Datatilsynet (Denmark) - 2022-432-0099: Difference between revisions

From GDPRhub
(Good summary! I would suggest elaborate a bit more in the holding, to explain more the reasoning of the DPA and state the numbers explicitly mentioned in the case. :))
No edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 65: Line 65:
}}
}}


The Danish DPA strongly criticised and banned the Danish Agency for Digital Government's excessive processing of personal data for the Driving Licence app. The DPA found that the additional processing of the data of 2.26 million citizens who had not actively joined the app was in breach of the data minimisation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].
The Danish DPA banned the Government's Driving Licence app from continuing the processing of personal data of 2.26 million citizens who had not actively joined the app. This processing was found to be in breach of the data minimisation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].


== English Summary ==
== English Summary ==
Line 76: Line 76:
Following the complaint, on 7 September 2022, the DPA started an own-volition investigation of the matter. They found that the controller was processing the personal data of approximately 3.96 million Danish citizens with a driving licence, yet only 1.7 million had registered for the app, while the remaining group had not joined the app.
Following the complaint, on 7 September 2022, the DPA started an own-volition investigation of the matter. They found that the controller was processing the personal data of approximately 3.96 million Danish citizens with a driving licence, yet only 1.7 million had registered for the app, while the remaining group had not joined the app.


The controller attributed the excessive processing to technical constraints of the driving licence database, built on an outdated mainframe system, which gave it access to all valid Danish driving licenses. They explained to have initially considered three possible solutions for the app but deemed only the one adopted realistically viable. The one adopted complied with certain operational and performance requirements while allowing for the digital driving licence, updated with the latest information, to be made accessible to citizens.
The controller attributed the excessive processing to technical constraints of the driving licence database, built on an outdated mainframe system, which gave it access to all valid Danish driving licenses. They explained to have initially considered three possible solutions for the app but deemed only the one adopted realistically viable. The one adopted complied with certain operational and performance requirements while allowing for the digital driving licence, updated with the latest information, to be made accessible to citizens. Consequently, they claimed that the processing was in line with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].  


=== Holding ===
=== Holding ===

Latest revision as of 12:53, 27 November 2023

Datatilsynet - 2022-432-0099
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(c) GDPR
Article 58(2)(b) GDPR
Article 58(2)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started: 22.09.2022
Decided: 08.11.2023
Published: 15.11.2023
Fine: n/a
Parties: Digitaliseringsstyrelsen
National Case Number/Name: 2022-432-0099
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Danish DPA (in DA)
Initial Contributor: Rie Aleksandra Walle

The Danish DPA banned the Government's Driving Licence app from continuing the processing of personal data of 2.26 million citizens who had not actively joined the app. This processing was found to be in breach of the data minimisation principle under Article 5(1)(c) GDPR.

English Summary

Facts

A Danish citizen lodged a complaint with the Danish DPA regarding the Danish Agency for Digital Government's (the controller) processing of his personal data in their Driving Licence app, which he had not registered for or used.

The app is a digital alternative to the physical driving licence and contains information about the licence holder's name, birth data, place of birth, nationality, licence number, passport number, passport photo, social security number, health, and data relating to criminal convictions and offences.

Following the complaint, on 7 September 2022, the DPA started an own-volition investigation of the matter. They found that the controller was processing the personal data of approximately 3.96 million Danish citizens with a driving licence, yet only 1.7 million had registered for the app, while the remaining group had not joined the app.

The controller attributed the excessive processing to technical constraints of the driving licence database, built on an outdated mainframe system, which gave it access to all valid Danish driving licenses. They explained to have initially considered three possible solutions for the app but deemed only the one adopted realistically viable. The one adopted complied with certain operational and performance requirements while allowing for the digital driving licence, updated with the latest information, to be made accessible to citizens. Consequently, they claimed that the processing was in line with Article 5(1)(c) GDPR.

Holding

The DPA concluded that the controller violated the data minimisation principle of Article 5(1)(c) GDPR. The principle should have been complied with despite the system being the only possible solution according to the current technical structure of the driving licence register. It further stated that the accessibility needs described by the controller and the mere fact that it is convenient for citizens to have the Driving Licence app, as they can leave their physical driving licence at home, cannot justify the processing in question. Thus, the DPA concluded that data processing of all holders of a valid Danish driving licence is not justifiable, as the controller was processing data of a very large number of people - approximately 2.26 million people - who had not actively joined the Driving Licence app.

Hence, the DPA issued serious criticism to the controller under Article 58(2)(b) GDPR. In addition, per Article 58(2)(f) GDPR, it banned the storing and processing of personal data about persons who have not actively joined the Driving Licence app.

The controller has four weeks from when the decision was issued to comply with the prohibition.

Comment

This case reminds of a Norwegian decision from 2020, where the Public Roads Administration was fined NOK 1 million (reduced from 4 million) for failing to delete personal data, also because of technical constraints. They blamed their processor for the shortcomings, but the DPA notably held that it is the controller's responsibility to comply with the GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Skip the main navigation

Search

The Digital Agency processes too much personal data in its administration of the digital driving licence

Date: 08-11-2023

Decision Public authorities Serious criticism Supervision / self-operating case Handled by the Data Council Basic principles

Approx. 1.7 million citizens have signed up to the Digitalisation Agency's digital driving licence. But in order to offer the electronic driver's license, the Digitalization Agency stores personal data on all citizens who have a valid Danish driver's license - almost 4 million. The Danish Data Protection Authority now states that the Digital Agency processes personal data on far too many citizens.

Journal number: 2022-432-0099.

1. Preliminary remarks

1.1. The Danish Data Protection Authority hereby returns to the case, where on 7 September 2022 the Danish Data Protection Authority initiated an investigation of its own operations into the Danish Agency for Digitalisation's processing of personal data in the administration and operation of the Kørekort app.

In connection with the processing of the case, the Danish Data Protection Authority has requested the Danish Agency for Digitalisation for opinions on a number of different matters regarding the driving license app, including the basis of processing, data protection through design and default settings and data minimisation.

In a number of statements, the Danish Agency for Digitization has responded to the Danish Data Protection Authority's letters, and the Danish Agency has basically stated that there is authority in the Data Protection Regulation and the Data Protection Act for the processing of personal data that the scheme with the digital driving license entails, and that, in the Danish Agency's opinion, the scheme is in accordance with the data minimization principle.

1.2. The Danish Data Protection Authority has now completed processing the case. In this connection, the case has been submitted to the Data Council.

In the final processing of the case, the Danish Data Protection Authority has chosen to concentrate in particular on the question of whether the Danish Agency for Digitalisation's processing of personal data in connection with the administration and operation of the Kørekort app is in accordance with the data minimization principle in the data protection regulation[1], article 5, subsection 1, letter c.

2. Decision

2.1. Overall, the Danish Data Protection Authority is of the opinion that the Digitalisation Agency's processing of personal data in connection with the administration and operation of the Kørekort app, whereby an extract of information about all holders of a valid Danish driving license in the driving license register is stored and processed, is not in accordance with the data minimization principle in the data protection regulation article 5, subsection 1, letter c.

Against this background, the Danish Data Protection Authority states in accordance with the data protection regulation article 58, subsection 2, letter b, serious criticism of the Digital Agency.

2.2. Furthermore, the Data Protection Authority announces pursuant to the data protection regulation article 58, subsection 2, letter f, ban on the Digitalization Agency from storing and otherwise processing personal data from the driving license register about registered persons who have not actively joined the digital driving licence.

The ban only applies to the Digitalisation Agency's processing of personal data from the driving license register of registered persons who have not actively joined the digital driving licence, and the ban thus does not apply to the processing of personal data of those registered who have joined the scheme.

The decision on the prohibition of the storage and other processing of personal data from the driving license register of registered persons who have not actively joined the digital driving license implies that the Digitalization Agency must cease the said processing within 4 weeks from today. The Danish Agency for Digitization is asked – within the same deadline – to notify the Danish Data Protection Authority of what the agency has done in light of this decision.

The Norwegian Data Protection Authority draws attention to the fact that, according to the Data Protection Act § 41, subsection 2, no. 4, it is punishable to fail to comply with a limitation of processing notified by the Danish Data Protection Authority pursuant to the regulation's article 58, subsection 2, letter f. Pursuant to section 41, subsection 6, 2nd point, public authorities can also be punished.

The Danish Data Protection Authority must note that the ban on storing and otherwise processing personal data from the driving license register of registered persons who have not actively joined the digital driving license does not imply that the scheme with the digital driving license cannot be maintained vis-à-vis those registered who actively has joined it. The basic functions of the scheme will thus be able to continue.

The continued operation will concretely be possible by the Digitalization Agency e.g. adapts the service sections and database extracts that the agency already uses in such a way that no information is processed about persons who have not actively joined the scheme. The Norwegian Data Protection Authority refers in particular to the possibility of creating a database with the current users of the Kørekort app and in the future maintaining this through so-called delta runs for de-registration and registration in the app.

Such technical adjustments in the digital driving license will ensure that the processing of information about persons who have not actively joined the scheme ceases, without this significantly affecting the functionality of the digital driving license for the persons who have actively joined the scheme.

More detailed reference is made to section 6 below.

