Datatilsynet (Denmark) - 2019-431-0031

From GDPRhub
Revision as of 17:31, 21 January 2022 by Rose (talk | contribs) (→‎Holding)
Datatilsynet (Denmark) - 2019-431-0031
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 6(1)(f) GDPR
Article 14(1) GDPR
Article 14(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 22.12.2021
Published: 22.12.2021
Fine: None
Parties: Det Konservative Folkeparti (The Conservative People's Party)
National Case Number/Name: 2019-431-0031
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet.dk (in DA)
Initial Contributor: n/a

A Danish Political Party received criticism for sending letters to potential voters without giving information about how the names and addresses had been obtained.

English Summary

Facts

A political party had sent letters to a certain number of households in connection with an election campaign. The names and addresses of the recepients had been obtained from information that was publically available, and information about voting habits in different areas had been gathered through statistical analyses. The letters did not contain information about this processing of person data, however the Party had made this information available on its website.

After having been notified by multiple recepients, the Danish DPA decided to investigate the political party's use of personal data.


Holding

The DPA first had to assess whether the Party had legal basis for the processing of personal data. The DPA held that the Party had a legitimate interest in using the personal data for campaigning purposes, and that such use of publically available was not particularly invasive to the data subjects' privacy. The Party therefore had legal basis for the processing, cf. GDPR article 6(1)(f).

The DPA then had to assess whether the Party had acted in accordance with the information obligations in GDPR article 14. The DPA found that the information published on the website of the Party did not fulfill the requirements of art. 14(2). The DPA also held that the information could not be considered "given to the data subject" when the data subject would have to find the information on the website by themself.

The DPA reprimanded the Party for its breach of article 14.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Criticism of the Conservative People's Party's failure to fulfill its duty to provide information
Date: 22-12-2021
Decision

The Danish Data Protection Agency has assessed that the Conservative People's Party did not fulfill its duty to provide information when collecting personal information about potential voters.

