Datatilsynet (Denmark) - 2021-432-0056

From GDPRhub
Datatilsynet - 2021-432-0056
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 28(3)(a) GDPR
Article 36 GDPR
Article 36(1) GDPR
Article 36(2) GDPR
Article 58(2)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started: 01.09.2022
Decided: 08.09.2022
Published: 08.09.2022
Fine: n/a
Parties: Aarhus municipality
National Case Number/Name: 2021-432-0056
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Rie Aleksandra Walle

The Danish DPA ordered Aarhus municipality, amongst other things, to change their data processing agreement with Google and bring all third country transfers in line with the GDPR, following the DPA's most recent Helsingor decision.

English Summary[edit | edit source]

Facts[edit | edit source]

Following the Danish DPA's (Datatilsynet) decisions (from September 2021 as well as July and August 2022) related to Helsingor municipality's processing of personal data using Google products and services, Aarhus municipality reassessed their risk assessment during August 2022. On 1 September, they sent the DPA a request for consultation as per Article 36 GDPR along with the relevant documentation, as they were using the same processing setup (Google, Google Chromebooks, Google Workspace for Education).

Holding[edit | edit source]

Based on the documentation submitted, the DPA found that the processing activities entailed a high risk for the data subjects' rights and freedoms that could not be mitigated, and referred to Article 36(1) GDPR and Article 36(2) GDPR.

The DPA ordered the municipality to:

  • Change the data processing agreement with Google so that the DPA's remarks in their 14 July and 18 August decisions to Helsingor municipality, are implemented. This includes, at a minimum, a clarification of where and if Google acts as a sole controller and any uncertainties that may entail that Google acts beyond their role as a processor, see Article 28(3)(a) GDPR.
  • Document that all transfers of personal data to insecure third countries, are in line with the GDPR.
  • Describe all data flows and identify the personal data that are shared with the vendor, and clarify when the vendor acts as a sole or joint controller. This documentation must include the whole technology stack used by the municipality (for this processing activity).
  • Update their data protection impact assessment based on all identified risks.
  • Consult the DPA if the DPIA shows any high risks the municipality is not able to mitigate.
  • If any processing activities are still not in line with the GDPR before the DPA's deadline 3 November 2022, present a final plan for bringing them in line with the GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Regarding Aarhus Municipality's processing of personal data.

Date: 08-09-2022

Decision Public authorities Order Processing security Basic principles Children Risk assessment and impact analysis

1. Decision

The Danish Data Protection Authority notifies Aarhus Municipality of an order to amend the existing agreement with the data processor in such a way that the matters mentioned in the Danish Authority's decisions of 14 July and 18 August 2022, in relation to Helsingør Municipality, as well as the material, Aarhus Municipality has forwarded on 1 September 2022, and which derives from the overall basis of the agreement with the supplier, is brought into line with the data protection regulation. This includes, as a minimum, a clarification of the places where the "data processor" acts as an independent data controller, as well as for what purposes, the support situations that the municipality no longer uses, and ambiguities in the contract text that create uncertainty about the data processor's actions in addition to the rule in the article of the data protection regulation 28, subsection 3, letter a. In addition, all intended transfers to unsafe third countries must documentably comply with the data protection regulation.

The Danish Data Protection Authority further informs Aarhus Municipality of an order to describe the data flows that take place and identify the personal data that is passed on to the supplier, and makes it clear when the latter acts as an independent or shared data controller. The documentation must include the entire technology stack that Aarhus Municipality uses for the treatment.

The Danish Data Protection Authority further orders Aarhus Municipality to draw up an updated impact analysis based on all the risks that the municipality has identified during the documentation process, if it turns out that – in addition to those for which the Article 36 procedure has now been requested – there are additional high, not mitigable high risks, the order also includes consultation with the Danish Data Protection Authority pursuant to Article 36.

Finally, the Data Protection Authority orders Aarhus Municipality to present a final time-bound plan for the legalization of any processing that has not been able to be legalized before the deadline for the orders, which is set for 3 November 2022. The Data Protection Authority expects to receive documentation for compliance with the orders before the set date.

The orders have been notified in accordance with the data protection regulation, article 58, subsection 2, letter d.

Failure to comply with an order can - unless a higher penalty is due - be punished with a fine or imprisonment for up to 6 months, cf. section 41, subsection of the Data Protection Act. 2, No. 4.

2. Case presentation

On 1 September 2022, Aarhushus Municipality sent a request for consultation to the Data Protection Authority.

3. The municipality's comments

Aarhus Municipality's letter of 1 September 2022, with a request for Article 36 procedure.

Update of case 2021-432-0056, as well as request for hearing, cf. Article 36

Updating material

Aarhus Municipality has through August 2022, based on the Data Protection Authority's decision regarding Helsingør Municipality's use of Google Workspace for Education, reassessed the risk assessment for Aarhus Municipality's use of the same.

We hereby forward, as agreed with Allan Frank, the updated documentation so that Aarhus Municipality's case 2021-432-0056 can be updated in relation to The Norwegian Data Protection Authority's handling of it.

The updated material is attached in the form of:

Appendix 15 - Policies-cb.json.covered_personalinfo.pdf Appendix 16 Risk assessment - impact analysis - Workspace for Education Updated August 2022.xlsx Response to the Danish Data Protection Authority's consultation regarding the use of Google Chromebooks - updated August 2022.pdf Answers to questions about third country transfers in relation to case 2021- 432-0056 - updated August 2022.pdf

It applies to the last three files, which are updates of previously submitted material, that all updates made in August 2022 appear in red text for quick identification.