2.3. Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

3. Case presentation

3.1. On the basis of a complaint from a citizen regarding the Danish Agency for Digitalisation's processing of his personal data in the Agency's solution with the digital driving licence, on 7 September 2022 the Danish Data Protection Authority initiated a closer investigation of the Danish Agency for Digitalisation's administration and operation of the digital driving licence. In this connection, the Danish Data Protection Authority asked the Danish Agency for Digitalisation to explain, among other things, which personal data the agency processes as part of its administration and operation of the driving license app, which further processing takes place, for which purposes and with what authority in the data protection regulation and the data protection act the processing in question takes place, just as the Data Protection Authority asked the Digitalization Agency to explain the division of roles between the Digitalization Agency, the National Police and any other authorities with regard to the processing of personal data for use in the Kørekort app. Finally, the Danish Data Protection Authority asked the Danish Agency for Digitalisation to state whether the processing is in accordance with the requirement for "data minimisation" in the data protection regulation, Article 5, subsection 1, letter c.

The Digital Agency responded by letter of 26 September 2022 to the Data Protection Authority's question. In relation to the issue of data minimisation, the Digital Agency stated overall that the agency assessed that the processing of personal data was in accordance with the requirement for data minimisation.

By letter of 7 October 2022 to the Danish Agency for Digitalisation, the Danish Data Protection Authority requested that the Agency further explain, among other things, why the processing of certain specific types of personal data was considered necessary and thus to be in accordance with the principle of data minimisation.

The Digital Agency responded to the Data Protection Authority's request by letters of 30 November and 19 December 2022.

At the request of the Danish Data Protection Authority, a meeting was subsequently held on 17 May 2023 between the Danish Agency for Digitalisation and the Danish Data Protection Authority, where the agency had the opportunity to answer a number of further questions from the Danish Authority, including about data minimisation.

In continuation of the meeting, on 12 June 2023 the Danish Data Protection Agency asked the Danish Agency for Digitalisation to give a written account of, among other things, the needs for accessibility that the Digital Agency had referred to, just as the supervisory authority asked the agency to elaborate on certain additional matters regarding the data minimization principle.

The Digital Agency answered the Danish Data Protection Authority's supplementary questions by letter of 30 June 2023.

The Digitalisation Agency's response to the Danish Data Protection Authority is reviewed in more detail below, under section 3.2 – 3.6.

3.2. In its responses to the Danish Data Protection Agency, the Digital Agency has provided the following information about the background for the creation of the digital driving licence:

"The government's finance committee decided in 2018 that they wanted to start developing a digital driving license app. In connection with the establishment and implementation of the digital driver's license, it appears that the authority task is anchored in the Digitalization Agency with a view to ensuring coherence in the establishment of digital ID proofs across the public sector. It follows from this that:

"The Danish Agency for Digitalisation will be responsible for the app, including that the app complies with the rules in the area as well as responsibility for the processing of data from the driving license register".

In connection with the coherence reform (see the government's "world-class digital service" World-class digital service, October 2018 (fm.dk) ), the Danish Agency for Digital Affairs was tasked with carrying out this official task of developing the digital driving license and thereby carrying out a task in the interest of society, which has general interest and is of importance to a wider circle of people in Denmark. On page 47 of the Finance Act for 2019, it is mentioned that 1.5 million DKK for initiative on digital driving license and digitization of administration project in the area of driving license - PUBL (fm.dk) [...]"

The driving license app was launched on November 24, 2020.

The Danish Agency for Digitalisation has stated that when the driving license app was launched, the app quickly gained many users, and that the number of users therefore increased very significantly in the first period. According to the Danish Agency for Digitalisation, the connection to the driving license app is still increasing, but the increase is now more moderate and is primarily driven by the fact that young people who acquire driving licenses are continuously connecting.

The Agency for Digitization has also stated that, as part of the administration of the digital driving licence, the agency processes information about approx. 3.96 million citizens that approx. 1.7 million of which use the Kørekort app, and that the remaining group has not joined the scheme.

The National Police and the Digital Agency have entered into an agreement on joint data responsibility for the processing of the personal data from the driving license register, which is delivered to the Digital Agency for use by the Driving License app. It appears from the agreement that the Digital Agency is responsible for the processing of personal data that takes place in connection with the digital driving licence, including responsibility for the correct collection and registration of information.

3.3. The Danish Agency for Digitization has stated that the data that the agency displays in the Kørekort app comes from the driving license register and has been made available to the agency by the National Police. The Danish Agency for Digitalisation thus stores an extract of driving license information for all valid Danish driving licenses from the driving license register, which, according to the Danish Agency for Digitalisation, amounts to approx. 3.96 million driver's license. As mentioned, the Digital Agency has stated that there are approx. 1.7 million people using the Kørekort app.

The Agency for Digitization has stated that the agency receives the following information from the driving license register about all holders of a valid Danish driving licence:

Non-sensitive personal data: Name Date of birth Place of birth Nationality Driving license number Passport number Passport photo Confidential personal data: CPR number Sensitive personal data: Health information, e.g. information on glasses and prostheses (to the extent that such information appears on the current driving licence) Information on criminal offences: Information that the holder of the driving license must drive with an alcohol lock in order to drive the vehicle or must not drink alcohol (to the extent such information appears on the current driver's license)

In addition, the Digital Agency has stated that the processing also includes vulnerable groups, as information is processed on 17-year-olds who have obtained a driving license under the "17-year-old scheme" and on 15-year-olds who have a driving license for a small moped and/or tractor .

3.4. The Agency for Digitization has stated that the agency receives a monthly extract from the driving license register. In addition, the Digital Agency receives a daily extract of changes (a "delta extract") for citizens with a driving licence. The Delta extract contains all new and deleted or changed driving licenses since the last extract. The Digital Agency has explained that the monthly statement is received to safeguard against synchronization errors.

According to the Danish Agency for Digitalisation, the mentioned procedure is the only one possible when, among other things, certain operational and performance requirements must be met, and is therefore necessary to be able to make the digital driving license available to citizens, updated with the latest information.

In order to be able to offer the digital driving licence, it is therefore necessary, according to the Digitalisation Agency, that the Driving License app has access to the driving license holder's (updated and correct) driving license information, which, according to the agency, requires the Driving License app to be able to look up information from the driving license register. According to the Danish Agency for Digitalisation, it is currently not possible to create a technical solution where the Agency can make entries directly in the driving license register, and where the Danish Agency for Digitalisation does not itself store an extract from the register. The Agency for Digitization has stated that the agency therefore finds itself forced to store driving license information for all citizens with a valid Danish driving licence.

3.5. The Danish Agency for Digitization has provided the following information about the data minimization principle:

"The Digital Agency assesses that the processing of the information is in accordance with the requirement for 'data minimisation' in the data protection regulation, Article 5, subsection 1, letter c.

Only the information that is necessary in relation to the processing in question is processed. The Danish Agency for Digitalisation processes information on all citizens who have a valid driving licence, as it is not currently technically possible to make a direct connection to the driving license register, which is why the Danish Agency for Digitalisation has to store a complete extract from the Driving License Register.

A look-up service has not been implemented against the National Police's driving license register, as the driving license register is a mainframe-based system that cannot guarantee the accessibility required by the driving license app's users. The Danish Transport Agency is in the process of starting a project with the development of a new driving license register. The Danish Agency for Digitization has submitted the driving license app's needs to the development project, so that in a future register it will be possible to look up as needed - without making major extracts."

In its impact assessment from November 2020, the Digitalization Agency stated the following:

"Other risks in the solution are that DIGST has to keep an extract from the National Police's [Traffic Agency's] driving license register of all citizens who have a valid driving licence. Information on more citizens than is necessary in relation to the Digital driving license is thus processed. This is because it is not currently technically possible to make a direct entry in the National Police's register, which is why DIGST is forced to store an extract from the driving license register of all citizens who have a valid driving licence. As it is not technically possible to offer a digital driving license with less information, it is DIGST's assessment that the agency has authority in the data protection regulation. 6 pieces. 1, letter e, to also process personal data of citizens who do not have a Digital driving licence.”

In its consultation response of 3 July 2023 to the Danish Data Protection Authority on the section just quoted, the Danish Digital Agency stated that "the impact analysis from 2020 (...) is not correct in relation to the passage mentioned." The Digital Agency has instead referred to the following section in the agency's new impact analysis from May 2023:

"Only the information that is necessary in relation to the purpose of the processing is processed. The Digital Agency only processes an extract of the necessary information from the driving license register. This extract includes all citizens with a valid driver's license for a motor vehicle, as it is not currently technically possible to create a look-up service that looks up the individual users' information in the driver's license register when the user wants to enroll in the app."

Furthermore, in the impact analysis from 2023, the Digital Agency has stated the following about why it is not technically possible to create a look-up service that looks up the individual users' information in the driving license register when the Driving License app needs to access driving license information:

"The reason (...) is that the driving license register is a mainframe-based system that cannot guarantee the need for accessibility that the users of the driving license app need. A single lookup service against the current driver's license register would result in users not being able to enroll in the app. The Swedish Transport Agency is currently working on a project to develop a new driving license register that will be able to provide the necessary accessibility. When the new driving license register is put into use, the Digital Agency will be able to avoid storing an extract of all citizens with a driving licence.

Personal information from the extract is encrypted with strong encryption at the individual level in the databases. The Danish Digital Agency only uses data from the extract regarding the users who enroll in the app. This means that personal data is not decrypted and used on users who do not use the app.

The Danish Digital Agency assesses that the processing of the information is in accordance with the requirement for "data minimisation" in the Data Protection Regulation, Article 5, subsection 1, letter c.”

The reason why the Digital Agency prepared a new impact analysis in 2023, despite the fact that such an analysis had already been prepared in 2020, is that the agency had originally taken the view that only ordinary personal data was processed in connection with the Kørekort app . In May 2022, the Digital Agency became aware that sensitive information and information about criminal matters are also being processed, which necessitated a new impact analysis.