Journal number: 2019-431-0031
Summary
The Danish Data Protection Agency has made a decision in a case where, after a series of specific inquiries in 2019, the Authority became aware of the Conservative People's Party's processing of personal data in connection with the party sending letters to selected households regarding the 2019 European Parliament and 2019 parliamentary elections. therefore to investigate the matter further on its own initiative.
The Conservative People's Party had collected the names and addresses of selected recipients in order to send letters about the party's flagship issues. The Conservative People's Party had stated as a reason for not providing information to the data subjects - the recipients of the letter - that fulfillment of the duty to provide information could be omitted because the collection of name and address for sending a letter constitutes an explicit right according to Danish practice. does not override the interests of the data subject.
The Danish Data Protection Agency found that the Conservative People's Party had not fulfilled its duty to provide information under the Data Protection Ordinance and expressed criticism of the party, as the Authority did not find that there were grounds for failing to fulfill the duty to provide information.
Decision
After a review of the case, the Danish Data Protection Agency finds that the Conservative People's Party's processing of personal data has taken place within the framework of Article 6 (1) of the Data Protection Regulation [1]. 1.
At the same time, however, the Danish Data Protection Agency finds that there are grounds for expressing criticism that the Conservative People's Party's processing of personal data has not taken place in accordance with the rules in Article 14 of the Regulation.
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
It appears from the case that the Conservative People's Party in the run-up to the elections to the European Parliament and the Folketing in May / June 2019 sent out a number of letters to private citizens about the party's key issues.
2.1. The Conservative People's Party's remarks
NJORD Advokatpartnerselskab (hereinafter "Njord") has stated on behalf of the Conservative People's Party that the case is largely identical to a previous case, which the Danish Data Protection Agency decided on 8 June 2016 (The Danish Data Protection Agency's j.nr. 2014-219-0516) [2]. As in the previous case, the Conservative People's Party has collaborated with the data distributor Geomatic A / S.
Njord has stated that in connection with the election to the European Parliament, letters were sent to 130,210 people, and that in connection with the election to the Folketing, letters were sent to 149,339 people. It is not known with certainty whether and to what extent there was personal coincidence for the receipt of letters in the two campaigns. It is likely that there has been some degree of personal coincidence.
Njord has generally stated that the sending of the letters took place by a generally accepted method of sending political messages.
The Conservative People's Party entered into cooperation with Geomatic with a view to conducting a so-called "direct mail campaign". The campaign was to send letters to potential voters with a presentation of the party's political flagships. The letters were distributed via the printing company Degn Grafisk A / S
The recipients of the letters were selected on the basis of a segmentation made by Geomatic. The segmentation was created on the basis of statistical data from Statistics Denmark, publicly available data from e.g. polling station data, BBR and CVR, geographical variables on population density and the product conzoom®.
The product conzoom® is a data-driven segmentation that uncovers features or trends in the population and consists of segmentation of nine groups and 36 types.
The specific names and addresses used for the direct mail campaign were identified via Geomatics' "decision-maker variable" based on selected geographical areas from the segmentation.
The decision-maker variable is a product that Geomatic delivers by virtue of its status as a distributor of teledata (www.118.dk), where they receive and validate names, addresses and telephone numbers for subsequent distribution to, among others, via a distributor agreement with TDC A / S. . direct mail campaigns.
The validation is carried out by means of a CPR quick check and the publicly available data from the telecommunications information in order to make it probable which person opens letters at home at a given address.
The decision-maker variable must ensure that letters are not addressed to deceased persons or children. This is a very common practice in direct mail campaigns.
The Conservative People's Party was data responsible for the processing of the names and addresses of private individuals in connection with the sending of letters with information about the party's political issues. The Conservative People's Party considers Geomatic to be an independent data controller for the company's own processing of information from the telecommunications information. The same applies to Degn Grafisk A / S, which handled printing and mail delivery of the letters.
The name and address information was collected from the telecommunications information by Geomatic as telecommunications distributor and passed on to the Conservative People's Party for the purpose of sending the letters.
The basis for processing was Article 6 (1) of the Data Protection Regulation. 1, letter f. The Conservative People's Party's interest in spreading its political messages up to the parliamentary elections was not apt to violate the fundamental rights and freedoms of the letter recipients. In this connection, reference is made to the fact that it is legal to send letters to residents at private addresses using name and address.
Against this background, the principle of legality, fairness and transparency in Article 5 (1) of the Regulation became 1, letter a, fulfilled.
Njord has noted about the fulfillment of the duty of disclosure in connection with the sending of the letters that the Conservative People's Party kept within best practice in direct mail campaigns. Thus, it is not customary to enclose a privacy policy with the fulfillment of the duty of disclosure in Article 13 of the Data Protection Regulation solely for the activity relating to the sending of a letter. The omission of the duty to provide information is justified by the exception in Article 14 (1) of the Regulation. 5, letter c, based on the consideration that the collection of name and address for the purpose of sending a letter, constitutes an explicitly determined right according to Danish practice, which does not override the consideration of the registered (recipient of the letter) himself.
After the letters were sent, a number of inquiries came from citizens to the Conservative People's Party, and Jyllands-Posten wrote an article mentioning the letters. This prompted the Conservative People's Party to publish an information page about the letters on its website. The information page is available at https://konservative.dk/brev-fra-os/ and is an expression of a general explanation of the function of the letters and not a privacy policy to comply with Article 13 or 14 of the Data Protection Regulation.
Njord has stated that all information about the recipients of the letters has been deleted as an immediate extension of the sending of the letters in each campaign.
The Conservative People's Party has not in practice had access to the personal information (name and address) of the recipients of the letters. Geomatic provided a list of letter recipients to the Conservative People's Party. The list was, by agreement with the party, sent directly from Geomatic to Degn Grafiks A / S. Degn Grafisk A / S deleted the list immediately after printing and sending the letters, as they no longer needed data. There has been no instruction that the term is used in the data protection rules vis-à-vis a data processor.
