Datatilsynet (Denmark) - 2020-31-3586

From GDPRhub
Revision as of 10:18, 15 September 2021 by SR (talk | contribs) (→‎Dispute)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet (Denmark) - 2020-31-3586
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 15 GDPR
§22 Danish Data Protection Act of 23 May 2018
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.09.2021
Published:
Fine: None
Parties: Anonymous ( data subject vs insurance company)
National Case Number/Name: 2020-31-3586
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Danish DPA (in DA)
Initial Contributor: n/a

The Danish DPA held that an insurance company breached Article 15 GDPR by refusing to give an insured person access to a surveillance report which the company had compiled about them. The company could not restrict the data subject’s access right because the report might be used in litigation against it.

English Summary

Facts

The complainant in this case got injured in a traffic accident and sought compensation for loss of earnings with their insurance company. As a result, the insurance company started monitoring the complainant. This included taking photos and videos of the complainant without their knowledge, and structuring such data in a surveillance report. When the latter became aware of this, he/she contacted a law firm. On 4 May 2020, the law firm, acting on behalf of the complainant, requested access to the surveillance report pursuant to Article 15 GDPR (right to access to the personal data).

Subsequently, the insurance company filed a complaint with the police, and then responded that it would not release the surveillance report, invoking section 22 of the Danish Data Protection Act of 24 May 2018. According to that section, the right of data subjects to access their personal data may be restricted on the basis of 'decisive considerations of private interests'. A dispute ensued, and the law firm filed a complaint with the Danish DPA. On 4 January 2021, while the complaint was still being processed by the Danish DPA, the insurance company decided to hand over the surveillance report to the law firm (i.e. 8 months after the initial request by the law firm).

The data subject considered that the insurance company should have provided the surveillance report within one month of the access request, in accordance with Article 15 GDPR and Article 12(3) GDPR. By contrast, the insurance company argued that the right to access is not absolute, and that it can be restricted when it would adversely affect the rights and freedoms of others, and in particular the interests of the insurance company in the context of a litigation against the data subject, in accordance with Article 15(4) GDPR and section 22 of the Danish Data Protection Act.

Holding

After reviewing the facts of the case, the Danish DPA found that the insurance company had infringed Article 15 GDPR, as implemented by section 22 of the Danish Data Protection Act. In particular, the Danish DPA recalled that the right to access of the data subject could only be restricted on the basis of “decisive considerations” pertaining to prevailing interests of the data controller or another party. According to the Danish DPA, this exception only applies when there is an "imminent danger" that the interests of a private party will suffer "significant damage". In this case however, the insurance company would have not suffered a significant damage from handing over the surveillance report to the data subject. In particular, the Danish DPA considered that the fact that the surveillance report may have been used, by the complainant, as evidence in a litigation against the insurance company did not constitute a "decisive consideration".

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Decision regarding the insurance company's processing of personal data
Date: 06-09-2021
Decision

