Datatilsynet (Denmark) - 2022-31-6316

From GDPRhub
Datatilsynet - 2022-31-6316
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 12(2) GDPR
Article 12(3) GDPR
Article 15(1) GDPR
§ 22(1) Danish Data Protection Act
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published: 12.09.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 2022-31-6316
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Malte Tolstrup

The Danish Data Protection Authority (Datatilsynet) criticised a housing association which refused to grant a resident access to information related to complaints filed against them by other residents. The handling of the request for access was not in accordance with Article 12(2) and (3) GDPR, or Article 15(1) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

On the 31st of March 2022, a resident requested their housing association to provide access to their records related to complaints filed against the resident. The request for access included complaint letters, witness statements, and other documentation.

On the 11th of April 2022, the housing association rejected the request to grant access to the aforementioned information, stating that the housing association was not subject to the rules regarding access to records of either the Danish Public Access Act or the Danish Public Administration Act. The resident then lodged a complaint with the Danish Data Protection Authority (Datatilsynet) due to the housing association's refusal to grant access.

Holding[edit | edit source]

The handling of the request for access was not in accordance with Article 12(2) and (3) GDPR, as well as Article 15(1) GDPR. However, the decision to not grant access in itself was considered acceptable as Article 15 is not an absolute right.

The Danish Data Protection Authority (Datatilsynet), hereinafter the DPA, finds that the housing association's handling of the resident's request for access was not in accordance with Article 12(2) and (3) GDPR, as well as Article 15(1) GDPR. In this regard, the DPA particularly emphasizes that the housing association rejected providing the resident with access, citing that the association is not subject to the rules of either the Public Access Act (Offentlighedsloven) or the Public Administration Act (Forvaltningsloven) regarding access to records. The housing association did not assess the extent to which the resident could have been granted access to their personal data under Article 15 GDPR. Furthermore, the DPA placed weight on the fact that at the time of the decision on the case, the housing association did not appear to have responded to the resident's request for access dated March 31, 2022. Additionally, any complaints lodged with the DPA do not have a suspensive effect, meaning that the association did not have an excuse to delay the handling of, for example, a request for access. For these reasons the DPA expressed serious criticism.

Regarding the scope of access under Article 15 GDPR, the DPA refers to the fact that this right to access is not absolute. According to Article 15(1)(g) GDPR, the data subject has the right to obtain information about the source of their personal data if it was not collected from the data subject. Furthermore, Article 15(3) GDPR requires the data controller to provide a copy of the personal data being processed. However, these rights are not absolute, as stipulated in § 22(1) of the Danish Data Protection Act (Databeskyttelsesloven - DBL), which states that Article 15 GDPR does not apply if the data subject's interest in the information is found to have to give way to decisive private interests, including the interests of the data subject themselves. Based on this, the DPA assesses that the resident's interest in knowing the identity of those who have complained about them to the housing association is considered to have to yield to decisive private interests. This assessment takes into account the concrete risk that the complaining residents could face harassment if the resident requesting access were to be informed of their names. As a result, the identities of the individuals who have complained about the resident can be withheld from access under Section 22(1) DBL.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Housing Association receives serious criticism for denying citizens insight
Date: 12-09-2023

The Danish Data Protection Authority has expressed serious criticism in a case where a housing association refused to give access to a resident, as the housing association did not believe it was subject to the rules on public access or the Public Administration Act.

Journal number: 2022-31-6316.
Summary

The Danish Data Protection Authority has made a decision in a case where a resident complained that a housing association refused to provide insight into the housing association's records about him in connection with house order cases.

In the case, the Danish Data Protection Authority found reason to express serious criticism that the housing association had only assessed the resident's request in accordance with the Public Information and Administration Act's rules on access to documents and that the housing association had reserved the right to deny the resident access before the authority had made a decision on the case.

The Danish Data Protection Authority also found that there was no basis for overriding the housing association's assessment that a number of information about the complaining residents in the house order cases could be exempted from the right of access. The housing association had assessed that the resident's interest in gaining insight into the identity of the complaining residents had to give way to decisive considerations for the protection of private interests. Here, the housing association emphasized the concrete risk that the complaining residents would be exposed to further harassment if the residents were told their names.
Decision

The Danish Data Protection Authority hereby returns to the case where [complainant] on 22 April 2022 complained to the Danish Authority that Boligforeningen [X] (hereafter [X]) refused to give the complainant access to her personal data.
1. Decision

After a review of the case, the Danish Data Protection Authority finds that [X]'s handling of the complainant's request for access has not taken place in accordance with the Data Protection Regulation[1] Article 12, subsection 2 and 3, as well as Article 15, subsection 1, which gives the Data Protection Authority occasion to issue serious criticism.

The Norwegian Data Protection Authority also finds that there is no basis for overriding [X]'s assessment that a number of information can be exempted from access, cf. the Data Protection Act[2] § 22, subsection 1.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.
2. Case presentation

It appears from the case that, on 31 March 2022, the complainant requested [X] to access their records of complaints in connection with house order cases, including copies of letters of complaint, witness statements, documentation (including photos, video recordings and material from surveillance).

[X] responded to the complainant's inquiry on 11 April 2022, where [X] refused to provide access to documents with reference to the rules of the Public Disclosure and Administration Act.
2.1. Complainant's comments

The complainant has generally stated that the complainant has the right to full access to the records that [X] has about complaints in connection with house order cases relating to complaints, and that the complainant had specified his request for access.
2.2. [X]'s comments

[X] has generally stated that the association is not in possession of photos, video recordings and material from monitoring complaints, which is why the request is limited to insight into letters of complaint, explanations and documentation in connection with the house order case against complaints.

