Datatilsynet (Denmark) - 2019-32-0709

From GDPRhub
Datatilsynet - 2019-32-0709
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 17(1)(b) GDPR
Article 58(1) GDPR
Article 58(2) GDPR
Article 58(2)(g) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 03.11.2020
Fine: None
Parties: Rejsekort
National Case Number/Name: 2019-32-0709
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish DPA (Datatilsynet) held that an electronic ticketing system for public transport violated the principles of lawfulness, fairness, and transparency by processing personal data based on consent. The DPA expressed serious criticism against the company and ordered them to delete the personal data.

English Summary

Facts

The complainant ordered a personal travel card in 2015 and in this context gave his consent to to the processing of his personal data by the controller. In March 2019, the complainant withdrew his consent to the processing of personal data. Rejsekort then informed the data subject that the personal data has been deleted, but that it is bound by the Accounting Act to store the complainant's financial data for five years. Furthermore, the controller also continued to store the complainant's travel data and documentation for entering into the agreement for three years from the termination of the customer relationship. The data subject therefore submitted a complaint with the Datatilsynet, as he thought that the continued storage of the personal data is not necessary, including the social security number and credit card data.

Dispute

Did Rejsekort lawfully process the travel data and information on the conclusion of the agreement after the ending of the contractual relationship and the withdrawal of consent?

Holding

The Datatilsynet held that the controller did not lawfully process the complainant's personal data and ordered the company to delete the travel data and information on the conclusion of the agreement which the controller is not obliged to keep in accordance with the Accounting Act.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Incorrect treatment basis
Published 03-11-2020
Decision