As far as considerations about other technical solutions are concerned, the Digital Agency has stated the following:

"In collaboration with the National Police, the following technical solutions were considered:

A direct integration to the current driving license register A web service integration to the current driving license register The current technical solution with an extract of the necessary driving license information from the driving license register.

Solution 1 was not a technical possibility, as it would require a disproportionately large pressure on the Driving License Register, which is established on an older mainframe system.

Solution 2 was considered, but in dialogue with the National Police and the National Police's supplier […], the solution was deemed untenable. This is due to a number of factors:

The National Police's systems are basically not directly citizen-facing. When launching the Kørekort app, the initial load on a possible web service at the National Police far exceed their capacity and potentially affect the National Police's internal systems. Every time a citizen opens their driving license app, a series of calls are made to the back-end, in which the status and validity of the driving license is determined. Depending on how the web service could be built, at a minimum it would have to handle between 50,000 and 150,000 calls per day, corresponding to the average daily load. At the time, the National Police was not interested in this solution, as it would most likely burden their running systems. As an extension of this, the uptime of the web service could not be guaranteed, whereby situations could arise where updates to the citizen's driving license (e.g. in the event of revocation) did not go through to the citizen's driving license app. The risk that a denial-of-service attack on the web service via the Driving License app could potentially affect the National Police's other systems.

Since solutions 1 and 2 could not fulfill the necessary requirements for accessibility and did not meet the concerns of the National Police, solution 3 was implemented.

Overall, a large number of measures have been taken for data minimization and data protection through design and standard settings. These appear from the previously submitted impact analysis for the app, cf. "Implications analysis regarding data protection Digital Driving License" of May 2023 page 42 and response of 15 May 2023 page 3 ff."

In relation to the question of the Driving License app's accessibility needs, the Digitalization Agency has stated that when using the Driving License app, a distinction is made between 3 different accessibility needs:

"1) Accessibility requirements when creating in the app (enrolment)

As a major end-user-facing product for the Danish population, availability of enrollment to the solution has general critical business value. If there are repeated or long-lasting breakdowns of the solution, which means that citizens cannot create their digital driving licence, this will harm both the trust, the distribution and the use of the solution.

2) Availability needs for trusted control (Police)

The driving license app is first and foremost built to be accessible to the widest possible extent to police checks (trusted check), where it is required that you can document your driving license, cf. Section 56, subsection of the Traffic Act. 1., 2 pts. Therefore, the driving license app can also – in most cases – be presented to the police without contact to the backend, so that the citizen does not have to pay a fine for any internet breakdown, lack of mobile signal, etc.

[…]

3) Availability needs for non-trusted control of the app (e.g. Citizen service, Car rental, etc.)

In order for the driving license app to function on an equal footing with the physical driving licence, the app can also be used as a picture ID. The check is carried out by scanning the QR code for non-trusted checkers. This is because the use of the driver's license as photo ID is significantly more widespread than police checks alone.

If the driving license app is not available, it will not be possible to use it for untrusted control. This will mean that the citizen cannot show identification in citizen services, car rental, access to nightlife etc. This function is online-dependent, as the check takes place against the Kørekort app's backend. Contrary to the police control, which the police carry out via their own system.”

3.6. In the impact analysis from 2023, the Digitalization Agency has stated the following about the potential incidents in the risk picture that the agency has identified:

"Ad 4: Violation of availability - breakdown/inaccessibility of the solution's back-end

Consequence (1)

The consequence for the data subject of unavailability of the solution's back-end is Insignificant (insignificant 1). The app works in almost all cases without the back-end being available. In case of unavailability of the back-end, it is not possible to carry out the non-trusted controller's control with QR code. However, the Trusted Controller's (Police) control still works offline.

[…]

Mitigation actions implemented and current probability (4):

[…] It is a known and accepted risk, since the availability of the solution is only categorized as business-critical and not society-critical.

[…]

Ad 5: Violation of accessibility – introduction of blocking errors in the app's code

Consequence (2):

The consequence for the data subject in the event of a breach of the availability of the app is less serious (annoying – 2), as the data subject in that case cannot, for example, show his driving license (denial of access to business services). This could result in the user receiving a fine or, for example, not being able to rent a car. This also corresponds to a consequence of 2.

[…]

Mitigation actions implemented and current probability (2):

[…] The risk of the user being fined is mitigated by the Digital Agency contacting the police department for the search app: They help notify the officers that there is an error in the app. In that case, the officers will look up the users in the driver's license register on their own search app until the error is corrected. It is therefore less likely that the user will be fined for not having brought their driving licence.

[…]

Ad 10: Citizens who do not use the app experience inconvenience when processing their driver's license information

The solution is structured in such a way that the Digital Agency is forced to store driver's license information for all citizens with a valid driver's license. This is due to technical limitations which are further elaborated in the data minimization section above.

Consequence (2):

Citizens who do not want to use the app will be able to experience, for example, a lack of understanding and fear about the protection of their personal data. This corresponds to a consequence of 2 – Less serious

Initial Probability (4):

It will not be often, but expected, that there will be inquiries from citizens who cannot understand why we process information about them without them being enrolled in the app. The probability is therefore 4 – expected.

Mitigation actions implemented and current probability (3):

If a citizen approaches because they experience a lack of understanding and fear of the security of processing when storing their driving license information, the Digital Agency explains the technical reason for the necessity of storing their personal data from the driving license register. In addition, the level of technical protection of their driving license information and the fact that the encrypted information is not decrypted and used unless the citizen enrolls in the app is explained. In addition, there is an information text on the website of the Danish Agency for Digitalisation, which provides information on the above matters. Although some citizens will still be misunderstanding after this, most citizens will be understanding and thus reassured about the storage of their personal data. In this way, we ensure as much security as possible for citizens who do not use the app. combined, this reduces the likelihood to 3 – moderately likely.

Residual risk (6):

After implementation of the mitigation measures, the residual risk is therefore 6 (Consequence 2 x Probability 3) and "Yellow".

In its question framework for risk assessment, the Digital Agency has stated the following:

"Acceptable downtime in the Backend part is less than a week, as the app can function in offline mode without access to the backend. Furthermore, a physical driving license is still a requirement, the digital driving license is only a supplement, which is why it is not critical that new users cannot register for a few days. For the App part of the solution, it is expected that it must/should be available to the citizen within 4-8 hours.”

When asked about what was just quoted from the question frame, the Digitalization Agency stated that if the citizen's digital driving license is not available during a possible police check, it will have significant consequences for the citizen, as the citizen will be able to receive a fine. The Danish Agency for Digitalisation has also stated that the consequences for the Danish Agency for Digitalisation will also be significant, as it will noticeably undermine trust in the Driving License app if citizens experience being fined because the solution is not available.

4. Legal basis, etc.

4.1. Article 5 of the Data Protection Regulation, subsection 1, letter c has the following wording:

"Personal information must:

[…]

c) be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization")"

In preamble consideration no. 39 of the data protection regulation, the following is stated about the principle:

”(39) […] Personal data should be sufficient, relevant and limited to what is necessary in relation to the purposes of their processing. In particular, this requires ensuring that the period of storage is no longer than strictly necessary. Personal data should only be processed if the purpose of the processing cannot reasonably be fulfilled in another way. […]”

In the Ministry of Justice's report no. 1565/2017, pp. 87-88, the following is stated about the previously applicable and almost equivalent provision in the Personal Data Act § 5, subsection 3:

"It appears from § 5, subsection of the Personal Data Act. 3, that information that is processed must be relevant and sufficient and not include more than what is required to fulfill the purposes for which the information is collected and the purposes for which the information is later processed.

It appears from the comments to the Personal Data Act that the terms relevant and sufficient information mean that the nature of the information must correspond to the intended purpose of the processing. The provision also stipulates that the data controller's processing of information is subject to a principle of proportionality.

From p. 97 of the report, it appears that based on a literal interpretation of the Personal Data Act § 5, subsection 3, and the data protection regulation article 5, subsection 1, letter c, does not appear to be intended for a different substantive meaning of Article 5, subsection 1, letter c, than what applied under the Personal Data Act.

From the Data Protection Regulation and the Data Protection Act with comments[2], pp. 328-329, it appears, among other things, the following about the data protection regulation, article 5, subsection 1, letter c:

"The processing of information must not go beyond what is required to fulfill the purposes that the data controller is entitled to pursue, i.e. that the controller's processing of personal data is subject to a principle of proportionality."

4.2. The Danish Data Protection Authority and the former Register Supervision have in a number of cases taken a closer look at the data minimization principle:

4.2.1. In a case that was decided by the former Register Supervisory Authority (Registertilsynet's j.nr. 1993-4210-092), the supervisory authority dealt with the creation of an electronic test response register in the Statens Serum Institut, which was to contain an extract from the Central Personal Register with name and social security number on the entire Danish population. The purpose of the register was that, by virtue of its role as a central laboratory, the Statens Serum Institut should be able to carry out special diagnostics for the whole of Denmark, and with an extract from the CPR register, which was requested to be updated once every six months or the whole year, one would achieve a quick, correct and secure registration of patients on the basis of handwritten sample requisitions. In addition, the register should enable a more automated processing and administration of submitted analytical samples on the basis of an electronic registration of sample data.

The Norwegian Register Authority did not oppose the establishment of the register for the stated purposes. However, the Norwegian Register Authority stated that the authority did not find that the test response register could be created on the basis of an extract from the CPR register covering the entire population of Denmark, as information would be registered on a large number of persons for whom no analyzes would be carried out at the institute's departments .