[X] has also stated that it is the association's assessment that complainants can gain insight into letters of complaint, explanations and documentation in connection with the house order case against complainants, but only in anonymized form, so that it will not be possible for complainants to identify which residents who has complained about her.

In this connection, [X] has pointed out that the right of access only relates to access to personal data that concerns the registered person himself, which is why the identity of persons who complain to [X] is not considered to be information covered by the complainant's right of access. [X] has also referred to Section 22, subsection of the Data Protection Act. 1, as it is the association's assessment that the complainant's interest in information about the identity of the persons must give way to their interest in ensuring the secrecy of their identity for the sake of their safety, well and good. [X] refers to the fact that the complainant allegedly harassed the residents in question by e.g. to have shouted at other residents, filmed other residents, including their children and thrown rubbish from the 2nd floor. [X] has therefore assessed that there is a concrete, overwhelming and proximate probability that the complainants will be exposed to further and more severe harassment if the complainants become aware of their identity.

[X] has also described that if the Danish Data Protection Authority were to find that complaining residents do not have the right to confidentiality, it will have the consequence that residents will be reluctant to submit justified complaints, which may result in, among other things, harassing residents would not be able to be terminated or terminated, as there would be no documentation of the behavior in question at [X]. This will lead to [X] not being able to fulfill its obligations according to Section 80, subsection of the General Tenancy Act. 1, on the obligation of the lessor to ensure that good order prevails in the property and, if necessary, terminate the tenancy.

[X] has finally stated that in its response to the complainant's request for insight of 11 April 2022, the association rightly requested the complainant to specify his request for insight, but that the complainant did not return with a specification.
3. Reason for the Data Protection Authority's decision
3.1.

The Danish Data Protection Authority assumes that the complaints in question to [X], which are covered by the complainant's request for access, contain personal data about the complainant in the form of e.g. the complainant's neighbors' experiences of her behavior in the housing association.

[X] has also stated, in connection with the processing of the case by the Danish Data Protection Authority, that [X] has reserved the right not to provide the complainant with insight before the Danish Data Protection Authority has made a decision in the present case.

The Danish Data Protection Authority then finds that [X]'s handling of the complainant's request for access has not taken place in accordance with Article 12, paragraph 1 of the Data Protection Regulation. 2 and 3, as well as Article 15, subsection 1, which gives the Data Protection Authority occasion to issue serious criticism.

In this respect, the Danish Data Protection Authority has particularly emphasized that [X] has refused to give the complainant access, citing that the association is not subject to the rules on access to documents in the Public Information or Public Administration Act, and that the association has thereby not assessed the extent to which the complainant could gain access to her personal data according to Article 15 of the Data Protection Regulation.

The Danish Data Protection Authority has also emphasized that [X] is still not seen to have answered the complainant's request for access by 31 March 2022, and any complaints to the supervisory authority do not have a suspensive effect, which implies that the association can postpone the handling of e.g. request for insight.

The Danish Data Protection Authority has noted that [X] has stated that the association has reviewed its procedures for processing access requests, so that [X]'s employees are familiar with how access requests must be handled going forward.
3.2.

It follows from the data protection regulation article 15, subsection 1, letter g, that the data subject has the right to any available information about where the personal data originates from, if it is not collected from the data subject.

It also follows from the regulation's article 15, subsection 3, that the data controller must provide a copy of the personal data that is processed.

Article 15 of the Data Protection Regulation, including subsection 1 and 3, however, is not absolute.

It follows, among other things, of the Data Protection Act § 22, subsection 1, that Article 15 of the Data Protection Regulation does not apply if the data subject's interest in the information is found to give way to decisive considerations of private interests, including consideration of the data subject himself.

There may thus be cases where a data controller is not obliged to provide a copy of the information processed about a data subject, or to provide information about where the personal data originates.

Of the special remarks[3] to the Data Protection Act § 22, subsection 1, appears i.a. following:

"With the use of the term 'crucial' in the provision, it is indicated that an exception to the duty to provide information and the right of access can only be made where there is a imminent danger that the interests of private individuals will suffer significant damage."

The use of i.a. Section 22, subsection of the Data Protection Act. 1, according to which the data subject's right to access is limited, requires that the data controller makes a specific assessment.

The data controller – in this case [X] – has a certain scope to assess when an exception to the right of access can be made. This is because it is typically the data controller who has knowledge of the concrete (factual) circumstances that will be able to justify an exception to the right of access.

[X] has stated to the Data Protection Authority that, on the basis of a concrete weighing of the opposing interests in the case, the association has come to the conclusion that the complainant's interest in insight into the identity of the complaining residents should give way to decisive considerations of private interests, cf. Section 22, subsection of the Data Protection Act. 1. The association has emphasized the concrete risk that the complaining residents will be exposed to further harassment if the complainants are given their names.

The Danish Data Protection Authority notes in this connection that the Danish Data Protection Authority, as a supervisory authority, can ensure that the considerations and/or interests with which the data controller in the present case has justified a restriction of the right of access are considerations and/or interests which, according to the data protection rules, are legal to emphasize.

However, the Norwegian Data Protection Authority does not normally have special or better qualifications than the data controller to assess which specific information it is necessary to exclude in order to take care of a (legitimate) consideration or a (legitimate) interest.

On this basis, the Danish Data Protection Authority finds that the Danish Data Protection Authority has no basis for overriding [X]'s assessment that, according to [X]'s, decisive considerations for complaining residents imply that the identity of complaining residents can be exempted from the complainant's right to access.

The Danish Data Protection Authority then finds that there is no basis for overriding [X]'s assessment that the information in question can be exempted from access, cf. section 22, subsection of the Data Protection Act. 1.

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general data protection regulation)

[2] Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information (the Data Protection Act).

[3] Bill no. 68, FT 2017/18, the special comments on section 22 of the bill