Datatilsynet (Denmark) - 2022-32-2939

From GDPRhub
Datatilsynet - 2022-32-2939
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 10 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 28.03.2023
Published:
Fine: n/a
Parties: Rigspolitiet
National Case Number/Name: 2022-32-2939
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet.dk (in DA)
Initial Contributor: n/a

The Danish DPA orders police authorities to not share speeding ticket data when the ticket in question has been disputed.

English Summary[edit | edit source]

Facts[edit | edit source]

Danish police authorities had shared personal data of speeding ticket recipients with Aalborg University. The data was used in the university's research project "Intervention Against Speed Offenders" (EASE).

The complainant had contested the ticket, and the case was awaiting trial in a court of law. The complainant was nonetheless contacted to participate in the research project. In its remarks to the complaint, the Danish police authorities confirmed that information about all speeding offences registered in their systems had been forwarded to the university, regardless of whether the speeding ticket had been accepted or not.

Holding[edit | edit source]

The DPA first noted that, in principle, the sharing of personal data about traffic law violations for the purposes of research was lawful under art. 10 (1) GDPR.

The DPA did however find that the police authorities' execution meant that personal data was being shared without a relevant and legitimate purpose in all cases. The DPA highlighted:

  1. that the relevant target group of the EASE project was people that had undoubtedly violated traffic laws, and;
  2. that one could not assume that such a violation had taken place until the case had been concluded in the legal system.

Since personal data had been shared while the complainant's case was still awaiting trial, the DPA concluded that the police authorities had violated the principles of purpose limitation and data minimisation in art. 5 (1)(b) and (c) GDPR.

As a result, the DPA reprimanded the police authorities' data sharing activities. The DPA also ordered the police authorities to stop sharing data about tickets that had been contested when a final judicial decision regarding the ticket had not yet been reached.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Serious criticism of the National Police

Date: 28-03-2023

Decision Law enforcement authorities Order Serious criticism Complaint Basic principles Processed by the Data Council

The Danish Data Protection Authority has expressed serious criticism of the National Police for having passed on information that a citizen had received a speeding fine for use in the EASE research project. However, the citizen had objected to the proposed fine and was waiting for the case to be decided in the courts.

Journal number: 2022-32-2939

Summary

In the first half of 2022, the Data Protection Authority received a number of inquiries from citizens who were dissatisfied that the National Police had passed on information that they had received a speeding fine to Aalborg University for use in the research project Intervention Against Speed Offenders (EASE).

The EASE research project is about preventing speeding violations in traffic and must show whether motorists get fewer speeding fines if, after receiving a speeding fine, they go through online learning about road safety. The project is a collaboration between Aalborg University, the Technical University of Denmark and the National Police and runs in the period from 1 November 2019 to 1 April 2024.

One of the inquiries to the Data Protection Authority was from a citizen who had objected to the proposed fine and was awaiting the court's consideration of the matter.

The Danish Data Protection Authority found – after the matter had been dealt with by the Data Council – no basis for overriding the National Police's assessment that the National Police could pass on information about motorists' violations of the Traffic Act to Aalborg University for use in the research project pursuant to section 10, subsection of the Data Protection Act. 1.

Penalty cases pending may not be passed on

However, the Danish Data Protection Authority found grounds for expressing serious criticism that the National Police's disclosure had not taken place in accordance with the principles of purpose limitation and data minimization, as the National Police's disclosure had not been made for a factual and relevant purpose.

In this connection, the Data Protection Authority emphasized that, at the time of the National Police's disclosure, it must still be considered to have had the presumption against them that the citizen in question had violated the Traffic Act until the case has been decided by the courts, and that the research project's target group, in the Data Protection Authority's opinion, was persons who have violated the traffic law.

The Danish Data Protection Authority also found grounds to issue an order to the Swedish National Police to stop passing on information to Aalborg University about citizens who have received a speeding fine, where the person concerned has objected to the proposed fine, and the case has not yet been decided by the courts.

The National Police has subsequently informed the Norwegian Data Protection Authority that the National Police immediately intends to comply with the Authority's order and that no further information has been passed on since September 2022.