4.2.2. In another case, which was decided in accordance with the Personal Data Act's provision on data minimization (DATAtilsynet's j.nr. 2004-54-1396), the Ministry of Education wanted to create a database containing exam and grade information from upper secondary education with a view to processing applications for admission to higher education etc. The Ministry of Education had also stated that exam and grade information would be deleted after 60 years.

The Danish Data Protection Authority stated that upon the establishment of the examination database, a register would be created which would eventually contain the majority of the Danish population's examination certificates, and that in the long run there would thus be a very large amount of data, including data which - in at least with the intended uses at the time – would never be needed or that there was no current need for the Ministry of Education to be involved with.

Against this background, the Norwegian Data Protection Authority found it doubtful whether there was the necessary proportionality between the registration of all diplomas in Denmark for 60 years and the fulfillment of the purpose of the database.

4.2.3. In a case concerning the Capital Region's use of fingerprint identification for the secure identification of blood donors (Datatilsynet's j.nr. 2014-632-0081), the Datatilsynet took a position on the region's practice of registering images of the donors' fingerprints and not only registering mathematical values calculated on the basis of this . The Capital Region referred to a lack of funding as a reason for not using mathematical values (templates) instead of images.

The Danish Data Protection Authority concluded - after submitting the case to the Data Council - that the chosen solution did not comply with section 5, subsection of the Personal Data Act. 3, according to which information that was processed should "be relevant and sufficient and not include more than what is required to fulfill the purposes for which the information is collected and the purposes for which the information is later processed."

The Danish Data Protection Authority thus found that the chosen solution was significantly more intrusive towards the data subjects than what was required to fulfill the purpose, and that the processing therefore did not meet the requirements for proportionality which, among other things, followed from § 5, subsection of the Personal Data Act. 3.

4.2.4. In a case where, over a period of 10 months, TDC had carried out 11,366 loggings of location data from mobile data traffic and recorded 185 so-called MMS CDR information about a citizen, the question was whether TDC had recorded more information than was necessary to comply TDC's obligation according to section 4, no. 5 of the logging executive order (Datatilsynet's j.nr. 2018-31-0070).

Overall, TDC stated that it was necessary to register location data for all mobile data traffic in order to comply with the logging order's requirement for registration of location data for MMS communication, as the technical structure of TDC's mobile network did not allow for only recording location data for MMS communication without simultaneously recording location data for all mobile data traffic.

The Danish Data Protection Authority found – after the case had been submitted to the Data Council – that the structure of TDC's IT system could not justify non-compliance with the data protection rules, just as any costs associated with establishing new systems that made it possible to only register the necessary information could not justify a non-compliance with the data protection rules.

On that basis, the Danish Data Protection Authority found that TDC's processing of personal data, which the company had not been obliged to register according to the logging order, was in breach of the Data Protection Regulation, Article 5, subsection 1, letter c, on data minimization.

In this connection, the Danish Data Protection Authority placed particular emphasis on the fact that the vast majority of the information that TDC had registered about the citizen was not necessary to comply with TDC's obligations under the logging order.

4.2.5. In a case concerning the National Police's passing on of information about speeding violations to Aalborg University (Datatilsynet's j.nr. 2022-32-2939), the Data Protection Authority stated – after submission to the Data Council – that the National Police's passing on of personal data was not in accordance with, among other things the data protection regulation, article 5, subsection 1, letter c.

The National Police stated that it was necessary to pass on the relevant information to Aalborg University so that the university could identify and invite relevant persons to participate in a research project on the prevention of speeding offences.

The National Police passed on personal data to the university, regardless of whether the citizen had accepted the fine or not, and regardless of whether the relationship later to be decided in court. The National Police simply passed on information about all persons who were charged in an automatic traffic control and who had received a preliminary fine.

The disclosure was thus not limited to information about persons who had adopted a fine or where the court had made a decision on a fine, and the Danish Data Protection Authority thus found that the disclosure of personal data was not in accordance with the data minimization principle. In relation to the specific case, the Danish Data Protection Authority placed particular emphasis on the fact that the citizen had objected to the proposed fine and was waiting for the courts to process the case when the National Police passed on his information. The supervision also emphasized that the purpose of Aalborg University's processing of personal data was to be able to invite motorists to participate in a research project whose purpose was, among other things, to investigate whether motorists received fewer speeding tickets if – after receiving a speeding ticket – they completed an online course on road safety.

The Danish Data Protection Authority issued an order to the Swedish National Police to stop passing on information to Aalborg University about persons who had received a fine for violating the Traffic Act, if these persons had objected to the fine and the case had not yet been decided by the courts.

5. Reason for the Data Protection Authority's decision

5.1. Processing of personal data in the Kørekort app must – in addition to being based on a legal basis in the data protection regulation – meet the other requirements in the data protection regulation. It includes i.a. the principle of data minimization in Article 5, paragraph 1, letter c.

This also applies even if the Agency for Digitalization may have been under the view that the agency was subject to a deadline for when the digital driving license should be available to citizens, and regardless of whether the Agency for Digitalization may have seen itself obligated to arrange a possible solution according to the current driving license register technical structure, including the fact that it is a mainframe-based system which, according to the agency, is not suitable for making direct postings.

As mentioned, the Danish Agency for Digitization has stated that the alternative solutions that were considered – a direct integration and a web service integration to the current driving license register – were rejected with reference to, among other things, that such solutions would burden the National Police's internal systems, and that the driving license register would be put under pressure as it is established on an older mainframe based system. Furthermore, the Digital Agency has pointed out that the National Police's systems are not directly citizen-facing, and that "uptime" could not be guaranteed if a web service integration was chosen. These alternative solutions were therefore not selected, as the solutions "could not meet the necessary requirements for accessibility and did not meet the concerns of the National Police".

However, the chosen solution implies that the Digitalization Agency stores a copy of personal data from all valid Danish driving licenses in the driving license register (approx. 3.96 million citizens) and thus processes personal data of a very large part of the Danish population who do not have a digital driving license . As mentioned, the Digital Agency has stated that approx. 1.7 million citizens use the Kørekort app. The Norwegian Data Protection Authority has understood this to mean that there is thus a residual group of approx. 2.26 million citizens who are not users of the Kørekort app, but about whom the agency also processes information, notwithstanding that they have not registered for the scheme.

It appears from the data protection regulation's preamble consideration no. 39, among other things, that personal data should only be processed if the purpose cannot reasonably be fulfilled in another way. In accordance with this consideration, in the data protection regulation, Article 5, paragraph 1, letter c, established a principle of data minimization, cf. 4.1 above.

Whether the solution currently chosen for the operation of the Driving license app meets the requirement for data minimization in relation to the approx. 2.26 million citizens who have not joined the Driver's License app is based on an assessment of the accessibility needs that the Digital Agency believes the Driver's License app must be able to meet in relation to the purpose of the processing of the personal data in question.

5.2. The Danish Agency for Digitalisation has stated that repeated or prolonged crashes or unavailability of the digital driving license can damage trust in, the distribution and use of the Driving License app. In addition, the Danish Data Protection Authority is of the opinion that waiting time or delay in creating a digital driving license cannot in itself be considered to be such a significant negative consequence for citizens that it can justify the very extensive processing of personal data in question, as citizens will be able to use their physical driving license at any time. Furthermore, the Danish Data Protection Authority must note that the Danish Agency for Digitalisation, in its question framework for risk assessment, has also stated itself that a "physical driver's license [is] still a requirement, the digital driver's license is only a supplement, which is why it is not critical that new users cannot register in some days."

In the Danish Data Protection Authority's view, the accessibility needs for trusted control described by the Digitalization Agency cannot justify such extensive processing of personal data as the agency currently carries out in relation to the group of driving license holders who have not joined the scheme. This is because citizens can show the Driving License app to the police without contacting the backend, and that the police have the option, via their own system, to check the validity of the driving licence. In other words, the validation of a digital driving license can take place in a state where the citizen's device is offline, but the police's device is online. In the Digitalisation Agency's own words, inaccessibility of the solution's backend will be "negligible" for users, while a breach of the app's availability will be "less serious".

Nor can the accessibility requirements for non-trusted checks (other than the police) as described by the Digital Agency, in the Danish Data Protection Authority's view, justify the processing of personal data for the administration and operation of the Kørekort app, which is currently carried out. Citizens, when they want to pick up parcels, rent vehicles or gain access to nightlife, etc., will have the opportunity to identify themselves with their physical driving license if the Driving License app is (temporarily) unavailable, and the lack of availability will therefore not be significant for the citizens.

The mere fact that it is convenient for citizens to have the Driver's License app, since to a certain extent you can leave the physical driver's license at home, cannot justify the treatment in question either. As mentioned, the Danish Digital Agency has also stated itself that the risk of a breach of accessibility is "a known and accepted risk, since the availability of the solution is only categorized as business-critical and not socially critical."

5.3. It is therefore the Danish Data Protection Authority's opinion that the Danish Agency for Digitalisation's processing of personal data in connection with the administration and operation of the driving license app entails the processing of personal data for which there is no current need, and which the Agency will probably never need in certain cases. It is therefore not necessary to process information about all approx. 3.96 million citizens with a valid Danish driving license in order to fulfill the purpose of making the digital supplement to the physical driving license available to citizens.

Although the purpose of a digital driving license is worthy of recognition, it cannot justify the processing of information about all holders of a valid Danish driving licence, as information is processed about a very large number of people – approx. 2.26 million persons - who have not actively joined the digital driving licence.

Based on the above, the Danish Data Protection Authority is of the opinion that the Danish Agency for Digitalisation's processing of personal data in connection with the administration and operation of the Kørekort app, whereby an extract of information about all holders of a valid Danish driving license in the driving license register is stored and processed, is not in accordance with the data minimization principle in the data protection regulation, article 5, subsection 1, letter c.