The Danish Data Protection Agency expresses serious criticism that Rejsekort's processing of personal data has taken place on the basis of an incorrect processing basis. Journal number: 2019-32-0709
Summary
On the basis of a complaint, the Danish Data Protection Agency has expressed serious criticism that Rejsekort has processed complainants' information in violation of the principle of legality, fairness and transparency, as Rejsekort should not have processed information on complaints on the basis of consent.
In this connection, the Danish Data Protection Agency is of the opinion that Rejsekort must make a new assessment of the processing basis for the processing of personal data on other than complaints in cases where the processing is based on consent. Travel cards must send a written statement of this renewed assessment to the Danish Data Protection Agency.
Furthermore, on the basis of the complaint, the Danish Data Protection Agency has expressed serious criticism of Rejsekort's continued processing of travel data and information on the conclusion of agreements between Rejsekort and complaints, as Rejsekort has no basis for this continued processing, after complainants withdrew their consent. Thereafter, the Danish Data Protection Agency has issued Rejsekort an order to delete travel data and information about the conclusion of the agreement regarding complaints which Rejsekort is not obliged to keep in accordance with the Accounting Act.
Decision
The Danish Data Protection Agency hereby returns to the case, where complainants on 19 March 2019 complained to the Authority about the lack of deletion at Rejsekort A / S (hereinafter Rejsekort).
Seen in the light of the complaint, the Danish Data Protection Agency has also found reason to ask Rejsekort questions about the company's compliance with the duty to provide information.
1. Order and decision
After reviewing the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that Rejsekort has processed information on complaints in violation of the basic principle of legality, fairness and transparency, cf. Article 5 (1) of the Data Protection Regulation [1]. 1, letter a.
Travel cards must provide a written statement of a reassessment of the processing basis for the processing of personal data other than complaints, in cases where the processing is based on a consent under Article 6 (1) of the Regulation. 1, letter a. This information must be sent to the Danish Data Protection Agency no later than 1 February 2021.
Furthermore, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism of Rejsekort's continued processing of travel data and information on the conclusion of agreements between Rejsekort and complaints, cf. Article 6 of the Data Protection Regulation, cf. Article 17 (1). 1, letter b.
The Danish Data Protection Agency must then issue Rejsekort an order to delete travel data and information on the conclusion of the agreement regarding complaints, which Rejsekort is not obliged to keep in accordance with the Accounting Act. The order is issued pursuant to Article 58 (1) of the Data Protection Regulation. 2, letter g.
The deadline for compliance with the order is 1 December 2020. The Danish Data Protection Agency must request a confirmation that the order has been complied with no later than the same date.
According to the Data Protection Act, section 41, subsection 2, no. 5, is punishable by a fine or imprisonment for up to 6 months whoever fails to comply with an order issued by the Danish Data Protection Agency pursuant to Article 58 (1) of the Data Protection Regulation. 2.
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
It appears from the case that complaints in 2015 in connection with ordering a personal travel card gave consent to the processing of information by Rejsekort.
On 19 March 2019, the complainant withdrew his consent to Rejsekort's processing of personal data.
By e-mail of the same day, Rejsekort stated that the complainant's customer relationship with Rejsekort had been closed and that her personal information had been deleted. Rejsekort stated that Rejsekort pursuant to the Accounting Act is obliged to store financial data for five years, and that Rejsekort also stores travel data and documentation for entering into an agreement for three years from the termination of the customer relationship.
On the same day, the complainant contacted the Danish Data Protection Agency and complained about Rejsekort's failure to delete all information about her.
2.1. Complainant's remarks
Complainants have generally stated that Rejsekort has not deleted her data, even though she is no longer a customer of Rejsekort.
Complainants believe that it is not relevant for Rejsekort to continue to store e.g. complainant's social security number and credit card data.
2.2. Travel card remarks
Rejsekort has generally stated that Rejsekort has, as far as possible, complied with the complainant's request for deletion, and that Rejsekort continues to process information about the complainant's financial data, including payment information on payment and deductions on the travel card, as Rejsekort is obliged to keep the information in question for five years from the end of the year the complainant is no longer a customer. Travel cards thus process the information in question in accordance with Article 6 (1). Travel cards have also referred to Article 17 (1) (b) of the Data Protection Regulation. 3, letter b, according to which the right to deletion does not apply if the further processing is necessary to comply with a legal obligation.
Information is also treated as documentation of the complainant's agreement with Rejsekort and travel data, as this information is necessary for Rejsekort to document the complainant's transactions, etc., so that Rejsekort can meet any complaints or other claims from complainants. Travel cards process information on documentation of the conclusion of the agreement and travel data pursuant to Article 6 (1). 1, letters b and f, for a period of three years after the consent has been withdrawn.
On the basis of the Danish Data Protection Agency's consent guide from September 2019, Rejsekort has further stated that the continued processing of information on travel data and documentation for entering into agreements takes place on the basis of Article 6 (1) of the Regulation. 1, letter b. It is Rejsekort's opinion that the storage of the information for a three-year period must be considered necessary for the sake of the contract entered into between Rejsekort and the data subject, including in order to be able to document, among other things, travel transactions, the agreement with the customer and the terms thereof.
Travel cards have also referred to Article 17 (1) of the Data Protection Regulation. 3, letter e, according to which the right to deletion does not apply if it is necessary to keep the information in order for a legal claim to be determined, asserted or defended. The three-year deletion period is set on the basis of the statute of limitations' ordinary limitation period of three years for claims, and the storage of personal data is necessary for this period.
In connection with the conclusion of the agreement, Rejsekort stated complaints that her information would be processed on the basis of Article 6 (1) of the Data Protection Regulation. 1, letter a.
When the complainant withdrew his consent, Rejsekort further stated that information on financial data would continue to be stored pursuant to Article 6 (1) of the Data Protection Regulation. 1, letters b and c, and that travel data and information on the complainant's conclusion of a contract with Rejsekort would continue to be stored pursuant to Article 6 (1) (b) and (f) of the Data Protection Regulation.
Rejsekort has stated in connection with the case that the company has complied with the obligations arising from Articles 13 and 14 of the Data Protection Regulation on the duty to provide information.
In this connection, Rejsekort has added that the company's privacy policy has been changed so that already at the time of entering into the agreement, information is provided that Rejsekort may, depending on the circumstances, have a basis for processing in the event of withdrawal of consent to the processing. Rejsekort has sent the changed privacy policy out to all the company's customers. On the basis of the Danish Data Protection Agency's updated consent guide, Rejsekort also intends to change its privacy policy and the information text so that in future reference is made to Article 6 (1) (b) instead of letter f.
Justification for the Danish Data Protection Agency's decision
3.1. Travel card processing basis
The case deals in particular with questions about the data controller's choice of appropriate basis for processing, and the importance of revoking consent when this has constituted the data controller's basis for processing.
The processing of data covered by Article 6 of the Data Protection Regulation may, on the basis of the grounds set out in paragraph 1 of that provision. The treatment can thus, among other things. a. take place on the basis of:

consent in accordance with Article 6 (1) 1, letter a,
if the processing is necessary for the performance of a contract in accordance with Article 6 (1). 1, letter b,
if the processing is necessary to comply with a legal obligation in accordance with Article 6 (1). 1, letter c,
if the processing is necessary in the interests of a legitimate interest within the meaning of Article 6 (1). 1, letter f.