The Danish Data Protection Agency hereby returns to the case where [law firm] (hereinafter [law firm]) on 7 July 2020 on behalf of [X] (hereinafter the complainant) complained to the Authority that [insurance company] has refused to provide insight into information about complaints collected in connection with his supervision.
Journal number: 2020-31-3586
Summary
The Danish Data Protection Agency has made a decision in a case where a law firm on behalf of a citizen requested access to information about the citizen that an insurance company had collected in connection with monitoring the citizen in question.
The insurance company did not want to hand over the surveillance material consisting of observation reports, photos and videos, because there were crucial considerations for the insurance company's own interests in being able to defend itself against a possible subsequent lawsuit and the police's ability to investigate a potentially serious offense. insight had to give way to.
The Danish Data Protection Agency found that the insurance company in the specific case had not demonstrated decisive considerations to which the citizen's right of access should give way. The actual personal data collected about the customer in connection with the initiated monitoring was thus not found to have a content that could entail an imminent danger that private interests would suffer material damage. The fact that the personal data collected could in all probability be involved in a possible legal dispute did not in the specific case constitute such a decisive consideration for the interests of the insurance company that the actual personal data collected on complaints in connection with the monitoring could exempt from the right of access.
The Danish Data Protection Agency notes that the present case has been treated as a local case, cf. Article 56 (1) of the Data Protection Regulation. 2, as the subject matter of the case alone significantly affects data subjects in Denmark. The Swedish Data Protection Authority, which is the leading supervisory authority in relation to [insurance company], has agreed with this recital in accordance with Article 56 (1) of the Regulation. 3.
Furthermore, the Danish Data Protection Agency notes that in the present decision, the Authority does not take a position on the legality of the monitoring that [insurance company] initiated against complaints and the collection of personal data that was caused by the monitoring, as these matters have been brought before the Danish Financial Supervisory Authority.
Decision
After reviewing the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that [insurance company]'s processing of personal data has not taken place in accordance with the rules in Article 15 of the Data Protection Regulation [1], cf. section 22 of the Data Protection Act [2].
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
It appears from the case that complaints in [date] were involved in a traffic accident. As a result, complainants sought i.a. on compensation for loss of earning capacity of [insurance company].
In this connection, [Insurance Company] initiated monitoring of complaints during periods [X].
As a result, on May 4, 2020, [Law Firm] requested that the monitoring material be provided.
On 18 May 2020, [insurance company] reported complaints to [police]. Subsequently, on 26 May 2020, [insurance company] responded to [law firm] request for insight, stating that [insurance company] did not wish to release the surveillance reports and the recorded photos and videos. [Insurance company] referred to section 22 of the Data Protection Act.
[Advokatselskab] approached again on 29 May 2020 and again requested access to information on complaints, as [law firm] argued that section 22 of the Data Protection Act did not contain authority to detain the monitoring material.
[Insurance company] responded to the inquiry on 16 June 2020, stating that [insurance company] maintained their position on the matter.
On 7 July 2020, the Danish Data Protection Agency then received a complaint about [the insurance company's' handling of the complainant's request for access.
On 1 September 2020, the Danish Data Protection Agency sent the complaint for consultation and asked [the insurance company] for an opinion on the matter. [Insurance company] issued an opinion on 18 September 2020.
[Advokatselskab] stated on 8 October 2020 that [law firm] as a representative of complaints in relation to [insurance company] police report had been handed the surveillance material that [insurance company] had handed in to [police], but that the material in connection with indictment was returned to the police.
[Insurance company] stated on 6 January 2021 that [insurance company] had now handed over the monitoring material to [law firm], which [law firm] in a letter of 4 January 2021 to [insurance company] confirmed.
2.1. Complainant's remarks
Complainants have generally stated that [insurance company] has not provided information on complaints that [insurance company] has collected in connection with the monitoring of him.
Complainants have stated in this connection that [insurance company] has not been entitled to reject the request for access with reference to section 22 of the Data Protection Act.
2.2. [Insurance Company] remarks
[Insurance company] has stated that in May 2020 [insurance company] did not want to hand over the monitoring material, as [insurance company] assumed that complainants would initiate a lawsuit against [insurance company] in connection with the rejection of complainants' claim for incapacity compensation.
[Insurance company] has stated that this presumption was confirmed, as the complainant's lawyer in the complaint to the Danish Data Protection Agency has stated: "I must use the material for a legal prosecution of my client's claim for loss of ability to work after the accident against [insurance company]." In addition, the complainant has continuously pursued his right to compensation through the complainant's two different lawyers. [Insurance Company] was therefore entitled to presume that the case had not been concluded with [Insurance Company]'s refusal to cover.
[Insurance company] has stated that [insurance company] made a concrete balance between the complainant's interest in obtaining the information at the time of the refusal of access, and the consideration of protecting [insurance company]'s own interests and the police's ability to investigate a potentially serious offense in the form of (attempted) fraud.
[Insurance company] estimated on the basis of the course of events, partly the changing explanations about the complainant's ability to work, and partly the complainant's lawyer's statements that the possibilities for free trial were examined, that there was a current and imminent risk that [insurance company] would be sued in the case.
[Insurance company] has further stated that [insurance company] assessed that complainants could use the observation reports, photos and videos from the surveillance to the detriment of [insurance company]'s ability to pursue [insurance company] own interests in a subsequent lawsuit if complainants gained insight into the information prior to the preparation of a writ of summons. This is substantiated by the fact that complainants have repeatedly changed his explanation of his ability to work after becoming aware that [insurance company] had been monitoring him.
It was therefore [insurance company]'s assessment that the supervision should not be handed over to complainants, but that insight could be obtained at a later stage when the considerations on which [insurance company] justified the refusal no longer applied.
Justification for the Danish Data Protection Agency's decision
3.1. In principle, data subjects have the right to receive confirmation from the data controller as to whether personal data concerning the data subject is being processed and, where applicable, access to the personal data and a number of additional data, in accordance with Article 15 of the Data Protection Regulation.
