Datatilsynet (Denmark) - 2021-32-2645

From GDPRhub
Datatilsynet - 2021-32-2645
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(b) GDPR
Article 6(1)(e) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 2021-32-2645
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (Denmark) (in DA)
Initial Contributor: n/a

The Danish DPA found that the sharing information about a data subject's inheritence between the Tax Agency and the Debt Agency did not infringe the GDPR.

English Summary

Facts

The Tax Agency received information from the Probate Court (Skifteretten), including about the data subject’s inheritance, and shared the information with the Debt Agency, which then sought to recover the complainant's debt to the public sector.

The data subject complained with the Danish DPA about the fact that the Tax Agency had shared this information about them with the Debt Agency. Both authorities are part of the Tax Administration.

The data subject argued that it was unlawful that information obtained for one purpose was shared for other purposes. The Debt Agency viewed that it has a legal basis under Article 6(1)(e) GDPR to process the personal data it received from the Tax Agency.

Holding

The DPA considered that the Tax Agency and the Debt Agency both have official authority to carry out their respective official duties (including tax assessment and debt recovery), and therefore, both authorities have a legal basis to process the personal data in question under Article 6(1)(e) GDPR.

In light of the principle of purpose limitation under Article 5(1)(b) GDPR, the DPA also assessed whether processing for another purpose is compatible with the purpose for which the personal data was originally collected, in accordance with Article 6(4)(a) and 6(4)(e) GDPR. The DPA found that 1) there is a significant connection between the tasks of the two administrations, and that 2) the data subject should reasonably expect that information about income in the form of (future) inheritance is held up against information about debt to the public.

Eventually, the DPA found that the sharing of personal data that took place between the Tax Agency and the Debt Agency had been carried out in accordance with the GDPR - including the principle of purpose limitation.

Comment

The decision from the Danish DPA seems incoherent, as the DPA found that both authorities had authority to carry out their respective official duties under e.g. the Danish Tax Control Act and Debt Recovery Act. Therefore, the DPA concluded that both authorities have a legal basis under Article 6(1)(e) GDPR to process the personal data.

Thus, there should be a Union or Member State law providing a basis for such processing. Nevertheless, in this case the DPA continued to assess whether processing for another purpose is compatible with the purpose for which the personal data was originally collected under Article 6(4) letter (a) and (e) GDPR which foresee that there is no Union or Member State law for the purpose other than for which the personal data was originally collected (in this case the Debt Agency's processing).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Entitled for the Tax Administration to share personal data internally

Date: 14-03-2023

Decision Public authorities No criticism Complaint Basic principles Processing basis

The Danish Data Protection Authority has made a decision in a case where a citizen complained that the Tax Agency had shared information about him with the Debt Agency. The inspectorate found that the sharing had taken place within the framework of the GDPR.

Journal number:  2021-32-2645

Summary

The Danish Data Protection Authority has made a decision in a case where a citizen complained that the Tax Agency had shared information about the person concerned, i.a. information about inheritance, with the Debt Agency. Both authorities are part of the Tax Administration.

The inspectorate found that the relevant sharing of information within the Tax Administration had taken place within the framework of the data protection regulation - including the principle of purpose limitation.

The Danish Data Protection Authority assumed that both the Tax Agency and the Debt Agency have authority in, among other things, the Tax Control Act and the Debt Recovery Act to carry out their respective official duties, including tax assessment and debt recovery. The Tax Agency and the Debt Agency could therefore each process the information in question within the framework of the data protection regulation.

The Authority also assessed that the internal sharing of personal data between the relevant authorities, both of which are part of the Tax Administration, did not take place for incompatible purposes.

In this connection, the Data Protection Authority emphasized, among other things, that there is a significant connection between the tasks (objectives) of the two administrations, as they both concern the state's "proceeds". In this connection, the Data Protection Authority noted that the data subject – in this case the complainant – should reasonably expect that information on income in the form of (future) inheritance is held up against information on debt to the public sector.

Furthermore, the Danish Data Protection Authority found that there was no basis for disregarding the Debt Agency's statement that the sharing in question had not taken place in violation of the rules in section 32 of the Public Administration Act.

Decision

The Danish Data Protection Authority hereby returns to the matter where you, as a representative of [X] (complainant), on 27 September and 17 November 2021 contacted the Danish Data Protection Authority about the Tax Administration's processing of information about complaints.

The Danish Data Protection Authority has understood your inquiry as a complaint that the Tax Agency, which has received information from the Court of Insolvency about complaints, including inheritance, has shared this information with the Debt Agency.

