Datatilsynet (Denmark) - 2021-432-0070

Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(b) GDPR
Article 14(1) GDPR
Article 14(3) GDPR
Article 14(5)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.02.2023
Published:
Fine: n/a
Parties: Statens Serum Institute
National Case Number/Name: 2021-432-0070
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (DK) (in DA)
Initial Contributor: n/a

The Danish DPA found that a medical institute could not rely on Article 14(5)(b) GDPR to avoid fulfilling its information obligations under Article 14(1) and (4) GDPR.

English Summary

Facts

Following a citizen’s inquiry, the Danish DPA initiated an investigation regarding a medical institute’s (Statens Serum Institut or SSI) fulfillment of the obligation to provide information under Article 14(1) to 14(4) GDPR with regard to certain operations carried out by the SSI.

The SSI receives and analyses biological samples taken from patients (for example blood samples) for diagnostic analysis purposes, which is done as part of the institute's exercise of authority pursuant to Section 222 of the Danish Health Act. In addition, SSI processes other information about the person (e.g. the person’s name and ID number). After a diagnostic analysis has been carried out, the resulting excess biological material is often stored in Denmark's National Biobank for future research purposes. The SSI argued that the exception to said information obligations under Article 14(5)(b) applies, as informing individuals would require a disproportionately large effort in the form of large administrative and financial costs. The SSI's laboratory information system is over 20 years old and does not currently support automatic notifications, which means that the SSI would need to inform individuals manually.

Additionally, the SSI took the view that the concerned persons’ interests were covered by making general information about the collection available online on their websites.

With regard to storing data in the national biobank for further research purposes, the SSI argued that the processing is compliant with the GDPR, as the further processing is not considered incompatible with the original processing purposes pursuant to Article 5(1)(b) GDPR.

Holding

The Danish DPA made the assessment separately for the cases where a) the SSI receives biological samples for analysis and b) residual material is stored in the national biobank.

Firstly, the DPA considered that a balancing of interests must be done when assessing whether compliance with the obligation to provide information can be considered to require a disproportionately large effort under Article 14(5)(b) GDPR. The balance must be struck between, on the one hand, the significance of such notification and, on the other hand, the work effort of the controller that will be associated with such notification.

The DPA emphasized that the difficulties SSI had stated did not relate to challenges in identifying the data subjects due to, for example, missing or outdated contact information. Therefore, the said difficulties are not caused by the fact that SSI has not collected the information from the data subjects.

Based on an overall assessment, the DPA found that the SSI cannot fail to fulfill its obligation to provide information pursuant to Article 14(1) and 14(3) GDPR with reference to Article 14(5)(b) when receiving samples for diagnostic analysis purposes.

Secondly, the DPA considered that further processing for a new purpose, which is compatible with the original one, does not constitute an exception to the controller's information obligation. This follows from Article 14(4), which precisely regulates the controller's fulfillment of the obligation to provide information where further processing is carried out for a new and compatible purpose.

On that basis, the DPA likewise found that the SSI cannot fail to fulfill its information obligation pursuant to Article 14(4) with reference to Article 14(5)(b) in cases where residual material is stored in Denmark's National Biobank.


English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Statens Serum Institut's fulfillment of the obligation to provide information

Date: 02-02-2023

Decision, Public authorities, Supervision / self-operation case, Handled by the Data Council, Sensitive information, Obligation to disclose

The Statens Serum Institut cannot fail to fulfill its obligation to provide information on the grounds that fulfillment will require a disproportionately large effort.

Journal number: 2021-432-0070

Summary

In 2021, on the basis of a citizen's inquiry, the Danish Data Protection Authority initiated an investigation of its own operations into Statens Serum Institut's (SSI) fulfillment of the obligation to provide information in the following cases:

when SSI receives blood samples etc. from the regions for analysis, and when SSI decides to store residual material in Denmark's National Biobank.