In addition, any processing of personal data must take place in accordance with the basic processing conditions set out in Article 5 of the Data Protection Regulation. always dealt with lawfully, fairly and in a transparent manner in relation to the data subject (the principle of legality, fairness and transparency), in accordance with Article 5 (2). 1, letter a.
In relation to the choice of basis for processing, a data controller must always know, prior to the commencement of processing of personal data, which basis of processing in Article 6 of the Data Protection Regulation is the most appropriate. A data controller may have several processing bases for different processing purposes concerning the same personal data and must also in this situation, before the processing begins, have made it clear in which situations the different processing bases apply.
If a processing is to be carried out on the basis of the data subject's consent, the data controller must, among other things, consider whether it will actually be possible for the data subject to withdraw his consent, including what consequences this may have, as the processing of information carried out by the data controller on the basis of the consent must cease upon revocation.
On the basis of the information provided, the Danish Data Protection Agency assumes that Rejsekort's processing of personal data on complaints took place on the basis of Article 6 (1) of the Regulation. 1, letter a, until the complainant withdrew his consent.
Furthermore, it is assumed that Rejsekort had organized its processing of personal data in such a way that the basis for processing would have to be changed if the consent was withdrawn, as Rejsekort would continue to process information on complaints pursuant to Article 6 (1) of the Regulation. According to the information, travel cards would thus apply Article 6 (1). 1, letters b, c and f, regarding the complainant's agreement, travel data, deductions / payments on the card in connection with the complainant's use of his travel card.
Following a review of the case, the Danish Data Protection Agency's assessment is that consent was not the most appropriate basis for processing Rejsekort's processing of information about complaints, as other processing grounds must be regarded as clearly more appropriate in relation to the processing of complainants' personal data.
On the basis of the information in the case, the Danish Data Protection Agency is of the opinion that Rejsekort could have processed personal data on complaints during the entire contractual relationship with complainants on the basis of Article 6 (1) of the Regulation, respectively. Article 6 (1) (b) on the processing of contractual information (in relation to the travel card agreement itself); 1, letter c, on the processing of information in fulfillment of a legal obligation, (in relation to compliance with the Accounting Act).
The Danish Data Protection Agency has emphasized that the complainant's conclusion of an agreement with Rejsekort on the acquisition of a travel card must be regarded as a contractual matter and that the information necessary for the conclusion and fulfillment of this contract can be processed on the basis of Article 6. , skt. 1, letter b. The Danish Data Protection Agency notes that Rejsekorts otherwise uses the term “contractual relationship” with complaints in connection with the case.
With regard to Article 6, 1, letter c, Rejsekort must, in the opinion of the Danish Data Protection Agency, be considered to have had an obligation to store and process necessary personal data during the entire contractual relationship with complainants in accordance with the provisions of the Accounting Act.
In the opinion of the Danish Data Protection Agency, Rejsekort should therefore not have processed the information on complaints on the basis of Article 6 (1) of the Data Protection Regulation. 1, letter a, on consent.
In its assessment, the Danish Data Protection Agency has attached significant importance to the fact that, as a general rule, a data controller should not change the basis for processing after the processing of personal data has begun [2]. In this respect, a change of basis of processing must be considered particularly problematic when the processing takes place on the basis of a consent, as a consent under the Data Protection Regulation is an expression of the data subjects being given a real choice and control over how their information is processed. Thus, by using consent as a basis for processing, Rejsekort has given the complainant an expectation that the complainant had control over the processing of personal data about her.
The Danish Data Protection Agency then finds that Rejsekort has processed information on complaints in violation of the principle of legality, reasonableness and transparency pursuant to Article 5 (1) of the Data Protection Regulation. 1, letter a, as consent can not be considered the most appropriate basis for treatment. The Danish Data Protection Agency therefore finds grounds for expressing serious criticism of Rejsekort.
It is the opinion of the Danish Data Protection Agency that Rejsekort must re-evaluate the processing basis for the processing of personal data on other than complaints in cases where the processing is based on a consent pursuant to Article 6 (1) of the Regulation. 1, letter a. The Danish Data Protection Agency must request that Rejsekort submit a written statement of this renewed assessment to the Authority no later than 1 February 2021.
3.2. Travel card storage of information according to the Accounting Act