As part of the overall agreement for the provision of services, the Conservative People's Party and Geomatic have also entered into a data processor agreement. However, the data processor agreement does not regulate the processing of personal data in connection with the sending of letters to selected households. Njord has sent a copy of the data processor agreement to the Danish Data Protection Agency.
Njord has sent a sample of letters from the European Parliament campaign and from the Parliamentary election campaign to the Danish Data Protection Agency. The letter samples did not contain information about letter recipients.
Justification for the Danish Data Protection Agency's decision
3.1.
It appears from the case that the Conservative People's Party for the purpose of sending the letters with the party's flagship cases had collected address information from Geomatic, which prior to the transfer of the information to the Conservative People's Party had made a segmentation based on information from Statistics Denmark. .a. from BBR and polling station data and when using the product conzoom®.
With reference to the Danish Data Protection Agency's previous case concerning the Conservative People's Party's distribution of election material [3], the Authority has not found grounds to include Geomatics' collection and transfer of address information to the Conservative People's Party during the proceedings.
In deciding the present case, the Danish Data Protection Agency has assumed that Geomatic was data responsible for processing information from the telecommunications information in the form of names and addresses of private individuals.
Furthermore, the Danish Data Protection Agency has assumed that the Conservative People's Party was data responsible for the processing of the names and addresses of private individuals in connection with the collection of this information and the sending of letters with information about the party's political issues.
3.2. Processing of personal data in connection with marketing
In the Data Protection Act [4] § 13, para. 1-7, more detailed conditions have been laid down for the processing of personal data in connection with marketing.
An enterprise may not disclose information about a consumer to another enterprise for direct marketing purposes or use the information on behalf of another enterprise for that purpose unless the consumer has given his express consent. Consent must be obtained in accordance with the rules in the Marketing Act [5] § 10, cf. the Data Protection Act § 13, paragraph. 1.
According to the Danish Data Protection Agency's practice [6], the Conservative People's Party cannot be perceived as a trader who has collected the data of the data subjects for the purpose of selling goods or services to the data subjects. The processing of personal data at issue in the case is therefore not covered by section 13 of the Data Protection Act. The decision must then be made in accordance with Article 6 of the Data Protection Regulation.
3.3. Personal data processing authority
In connection with the Conservative People's Party's distribution of letters to potential voters, the party has processed information covered by Article 6 of the Data Protection Regulation in the form of the name and address of the recipients collected from Geomatic.
The processing of personal data covered by Article 6 may include: take place when the processing is necessary for the data controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms requiring the protection of personal data take precedence, in accordance with Article 6 (1) of the Data Protection Regulation. 1, letter f.
The Danish Data Protection Agency finds that the Conservative People's Party's processing of personal data has taken place within the framework of Article 6 (1). 1, letter f.
The Danish Data Protection Agency has emphasized that the processing of personal data that took place in connection with the sending of the letters was necessary for the Conservative People's Party to pursue a legitimate interest in informing about the party's key issues to potential voters up for election.
The Danish Data Protection Agency has also attached importance to the fact that the information on name and address is in principle publicly available information, and that the processing thereof in connection with the sending of letters cannot be regarded as interfering with the data subjects. The data subjects 'interests or fundamental rights and freedoms therefore, in the opinion of the Data Inspectorate, do not precede the Conservative People's Party's processing of the data subjects' personal data.
3.4. Duty to provide information if the information has not been collected from the data subject
It appears from the case that the Conservative People's Party has collected personal information for the purpose of sending letters, and that the information has not been collected from the data subjects themselves.
If the personal data have not been collected from the data subject, the data controller shall, on his own initiative, provide the data subject with a number of data listed in Article 14 (1) of the Data Protection Regulation. 1. In addition to the information referred to in paragraph (1), the data controller shall provide the data subject with a range of information in accordance with Article 14 (1). 2, which are necessary to ensure a fair and transparent treatment.
The data controller shall provide the information referred to in paragraph 1. 1 and 2, within a reasonable time after the collection of the personal data, but no later than within one month, taking into account the specific circumstances under which the personal data are processed, in accordance with Article 14 (1). The maximum time limit within which the information must be provided to the data subject is in any case one month.
Article 14 (1) of the Data Protection Regulation 1-4, does not apply if and to the extent that collection or disclosure is expressly provided for in EU law or the national law of the Member States to which the data controller is subject and which lays down appropriate measures to protect the data subject's legitimate interests, cf. Article 14, paragraph 5, letter c.
It follows from the former Article 29 Working Party's transparency guidelines under Regulation 2016/679 [7] that:
"Article 14, paragraph Article 14 (5) (c) allows for the abolition of the disclosure requirements in Article 14 (2). 1, 2 and 4, in so far as the collection or transfer of personal data "is expressly provided for in Union or national law of the Member States to which the controller is subject". This exception is conditional on the legislation in question providing for "appropriate measures to protect the legitimate interests of the data subject". Such legislation must be directed at the data controller, and the collection or transfer in question must be mandatory for him. The data controller must accordingly be able to demonstrate how the legislation in question applies to them and oblige them to either collect or pass on the personal data in question. "
In the opinion of the Danish Data Protection Agency, Article 14 (1) of the Regulation 5, letter c, does not apply, as the processing of information in connection with the sending of letters about the party's key issues is not explicitly stipulated in the legislation.
Furthermore, the Danish Data Protection Agency is of the opinion that the publication of a text on the Conservative People's Party's website with information on sending the letters does not meet the conditions in Article 14 of the Data Protection Regulation, as the information does not meet the content requirements as stated in Article 14 2, or can be regarded as "given" to the data subject, as he or she must find the information on the party's website.
As there is no legal basis for failing to fulfill the duty to provide information in Article 14 or in section 22 of the Data Protection Act, the Danish Data Protection Agency finds grounds for expressing criticism of the Conservative People's Party, as the party has not fulfilled its duty to provide information under Article 14 of the Data Protection Regulation.

