Datatilsynet (Denmark) - 2021-431-0142

From GDPRhub
Revision as of 08:51, 6 October 2021 by FA (talk | contribs) (Minor grammar changes + edited links to articles within wiki)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Datatilsynet (Denmark) - 2021-431-0142
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 12(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided: 21.09.2021
Published:
Fine: None
Parties: Falck Danmark A/S
National Case Number/Name: 2021-431-0142
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish DPA recommended that a company involved in rapid COVID-19 testing of children aged 12 or over should provide processing information through booklets or pamphlets directly aimed at children.

English Summary

Facts

The Danish DPA investigated a company's compliance with the GDPR information obligations. The company processed personal data in relation to rapid COVID-19 testing of children aged 12 or above in primary school. Information about the processing could be found in a privacy policy that had been forwarded to both the data subjects (the children) as well as their guardians through a digital communications platform used by the schools. The company had also attached an invitation to read the privacy policy.

Holding

The DPA had to assess whether the controller had fulfilled its information obligations under Article 13(1)(a-f) GDPR and Article 13(2) GDPR. The DPA first noted that pursuant to Artilcle 12(1) GDPR, the information must be given in a "concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child".

The DPA held that the privacy policy contained all the information the controller had to provide. Furthermore, the DPA found that using a digital communications platform was sufficient to fulfil the information obligations. The DPA therefore found no violation of the GDPR. However, the DPA recommended that the controller prepares information more directly aimed at children, both in form and content.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Supervision of observance of the duty to provide information during rapid tests in primary and lower secondary school
Date: 21-09-2021
Decision

The Danish Data Protection Agency has investigated Falck Danmark A / S 'observance of the duty to provide information when processing personal data in connection with COVID-19 rapid tests of pupils over the age of 12 in primary school. The conclusion is that Falck complies with the rules, but the Authority recommends that information targeted at children be prepared.

Journal number: 2021-431-0142.
Summary
According to the GDPR, children and young people are entitled to special protection of their data, as they are often less aware of the risks, consequences and guarantees and of their rights in the processing of personal data.
In continuation of the Danish Data Protection Agency's supervision of Covid-19 test providers earlier this year, the Danish Data Protection Agency therefore chose in June to supervise Falck Danmark A / S 'compliance with the duty to provide information when processing personal data. This happened in connection with the COVID-19 rapid test of pupils over the age of 12 in primary school.
The Danish Data Protection Agency found that Falck Danmark A / S 'observance of the duty to provide information was in accordance with the rules, but noted that it would be appropriate to prepare a booklet or posters, which in form and content are aimed at children.
Decision
Following a review of Falck Danmark A / S 'statement of 16 June 2021, the Danish Data Protection Agency finds that Falck Danmark A / S' processing of personal data has taken place within the framework of the Data Protection Ordinance [1], cf. Article 12 (1). 1 and Article 13.
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
On 3 June 2021, the Danish Data Protection Agency requested Falck Danmark A / S to state how Falck Danmark A / S ensures that the students and / or the students' parents are made aware of how Falck Danmark A / S processes information about the students.
On 16 June 2021, Falck Danmark A / S issued a statement on the matter.
2.1. Falck Danmark A / S ’comments
Falck Danmark A / S has generally stated that the company communicates its privacy policy - which constitutes Falck Danmark A / S 'notification of the data subjects in accordance with Article 13 of the Data Protection Ordinance - via five different procedures to ensure that both students and students' parents are made aware of the processing of information about students, including through the forms of communication commonly used by the relevant schools.
Falck Danmark A / S 'privacy policy is, among other things, available in physical copies at all test locations, including test areas at all primary and lower secondary schools, where Falck Danmark A / S conducts COVID-19 rapid tests. The privacy policy is freely available at the registration desk at the individual locations, marked with a sign that intends to encourage the student to orientate themselves in the policy.
In addition, Falck Danmark A / S 'privacy policy is available in digital version via scanning of QR code, which is available on posters and signs at all test locations, including test areas at all primary schools, where Falck Danmark A / S conducts COVID-19 rapid tests. Students can thereby gain direct access to the privacy policy, by scanning the QR code with their mobile phone.
The privacy policy is also communicated to the students 'parents via the relevant municipalities, which have ensured the distribution of links to digital versions of the policy via the schools' digital communication platforms such as Aula, Skoleintra and the like. Links to the privacy policy are here supplemented by text with an invitation to orientate oneself in the policy.
It is further stated that from 16 June 2021, Falck Danmark A / S expected to convey the privacy policy to students and / or parents via a direct link to the policy in the text message sent to the telephone number or numbers given at registration, immediately after registration has taken place. The link in the text message is supplemented by a text with an invitation to orientate oneself in the policy.
Finally, the privacy policy is directly accessible to everyone in digital version on Falck Danmarks A / S 'website.
Justification for the Danish Data Protection Agency's decision
3.1.
It follows from Article 13 (1) of the Data Protection Regulation 1, that if personal data has been collected from the data subject, the data controller shall, at the time when the personal data is collected, provide the data subject with a number of information, which appears from letter a-f of the provision. In addition to the information referred to in paragraph In accordance with Article 13 (1) of the Regulation, the data controller shall provide the data subject with a range of information necessary to ensure fair and transparent processing of the data subject in accordance with Article 13 (1) of the Regulation. 2.
The fact that the data controller must provide the information to the data subject means that the data controller must take active steps to provide the information, and it will therefore not be sufficient to have the information on a website or similar, where it is left to the data subject to find until the information.
It also follows from Article 12 (1) of the Data Protection Regulation Article 13 (1) requires the data controller to provide any information as covered by Article 13 in a concise, transparent, easily understandable and easily accessible form and in a clear and simple language, in particular when information is specifically directed at a child.
3.2.
The Danish Data Protection Agency finds that Falck Danmark A / S 'privacy policy - which constitutes notification pursuant to Article 13 of the Data Protection Ordinance - contains the information that appears in Article 13 (1) of the Data Protection Ordinance. 1 and 2.
With regard to the way in which the notification is to take place, the Danish Data Protection Agency finds that a solution where the privacy policy is only available to the students - either in physical copy or via scanning of the QR code - is not in itself sufficient to constitute a compliance with the obligation to provide information pursuant to Article 13 of the Data Protection Regulation.
Taking into account that the persons in question are between 12 and 15 years of age, the Danish Data Protection Agency is of the opinion that the duty to provide information must also be fulfilled in relation to the holder of parental responsibility.
Falck Danmark A / S has stated that the privacy policy will be communicated to the students 'parents via the schools' digital communication platforms, followed by an invitation to orientate themselves in the privacy policy.
As Falck Danmark A / S observes the duty to provide information to both students and their parents, the Danish Data Protection Agency finds that Falck Danmark A / S 'observance of the duty to provide information in the specific case is within the framework of Article 13 of the Data Protection Ordinance, cf. 1.
In this connection, the Danish Data Protection Agency notes that Falck Danmark A / S is responsible for ensuring that the schools disseminate the information to the parents, and Falck Danmark A / S should therefore ensure that the schools have taken active steps to disseminate the privacy policy to the parents.
The Danish Data Protection Agency also notes that, in the Authority's opinion, it would be appropriate to prepare a booklet or posters which, in form and content, are aimed at children.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).