SSI has stated in the case that, even if the institute can notify data subjects using digital or physical mail, this will require a disproportionately large effort in the form of large administrative and financial costs. In this connection, SSI has referred to, among other things, that the institute processes information about a large number of registered users, that the institute currently does not have a system that can automatically notify the registered users, and that the institute has established certain compensatory measures by providing information about the processing on its website and on Denmark's National Biobank website.

The Danish Data Protection Authority found – after processing the case in the Data Council – that SSI cannot fail to fulfill its obligation to provide information, citing that it will require a disproportionately large effort.

In this connection, the Danish Data Protection Authority emphasized, among other things, that the obligation to provide information is central to ensuring transparency when processing personal data and to creating a relationship of trust between the data controller and the data subjects.

SSI collected the information from the registrants themselves

In addition, the Danish Data Protection Authority noted that it is a prerequisite for failing to fulfill the obligation to provide information, citing that it will require a disproportionately large effort, that the disproportionately large effort is caused by or connected to the fact that the information has not been collected from the data subject. In that case, the data controller will be in a different and – depending on the circumstances – less suitable position to notify a data subject than a data controller who has collected the information directly from the data subject.

However, SSI's difficulties in fulfilling the obligation to provide information are not caused by the fact that SSI has not collected the information directly from the data subjects. The difficulties, on the other hand, are due to the fact that the institute has not currently set up its system in such a way that the process in connection with fulfilling the obligation to provide information is facilitated, for example by using automated processes.

The Danish Data Protection Authority has therefore requested SSI for an explanation of what the institute will do in order to fulfill its obligation to provide information.

SSI has subsequently requested the Danish Data Protection Authority to reopen the case with reference to a more detailed description of the resource consumption. The inquiry did not give the Danish Data Protection Authority grounds to reopen the case, and the Danish Data Protection Authority is therefore currently awaiting SSI's explanation of how the institute will fulfill its obligation to provide information going forward.

Decision

The Danish Data Protection Authority hereby returns to the case where, on 12 October 2021, based on a citizen inquiry, the Danish Data Protection Authority initiated an investigation of its own operation into the Statens Serum Institut's (hereafter "SSI") fulfillment of the obligation to provide information pursuant to the data protection regulation[1] article 14, subsection 1-4, in the following cases:

when SSI receives blood samples etc. from the regions for analysis, and when SSI decides to store residual material in Denmark's National Biobank.

It should be noted that this decision does not concern SSI's fulfillment of the obligation to provide information in extraordinary situations such as, for example, during the covid-19 pandemic.

1. Decision

The Danish Data Protection Authority finds – after the case has been dealt with by the Data Council – that SSI cannot fail to fulfill its obligation to provide information pursuant to Article 14, subsection 1-3, of the Data Protection Regulation, with reference to Article 14, subsection 5, letter b, in cases where SSI receives samples for analysis.

Furthermore, the Danish Data Protection Authority finds that SSI cannot fail to fulfill its obligation to provide information pursuant to Article 14, subsection 4, with reference to Article 14, subsection 5, letter b, in cases where SSI stores residual material in Denmark's National Biobank.

Based on this, the Danish Data Protection Authority must request SSI for an explanation of what the institute will do in order to fulfill the provisions of Article 14. The Danish Data Protection Authority must request this statement within 3 months from today's date.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

SSI has stated that SSI functions as the country's central laboratory for diagnostic analyses. This means that SSI carries out species identification and characterization of various biological samples taken from patients, which is done as part of the institute's exercise of authority pursuant to Section 222 of the Health Act and is specified in a terms of reference. The commission forms the framework for the professional council regarding the organization of microbiological diagnostics.

When SSI is sent a biological sample taken from a citizen, this is done with a view to examining for microorganisms (viruses, fungi, bacteria and pesticides). In addition, SSI processes information about the citizen's name, CPR number, doctor, etc., and the test may contain information about the citizen's state of health. If the sample contains human tissue, it will also contain information about the citizen's genetic material and genetic condition. However, such information will require a special analysis, which SSI does not carry out when the sample is only analyzed for the purpose of diagnosis. If the healthcare professional who has requested the analysis submits relevant information about the citizen's state of health, this information will also be processed by SSI.

