Datatilsynet (Denmark) - 2021-31-5654
Datatilsynet - 2021-31-5654 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 6(1)(a) GDPR; Article 6(1)(f) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 22.12.2022 |
Published: | 18.04.2023 |
Fine: | n/a |
Parties: | Securitas A/S |
National Case Number/Name: | 2021-31-5654 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Danish |
Original Source: | Datatilsynet (Denmark) (in DA) |
Initial Contributor: | n/a |
The Danish DPA found that Securitas A/S had a legal basis under Article 6(1)(f) GDPR for disclosing the personal data of an employee to the Police Intelligence Service and the Defense Intelligence Service in connection with a security clearance.
English Summary
Facts
The data subject was employed by Securitas A/S as a security guard. Employment at Securitas as a security guard is subject to the approval of the Chief of Police (DK: Rigspolitichef). For employees who carry out "on-call duties" associated with customers with special security requirements, employment is also subject to register approval at the Police Intelligence Service (DK: Politiets Efterretningstjeneste) (“PET”).
In connection with the employment at Securitas, the data subject was contacted by the Defense Intelligence Service (DK: Forsvarets Efterretningstjeneste) (“FE”), as the data subject had been nominated for a security clearance and therefore had to fill out an electronic form for the case processing.
The data subject complained to the Danish DPA about Securitas disclosing their personal data to the FE, as the data subject stated that they had not consented to such disclosure. The data subject stated that Securitas had disclosed their personal data (job title, full name, and social security number).
The data subject argued that they had not completed the “information form 2” to which Securitas referred, and therefore, no declaration of consent had been given. The data subject argued that their personal data had been disclosed to the FE without their knowledge.
Securitas argued that the disclosure of the data subject’s personal data to the FE as well as the PET was justified. Securitas stated that, at the time of the disclosure of personal data, the complainant was employed as a security guard and that all such “on-call employees” are informed of the requirement for security clearance through a communication portal.
Securitas argued that the data subject had completed the “information form 2” and thus a declaration of consent. Securitas stated that the application for security approval would have been rejected if the data subject had not completed, signed, and consented to it.
Holding
The DPA initially notes that consent, under Article 6(1)(a) GDPR, will only rarely fulfil the requirement of having been submitted voluntarily due to the unequal relationship that typically exists between the employer and the employee. On this basis, the DPA took the view that the consent referred to by the data subject and Securitas did not constitute valid consent under the GDPR.
However, the DPA found that Securitas was authorized to pass on the data subject’s personal data pursuant to the balancing of interests rule under Article 6(1)(f) GDPR, according to which processing of personal data can take place if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The DPA emphasized that obtaining the relevant security approval was necessary so that Securitas, as an employer, could ensure that the data subject as an employee could carry out the tasks that were necessary in connection with the employment.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Disclosure of personal data complied with GDPR
Date: 22-12-2022
Decision Private companies No criticism Complaint Treatment basis
The Danish Data Protection Authority has made a decision in a case where Securitas A/S had passed on personal data in connection with a security clearance for an employee.
Journal Number: 2021-31-5654
Summary
The Danish Data Protection Authority has made a decision in a case where a former security guard complained that Securitas A/S had passed on information about him to the Police Intelligence Service and the Defense Intelligence Service in connection with a security clearance. The Danish Data Protection Authority found in the case that there was a legal basis for the disclosure of information in question.
In connection with the employment, Securitas A/S passed on information about the person's job title, full name and social security number, and stated in connection with the case that it is a prerequisite for employment at Securitas A/S that you as an employee be security approved.
In its decision, the Danish Data Protection Authority emphasized, among other things, that the obtaining of security approval was necessary so that Securitas A/S as an employer could ensure that the person in question, as an employee, could carry out the tasks that were necessary in connection with the employment.
Decision
The Danish Data Protection Authority hereby returns to the case where [X] (hereafter the complainant) complained to the Authority on 20 October 2021 that Securitas A/S had passed on the complainant's personal data to the Defense Intelligence Service (hereafter "FE") and the Police Intelligence Service (hereafter "PET") without consent.