The Danish Data Protection Authority notes for the sake of order that the Danish Data Protection Authority can only take a position on data protection legal matters. The Danish Data Protection Authority cannot therefore take a position on other matters that do not relate to data protection.

1. Decision

The Danish Data Protection Authority finds that the relevant processing of information about complaints has taken place within the framework of the rules in the data protection regulation[1].

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

It appears from the case that the Tax Agency, which has received information from the Probate Court, including about the complainant's inheritance, has shared this information with the Debt Agency, which has then sought to recover the complainant's debt to the public sector.

2.1. Your comments

You have generally stated that the Debt Agency's approach in connection with debt recovery is illegal.

In this connection, you have stated that the Probate Court only sends notice to the Tax Agency about heirs in a deceased's estate with the aim of ensuring that a correct tax assessment of the deceased and the estate takes place.

It is your opinion that information obtained for one purpose must not be shared for other purposes, e.g. recovery of debts that are unrelated to the deceased and the estate.

2.2. The Debt Agency's comments

The Debt Agency has stated that the Tax Agency and the Debt Agency are agencies within the same authority, the Tax Administration. Internal disclosure (sharing) of information is covered by the general rules on this in the Public Administration Act and the Data Protection Act.

In this connection, the Debt Agency has stated that it follows from the data protection regulation's article 6, subsection 1, letter e, that the processing of personal data by public authorities is lawful if the processing is necessary for the performance of a task in the interest of society, or which falls under the exercise of public authority that the data controller has been tasked with.

This provision thus authorizes the sharing of personal data when another authority needs the information as part of their processing of a case.

According to the Public Administration Act, anyone who works within the public administration must not obtain confidential information that is not of importance to the performance of the tasks of the person in question. The provision thus sets limits on who within an administrative authority can be given access to confidential information, cf. Section 32 of the Public Administration Act.

The competence to decide whether confidential information must be shared within the same authority belongs to the person who, as a result of his work, has knowledge of the information, here the Tax Agency.

The purpose of the provision is to clarify that public servants may not obtain confidential information that is not relevant to the work they perform. Access to the information about a debtor's inheritance is thus conditional on a work-related/official need.

In order for the Debt Agency to handle the task of recovering public receivables, it is thus crucial that the sharing of information about inheritance takes place within the same authority, the Tax Administration, and the sharing of the information ensures that the Debt Agency can carry out recovery by either transport or attachment.

3. Reason for the Data Protection Authority's decision

This appears from the data protection regulation's article 6, subsection 1, letter e, that the processing of personal data is lawful if the processing is necessary for the performance of a task in the interest of society or which falls under the exercise of public authority that the data controller has been tasked with.

According to the data protection regulation article 6 paragraph 3, the basis for processing according to the regulation's article 6, subsection 1, letter e, appear from either EU law or the national law of the Member States to which the data controller is subject. The provision implies that the processing – in order to be able to take place in accordance with 6, subsection 1, letter e – must appear from EU law or the national law of the Member States. However, this does not mean that there must be national implementing legislation on the processing itself.

The Danish Data Protection Authority assumes that both the Tax Agency and the Debt Agency have authority, including in e.g. the Tax Control Act and the Debt Recovery Act, to carry out their respective official duties, including tax assessment and debt recovery.

The Tax Agency and the Debt Agency can thus each process the information in question, including on inheritance, within the framework of Article 6, paragraph 1 of the Data Protection Regulation. 1, letter e.

However, it follows from the data protection regulation's article 5, subsection 1, letter b, that personal data must be collected for explicitly stated and legitimate purposes and must not be further processed in a way that is incompatible with these purposes ("purpose limitation").

When assessing whether processing for another purpose is compatible with the purpose for which the personal data was originally collected, in accordance with the data protection regulation, Article 6, paragraph 4, account is taken of i.a. the conditions mentioned in letter a-e of the provision.

The case concerns the sharing of information which is only covered by Article 6 of the Data Protection Regulation.

There is also a significant connection between the tasks (objectives) of the two administrations, as they both relate to the state's "proceeds". In addition, it should be noted that the registered person – in this case the complainant – should reasonably expect that information about income in the form of (future) inheritance is held up against information about debt to the public.

Finally, the Danish Data Protection Authority finds that there is no basis for overriding the Debt Agency's statement that the sharing in question has not taken place in violation of the rules in section 32 of the Public Administration Act.

Based on this – and an overall assessment of the circumstances of the case in general – the Danish Data Protection Authority finds that the relevant sharing of information, including on inheritance, internally in the Tax Administration has not been in breach of the principle of purpose limitation.

The Danish Data Protection Authority then finds that the relevant processing of information about complaints has taken place within the framework of the data protection regulation.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).