SSI has also stated that when a diagnostic analysis has been carried out, there will often be excess biological material which will be stored in Denmark's National Biobank for future research. The storage of the residual material takes place pursuant to Section 10 of the Data Protection Act[2]. SSI has stated that the purposes of the storage of the residual material are (i) to avoid that an invaluable resource for future research is thrown away and (ii) to enable and support statistical and scientific research of significant societal importance. Denmark's National Biobank will be able to pass on biological material from the biobank to other researchers to enable research of significant societal importance. Disclosure to external researchers takes place on the basis of a permit from the Danish Data Protection Authority and an approval of the research project from the Scientific Ethics Committee.

The remaining material in the biobank is stored until the time when the material no longer has statistical or scientific value. If a citizen is not interested in their biological material being used for research, the citizen can register in the Tissue Use Register. Denmark's National Biobank checks whether the citizen appears in the Tissue Use Register before the biobank decides whether the remaining material can be handed over to research projects. The biological material is thus only handed over if the person in question is not registered in the Tissue Use Register.

In its explanation of how Article 14 is fulfilled, SSI has distinguished between the cases where samples are received for analysis and the cases where residual material is stored in Denmark's National Biobank.

2.1. Samples for diagnostic analysis

SSI has stated that the exception provision in the data protection regulation's article 14, subsection 5, letter b, applies when biological samples are received for analysis, as fulfilling the obligation to provide information will require a disproportionately large effort.

In this connection, SSI has emphasized that the institute analyzes more than 500,000 samples annually (which during the covid-19 pandemic increased to more than 50,000,000 samples annually). Individual notification to each individual citizen will entail a disproportionately large administrative burden, as some of the notifications will be able to be sent via e-Boks, while others will have to be sent by physical post, as certain citizens cannot receive digital mail.

SSI's laboratory information system was established in 1999/2000 and currently does not support automatic notification to the registered person. According to SSI, developing an automated solution for notification will require a new IT solution. SSI wants to replace the current laboratory information system and is in the process of clarifying e.g. the financing of the project, including whether SSI must develop the system itself or whether it must be delivered by an external supplier. Regardless of how the system is delivered, there will be a process to ensure data protection through design and default settings.

Furthermore, SSI has stated that a more or less manual notification of the registered will entail a not inconsiderable financial burden for the institute. However, SSI is aware that financial considerations, including usual expenses for letters, postage, etc., do not in themselves imply that notification to the registered can be considered impossible or as requiring a disproportionately large effort.

In connection with the assessment of the applicability of the regulation's article 14, subsection 5, letter b, SSI has also emphasized that the scope of information about the individual citizen is not large quantitatively and consists of CPR number, the biological sample, applicant and analysis result.

Furthermore, SSI has emphasized that the institute provides general information on its website about its processing of personal data in various situations, including when a sample is analyzed at SSI, cf. section 2.2 below. It is also possible for the citizen to access information about the performing laboratory for each individual test via the self-service at sundhed.dk. The healthcare professional who has requested the analysis or taken the sample will also be able to state where the sample is analysed, including in accordance with Article 13 of the Data Protection Regulation.

Finally, SSI has stated that in certain cases there may be a statutory duty to send samples to the institute. In that case, the exception in the regulation's article 14, paragraph 5, letter c, applies.

2.2. Storage of residual material in Denmark's National Biobank

As far as information to the registered about the storage of residual material from diagnostic samples in Denmark's National Biobank is concerned, SSI has stated that the exception in the data protection regulation, article 14, subsection 5, letter b, applies, as it will require a disproportionately large effort to notify each individual citizen in accordance with the regulation's article 14, subsection 4.

