by calling Udbetaling Danmark, as it was not possible for Udbetaling Danmark to look up the data subjects' cases based on their names or the e-mail address from which they had written. Alternatively, the data subjects could choose to send their CPR number via e-mail to Udbetaling Danmark.
The Data Inspectorate has no comments on the fact that Udbetaling Danmark has found it necessary to ask the data subjects for further information in order to have their identity verified. However, the Data Inspectorate finds that in the two cases mentioned, Udbetaling Danmark - by first requesting additional information for verification, respectively, 1 month and 13 days and 1 month and 15 days after receipt of the requests - did not comply with the time limits in Article 12(3) of the Regulation.
5. Conclusion
Following the supervision of Udbetaling Danmark, the Data Inspectorate finds reason to conclude:
1. That Udbetaling Danmark has largely drawn up guidelines, procedures, etc. for the authority's compliance with Articles 15 and 12 of the Data Protection Regulation.
2. That Udbetaling Danmark has to a large extent prepared templates that can help ensure and facilitate the authority's compliance with Articles 15 and 12 of the Data Protection Regulation.
3. That Udbetaling Danmark has received and responded to 12 requests for access during the period 25 May 2018 until the time of notification of the supervision.
4. That Udbetaling Danmark has in five cases not provided the data subject with the necessary information on the occurrence of automatic decisions, in accordance with Article 15(1)(h) of the Data Protection Regulation.
5. That, in three cases, Udbetaling Danmark has not responded to a request for access in accordance with the deadlines set out in Article 12(3) of the Data Protection Regulation.
6. That Udbetaling Danmark in one case - as a result of a misunderstanding - has not responded to a request for access in accordance with the deadlines in Article 12(3) of the Data Protection Regulation.
In relation to points 4 and 5, the Data Inspectorate finds grounds for expressing criticism that Udbetaling Danmark's processing of personal data has not taken place in accordance with the rules in Articles 15 and 12(3) of the Data Protection Regulation.
The Data Inspectorate then considers the audit to be complete and does not take any further action in this regard.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46/EC (General Data Protection Regulation).