A data controller may refuse to grant a request for access from a data subject if one of the exceptions to the right of access can be invoked pursuant to Article 15 (1) of the Data Protection Regulation. 4, or section 22 of the Data Protection Act.
Pursuant to the Data Protection Act, section 22, subsection 1, the right of access may thus be limited if the data subject's interest in the information is found to give way to decisive considerations of private interests, including the consideration for the person himself.
According to this provision, a data controller may, after a specific assessment, refuse to provide insight into information if it will result in the company's business basis, business practice or know-how thereby suffering significant damage. Furthermore, after a specific assessment, it will be possible to refuse insight into internal assessments of whether the company will enter into a contractual relationship on the basis of available information, change an existing contractual relationship, set special conditions for continuation, possibly terminate a contractual relationship and similar cases. In the same way, depending on the circumstances, it will be possible to refuse insight into e.g. a memorandum assessing whether there is a prospect of a particular lawsuit being won against a customer, or an internal memorandum in a case indicating possible evidence that a customer has attempted to engage in insurance fraud against an insurance company or attempted to evade the obligation pursuant to e.g. a loan contract. [3]
According to the wording of the provision, there must be "decisive considerations", which means that an exception can only be made from the right of access in cases where there is an imminent danger that the interests of private individuals will suffer significant damage. [4]
It appears from the Register Committee's report no. 1345/1997 on the processing of personal data, p. 311, that it is recognized that private data controllers, like public data controllers, need to be able to protect internal decision-making processes to a certain extent. The right of access may be limited on the basis of the company's crucial interest in having the freedom to assess the conclusion of contracts and existing customer relationships, and in preventing competitors from gaining information that is in the nature of purely internal assessments or trade secrets. The Committee thus considered that it should be possible to limit the right of access if disclosure of information in the specific situation would entail an imminent risk of injury. On the other hand, the fact that there are internal assessments, etc., should not in itself justify a refusal of a request for access.
3.2. The Danish Data Protection Agency assumes that [insurance company] from 4 May 2020 to around 4 January 2021 did not hand over the monitoring material that [insurance company] had collected in connection with the initiated monitoring of complaints.
The Danish Data Protection Agency also assumes that the information that [insurance company] has exempted from the complainant's right of access consists of personal information about the complainant and his activities in the form of photos, video and notes in observation reports. The information is thus not in the nature of own, subjective assessments, e.g. a note on the prospect of winning a lawsuit, but purely objective information about the complainant's doings and barn.
As is clear from the preparatory work for the provision in section 22 of the Data Protection Act, it will, depending on the circumstances, be possible for a data controller to refuse access to a memorandum which, on the basis of information collected, assesses whether there is a prospect of a particular lawsuit. The provision is thus aimed at the data controller's own (subjective) assessments of e.g. conduct of a trial and thus does not aim at purely objective information.
In the opinion of the Danish Data Protection Agency, the provision can thus not be extended to include personal data collected in the form of photos, video and observation reports, which will form the very core of a possible lawsuit.
The actual personal data collected on complaints in connection with the monitoring initiated does not appear to have a content that could pose an imminent danger that private interests would suffer significant damage, that the data could be exempted from the right of access pursuant to section 22, subsection 1.
Thus, the fact that the personal data collected may in all likelihood be involved in any litigation against [insurance company] does not constitute such a decisive consideration for [insurance company]'s interests that the actual personal data collected about complaints in the monitoring of him , may be exempted from the right of access, cf. section 22 (1) of the Data Protection Act. 1.
The Danish Data Protection Agency notes that the right of access is precisely intended to give data subjects (including complainants) access to check the accuracy of the information and the legality of the processing, and exceptions to this therefore presuppose that there are current decisive considerations that the data subject's right of access should be give way to.
It is against this background that the Danish Data Protection Agency's assessment that [insurance company] could not reject the complainant's right of access with reference to the fact that complainants could use the monitoring material to the detriment of [insurance company]'s ability to pursue [insurance company] own interests in a subsequent lawsuit.
Furthermore, the Danish Data Protection Agency's assessment is that [insurance company] has not otherwise demonstrated that there are decisive considerations for either private or public interests, which may justify that information on complaints collected in connection with his supervision can be exempted. from the right of access pursuant to section 22 of the Data Protection Act.
The Danish Data Protection Agency thus finds that [insurance company] has also not proved that the complainant's right of access should give way to decisive considerations of public interest, including the possibility for the police to investigate a possible offense. In this connection, the Danish Data Protection Agency notes that an abstract possibility that disclosure of material will disrupt the investigation is not a decisive consideration, which may justify exceptions to the right of access.
The Danish Data Protection Agency has emphasized that a report had already been submitted to the police, which is why there was no consideration to be given to complaints e.g. did not have to know that an investigation was underway. The Danish Data Protection Agency has also emphasized that the complainant's lawyer was provided with the surveillance material by the police as a result of the police's processing of [insurance company] police report.
The Danish Data Protection Agency then finds that [the insurance company's] handling of the complainant's request for insight has not taken place in accordance with Article 15 of the Data Protection Ordinance, cf. section 22 of the Data Protection Act.
On the basis of this, the Danish Data Protection Agency finds reason to express serious criticism that [insurance company]'s handling of the complainant's request for insight has not taken place in accordance with Article 15 of the Data Protection Ordinance, cf. section 22 of the Data Protection Act.
In the decision of the case, the Danish Data Protection Agency has noted that [insurance company] has subsequently handed over the monitoring material to [law firm], and that [law firm] in a letter of 4 January 2021 to [insurance company] has confirmed that the monitoring material has been received.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).
[2] Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).
[3] Bill no. 68, FT 2017/18, comments on section 22 of the bill
[4] Bill no. 68, FT 2017/18, comments on section 22 of the bill.