In this connection, SSI has emphasized that the processing takes place for scientific purposes and that a very extensive number of samples are stored in the biobank. Individual notification of each individual citizen will therefore constitute a significant work effort for SSI. Furthermore, SSI has emphasized that citizens' rights are taken into account in a different way, including by making general information about the collection available on both SSI's website and on Denmark's National Biobank website. SSI has also noted that the further processing takes place for a purpose other than the original, which is however not incompatible with the original purpose, cf. the data protection regulation's article 5, subsection 1, letter b.

Information about SSI's processing of personal data in connection with the analysis of samples and storage of residual material appears on the institute's website https://www.ssi.dk/om-ssi/persondatapolitik. In particular, the points "have you had a sample analyzed at SSI" and "if residual material from your diagnostic sample is stored in Denmark's National Biobank" are indicated by SSI to be relevant. SSI has stated that the institute generally has an increased focus on transparency and is constantly seeking to improve the personal data policy on its website. SSI is thus continuously considering how the personal data policy can be made more visible to citizens.

Further information on the storage of biological material can be found at https://www.ssi.dk/om-ssi/juridisk-information/information-om-biologisk-materiale. Furthermore, SSI has referred to Denmark's National Biobank's website https://www.nationalbiobank.dk/for-borgere, from which it appears, among other things, how you can opt out of the storage of biological material.

In cases where SSI is in dialogue with citizens, for example in connection with invitations and bookings for covid-19 tests, SSI at this point informs the citizen about the institute's processing of personal data in this context, including that excess positive residual material is transferred to Denmark's National Biobank for future research.

It is then SSI's assessment that the institute has appropriately ensured that the data subjects are informed as far as possible about the institute's processing of personal data within the framework of the exception provision in the data protection regulation, article 14, subsection 5, letter b.

3. Legal basis

3.1.

It follows from the data protection regulation's article 14, subsection 1-3, that if personal data about a data subject is not collected from the data subject, the data controller provides a range of information to the data subject about the processing within a reasonable period of time after collection.

Furthermore, it appears from the regulation's article 14, subsection 4, that if the data controller intends to further process personal data for a purpose other than that for which they were collected, the data controller provides the data subject with information about this other purpose and other relevant information prior to this further processing.

Article 14, subsection 1-4, of the Data Protection Regulation, however, does not apply, i.a. if and to the extent that communication of such information proves impossible or will require a disproportionately large effort, in particular in connection with processing for e.g. scientific research purposes. In such cases, the data controller takes appropriate measures to protect the rights and freedoms and legitimate interests of the data subjects, including by making the information publicly available, cf. Article 14, paragraph 5, letter b.

3.2.

From the data protection regulation's preamble consideration no. 62 it appears about, among other things, article 14, subsection 5, letter b:

"However, it is not necessary to impose the obligation to provide information if the data subject is already aware of the information, if the registration or disclosure of the personal data is expressly stipulated by law, or if it proves to be impossible or will require a disproportionately large effort to notify the data subject. The latter may in particular be the case in connection with processing for archival purposes in the interest of society, for scientific or historical research purposes or for statistical purposes. In this connection, account should be taken of the number of registered users, the age of the information and any necessary guarantees that have been provided.”

3.3.

What is to be understood more precisely by disproportionate effort, cf. Article 14, subsection 5, letter b, is also referred to in the Ministry of Justice's report no. 1565/2017. The following appears on pages 301-303 of the report about the previous and almost similar provision in section 29, subsection 3, of the Personal Data Act:

"From comments to the Personal Data Act, it appears that it is disproportionately difficult to establish a principle of proportionality when assessing whether notification, as prescribed in subsection 1, must be given. There must be a balancing of, on the one hand, the significance of such notification for the data subject and, on the other hand, the work effort of the data controller that will be associated with such notification. The extent to which notification of registered persons is disproportionately difficult or even impossible must be decided in the individual situation. In this connection, i.a. emphasis is placed on the number of registrants, the age of the information and the compensatory measures, e.g. public information campaigns that may be undertaken by the data controller. Furthermore, importance must be attached to how significant the interests are, for the purposes of which the information is processed, and how invasive it is for the individual that information is processed about them.

