Datatilsynet (Denmark) - 2020-31-4131

From GDPRhub
Revision as of 16:38, 6 December 2023 by Ar (talk | contribs) (Ar moved page Datatilsynet - 2020-31-4131 to Datatilsynet (Denmark) - 2020-31-4131)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet - 2020-31-4131
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 2(1) GDPR
Article 2(2)(c) GDPR
Article 32(1) GDPR
§23 The Danish Act on Parental Responsibility (Forældreansvarsloven)
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published: 04.03.2021
Fine: None
Parties: Orienteringsret.dk
National Case Number/Name: 2020-31-4131
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Tetyana Porokhonko

On 4 March 2021, the Danish DPA (Datatilsynet) published its decision regarding usage of website Orienteringsret.dk. The DPA found that parents use the website in the course of a purely personal/family activity, and thus the processing of personal data fall outside the scope of the GDPR.

Additionally, the DPA in its decision addressed a number of the website´s security issues and found any grounds to establish that Orienteringsret.dk had failed to implement appropriate security measures in accordance with the Article 32 of the GDPR.


English Summary

Facts

On 22 October 2020, a complainant submitted a complain to the DPA regarding processing of her children information on the website Orienteringsret.dk. A request for data was initiated by the children's father via Orienteringsret.dk.

Orienteringsret.dk. provides a possibility to parents without custody to contact more than 4,000 authorities, institutions, schools, etc. in order to obtain information about their children pursuant to §23 of the Parental Responsibility Act.

The complainant argued that Orienteringsret.dk. (a) had an unauthorized access to the civil registration system (CPR); (b) sent her children personal information via unsecured communication channel to a number of irrelevant public institutions and private entities; (c) failed to identify person who made the request, (d) used an insecure website address (http), (e) included misleading information in its email and (f) provided a service that might be used for harassment.


Dispute

The DPA considered whether the GDPR provisions apply to processing carried out by parents when sending a request via website Orienteringsret.dk.

The DPA assessed if the Orienteringsret.dk activities fall under the scope of the GDPR and the website must implement appropriate security measures according to the Article 32.

Holding

The DPA found that the parents´ activities on website Orienteringsret.dk has a purely personal or family characteristics, hence the processing of personal data is not covered by the GDPR, according to Article 2(2)(c) of the GDPR.

However, the DPA concluded that Orienteringsret.dk provides the means for processing personal data for such activities (recital 18 of the GDPR) and therefore, the website must operate according to the GDPR requirements. The DPA examined Orienteringsret.dk security measures and concluded that it was unable to find that Orienteringsret.dk had failed to implement appropriate security measures in accordance with the Article 32 of the GDPR.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Parent's use of Orienteringsret.dk
Published 04-03-2021
Decision

The Danish Data Protection Agency has received a number of inquiries and complaints about the website Orienteringsret.dk. The Danish Data Protection Agency has now made a decision in the first appeal case, where the Authority, among other things, found that a parent's use of the website occurred as part of a purely personal activity.Journal number: 2020-31-4131
Summary
The website Orienteringsret.dk makes it possible for a parent who does not have parental authority to send out requests for information about the child's relationship with schools, institutions, authorities, etc. This can be done, cf. the Parental Responsibility Act.
In a case where the father of two children had used Orienteringsret.dk, the children's mother subsequently complained to the Danish Data Protection Agency that Orienteringsret.dk passed on information about custody
and social security number for a large number of schools, authorities, institutions, etc. The mother stated, among other things, that the website did not meet the requirements for adequate security in a number of areas.
The Danish Data Protection Agency initially found that the father's request for information was made as part of a purely personal or family activity, which is why the rules for data protection did not apply to his processing of information about the children.
However, it was the Data Inspectorate's assessment that Orienteringsret.dk should live up to the rules in the Data Protection Ordinance. In this connection, the Authority emphasized that it is clear from the introductory recitals in the preamble to the regulation that the regulation applies to the person who provides the means for processing personal data for personal or family activities.
The complaint thus gave the Danish Data Protection Agency the opportunity to assess a number of security issues regarding the processing of personal data, which was carried out by Orienteringsret.dk.
However, the Danish Data Protection Agency did not find grounds to establish that Orienteringsret.dk had not laid down appropriate security measures.
Decision
The Danish Data Protection Agency hereby returns to the case where a citizen on 22 October 2020 has complained about the processing of information about her children that takes place via the website www.orienteringsret.dk.
It appears from the case that the website was set up and run by a group of parents who identify themselves on the website under the name ‘Orienteringsret.dk’. The Danish Data Protection Agency has understood the citizen's inquiry as a complaint about:

that Orienteringsret.dk has passed on her children's confidential information, including information about custody and social security number,
that Orienteringsret.dk uses an insecure website address (http),
that Orienteringsret.dk submits confidential information unencrypted and encourages responding to ordinary unsecured e-mail,
that Orienteringsret.dk has an unauthorized access to the civil registration system or similar,
that Orienteringsret.dk does not secure the identity of the person using the service, and
that the e-mails sent from Orienteringsret.dk may give the impression that they have been sent by the Family Court.

The Danish Data Protection Agency has also noted that complainants have drawn attention to the fact that the website is used for harassing behavior, and that the website - through the exclusion method - circumvents the protection of children who may live in hidden conditions.
Decision
The Danish Data Protection Agency should first note that for the processing of personal data initiated by the children's father, the Authority is of the opinion that the Data Protection Regulation [1] does not apply in accordance with Article 2 (1) of the Regulation. 2, letter c, as the treatment in question of information about the complainant's children must be regarded as a treatment carried out as part of purely personal or family activities.
However, the Data Inspectorate is of the opinion that Orienteringsret.dk is covered by the scope of the Data Protection Ordinance, as Orienteringsret.dk provides the means for processing personal data for personal or family activities, which is why Orienteringsret.dk must comply with the rules on e.g. data protection.
However, the Danish Data Protection Agency has not found grounds to establish that Orienteringsret.dk has not laid down appropriate security measures, cf. Article 32 of the Data Protection Ordinance, in connection with the processing of information that takes place as part of Orienteringsret.dk providing the funds for requests for on behalf of parents, cf. section 23 of the Parental Responsibility Act.
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
2.1.
It appears from the case that the website www.orienteringsret.dk is a free privately run service without gain, earnings or business-oriented purposes in general, which parents without custody can make use of to contact about 4,000 authorities, regions, municipalities, schools, etc. to obtain information about their children pursuant to section 23 of the Parental Responsibility Act. In that case, the parents must enter a number of information, including name, address, e-mail address and the child's full name in a form on the website, after which e-mails are sent via the website. to the recipients chosen by that parent.
It also appears from the website that authorities and institutions are obliged to provide information on the child's situation, cf. section 23 of the Parental Responsibility Act, but only if the parents actively contact themselves. Parents are therefore required to contact each institution, authority, school, etc. themselves. to investigate whether the child should have had contact with the individual places and to receive a status of how the child thrives in that place. In continuation of this, it appears from the website that it quickly becomes an unmanageable - and impossible - task when parents do not know if the child has had contact with the place at all.
Finally, it appears from the website that the information entered is only used in connection with the submission of the request, cf. the Parental Responsibility Act. In this connection, it appears, among other things. of the website that Orienteringsret.dk only uses the parents' information for transmission to the respective authorities, and that Orienteringsret.dk deletes all information when the respective e-mails have been sent out.
2.2.
In the complainants' inquiry to the Danish Data Protection Agency, the complainants have attached an e-mail sent by Orienteringsret.dk. The e-mail states that it was sent at the request of the children's father, and that pursuant to section 23 of the Parental Responsibility Act, a request is made that a briefing be given regarding one of their joint children. Please send the information to the parent via e-mail or e-Box. The e-mail is "signed" by Orienteringsret.dk. In continuation of the request itself in the e-mail, an explanatory text section follows, where information is provided about the background for the sending of the e-mail, including that the e-mail takes care of a uniform request across authorities and institutions. Finally, the e-mail refers to the Family Court with regard to questions of legal authority and rights.
Complainants have i.a. stated that Orienteringsret.dk has forwarded her children's confidential information, including information on custody and social security number to thousands of irrelevant administrative bodies and private practitioners, etc., and that the service sends unsafe messages in violation of data protection legislation.
Complainants have further stated that Orienteringsret.dk has an unauthorized access to the civil registration system or similar, as the applicant does not enter anything other than name and address, but the service still provides the social security number of both parent and child.
Furthermore, the complainants have stated in their complaint that Orienteringsret.dk does not ensure the identity of the person who fills in the form on www.orienteringsret.dk.
In the complainants' inquiry to the Danish Data Protection Agency, the complainants have also stated that the e-mail from Orienteringsret.dk may give the impression of having been sent by the Family Court.
In addition, complainants have stated that the service is used for harassing behavior that has nothing to do with the desire for the legitimate right to information. In the complainant's own case, the father is aware of where the children are and which school they go to. He could thus have contacted the specific school himself, but instead used the opportunity to create as much unrest as possible around the children.
3. Justification
3.1.
On the basis of the information in the case, the Danish Data Protection Agency assumes that the processing of information about the complainant's children, which has taken place via the website www.orienteringsret.dk, is facilitated by the children's father. In this connection, it must be assumed that he has also decided who will receive the information entered.
According to Article 2 (1) of the Data Protection Regulation, 1, applies to the processing of personal data carried out in whole or in part by means of automatic data processing, and to other non-automatic processing of personal data which is or will be contained in a register.