Appendix: Legal basis
Excerpt from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Regulation on data protection).
Article 4. For the purposes of this Regulation:

'Personal data' means any information relating to an identified or identifiable natural person ('the data subject'); identifiable natural person means a natural person who can be directly or indirectly identified, in particular by an identifier such as a name, identification number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
'Processing' means any activity or series of activities - with or without the use of automatic processing - to which personal data or a collection of personal data are made, e.g. collection, registration, organization, systematization, storage, adaptation or modification, retrieval, search, use, disclosure by transmission, dissemination or any other form of transfer, assembly or interconnection, restriction, deletion or destruction;

[…]

'Data controller' means a natural or legal person, a public authority, an institution or any other body which, alone or in conjunction with others, decides on the purposes and means by which personal data may be processed; if the purposes and means of such processing are laid down in Union or national law of the Member States, the controller or the specific criteria for its designation may be laid down in Union or national law of the Member States;
'Data processor' means a natural or legal person, a public authority, an institution or any other body which processes personal data on behalf of the data controller;

[…]
Article 6. Treatment shall be lawful only if and to the extent that at least one of the following conditions applies:

The data subject has given consent to the processing of his personal data for one or more specific purposes.
Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken at the request of the data subject prior to the conclusion of a contract.
Processing is necessary to comply with a legal obligation incumbent on the data controller.
Processing is necessary to protect the vital interests of the data subject or another natural person.
Processing is necessary for the purpose of performing a task in the interest of society or which falls within the exercise of public authority, which has been imposed on the data controller.
Processing is necessary for the data controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms requiring the protection of personal data take precedence, in particular if the data subject is a child.

The first subparagraph, point (f), does not apply to processing carried out by public authorities in the performance of their tasks.
Article 14. If the personal data are not collected from the data subject, the data controller shall provide the data subject with the following information:

identity and contact details of the data controller and his / her representative, if any
contact information for any data protection adviser
the purposes of the processing for which the personal data are to be used, as well as the legal basis for the processing
the affected categories of personal data
any recipients or categories of recipients of the personal data
where relevant, the data controller intends to transfer personal data to a recipient in a third country or international organization, and whether the Commission has decided on the adequacy of the level of protection, or in the case of transfers under Article 46 or 47 or Article 49; , PCS. 1, second subparagraph, point (h), reference to the necessary or appropriate guarantees and how a copy can be obtained or where they have been made available.