[...]

It will be important whether the processing of information is carried out as part of individual case processing, or whether the processing is carried out in a number of identical cases, possibly as part of mass case processing. If it is a matter of individual case processing, there will be a presumption that it will not be disproportionately difficult to fulfill the obligation to provide information, especially not if the fulfillment of this can take place in connection with the initiation of other case processing steps, etc. towards the registered. If there are a large number of identical cases, it will often be disproportionately difficult to fulfill the obligation to provide information.”

About the data protection regulation's article 14, subsection 5, letter b, also appears on pages 308-309:

"It follows, among other things, of the regulation's preamble consideration no. 62, that in connection with the assessment of whether exemptions from the notification obligation should be taken into account, the number of registered users, the age of the information and any necessary guarantees that have been provided should be taken into account.

The consideration is immediately seen to constitute a linguistic change in relation to preamble consideration no. 40 of the data protection directive, where it is stated that if it proves impossible or disproportionately difficult to notify the person concerned, which may be the case in connection with processing in historical, statistical or scientific purpose, the number of registered users, the age of the information and the compensatory measures that can be taken can be taken into account in this connection.

As far as the assessment of whether the notification "will require a disproportionately large effort" is concerned, this is, however, a linguistic change in relation to the directive's Article 11, subsection 2, where notification can be exempted if it "is disproportionately difficult".

These changes in the wording of the regulation's article 14, subsection 5, letter b, and preamble consideration no. 62, can immediately suggest that there may be a substantive change in the exception option under the data protection directive and the regulation.

The fact that notification must not take place if "it will require a disproportionately large effort" speaks in the direction that it is a subjective rather than an objective concept, when it must be assessed whether the obligation to provide information must be complied with in a given case as a result of which it turns out that it will require a disproportionately large effort. This immediate hint of a change in the nature of the concept may mean that a data controller will probably potentially be able to refrain from making a notification, even where compliance is in reality well possible, but where it will require a disproportionately large effort from the data controller.

Thus, with the wording of the regulation's article 14, subsection 5, letter b, is interpreted as a hint that the possibility of exception is extended in relation to the data protection directive and the Personal Data Act.”

3.4.

About the exception provision in the regulation's article 14, subsection 5(b), the Article 29 Working Party (now the European Data Protection Board) has stated in its guidelines on transparency[3]:

"In determining what may constitute either impossibility or disproportionate effort under Article 14.5(b), it is relevant that there are no comparable exemptions under Article 13 (where personal data is collected from a data subject). The only difference between an Article 13 and an Article 14 situation is that in the latter, the personal data is not collected from the data subject. It therefore follows that impossibility or disproportionate effort typically arises by virtue of circumstances which do not apply if the personal data is collected from the data subject. In other words, the impossibility or disproportionate effort must be directly connected to the fact that the personal data was obtained other than from the data subject.

[…]

One appropriate measure, as specified in Article 14.5(b), that controllers must always take is to make the information publicly available. A controller can do this in a number of ways, for instance by putting the information on its website, or by proactively advertising the information in a newspaper or on posters on its premises. Other appropriate measures, in addition to making the information publicly available, will depend on the circumstances of the processing, but may include: undertaking a data protection impact assessment; applying pseudonymisation techniques to the data; minimizing the data collected and the storage period; and implementing technical and organizational measures to ensure a high level of security. Furthermore, there may be situations where a data controller is processing personal data which does not require the identification of a data subject (for example with pseudonymised data). In such cases, Article 11.1 may also be relevant as it states that a data controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purposes of complying with the GDPR.”

The disproportionate effort that fulfillment of the duty to provide information according to Article 14 of the Data Protection Regulation will entail must therefore be caused by or connected to the fact that the information has not been collected from the data subject and that the data controller is therefore in another and – depending on the circumstances – less suitable position to notify a data subject than would be the case for a data controller who has collected the information directly from the data subject.