5.4. Against this background, the Danish Data Protection Authority states in accordance with the data protection regulation article 58, subsection 2, letter b, serious criticism of the Digital Agency.

Furthermore, the Data Protection Authority announces pursuant to the data protection regulation article 58, subsection 2, letter f, ban on the Digitalization Agency from storing and otherwise processing personal data from the driving license register about registered persons who have not actively joined the digital driving licence.

The ban only applies to personal data from the driving license register of registered persons who have not actively joined the digital driving license and thus not to the Digitalization Agency's processing of personal data of registered persons who have joined the scheme.

The decision on the prohibition of the storage and other processing of personal data from the driving license register of registered persons who have not actively joined the digital driving license implies that the Digitalization Agency must cease the said processing within 4 weeks from today. The Danish Agency for Digitization is asked – within the same deadline – to notify the Danish Data Protection Authority of what the agency has done in light of this decision.

The Norwegian Data Protection Authority draws attention to the fact that, according to the Data Protection Act § 41, subsection 2, no. 4, it is punishable to fail to comply with a limitation of processing notified by the Danish Data Protection Authority pursuant to the regulation's article 58, subsection 2, letter f. Pursuant to section 41, subsection 6, 2nd point, public authorities can also be punished.

6. Continued operation of the digital driving license

The Danish Data Protection Authority must note that the ban on storing and otherwise processing personal data from the driving license register of registered persons who have not actively joined the digital driving license does not imply that the scheme with the digital driving license cannot be maintained vis-à-vis those registered who have actively joined it. The Danish Data Protection Authority recognizes that compliance with the ban could affect the operation of the scheme in relation to e.g. the availability for people who have not actively joined the scheme, but who wish to do so.

However, there will not be a significant impact on the basic function and purpose of the digital driving licence, namely to be a digital supplement to the physical driving licence, for the persons who have actively joined the scheme, and the scheme's basic functions will be able to be continued. The ban thus does not imply that the digital driving license cannot continue in operation.

The continued operation will concretely be possible by the Digitalization Agency e.g. adapts the service sections and database extracts that the agency already uses in such a way that no information is processed about persons who have not actively joined the scheme. The Norwegian Data Protection Authority refers in particular to the possibility of creating a database with the current users of the Kørekort app and in the future maintaining this through so-called delta runs for de-registration and registration in the app.

Such technical adjustments in the digital driving license will ensure that the processing of information about persons who have not actively joined the scheme ceases, without this significantly affecting the functionality of the digital driving license for the persons who have actively joined the scheme.

The connection of new users to the digital driving license will also continue to be possible even after the above-mentioned technical adjustments have been implemented. The Norwegian Data Protection Authority acknowledges that the adjustments may have an impact on the user experience and the speed of enrollment of new users compared to what the current solution offers. However, such disadvantages cannot in any case justify unchanged operation, including the extensive processing of personal data that the scheme currently entails, because it is contrary to the data minimization principle.

In this connection, the Data Protection Authority refers to the fact that the digital driving license is only a voluntary supplement to the ordinary driving licence, and that joining other similar – non-socially critical – citizen-oriented schemes, including renewal of certificates etc., is in a number of cases connected with a some waiting time for the citizens, which they can thus generally be assumed to be used to. The supervisory authority also refers to the fact that joining the scheme is something that is generally only done once, just as the supervisory authority refers to the fact that the Danish Agency for Digitalisation has described the lack of availability of the solution as being "critical to business", but not "critical to society".



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).

[2] The Data Protection Regulation and the Data Protection Act with comments, Kristian Korfits Nielsen and Anders Lotterup, Jurist- og Økonomforbundets Forlag, 2020.

The Norwegian Data Protection Authority

Carl Jacobsens Vej 35
2500 Valby
Tel. 33 19 32 00
dt@datatilsynet.dk

About us

About the Norwegian Data Protection AuthorityPresseHome pagePrivacy policyAvailability statement

Shortcuts

Guidance on GDPRCall usNewsletterThe National Whistleblower Scheme

follow us

The Norwegian Data Protection Authority on LinkedIn

The Digital Agency processes too much personal data in its administration of the digital driving licence

Date: 08-11-2023

Decision Public authorities Serious criticism Supervision / self-operating case Handled by the Data Council Basic principles

Approx. 1.7 million citizens have signed up to the Digitalisation Agency's digital driving licence. But in order to offer the electronic driver's license, the Digitalization Agency stores personal data on all citizens who have a valid Danish driver's license - almost 4 million. The Danish Data Protection Authority now states that the Digital Agency processes personal data on far too many citizens.

Journal number: 2022-432-0099.

1. Preliminary remarks

1.1. The Danish Data Protection Authority hereby returns to the case where, on 7 September 2022, the Danish Data Protection Authority initiated an investigation of its own operations into the Danish Agency for Digitalisation's processing of personal data in the administration and operation of the Kørekort app.

In connection with the processing of the case, the Danish Data Protection Authority has requested the Danish Agency for Digitalisation for opinions on a number of different matters regarding the driving license app, including the basis of processing, data protection through design and default settings, and data minimisation.

In a number of statements, the Danish Agency for Digitization has responded to the Danish Data Protection Authority's letters, and the Danish Agency has basically stated that there is authority in the Data Protection Regulation and the Data Protection Act for the processing of personal data that the scheme with the digital driving license entails, and that, in the Danish Agency's opinion, the scheme is in accordance with the data minimization principle.

1.2. The Danish Data Protection Authority has now completed processing the case. In this connection, the case has been submitted to the Data Council.

In the final processing of the case, the Danish Data Protection Authority has chosen to focus in particular on the question of whether the Digital Agency's processing of personal data in connection with the administration and operation of the Kørekort app is in accordance with the data minimization principle in the data protection regulation[1] article 5, subsection 1, letter c.

2. Decision

2.1. Overall, the Danish Data Protection Authority's opinion is that the Digitalisation Agency's processing of personal data in connection with the administration and operation of the Kørekort app, whereby an extract of information about all holders of a valid Danish driving license in the driving license register is stored and processed, is not in accordance with the data minimization principle in the data protection regulation article 5, subsection 1, letter c.

Against this background, the Danish Data Protection Authority states in accordance with the data protection regulation article 58, subsection 2, letter b, serious criticism of the Digital Agency.

2.2. Furthermore, the Data Protection Authority announces pursuant to the data protection regulation article 58, subsection 2, letter f, ban on the Digitalization Agency from storing and otherwise processing personal data from the driving license register about registered persons who have not actively joined the digital driving licence.

The ban only applies to the Digitalisation Agency's processing of personal data from the driving license register of registered persons who have not actively joined the digital driving licence, and the ban thus does not apply to the processing of personal data of those registered who have joined the scheme.

The decision on the prohibition of the storage and other processing of personal data from the driving license register of registered persons who have not actively joined the digital driving license implies that the Digitalization Agency must cease the said processing within 4 weeks from today. The Danish Agency for Digitization is asked – within the same deadline – to notify the Danish Data Protection Authority of what the agency has done in light of this decision.

The Norwegian Data Protection Authority draws attention to the fact that, according to the Data Protection Act § 41, subsection 2, no. 4, it is punishable to fail to comply with a limitation of processing notified by the Danish Data Protection Authority pursuant to the regulation's article 58, subsection 2, letter f. Pursuant to section 41, subsection 6, 2nd point, public authorities can also be punished.

The Danish Data Protection Authority must note that the ban on storing and otherwise processing personal data from the driving license register of registered persons who have not actively joined the digital driving license does not imply that the scheme with the digital driving license cannot be maintained vis-à-vis those registered who actively has joined it. The basic functions of the scheme will thus be able to continue.

The continued operation will concretely be possible by the Digitalization Agency e.g. adapts the service sections and database extracts that the agency already uses in such a way that no information is processed about persons who have not actively joined the scheme. The Norwegian Data Protection Authority refers in particular to the possibility of creating a database with the current users of the Kørekort app and in the future maintaining this through so-called delta runs for de-registration and registration in the app.

Such technical adjustments in the digital driving license will ensure that the processing of information about persons who have not actively joined the scheme ceases, without this significantly affecting the functionality of the digital driving license for the persons who have actively joined the scheme.

More detailed reference is made to section 6 below.

2.3. Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

3. Case presentation

3.1. On the basis of a complaint from a citizen regarding the Danish Agency for Digitalisation's processing of his personal data in the Agency's solution with the digital driving licence, on 7 September 2022 the Danish Data Protection Authority initiated a closer investigation of the Danish Agency for Digitalisation's administration and operation of the digital driving licence. In this connection, the Danish Data Protection Authority asked the Danish Agency for Digitalisation to explain, among other things, which personal data the agency processes as part of its administration and operation of the driving license app, which further processing takes place, for which purposes and with what authority in the data protection regulation and the data protection act the processing in question takes place, just as the Data Protection Authority asked the Digitalization Agency to explain the division of roles between the Digitalization Agency, the National Police and any other authorities with regard to the processing of personal data for use in the Kørekort app. Finally, the Danish Data Protection Authority asked the Danish Agency for Digitalisation to state whether the processing is in accordance with the requirement for "data minimisation" in the data protection regulation, Article 5, subsection 1, letter c.

The Digital Agency responded by letter of 26 September 2022 to the Data Protection Authority's question. In relation to the issue of data minimisation, the Digital Agency stated overall that the agency assessed that the processing of personal data was in accordance with the requirement for data minimisation.