PCS. 2. In addition to the information referred to in paragraph 1, the data controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

the period during which the personal data will be stored or, if this is not possible, the criteria used to determine this period;
the legitimate interests pursued by the controller or a third party if the processing is based on Article 6 (1); 1 (f)
the right to request the data controller access to and rectification or deletion of personal data or restriction of processing concerning the data subject and to object to the processing, as well as the right to data portability;
when treatment is based on Article 6 (1) Article 9 (1) (a) or Article 9 (1) Article 2 (2) (a), the right to withdraw consent at any time, without prejudice to the lawfulness of consent-based proceedings before its withdrawal;
the right to lodge a complaint with a supervisory authority
which source the personal data comes from and, if so, whether it comes from publicly available sources
the existence of automatic decisions, including profiling, as referred to in Article 22 (1); 1 and 4, and in these cases at least meaningful information about the logic therein as well as the significance and the expected consequences of such processing for the data subject.

PCS. The data controller shall provide the information referred to in paragraph 1. 1 and 2:

within a reasonable time after the collection of the personal data, but no later than within one month, taking into account the specific circumstances under which the personal data are processed,
if the personal data is to be used to communicate with the data subject, at the latest at the time of the first communication with the data subject, or
if the personal data is intended to be passed on to another recipient, at the latest when the personal data is first passed on.

PCS. If the data controller intends to further process the personal data for a purpose other than that for which it was collected, the data controller shall provide the registered information on this other purpose as well as other relevant additional information prior to this further processing, cf. 2.
PCS. 5 pieces. 1-4 shall not apply if and to the extent:

the data subject is already aware of the information
the provision of such information proves impossible or will require a disproportionate effort, in particular in relation to processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes subject to the conditions and guarantees referred to in Article 89 (1); Or to the extent that the obligation referred to in paragraph 1 of this Article 1, is likely to make it impossible or will seriously impede the achievement of the purposes of this treatment. In such cases, the data controller shall take appropriate measures to protect the data subject's rights and freedoms as well as legitimate interests, including by making the information publicly available.
collection or disclosure is expressly provided for in Union or national law of the Member States to which the data controller is subject and which provides for appropriate measures to protect the legitimate interests of the data subject; or
personal data must remain confidential as a result of professional secrecy under EU law or the national law of the Member States, including statutory professional secrecy.

Excerpt from Act no. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data (the Data Protection Act).

 13. An undertaking may not disclose information about a consumer to another undertaking for direct marketing purposes or use the information on behalf of another undertaking for this purpose unless the consumer has given his express consent. Consent must be obtained in accordance with the rules in section 10 of the Marketing Act.

PCS. 2. Transfer and use as mentioned in para. However, paragraph 1 may be done without consent in the case of general customer information which forms the basis for division into customer categories and if the conditions in Article 6 (1) of the Data Protection Regulation 1, letter f, is met.
PCS. 3. Pursuant to para. 2, the information referred to in Article 9 (2) of the Data Protection Regulation shall not be disclosed or used. 1, or section 8 of this Act.
PCS. 4. Before a company passes on information about a consumer to another company for the purpose of direct marketing or uses the information on behalf of another company for this purpose, it must examine in CPR whether the consumer has refused inquiries for marketing purposes.
PCS. Data controllers who, for the purposes of direct marketing, sell lists of groups of persons or who, for third parties, address or send messages to such groups may only process:
1) information on name, address, position, occupation, e-mail address, telephone and fax numbers,
2) information included in business registers which, in accordance with law or regulations laid down in law, are intended to inform the public, and
3) other information if the data subject has given express consent.
PCS. 6. A consent pursuant to para. 5 must be obtained in accordance with section 10 of the Marketing Act.
PCS. 7. Processing of information as mentioned in para. Paragraph 5 may not include information as referred to in Article 9 (2) of the Data Protection Regulation. 1, or section 8 of this Act.
PCS. 8. The Minister of Justice may lay down further restrictions on the right to disclose or use certain types of information pursuant to subsection (1). 2.
PCS. 9. The Minister of Justice may lay down further restrictions than those in subsection (1). 7 mentioned in the access to process certain types of information.