3.5.

In its guidelines on data protection by design and default settings, the European Data Protection Board has stated[4]:

"The chosen measures must thus ensure that the data processing intended by the data controller does not process personal data in violation of the principles, regardless of the costs. Data controllers should be able to manage the overall costs to effectively implement all the principles and thus protect rights.”

4. Reason for the Data Protection Authority's decision

On the basis of the information in the case, the Danish Data Protection Authority assumes that SSI can in reality fulfill the obligation to provide information pursuant to Article 14, subsection 1-4, of the Data Protection Regulation, as SSI has the necessary information about the data subjects in order to be able to contact them and has the option of providing the data subjects with the required information using digital or physical mail.

The question is therefore whether SSI can fail to fulfill the obligation to provide information on the basis of one of the exceptions in the data protection regulation, article 14, subsection 5.

When assessing whether compliance with the obligation to provide information can be considered to require a disproportionately large effort, cf. the data protection regulation, article 14, subsection 5, letter b, a balance must be made of, on the one hand, the significance of such notification for the data subject and, on the other hand, the work effort of the data controller that will be associated with such notification. It is thus a matter of balancing proportionality, where several factors must be held up against each other.

4.1. Obligation to provide information when receiving samples for diagnostic analysis

SSI has stated that the institute processes information on a large number of registered persons, and that fulfilling the obligation to provide information will therefore require a disproportionately large effort. Furthermore, SSI has pointed out that, as a result of the institute's current laboratory information system not being able to automatically notify those registered, fulfillment of the obligation to provide information will have to be done manually. According to SSI, manual fulfillment of the obligation to provide information using digital or physical mail will entail large administrative and financial costs. The Danish Data Protection Authority must also note that SSI has not specified in detail what the institute's efforts to fulfill the disclosure obligation will consist of - for example, what the time consumption or costs are expected to be.

Furthermore, SSI has, in support of its application of the exceptional provision in Article 14, paragraph 5, letter b, stated that the institute has established certain compensatory measures by disclosing on its website about its processing of personal data, the purpose thereof, the legal basis, access to the information, etc.

Article 14, subsection 5, letter b, however, as an exception provision, should be interpreted restrictively. In addition, the purpose of the disclosure obligation in Article 14 is to ensure transparency with the processing of personal data. The data controller should therefore, as a starting point, ensure the data subject's legitimate interest in being informed about the processing to which the data subject's personal data is subject. This applies not least when sensitive personal data is processed, for example health information and genetic data.

Furthermore, in its assessment, the Danish Data Protection Authority emphasized that the administrative and financial difficulties that SSI states it would experience in fulfilling the obligation to provide information pursuant to Article 14 are not caused by the fact that SSI has not collected the information from the data subject. The difficulties thus do not consist of, for example, missing or outdated contact information or other challenges in identifying the registered persons. Rather, the difficulties are due to the fact that SSI has not currently set up its system in such a way that the process in connection with fulfilling the obligation to provide information is facilitated, e.g. through automated processes, noting that the obligation to provide information can be assumed to be fulfilled with a standard text.

Based on an overall assessment of the above, the Danish Data Protection Authority finds that SSI may not refrain from fulfilling its obligation to provide information pursuant to Article 14, subsection 1-3, with reference to Article 14, subsection 5, letter b, when the institute receives samples for the purpose of diagnostic analysis.

The Danish Data Protection Authority must note that if and to the extent that the data subject is already familiar with the information, the duty to provide information in Article 14, subsection 1-4, does not apply, cf. the regulation's article 14, subsection 5, letter a. This implies that SSI will be able to refrain from giving the registered person notice in accordance with the regulation's article 14, subsection 1-4, if the regions etc. have already provided the necessary information – including stating that the sample is sent to SSI for diagnosis – to the registered person in connection with their fulfillment of the obligation to provide information pursuant to Article 13, cf. the regulation's Article 14, subsection 5, letter a.