In addition, the National Police has requested Aalborg University to delete the data of the citizen in question, just as the National Police has found occasion to investigate whether other citizens' data has been passed on to the research project, where the citizen is not covered by the scope of the project.

Decision

After a review of the case - and after the case has been submitted to the Data Council - the Data Protection Authority finds that there are grounds for expressing serious criticism that the National Police's disclosure of personal data has not taken place in accordance with the data protection regulation[1] article 5, subsection 1, letter b and c.

In addition, the Data Protection Authority finds that there is a basis for notifying the National Police of an order to stop passing on information to Aalborg University about persons who have received a fine for violating the traffic law, where the person concerned has objected to the fine and the case has not yet been decided at the courts.

The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter d.

The Danish Data Protection Authority must request confirmation that the National Police intends to comply with the order no later than Wednesday 22 March 2023.

According to the Data Protection Act § 41, subsection 2, no. 5, anyone who fails to comply with an order issued by the Danish Data Protection Authority pursuant to Article 58, subsection of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter d.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

1. Case presentation

It appears from the case that in September 2021 the complainant received a fine from the police for violating the traffic law. As the complainant disagreed with having violated the local speed limit, the complainant objected to the proposed fine.

In January 2022, the National Police passed on information that the complainant had received the proposed fine in question to Aalborg University. Aalborg University subsequently approached complainants with an invitation to participate in the research project Intervention Against Speed Offenders (EASE).

The research project is about preventing speeding violations in traffic and must show whether motorists receive fewer speeding fines if, after receiving a speeding fine, they go through online learning about road safety. The aim is to clarify whether such a process can provide greater understanding of the importance of speed for road safety and greater respect for speed limits. This is a voluntary experiment that requires registration, but the information that Aalborg University has received from the National Police will also be used in statistical studies.

The project, which is a collaboration between Aalborg University, the Technical University of Denmark and the National Police, runs in the period from 1 November 2019 to 1 April 2024.

1.1. Complainant's comments

The complainant has generally stated that the National Police has passed on information that the complainant has received a notice of fine for violating the Traffic Act before the court has had the opportunity to decide on the question of guilt. In the complainant's view, the fact that the information has been passed on for research purposes does not justify that the information can be passed on before the validity of the offense has been confirmed.

The complainant has also stated that the National Police has the opportunity to distinguish between motorists who have accepted the fine and motorists who have complained about the fine. It is therefore the complainant's opinion that it was not necessary to pass on information about complaints to Aalborg University. In his remarks, the complainant refers to an internal correspondence in the National Police, which the complainant has been given access to. It appears from this that information is passed on about motorists who have received a fine with decision type 21 in the Police's Case Management System (POLSAS). Decision type 21 is used when fine notices are issued. However, the decision type changes in POLSAS when the citizen accepts the fine or when the citizen does not accept the fine and the court makes a decision.

1.2. The National Police's comments

The Swedish National Police has generally stated that the Swedish National Police pursuant to section 10, subsection of the Data Protection Act. 1, has passed on – and continues to pass on – information about persons who have been charged in an automatic traffic control (ATK) to Aalborg University, as the information is necessary for the sake of scientific investigations of significant social importance. The information is passed on in monthly lists during the project's operating period.

The National Police has also stated that it is necessary to pass on information about these persons to Aalborg University in order for the university to identify and invite the relevant persons to participate in the project.

As complaints at the time of the data extraction in January 2022 were registered as charged with a violation of the Traffic Act in POLSAS, information about complaints was included in the data extraction with registrations where the time of the offense was in September 2021.

The Swedish National Police has also informed about the necessity of the disclosure that Aalborg University has declared to the Swedish National Police that the information is necessary in order to be able to invite motorists who have received a speeding ticket to participate in the project. In addition, Aalborg University has declared that no more information is processed than is necessary for the performance of the specific research, and that any information that is not necessary will be deleted or returned as soon as possible.

Regarding the correctness of the information, the National Police has stated that it is the National Police's assessment that the information is correct in relation to the purposes for which it was passed on.

The National Police forwards the data extracts from POLSAS to Aalborg University with information on persons charged in ATK cases and who are registered with a specific decision type. The decision type in question is used when fine notices are issued.