Article 36 consultation

In connection with the reassessment of our risk assessment, there is, in the light of the Helsingør decision, and a review of the Dutch Data Protection Authority's documents regarding the solution, identified a number of matters where Aarhus Municipality considers that we need a dialogue with the Data Protection Authority, cf. Article 36 of the Data Protection Regulation regarding hearing.

Article 36 paragraph 3's requirement for the submission of information is hereby made through the above updated Appendix 16, in which Aarhus Municipality's model for risk assessment/consequence analysis contains a description of the distribution of responsibilities (letter a), the purpose of the processing and aids (letter b), measures and guarantees (letter c) and impact analysis (letter e). Regarding letter d's requirement for the data protection adviser's contact details, Aarhus Municipality, as described in the impact assessment, is currently without an appointed DPO. The function is carried out, as agreed by telephone with the Data Protection Authority, by the Mayor's Department (Aarhus Municipality), and the contact details are databeystelltsraadgiver@aarhus.dk and tel. 89402000.

Below are the risks from the risk assessment/consequence analysis (see Appendix 16 Risk assessment - impact analysis - Workspace for Education - Updated August 2022.xlsx), where either in the solution, or in the basis of the agreement (data processing agreements, terms of service etc.), there are conditions where in our assessment, there is a high risk for those registered and where we have simultaneously failed to implement an appropriate measure, or change the basis of the agreement with the data processor, in order to reduce the high risk, and where Aarhus Municipality is therefore asking for the Data Protection Authority's advice.



[Here part of the documentation is omitted]

Concluding remarks

Aarhus Municipality is ready, cf. article 36, subsection 3, letter f, to supplement the forwarded material with any additional information the Data Protection Authority may request, including entering into a clarifying dialogue.

4. Aarhus Municipality's risk assessment

See Appendix 2.

5. Aarhus Municipality's impact analysis

[Here part of the documentation is omitted]

In addition, Aarhus has forwarded their risk assessment. This is attached to the decision as Appendix 2.

6. Reason for the Data Protection Authority's decision

The Danish Data Protection Authority finds, in accordance with Aarhus Municipality's own comments in the request of 1 September 2022, that the processing in question involves a high risk for the rights of the data subjects, which cannot be reduced cf. the data protection regulation, article 36, subsection 1.

The Danish Data Protection Authority finds that several of the treatments themselves are not in accordance with the data protection regulation, and that other treatments have not been sufficiently identified or the risk has been limited to the necessary extent. The Norwegian Data Protection Authority therefore notes that the conditions for the Danish Data Protection Authority's advice pursuant to Article 36, subsection 2, is present.

The Danish Data Protection Authority also states that for those treatments that have not been sufficiently identified, or that have had the risk limited to the necessary extent, rapid legalization must take place. The Norwegian Data Protection Authority considers that it is necessary to ensure the necessary progress in such legalization. The supervisory authority has therefore decided on the outstanding points to issue a number of orders with a shorter deadline in accordance with the data protection regulation, article 58, subsection 2, letter d.

In addition, the Danish Data Protection Authority has attached importance to creating the possibility that Aarhus Municipality, together with other data responsible municipalities that process personal data similar to that of Aarhus Municipality, can collectively go to the data processor and the supplier and obtain a final legal solution that covers all .

Against this background, the Danish Data Protection Authority states:

The Danish Data Protection Authority notifies Aarhus Municipality of an order to amend the existing agreement with the data processor in such a way that the matters mentioned in the Danish Authority's decisions of 14 July and 18 August 2022, in relation to Helsingør Municipality, as well as the material, Aarhus Municipality has forwarded on 1 September 2022, and which derives from the overall basis of the agreement with the supplier, is brought into line with the data protection regulation. This includes, as a minimum, a clarification of the places where the "data processor" acts as an independent data controller, as well as for what purposes, the support situations that the municipality no longer uses, and ambiguities in the contract text that create uncertainty about the data processor's actions in addition to the rule in the article of the data protection regulation 28, subsection 3, letter a. In addition, all intended transfers to unsafe third countries must documentably comply with the data protection regulation.

The Danish Data Protection Authority further informs Aarhus Municipality of an order to describe the data flows that take place and identify the personal data that is passed on to the supplier, and makes it clear when the latter acts as an independent or shared data controller. The documentation must include the entire technology stack that Aarhus Municipality uses for the treatment.

The Danish Data Protection Authority further orders Aarhus Municipality to draw up an updated impact analysis based on all the risks that the municipality has identified during the documentation process, if it turns out that – in addition to those for which the Article 36 procedure has now been requested – there are additional high, not mitigable high risks, the order also includes consultation with the Danish Data Protection Authority pursuant to Article 36.

Finally, the Data Protection Authority orders Aarhus Municipality to present a final time-bound plan for the legalization of any processing that has not been able to be legalized before the deadline for the orders, which is set for 3 November 2022. The Data Protection Authority expects to receive documentation for compliance with the orders before the set date.

The orders have been notified in accordance with the data protection regulation, article 58, subsection 2, letter d.

Failure to comply with an order can - unless a higher penalty is due - be punished with a fine or imprisonment for up to 6 months, cf. section 41, subsection of the Data Protection Act. 2, No. 4.

The Norwegian Data Protection Authority also reserves the right to use additional powers pursuant to Article 58, subsection of the Data Protection Regulation. 2, for conditions described in the request and otherwise presented material, when Aarhus Municipality has presented final documentation which fully explains the legality of the processing and risks for the rights and freedoms of the data subjects. In addition, the above-mentioned conditions may also be subject to sanctions under Section 41 of the Data Protection Act.