The applicability of the exception in the data protection regulation, article 14, paragraph 5, letter a, must be based on a concrete assessment of the circumstances surrounding the collection of the information. The provision is also based on a condition that the data controller must give the registered notice in accordance with the regulation's article 14, subsection 1-2, if the data controller is in doubt as to whether the data subject is already familiar with the information.[5]

4.2. Obligation to provide information when storing material in Denmark's National Biobank

In support of the applicability of the exception provision in Article 14, paragraph 5, letter b, SSI has claimed that the storage of residual material in Denmark's National Biobank aims to enable future research, which constitutes a special and protectable public interest. Furthermore, the information will not be able to be used for anything other than scientific or statistical studies of significant social importance, cf. Section 10 of the Data Protection Act.

Nevertheless, in the opinion of the Danish Data Protection Authority, the data subject has a legitimate interest in knowing that the information is stored in the biobank for an unspecified period of time and that the information may be passed on to a number of unspecified researchers.

SSI has also referred to the possibility of being registered in the Tissue Use Register as a consideration that can speak for the application of Article 14, subsection 5, letter b. In this connection, the Danish Data Protection Authority must note that the possibility of registering in the Tissue Use Register requires, all other things being equal, that the registered person has been made aware that information about – and material from – the person in question is stored in the biobank. However, the registered person will often not be aware of the storage, when SSI has not informed him of this.

In addition, the Danish Data Protection Authority must note that although the exception provision in the regulation's article 14, subsection 5, letter b, expressly mentions the processing of personal data for research purposes as a situation where an exception to the duty to provide information may be particularly relevant, the purpose of Article 14 – fairness and transparency[6] – dictates that the applicability of the exception in Article 14, paragraph 5, letter b, is not considered a matter of course in all cases where further processing is carried out for the purpose of research. Reference is also made to what is stated in section 4.1 on the applicability of the data protection regulation's article 14, subsection 5, letter b.

Transparency contributes to ensuring fair processing of personal data and enables a relationship of trust between the data controller and the data subjects. This purpose should, as a general rule, be pursued by fulfilling the obligation to provide information according to Article 14 of the regulation. A broad interpretation of the applicability of Article 14, subsection 5, letter b, may risk weakening the protection of data subjects in terms of respect for their legitimate interests and expectations.

Finally, the Data Protection Authority must note that the question of the compatibility of further processing with the original purpose – which SSI has referred to as a point that speaks for the applicability of Article 14, paragraph 5, letter b – is separate from the question of the fulfillment of the obligation to provide information. Further processing for a new purpose, which is compatible with the original one, thus does not constitute an exception to the data controller's obligation to provide information. This follows from the regulation's article 13, subsection 3, and Article 14, subsection 4, which precisely regulate the data controller's fulfillment of the obligation to provide information where further processing is carried out for a new and compatible purpose.

Article 14, subsection 4 – and Article 13, subsection 3 – are thus an expression of the fact that the data subject, at the time and in the context in which his information was collected, has a reasonable expectation that the information will be processed for a specific purpose. In other words, the data subject must not later find out for what purpose his personal data is being used.[7]

It is on this basis that the Danish Data Protection Authority's assessment is that SSI may not, with reference to the data protection regulation's article 14, subsection 5, letter b, refrain from fulfilling its obligation to provide information pursuant to Article 14, subsection 4, in cases where residual material is stored in Denmark's National Biobank.

The Danish Data Protection Authority also refers to what is stated in section 4.1.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).

[2] Act No. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information (the Data Protection Act).

[3] Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (wp260rev.01), recitals 62 and 64.

[4] European Data Protection Board, Guidelines 4/2019 on Article 25, Data protection by design and data protection by default, recital 25.

[5] The Data Protection Regulation and the Data Protection Act with comments by Kristian Korfits Nielsen and Anders Lotterup, 1st edition 2020, page 502.

[6] Thus, see preamble recital 39 of the data protection regulation.

[7] Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (wp260rev.01), recitals 10 and 45.