By letter of 7 October 2022 to the Danish Agency for Digitalisation, the Danish Data Protection Authority requested that the Agency further explain, among other things, why the processing of certain specific types of personal data was considered necessary and thus to be in accordance with the principle of data minimisation.

The Digital Agency responded to the Data Protection Authority's request by letters of 30 November and 19 December 2022.

At the request of the Danish Data Protection Authority, a meeting was subsequently held on 17 May 2023 between the Danish Agency for Digitalisation and the Danish Data Protection Authority, where the agency had the opportunity to answer a number of further questions from the Danish Authority, including about data minimisation.

In continuation of the meeting, on 12 June 2023 the Danish Data Protection Agency asked the Danish Agency for Digitalisation to give a written account of, among other things, the needs for accessibility that the Digital Agency had referred to, just as the supervisory authority asked the agency to elaborate on certain additional matters regarding the data minimization principle.

The Digital Agency answered the Danish Data Protection Authority's supplementary questions by letter of 30 June 2023.

The Digitalisation Agency's response to the Danish Data Protection Authority is reviewed in more detail below, under section 3.2 – 3.6.

3.2. In its responses to the Danish Data Protection Agency, the Digital Agency has provided the following information about the background for the creation of the digital driving licence:

"The government's finance committee decided in 2018 that they wanted to start developing a digital driving license app. In connection with the establishment and implementation of the digital driver's license, it appears that the authority task is anchored in the Digitalization Agency with a view to ensuring coherence in the establishment of digital ID proofs across the public sector. It follows from this that:

"The Danish Agency for Digitalisation will be responsible for the app, including that the app complies with the rules in the area as well as responsibility for the processing of data from the driving license register".

In connection with the coherence reform (see the government's "world-class digital service" World-class digital service, October 2018 (fm.dk) ), the Danish Agency for Digital Affairs was tasked with carrying out this official task of developing the digital driving license and thereby carrying out a task in the interest of society, which has general interest and is of importance to a wider circle of people in Denmark. On page 47 of the Finance Act for 2019, it is mentioned that 1.5 million DKK for initiative on digital driving license and digitization of administration project in the area of driving license - PUBL (fm.dk) [...]"

The driving license app was launched on November 24, 2020.

The Danish Agency for Digitalisation has stated that when the driving license app was launched, the app quickly gained many users, and that the number of users therefore increased very significantly in the first period. According to the Danish Agency for Digitalisation, the connection to the driving license app is still increasing, but the increase is now more moderate and is primarily driven by the fact that young people who acquire driving licenses are continuously connecting.

The Agency for Digitization has also stated that, as part of the administration of the digital driving licence, the agency processes information about approx. 3.96 million citizens that approx. 1.7 million of which use the Kørekort app, and that the remaining group has not joined the scheme.

The National Police and the Digital Agency have entered into an agreement on joint data responsibility for the processing of the personal data from the driving license register, which is delivered to the Digital Agency for use by the Driving License app. It appears from the agreement that the Digital Agency is responsible for the processing of personal data that takes place in connection with the digital driving licence, including responsibility for the correct collection and registration of information.

3.3. The Danish Agency for Digitization has stated that the data that the agency displays in the Kørekort app comes from the driving license register and has been made available to the agency by the National Police. The Danish Agency for Digitalisation thus stores an extract of driving license information for all valid Danish driving licenses from the driving license register, which, according to the Danish Agency for Digitalisation, amounts to approx. 3.96 million driver's license. As mentioned, the Digital Agency has stated that there are approx. 1.7 million people using the Kørekort app.

The Agency for Digitization has stated that the agency receives the following information from the driving license register about all holders of a valid Danish driving licence:

Non-sensitive personal data: Name Date of birth Place of birth Nationality Driving license number Passport number Passport photo Confidential personal data: CPR number Sensitive personal data: Health information, e.g. information on glasses and prostheses (to the extent that such information appears on the current driving licence) Information on criminal offences: Information that the holder of the driving license must drive with an alcohol lock in order to drive the vehicle or must not drink alcohol (to the extent such information appears on the current driver's license)

In addition, the Digital Agency has stated that the processing also includes vulnerable groups, as information is processed on 17-year-olds who have obtained a driving license under the "17-year-old scheme" and on 15-year-olds who have a driving license for a small moped and/or tractor .

3.4. The Agency for Digitization has stated that the agency receives a monthly extract from the driving license register. In addition, the Digital Agency receives a daily extract of changes (a "delta extract") for citizens with a driving licence. The Delta extract contains all new and deleted or changed driving licenses since the last extract. The Digital Agency has explained that the monthly statement is received to safeguard against synchronization errors.

According to the Danish Agency for Digitalisation, the mentioned procedure is the only one possible when, among other things, certain operational and performance requirements must be met, and is therefore necessary to be able to make the digital driving license available to citizens, updated with the latest information.

In order to be able to offer the digital driving licence, it is therefore necessary, according to the Digitalisation Agency, that the Driving License app has access to the driving license holder's (updated and correct) driving license information, which, according to the agency, requires the Driving License app to be able to look up information from the driving license register. According to the Danish Agency for Digitalisation, it is currently not possible to create a technical solution where the Agency can make entries directly in the driving license register, and where the Danish Agency for Digitalisation does not itself store an extract from the register. The Agency for Digitization has stated that the agency therefore finds itself forced to store driving license information for all citizens with a valid Danish driving licence.

3.5. The Danish Agency for Digitization has provided the following information about the data minimization principle:

"The Digital Agency assesses that the processing of the information is in accordance with the requirement for 'data minimisation' in the data protection regulation, Article 5, subsection 1, letter c.

Only the information that is necessary in relation to the processing in question is processed. The Danish Agency for Digitalisation processes information on all citizens who have a valid driving licence, as it is not currently technically possible to make a direct connection to the driving license register, which is why the Danish Agency for Digitalisation has to store a complete extract from the Driving License Register.

A look-up service has not been implemented against the National Police's driving license register, as the driving license register is a mainframe-based system that cannot guarantee the accessibility required by the driving license app's users. The Danish Transport Agency is in the process of starting a project with the development of a new driving license register. The Danish Agency for Digitization has submitted the driving license app's needs to the development project, so that in a future register it will be possible to look up as needed - without making major extracts."

In its impact assessment from November 2020, the Digitalization Agency stated the following:

"Other risks in the solution are that DIGST has to keep an extract from the National Police's [Traffic Agency's] driving license register of all citizens who have a valid driving licence. Information on more citizens than is necessary in relation to the Digital driving license is thus processed. This is because it is not currently technically possible to make a direct entry in the National Police's register, which is why DIGST is forced to store an extract from the driving license register of all citizens who have a valid driving licence. As it is not technically possible to offer a digital driving license with less information, it is DIGST's assessment that the agency has authority in the data protection regulation. 6 pieces. 1, letter e, to also process personal data of citizens who do not have a Digital driving licence.”

In its consultation response of 3 July 2023 to the Danish Data Protection Authority on the section just quoted, the Danish Digital Agency stated that "the impact analysis from 2020 (...) is not correct in relation to the passage mentioned." The Digital Agency has instead referred to the following section in the agency's new impact analysis from May 2023:

"Only the information that is necessary in relation to the purpose of the processing is processed. The Digital Agency only processes an extract of the necessary information from the driving license register. This extract includes all citizens with a valid driver's license for a motor vehicle, as it is not currently technically possible to create a look-up service that looks up the individual users' information in the driver's license register when the user wants to enroll in the app."

Furthermore, in the impact analysis from 2023, the Digital Agency has stated the following about why it is not technically possible to create a look-up service that looks up the individual users' information in the driving license register when the Driving License app needs to access driving license information:

"The reason (...) is that the driving license register is a mainframe-based system that cannot guarantee the need for accessibility that the users of the driving license app need. A single lookup service against the current driver's license register would result in users not being able to enroll in the app. The Swedish Transport Agency is currently working on a project to develop a new driving license register that will be able to provide the necessary accessibility. When the new driving license register is put into use, the Digital Agency will be able to avoid storing an extract of all citizens with a driving licence.

Personal information from the extract is encrypted with strong encryption at the individual level in the databases. The Danish Digital Agency only uses data from the extract regarding the users who enroll in the app. This means that personal data is not decrypted and used on users who do not use the app.

The Danish Digital Agency assesses that the processing of the information is in accordance with the requirement for "data minimisation" in the Data Protection Regulation, Article 5, subsection 1, letter c.”

The reason why the Digital Agency prepared a new impact analysis in 2023, despite the fact that such an analysis had already been prepared in 2020, is that the agency had originally taken the view that only ordinary personal data was processed in connection with the Kørekort app . In May 2022, the Digital Agency became aware that sensitive information and information about criminal matters are also being processed, which necessitated a new impact analysis.

As far as considerations about other technical solutions are concerned, the Digital Agency has stated the following:

"In collaboration with the National Police, the following technical solutions were considered:

A direct integration to the current driving license register A web service integration to the current driving license register The current technical solution with an extract of the necessary driving license information from the driving license register.

Solution 1 was not a technical possibility, as it would require a disproportionately large pressure on the Driving License Register, which is established on an older mainframe system.

Solution 2 was considered, but in dialogue with the National Police and the National Police's supplier […], the solution was deemed untenable. This is due to a number of factors:

The National Police's systems are basically not directly citizen-facing. When launching the Kørekort app, the initial load on a possible web service at the National Police far exceed their capacity and potentially affect the National Police's internal systems. Every time a citizen opens their driving license app, a series of calls are made to the back-end, in which the status and validity of the driving license is determined. Depending on how the web service could be built, at a minimum it would have to handle between 50,000 and 150,000 calls per day, corresponding to the average daily load. At the time, the National Police was not interested in this solution, as it would most likely burden their running systems. As an extension of this, the uptime of the web service could not be guaranteed, whereby situations could arise where updates to the citizen's driving license (e.g. in the event of revocation) did not go through to the citizen's driving license app. The risk that a denial-of-service attack on the web service via the Driving License app could potentially affect the National Police's other systems.