However, the Data Protection Regulation does not apply to the processing of personal data carried out by a natural person in the context of purely personal or family activities, in accordance with Article 2 (1). 2, letter c.
The decisive factor in determining whether the processing of personal data by private individuals falls outside the scope of the data protection rules is whether processing is carried out for the purpose of carrying out purely personal or family activities. These must be ordinary and legitimate private interests. An example of such a treatment activity that constitutes a personal activity is i.a. an inquiry by a private person to a public authority in a case which concerns the person himself or his family.
It is the Data Inspectorate's assessment that the father's processing of the information in question about their joint children has been carried out as part of a purely personal and family activity, and that the data protection rules therefore do not apply. In this connection, it is the Data Inspectorate's assessment that the processing that has taken place via the website www.orienteringsret.dk has been initiated by the danger and has only taken place on behalf of the danger.
The Danish Data Protection Agency has also emphasized that, in the Authority's view, it must be free to choose how it will send its request under the Parental Responsibility Act, including whether it will use a third party, e.g. Orienteringsret.dk, to handle the communication with the respective authorities.
Following this, the Danish Data Protection Agency finds that Orienteringsret.dk has only provided the funds for the treatment activity, which consists of the father having contacted authorities, schools, institutions, etc.
3.2.
It is clear from recital 18 in the preamble to the Data Protection Regulation that the Regulation also applies to data controllers or data processors who provide the means for processing personal data for personal or family activities. In this connection, the Danish Data Protection Agency is of the opinion that Orienteringsret.dk is covered by the scope of the Data Protection Ordinance, which is why Orienteringsret.dk must observe the rules on e.g. data protection.
It follows from Article 32 (1) of the Data Protection Regulation 1, that data controllers and data processors, taking into account i.a. the nature, scope, coherence, purpose and risks of the treatment implement appropriate technical and organizational measures to ensure an appropriate level of safety. This includes a requirement that the data controller must ensure that personal data does not come to the knowledge of unauthorized persons.
In continuation of this, the Danish Data Protection Agency has chosen, on its own initiative, to investigate a number of security issues concerning the website www.orienteringsret.dk.
For information, the Danish Data Protection Agency may state that the Authority has in this connection found that the website uses the protocol "https", ie an encrypted version of "http", which is why the website does not immediately appear insecure. The Danish Data Protection Agency has also been able to establish that www.orienteringsret.dk supports TLS encryption during the transmission of information.
With regard to the question of a possible unauthorized access to the civil registration register, the Danish Data Protection Agency has not found grounds to assume that Orienteringsret.dk should have such access. In this connection, the Danish Data Protection Agency notes that it has previously been possible to provide social security numbers by filling in the form on the website, but that this is no longer possible.
On the basis of what the complainants in their inquiry to the Authority stated that Orienteringsret.dk does not ensure the identity of the person who fills in the form on www.orienteringsret.dk, the Data Inspectorate has had occasion to assess whether this in itself implies a unnecessary risk that information is disclosed to unauthorized persons, including Orienteringsret.dk. However, the Authority has noted that it appears from the e-mail sent by Orienteringsret.dk that answers to the request must be sent to the parent's e-mail or e-Box. The Authority must also note that public authorities as well as private companies and institutions have an independent responsibility to ensure that information is not sent to the wrong recipient.
As mentioned above, the complainants have in their complaint to the Danish Data Protection Agency further stated that the e-mail from Orienteringsret.dk may give the impression of having been sent by the Family Court. However, after an overall assessment of the e-mail in question, the Danish Data Protection Agency does not find that the referral contained in the Family Court entails an unnecessary risk that information may come to the knowledge of unauthorized persons. In this connection, the Danish Data Protection Agency has, among other things, emphasized that the request in accordance with the Parental Responsibility Act has been "signed" by Orienteringret.dk, that it is clear from the e-mail that it was sent at the instigation of the father, and that the reference to the Family Court does not appear from the "main text" in the e-mail, but only by an attached accompanying text, which in the Data Inspectorate's opinion is more in the nature of an expression of opinion, and which is included for e.g. to draw the recipient's attention to the fact that information on relevant legal rules can be obtained by contacting the Family Court.
The Danish Data Protection Agency has thus not been able to establish that Orienteringsret.dk has not laid down appropriate security measures, cf. Article 32 of the Data Protection Ordinance, in connection with the processing of information that takes place as part of Orienteringsret.dk providing the means for requests, cf. 23, on behalf of parents.
3.3.
With regard to the complainant's remarks that the service is used for harassing behavior and that the service - through the exclusion method - circumvents the protection of the children who may live in hidden conditions, it is the Data Inspectorate's assessment that these conditions - in the specific case - do not has such a data protection nature that the supervisory authority can take a more detailed position on the issues.
Appendix: Legal basis
Extract from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Regulation on data protection).
Article 2, paragraph This Regulation shall apply to the processing of personal data carried out in whole or in part by means of automatic data processing and to other non-automatic processing of personal data which are or will be contained in a register.
PCS. 2. This Regulation shall not apply to the processing of personal data:
[…]