1. Decision
After a review of the case, the Danish Data Protection Authority finds that Securitas A/S' processing of personal data has taken place in accordance with the rules in the data protection regulation[1] article 6, subsection 1, letter f, and the Data Protection Act[2] § 11, subsection 2.
Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.
2. Case presentation
It appears from the case that the complainant was employed by Securitas A/S as a security guard. Employment at Securitas A/S as a security guard is subject to the approval of the Chief of Police. For employees who carry out on-call duties associated with customers with special security requirements at their locations, employment is also subject to register approval at PET and security approval for service use, confidential and/or HEM.
In connection with his employment at Securitas A/S, the complainant was contacted by FE, as the complainant had been nominated for a security clearance, and therefore had to fill in an electronic form for use in the case processing.
The complainant subsequently complained to the Data Protection Authority about Securitas A/S's disclosure of his personal data to FE, as the complainant stated that the complainant had not consented to this.
2.1. Complainant's comments
The complainant has generally stated that Securitas A/S has passed on the complainant's personal data (job title, full name and social security number) to FE without his consent.
The complainant has stated that the complainant has name and address protection.
The complainant has stated that the complainant received a message from FE on 22 December 2020 in connection with security clearance.
The complainant has also stated that the complainant has not completed information form 2, which Securitas A/S refers to, and thus no declaration of consent, and that the complainant's personal data has therefore been passed on to FE without the complainant's knowledge.
2.2. Securitas A/S' comments
Securitas A/S has generally stated that Securitas A/S's disclosure of the complainant's personal data to the Defense Intelligence Service (hereafter "FE") and the Police Intelligence Service (hereafter "PET") was justified.
Securitas A/S has also stated that, at the time of the disclosure of personal data, the complainant was employed as a security guard at Securitas A/S.
Securitas A/S has stated that all on-call employees are informed of the requirement for security clearance via the communication portal.
In addition, Securitas A/S has stated that an employee in connection with HEM approval fills in physical papers, which Securitas A/S passes on in a closed envelope to Statens IT in Ballerup, which is responsible for final HEM approval. Securitas A/S has stated that they do not have a copy of completed papers. In this connection, it is pointed out that the complainant has completed information form 2 and a declaration of consent, as the application for security approval would have been rejected if the complainant had not completed, signed and consented to it.
Finally, Securitas A/S has indicated that the complainant was security approved on [Y month 2020].
3. Reason for the Data Protection Authority's decision
Processing of general personal data can take place in accordance with Article 6 of the Data Protection Regulation.
Processing of social security numbers for private data controllers can take place on the basis of § 11, subsection 2 of the Data Protection Act.
The Danish Data Protection Authority initially notes that consent, cf. the data protection regulation's article 6, subsection 1, letter a, will only rarely fulfill the validity condition of having been submitted voluntarily due to the unequal relationship that typically exists between the employer and the employee.
On this basis, the Danish Data Protection Authority assumes that the consent referred to by the complainant and Securitas A/S does not constitute consent under data protection law.
However, the Danish Data Protection Authority finds that Securitas A/S in the present case was authorized to pass on the complainant's personal data pursuant to the balancing of interests rule in the Data Protection Regulation, Article 6, subsection 1, letter f, according to which processing of personal data can take place if the processing is necessary for the data controller or a third party to pursue a legitimate interest, unless the interests of the data subject take precedence.
The Danish Data Protection Authority has emphasized that obtaining the relevant security approval was necessary so that Securitas A/S, as an employer, could ensure that the complainant as an employee could carry out the tasks that were necessary in connection with the employment.
The Danish Data Protection Authority also finds that Securitas A/S' disclosure of the complainant's social security number falls within the scope of section 11, subsection 2, no. 3 of the Data Protection Act, according to which disclosure of information about social security numbers, i.a., can be done for the purpose of unique identification.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).
[2] Act No. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information (Data Protection Act).