Since solutions 1 and 2 could not fulfill the necessary requirements for accessibility and did not meet the concerns of the National Police, solution 3 was implemented.

Overall, a large number of measures have been taken for data minimization and data protection through design and standard settings. These appear from the previously submitted impact analysis for the app, cf. "Implications analysis regarding data protection Digital Driving License" of May 2023 page 42 and response of 15 May 2023 page 3 ff."

In relation to the question of the Driving License app's accessibility needs, the Digitalization Agency has stated that when using the Driving License app, a distinction is made between 3 different accessibility needs:

"1) Accessibility requirements when creating in the app (enrolment)

As a major end-user-facing product for the Danish population, availability of enrollment to the solution has general critical business value. If there are repeated or long-lasting breakdowns of the solution, which means that citizens cannot create their digital driving licence, this will harm both the trust, the distribution and the use of the solution.

2) Availability needs for trusted control (Police)

The driving license app is first and foremost built to be accessible to the widest possible extent to police checks (trusted check), where it is required that you can document your driving license, cf. Section 56, subsection of the Traffic Act. 1., 2 pts. Therefore, the driving license app can also – in most cases – be presented to the police without contact to the backend, so that the citizen does not have to pay a fine for any internet breakdown, lack of mobile signal, etc.

[…]

3) Availability needs for non-trusted control of the app (e.g. Citizen service, Car rental, etc.)

In order for the driving license app to function on an equal footing with the physical driving licence, the app can also be used as a picture ID. The check is carried out by scanning the QR code for non-trusted checkers. This is because the use of the driver's license as photo ID is significantly more widespread than police checks alone.

If the driving license app is not available, it will not be possible to use it for untrusted control. This will mean that the citizen cannot show identification in citizen services, car rental, access to nightlife etc. This function is online-dependent, as the check takes place against the Kørekort app's backend. Contrary to the police control, which the police carry out via their own system.”

3.6. In the impact analysis from 2023, the Digitalization Agency has stated the following about the potential incidents in the risk picture that the agency has identified:

"Ad 4: Violation of availability - breakdown/inaccessibility of the solution's back-end

Consequence (1)

The consequence for the data subject of unavailability of the solution's back-end is Insignificant (insignificant 1). The app works in almost all cases without the back-end being available. In case of unavailability of the back-end, it is not possible to carry out the non-trusted controller's control with QR code. However, the Trusted Controller's (Police) control still works offline.

[…]

Mitigation actions implemented and current probability (4):

[…] It is a known and accepted risk, since the availability of the solution is only categorized as business-critical and not society-critical.

[…]

Ad 5: Violation of accessibility – introduction of blocking errors in the app's code

Consequence (2):

The consequence for the data subject in the event of a breach of the availability of the app is less serious (annoying – 2), as the data subject in that case cannot, for example, show his driving license (denial of access to business services). This could result in the user receiving a fine or, for example, not being able to rent a car. This also corresponds to a consequence of 2.

[…]

Mitigation actions implemented and current probability (2):

[…] The risk of the user being fined is mitigated by the Digital Agency contacting the police department for the search app: They help notify the officers that there is an error in the app. In that case, the officers will look up the users in the driver's license register on their own search app until the error is corrected. It is therefore less likely that the user will be fined for not having brought their driving licence.

[…]

Ad 10: Citizens who do not use the app experience inconvenience when processing their driver's license information

The solution is structured in such a way that the Digital Agency is forced to store driver's license information for all citizens with a valid driver's license. This is due to technical limitations which are further elaborated in the data minimization section above.

Consequence (2):

Citizens who do not want to use the app will be able to experience, for example, a lack of understanding and fear about the protection of their personal data. This corresponds to a consequence of 2 – Less serious

Initial Probability (4):

It will not be often, but expected, that there will be inquiries from citizens who cannot understand why we process information about them without them being enrolled in the app. The probability is therefore 4 – expected.

Mitigation actions implemented and current probability (3):

If a citizen approaches because they experience a lack of understanding and fear of the security of processing when storing their driving license information, the Digital Agency explains the technical reason for the necessity of storing their personal data from the driving license register. In addition, the level of technical protection of their driving license information and the fact that the encrypted information is not decrypted and used unless the citizen enrolls in the app is explained. In addition, there is an information text on the website of the Danish Agency for Digitalisation, which provides information on the above matters. Although some citizens will still be misunderstanding after this, most citizens will be understanding and thus reassured about the storage of their personal data. In this way, we ensure as much security as possible for citizens who do not use the app. combined, this reduces the likelihood to 3 – moderately likely.

Residual risk (6):

After implementation of the mitigation measures, the residual risk is therefore 6 (Consequence 2 x Probability 3) and "Yellow".

In its question framework for risk assessment, the Digital Agency has stated the following:

"Acceptable downtime in the Backend part is less than a week, as the app can function in offline mode without access to the backend. Furthermore, a physical driving license is still a requirement, the digital driving license is only a supplement, which is why it is not critical that new users cannot register for a few days. For the App part of the solution, it is expected that it must/should be available to the citizen within 4-8 hours.”

When asked about what was just quoted from the question frame, the Digitalization Agency stated that if the citizen's digital driving license is not available during a possible police check, it will have significant consequences for the citizen, as the citizen will be able to receive a fine. The Danish Agency for Digitalisation has also stated that the consequences for the Danish Agency for Digitalisation will also be significant, as it will noticeably undermine trust in the Driving License app if citizens experience being fined because the solution is not available.

4. Legal basis, etc.

4.1. Article 5 of the Data Protection Regulation, subsection 1, letter c has the following wording:

"Personal information must:

[…]

c) be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization")"

In preamble consideration no. 39 of the data protection regulation, the following is stated about the principle:

”(39) […] Personal data should be sufficient, relevant and limited to what is necessary in relation to the purposes of their processing. In particular, this requires ensuring that the period of storage is no longer than strictly necessary. Personal data should only be processed if the purpose of the processing cannot reasonably be fulfilled in another way. […]”

In the Ministry of Justice's report no. 1565/2017, pp. 87-88, the following is stated about the previously valid and almost equivalent provision in the Personal Data Act § 5, subsection 3:

"It appears from § 5, subsection of the Personal Data Act. 3, that information that is processed must be relevant and sufficient and not include more than what is required to fulfill the purposes for which the information is collected and the purposes for which the information is later processed.

It appears from the comments to the Personal Data Act that the terms relevant and sufficient information mean that the nature of the information must correspond to the intended purpose of the processing. The provision also stipulates that the data controller's processing of information is subject to a principle of proportionality.

From p. 97 of the report, it appears that based on a literal interpretation of the Personal Data Act § 5, subsection 3, and the data protection regulation article 5, subsection 1, letter c, does not appear to be intended for a different substantive meaning of Article 5, subsection 1, letter c, than what applied under the Personal Data Act.

From the Data Protection Regulation and the Data Protection Act with comments[2], pp. 328-329, it appears, among other things, the following about the data protection regulation, article 5, subsection 1, letter c:

"The processing of information must not go beyond what is required to fulfill the purposes that the data controller is entitled to pursue, i.e. that the controller's processing of personal data is subject to a principle of proportionality."

4.2. The Danish Data Protection Authority and the former Register Supervision have in a number of cases taken a closer look at the data minimization principle:

4.2.1. In a case that was decided by the former Register Supervisory Authority (Registertilsynet's j.nr. 1993-4210-092), the supervisory authority dealt with the creation of an electronic test response register in the Statens Serum Institut, which was to contain an extract from the Central Personal Register with name and social security number on the entire Danish population. The aim of the register was that, by virtue of its role as a central laboratory, the Statens Serum Institut should be able to carry out special diagnostics for the whole of Denmark, and with an extract from the CPR register, which was requested to be updated once every six months or the whole year, one would achieve a quick, correct and secure registration of patients on the basis of handwritten sample requisitions. In addition, the register should enable a more automated processing and administration of submitted analytical samples on the basis of an electronic registration of sample data.

The Norwegian Register Authority did not oppose the establishment of the register for the stated purposes. However, the Register Authority stated that the authority did not find that the test answer register could be created on the basis of an extract from the CPR register covering the entire population of Denmark, as information would be registered on a large number of people for whom no analyzes would be carried out at the institute's departments .

4.2.2. In another case, which was decided in accordance with the Personal Data Act's provision on data minimization (Data Protection Authority's j.nr. 2004-54-1396), the Ministry of Education wanted to create a database containing exam and grade information from upper secondary education programs with a view to processing applications for admission to higher education etc. The Ministry of Education had also stated that exam and grade information would be deleted after 60 years.

The Danish Data Protection Authority stated that upon the establishment of the examination database, a register would be created which would eventually contain the majority of the Danish population's examination certificates, and that in the long run there would thus be a very large amount of data, including data which - in at least with the intended uses at the time – would never be needed, or that there was no current need for the Ministry of Education to be involved in.

Against this background, the Danish Data Protection Authority found it doubtful whether there was the necessary proportionality between the registration of all diplomas in Denmark for 60 years and the fulfillment of the purpose of the database.