 22. The provisions of Article 13 (1) of the Data Protection Regulation 1-3, Article 14, para. Paragraphs 1 to 4, Article 15 and Article 34 shall not apply if the data subject's interest in the information is found to give way to overriding reasons relating to private interests, including the interests of the data subject.

PCS. Derogation from the provisions of Article 13 (2) of the Data Protection Regulation 1-3, Article 14, para. 1-4, Article 15 and Article 34 may also be made if the data subject's interest in obtaining the information is found to give way to overriding reasons relating to the public interest, in particular to:
1) state security,
2) the defense,
3) public security,
4) prevention, investigation, detection or prosecution of criminal offenses or enforcement of criminal sanctions, including protection against and prevention of threats to public security;
5) other important objectives relating to the protection of the general public interest of the European Union or a Member State, in particular the essential economic or financial interests of the European Union or a Member State, including monetary, budgetary and fiscal matters, public health and social security;
6) protection of the independence of the judiciary and litigation;
7) prevention, investigation, detection and prosecution in connection with breaches of ethical rules for regulated professions,
8) control, supervisory or regulatory functions, including tasks of a temporary nature related to the exercise of official authority in the cases referred to in points 1-5 and 7;
Protection of the data subject's rights or freedoms of the data subject or others; and
10) enforcement of civil law claims.
PCS. Information processed by the public administration in the context of administrative proceedings may be exempted from the right of access pursuant to Article 15 (1) of the Data Protection Regulation. 1, to the same extent as under the rules in §§ 19-29 and 35 of the Public Administration Act.
PCS. Articles 13 to 15 of the Data Protection Regulation shall not apply to the processing of personal data by the courts when they act in their capacity as a court.
PCS. 5. Articles 15, 16, 18 and 21 of the Data Protection Regulation shall not apply if the data are processed solely for scientific or statistical purposes.
PCS. Article 34 of the Data Protection Regulation does not apply as long as the notification of data subjects is specifically considered to complicate the investigation of criminal offenses. Application of 1st sentence. can only be decided by the police.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).
[2] In the case, in the run-up to the European Parliament elections in May 2014, the Conservative People's Party had sent a letter to a data subject stating that his address was at risk of burglary. The party had sent similar letters to a number of other selected addresses in areas with an increased statistical risk of burglary. The party had received information about names and addresses from Geomatic A / S. The Danish Data Protection Agency assessed, among other things, that the Conservative People's Party could not be regarded as a trader who had collected the data subject's personal data for the purpose of disposing of goods or services, and that Geomatic A / S had not passed on personal data with a view to marketing, which is why the disclosure was not covered by the current provisions in the Personal Data Act, section 6, subsection. 2-4, and § 36 on marketing.
[3] In the case 2014-219-0516 - also mentioned in note 2 - the Danish Data Protection Agency took the position that prior to sending letters with the Conservative People's Party's flagship cases, a segmentation of Geomatic A / S had been carried out using statistical information, publicly available information as well as when using conzoom®.
[4] Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).
[5] Act No. 426 of 3 May 2017 on Marketing with Subsequent Amendments (Marketing Act).
[6] The Danish Data Protection Agency stated in j.nr. 2000-139-0002, that the concept of "marketing" in the Personal Data Act §§ 6, paragraph. 2-4, and 36, are generally to be understood as a trader's contact with a consumer for the purpose of selling goods or services.
[7] Article 29 Working Party on Data Protection, WP 260 rev. 01, guidelines for transparency in accordance with Regulation 2016/679, adopted on 29 November 2017, last revised and adopted on 11 April 2018, p. 35 (Danish language version). At its first meeting on 25 May 2018, the European Data Protection Board confirmed that this is also an expression of the Council's position.