It is the opinion of the Danish Data Protection Agency that Rejsekort during the entire contractual relationship with complainants has had a legal obligation under the Accounting Act to store certain financial information, and that this processing can take place on the basis of the nature of the Data Protection Ordinance. 6 pieces. 1, letter c.
Regardless of the fact that a data controller cannot in principle change the basis for the processing of personal data along the way, it will in some cases be possible to continue a processing, even if the data subject has revoked his consent. However, such continued processing may only take place if it is reasonable in relation to the data subject.
The Danish Data Protection Agency finds that the processing of information on financial information, including payment information on payment and deductions on the travel card, can continue to take place with a view to complying with a legal obligation in accordance with Article 6 (1) of the Data Protection Regulation. Article 17 (1) (c) and that the information shall not be deleted in accordance with Article 17 (1). 1, letter b.
However, the Danish Data Protection Agency must point out that it follows from section 10 of the Accounting Act that the person required to keep accounts must keep the accounting material in a secure manner for 5 years from the end of the financial year to which the material relates. The relevant information on complaints can thus only be kept for a 5-year period from the end of the financial year to which the information relates and thus not necessarily for a 5-year period from complainants withdrew their consent if this period may be longer than the 5-year period from the end of the financial year to which the information relates.
3.3. Travel card continued storage of information about entering into agreements and travel data
Rejsekort has stated that, following the complainant's withdrawal of its consent, the company continues to process information on the conclusion of the agreement and travel data on the basis of Article 6 (1) of the Data Protection Regulation. 1, letter b.
It follows from Article 17 (1) of the Data Protection Regulation 3, letter e, that the right to have information about oneself deleted does not apply if the processing is necessary for legal claims to be established, asserted or defended.
Pursuant to Article 6 (1) of the Data Protection Regulation 1, letter b, processing of personal data may take place if the processing is necessary for the fulfillment of a contract to which the data subject is a party or for the purpose of implementing measures taken at the data subject's request prior to the conclusion of a contract. .
It is the Data Inspectorate's assessment that the continued processing of the information in question cannot take place on the basis of Article 6 (1) of the Regulation. This is not the only case because it is not considered reasonable against complainants, as the information was originally processed on the basis of consent. In addition, the processing cannot take place on this basis, as the contractual relationship between the complainant and Rejsekort ended at the time when the complainant withdrew his consent. It is therefore the opinion of the Danish Data Protection Agency that there is no longer a contract or a contractual relationship between complainants and Rejsekort, which the processing according to Article 6, para. 1, letter b, may concern.
At least in the specific circumstances where Rejsekort has erroneously used consent as a basis for processing, the Danish Data Protection Agency finds that consideration for the data subject takes precedence over Rejsekort's interest in storing information for the purpose of handling a possible legal claim.
In this connection, the Danish Data Protection Agency adds that there are no circumstances that indicate that continued storage with reference to a possible legal claim can be considered relevant.
The Danish Data Protection Agency thus finds that Rejsekort has no basis in Article 6 of the Data Protection Regulation for the continued processing of the information on the conclusion of the agreement and travel data. Against this background, the Danish Data Protection Agency finds serious criticism of the fact that Rejsekort did not delete the information on the conclusion of the agreement and travel data, as the complainant withdrew his consent, cf. Article 17 (1) of the Data Protection Regulation. Article 6 (1) (b).
The Danish Data Protection Agency must then issue Rejsekort an order to delete travel data and information on the conclusion of agreements regarding complaints, which Rejsekort is not obliged to keep in accordance with the Accounting Act. The order is issued pursuant to Article 58 (1) of the Data Protection Regulation. 2, letter g.
The deadline for compliance with the order is 1 December 2020. The Danish Data Protection Agency must request a confirmation that the order has been complied with no later than the same date.
3.4. Duty to provide information
Rejsekort finds, depending on the circumstances, that Rejsekort must be considered to have fulfilled its duty to provide information in accordance with Article 13 of the Data Protection Regulation, referring to the company's own assessment of the processing basis for processing complaint information before and after complainant withdrew .
The Danish Data Protection Agency has noted that Rejsekort's website does not appear to have updated the privacy policy as stated by Rejsekort.
The Danish Data Protection Agency also encourages Rejsekort - in the light of this decision - to update the content of the information provided in fulfillment of the duty to provide information.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).
[2] See also Article 29 Working Party Guidelines on Consent under Regulation 2016/679 (WP259 rev. 01) as last revised and adopted on 10 April 2018, p. 6.