Cases with preliminary fines are only decided when the citizen accepts the fine, or when the court makes a decision in the case, in cases where the citizen does not accept the fine.

However, it is of no consequence to the National Police's disclosure of personal data that the complainant has not accepted the fine and that the matter must be settled in court, as information is disclosed about all persons who have been charged in an ATK and who have received a notice of fine. The disclosure is thus not limited to information about persons who have adopted a fine or where the court has made a decision.

In conclusion, the National Police has stated that the National Police and Aalborg University have received several inquiries from citizens who have received an invitation to participate in the research project. Citizens have stated that they find the project's title "EASE Intervention against speeding offenders" offensive and/or transgressive, e.g. because it was a minor speeding offence, or because they do not want to accept the fine. The National Police has taken note of these inquiries and will in future pay more attention to titles of research projects and how citizens may experience receiving such invitations to participate in research projects.

2. Reason for the Data Protection Authority's decision

It follows from § 10 of the Data Protection Act that information about criminal matters may be processed if this is done solely for the purpose of carrying out statistical or scientific studies of significant societal importance, and if the processing is necessary for the purposes of carrying out the studies.

The processing also assumes that the data protection rules are otherwise observed, including that the basic principles in Article 5 of the Data Protection Regulation are observed.

Of the data protection regulation, article 5, subsection 1, letter b, states that personal data must be collected for explicitly stated and legitimate purposes and must not be further processed in a way that is incompatible with these purposes; further processing for archival purposes in the interest of society, for scientific or historical research purposes or for statistical purposes in accordance with Article 89, subsection 1, shall not be considered to be incompatible with the original purposes.

Of the data protection regulation, article 5, subsection 1, letter c, states that personal data must be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The Danish Data Protection Authority finds that there is no basis for overriding the National Police's assessment that the National Police, pursuant to section 10, subsection of the Data Protection Act. 1 may pass on information to Aalborg University for use in the EASE research project.

In this context, the Danish Data Protection Authority has particularly emphasized that the information about motorists' violations of the traffic law's speed regulations is necessary so that Aalborg University can invite relevant people to participate in the research project, which aims to prevent speeding violations in traffic and show whether the people receive fewer speeding fines , if, after receiving a speeding ticket, they go through an online course on road safety.

However, the Danish Data Protection Authority finds that the National Police's disclosure of the complainant's personal data did not take place in accordance with Article 5, subsection 1 of the Data Protection Regulation. 1, letters b and c.

The Data Protection Authority has emphasized in particular that the complainant, at the time of the National Police's disclosure of the information, had objected to the proposed fine and was awaiting the court's processing of the case, and that the purpose of Aalborg University's processing of personal data was and is to be able to invite motorists to participate in a research project , which aims to prevent speeding offenses in traffic by investigating whether motorists receive fewer speeding tickets if, after receiving a speeding ticket, they go through an online course on road safety.

It is then the Danish Data Protection Authority's assessment that the National Police's disclosure of information about complaints to Aalborg University did not take place for a factual and relevant purpose, since at the time of the National Police's disclosure of the complainant's personal data it must still be considered to have had the presumption against it that the complainant had violated the Traffic Act, until the case has been decided by the courts, and that the research project's target group – in the opinion of the Danish Data Protection Authority – are people who have violated the Traffic Act.

Against this background, the Data Protection Authority finds that there are grounds for expressing serious criticism that the National Police's disclosure of personal data has not taken place in accordance with the rules in the Data Protection Regulation, Article 5, subsection 1, letter b and c.

The Danish Data Protection Authority also finds grounds to order the National Police to cease passing on information to Aalborg University about persons who have received a fine for violating the Traffic Act, if these persons have objected to the fine and the case has not yet been decided by the courts.

The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter d.

The Danish Data Protection Authority must request confirmation that the National Police intends to comply with the order by Wednesday 22 March 2023 at the latest.

According to the Data Protection Act § 41, subsection 2, no. 5, anyone who fails to comply with an order issued by the Danish Data Protection Authority pursuant to Article 58, subsection of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter d.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).