carried out by a natural person as part of purely personal or family activities

[…]
Article 4. For the purposes of this Regulation:

'Personal data' means any information relating to an identified or identifiable natural person ('the data subject'); identifiable natural person means a natural person who can be directly or indirectly identified, in particular by an identifier such as a name, identification number, location data, online identifier or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
'Processing' means any activity or series of activities - with or without the use of automatic processing - to which personal data or a collection of personal data are subjected, e.g. collection, registration, organization, systematization, storage, adaptation or modification, retrieval, search, use, disclosure by transmission, dissemination or any other form of transfer, compilation or interconnection, restriction, deletion or destruction;

[…]

'Data controller' means a natural or legal person, a public authority, an institution or any other body which, alone or in conjunction with others, decides for what purposes and by what means the processing of personal data may be carried out; if the purposes and means of such processing are laid down in Union or national law of the Member States, the controller or the specific criteria for designating it may be laid down in Union or national law of the Member States;
'Data processor' means a natural or legal person, a public authority, an institution or any other body which processes personal data on behalf of the data controller;

[…]
Article 32. Taking into account the current state of the art, the cost of implementation and the nature, scope, coherence and purpose of the processing concerned, as well as the risks of varying probability and seriousness of natural persons' rights and freedoms, the controller and processor shall take appropriate technical and organizational measures to ensure level of safety appropriate to these risks, including as appropriate:

pseudonymization and encryption of personal information
ability to ensure lasting confidentiality, integrity, availability and robustness of treatment systems and services;
ability to timely restore the availability of and access to personal data in the event of a physical or technical incident;
a procedure for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure treatment security.

PCS. 2. In assessing the appropriate level of security, particular account shall be taken of the risks posed by processing, in particular in the event of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or on otherwise treated.
PCS. Compliance with an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element to demonstrate compliance with the requirements of paragraph 1 of this Article. 1.
PCS. The Data Controller and the Processor shall take steps to ensure that any natural person performing work for the Data Controller or Processor who accesses personal data shall only process it on the instructions of the Data Controller, unless processing is required under EU the law or the national law of the Member States.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).