4.2.3. In a case concerning the Capital Region's use of fingerprint identification for the secure identification of blood donors (Datatilsynet's j.nr. 2014-632-0081), the Datatilsynet took a position on the region's practice of registering images of the donors' fingerprints and not only registering mathematical values calculated on the basis of this . The Capital Region referred to a lack of funding as a reason for not using mathematical values (templates) instead of images.

The Danish Data Protection Authority concluded - after submitting the case to the Data Council - that the chosen solution did not comply with section 5, subsection of the Personal Data Act. 3, according to which information that was processed should "be relevant and sufficient and not include more than what is required to fulfill the purposes for which the information is collected and the purposes for which the information is later processed."

The Danish Data Protection Authority thus found that the chosen solution was significantly more intrusive towards the data subjects than what was required to fulfill the purpose, and that the processing therefore did not meet the requirements for proportionality which, among other things, followed from § 5, subsection of the Personal Data Act. 3.

4.2.4. In a case where, over a period of 10 months, TDC had carried out 11,366 loggings of location data from mobile data traffic and recorded 185 so-called MMS CDR information about a citizen, the question was whether TDC had recorded more information than was necessary to comply TDC's obligation according to section 4, no. 5 of the logging executive order (Datatilsynet's j.nr. 2018-31-0070).

Overall, TDC stated that it was necessary to register location data for all mobile data traffic in order to comply with the logging order's requirement for registration of location data for MMS communication, as the technical structure of TDC's mobile network did not allow for only recording location data for MMS communication without simultaneously recording location data for all mobile data traffic.

The Danish Data Protection Authority found – after the case had been submitted to the Data Council – that the structure of TDC's IT system could not justify non-compliance with the data protection rules, just as any costs associated with establishing new systems that made it possible to only register the necessary information could not justify a non-compliance with the data protection rules.

On that basis, the Danish Data Protection Authority found that TDC's processing of personal data, which the company had not been obliged to register after the logging order, was in breach of the Data Protection Regulation, Article 5, subsection 1, letter c, on data minimization.

In this connection, the Danish Data Protection Authority placed particular emphasis on the fact that the vast majority of the information that TDC had registered about the citizen was not necessary to comply with TDC's obligations under the logging order.

4.2.5. In a case concerning the National Police's passing on of information about speeding violations to Aalborg University (Datatilsynet's j.nr. 2022-32-2939), the Data Protection Authority stated – after submission to the Data Council – that the National Police's passing on of personal data was not in accordance with, among other things the data protection regulation, article 5, subsection 1, letter c.

The National Police stated that it was necessary to pass on the relevant information to Aalborg University so that the university could identify and invite relevant persons to participate in a research project on the prevention of speeding offences.

The National Police passed on personal data to the university, regardless of whether the citizen had accepted the fine or not, and regardless of whether the relationship later to be decided in court. The National Police simply passed on information about all persons who were charged in an automatic traffic control and who had received a preliminary fine.

The disclosure was thus not limited to information about persons who had adopted a fine or where the court had made a decision on a fine, and the Danish Data Protection Authority thus found that the disclosure of personal data was not in accordance with the data minimization principle. In relation to the specific case, the Danish Data Protection Authority placed particular emphasis on the fact that the citizen had objected to the proposed fine and was waiting for the courts to process the case when the National Police passed on his information. The supervision also emphasized that the purpose of Aalborg University's processing of personal data was to be able to invite motorists to participate in a research project whose purpose was, among other things, to investigate whether motorists received fewer speeding tickets if – after receiving a speeding ticket – they completed an online course on road safety.

The Danish Data Protection Authority issued an order to the Swedish National Police to stop passing on information to Aalborg University about persons who had received a fine for violating the Traffic Act, if these persons had objected to the fine and the case had not yet been decided by the courts.

5. Reason for the Data Protection Authority's decision

5.1. Processing of personal data in the Kørekort app must – in addition to being based on a legal basis in the data protection regulation – meet the other requirements in the data protection regulation. It includes i.a. the principle of data minimization in Article 5, paragraph 1, letter c.

This also applies even if the Agency for Digitalization may have been under the view that the agency was subject to a deadline for when the digital driving license should be available to citizens, and regardless of whether the Agency for Digitalization may have seen itself obligated to arrange a possible solution according to the current driving license register technical structure, including the fact that it is a mainframe-based system which, according to the agency, is not suitable for making direct postings.

As mentioned, the Danish Agency for Digitization has stated that the alternative solutions that were considered – a direct integration and a web service integration to the current driving license register – were rejected with reference to, among other things, that such solutions would burden the National Police's internal systems, and that the driving license register would be put under pressure as it is established on an older mainframe based system. Furthermore, the Digital Agency has pointed out that the National Police's systems are not directly citizen-facing, and that "uptime" could not be guaranteed if a web service integration was chosen. These alternative solutions were therefore not selected, as the solutions "could not meet the necessary requirements for accessibility and did not meet the concerns of the National Police".

However, the chosen solution implies that the Digitalization Agency stores a copy of personal data from all valid Danish driving licenses in the driving license register (approx. 3.96 million citizens) and thus processes personal data of a very large part of the Danish population who do not have a digital driving license . As mentioned, the Digital Agency has stated that approx. 1.7 million citizens use the Kørekort app. The Norwegian Data Protection Authority has understood this to mean that there is thus a residual group of approx. 2.26 million citizens who are not users of the Kørekort app, but about whom the agency also processes information, notwithstanding that they have not registered for the scheme.

It appears from the data protection regulation's preamble consideration no. 39, among other things, that personal data should only be processed if the purpose cannot reasonably be fulfilled in another way. In accordance with this consideration, in the data protection regulation, Article 5, paragraph 1, letter c, established a principle of data minimization, cf. 4.1 above.

Whether the solution currently chosen for the operation of the Driving license app meets the requirement for data minimization in relation to the approx. 2.26 million citizens who have not joined the Driver's License app is based on an assessment of the accessibility needs that the Digital Agency believes the Driver's License app must be able to meet in relation to the purpose of the processing of the personal data in question.

5.2. The Danish Agency for Digitalisation has stated that repeated or prolonged crashes or unavailability of the digital driving license can damage trust in, the distribution and use of the Driving License app. In addition, the Danish Data Protection Authority is of the opinion that waiting time or delay in creating a digital driving license cannot in itself be considered to be such a significant negative consequence for citizens that it can justify the very extensive processing of personal data in question, as citizens will be able to use their physical driving license at any time. Furthermore, the Danish Data Protection Authority must note that the Danish Agency for Digitalisation, in its question framework for risk assessment, has also stated itself that a "physical driver's license [is] still a requirement, the digital driver's license is only a supplement, which is why it is not critical that new users cannot register in some days."

In the Danish Data Protection Authority's view, the accessibility needs for trusted control described by the Digitalization Agency cannot justify such extensive processing of personal data as the agency currently carries out in relation to the group of driving license holders who have not joined the scheme. This is because citizens can show the Driving License app to the police without contacting the backend, and that the police have the option, via their own system, to check the validity of the driving licence. In other words, the validation of a digital driving license can take place in a state where the citizen's device is offline, but the police's device is online. In the Digitalisation Agency's own words, inaccessibility of the solution's backend will be "negligible" for users, while a breach of the app's availability will be "less serious".

Nor can the accessibility requirements for non-trusted checks (other than the police) as described by the Digital Agency, in the Danish Data Protection Authority's view, justify the processing of personal data for the administration and operation of the Kørekort app, which is currently carried out. Citizens, when they want to pick up parcels, rent vehicles or gain access to nightlife, etc., will have the opportunity to identify themselves with their physical driving license if the Driving License app is (temporarily) unavailable, and the lack of availability will therefore not be significant for the citizens.

The mere fact that it is convenient for citizens to have the Driver's License app, since to a certain extent you can leave the physical driver's license at home, cannot justify the treatment in question either. As mentioned, the Danish Digital Agency has also stated itself that the risk of a breach of accessibility is "a known and accepted risk, since the availability of the solution is only categorized as business-critical and not socially critical."

5.3. It is therefore the opinion of the Danish Data Protection Authority that the Digitalization Agency's processing of personal data in connection with the administration and operation of the Driving License app involves the processing of personal data for which there is no current need, and which the Agency will probably never need in certain cases. It is therefore not necessary to process information about all approx. 3.96 million citizens with a valid Danish driving license in order to fulfill the purpose of making the digital supplement to the physical driving license available to citizens.

Although the purpose of a digital driving license is worthy of recognition, it cannot justify the processing of information about all holders of a valid Danish driving licence, as information is processed about a very large number of people – approx. 2.26 million persons - who have not actively joined the digital driving licence.

Based on the above, the Danish Data Protection Authority is of the opinion that the Danish Agency for Digitalisation's processing of personal data in connection with the administration and operation of the Kørekort app, whereby an extract of information about all holders of a valid Danish driving license in the driving license register is stored and processed, is not in accordance with the data minimization principle in the data protection regulation, article 5, subsection 1, letter c.

5.4. Against this background, the Danish Data Protection Authority states in accordance with the data protection regulation article 58, subsection 2, letter b, serious criticism of the Digital Agency.

Furthermore, the Data Protection Authority announces pursuant to the data protection regulation article 58, subsection 2, letter f, ban on the Digitalization Agency from storing and otherwise processing personal data from the driving license register about registered persons who have not actively joined the digital driving licence.

The ban only applies to personal data from the driving license register of registered persons who have not actively joined the digital driving license and thus not to the Digitalization Agency's processing of personal data of registered persons who have joined the scheme.

The decision on the prohibition of the storage and other processing of personal data from the driving license register of registered persons who have not actively joined the digital driving license implies that the Digitalization Agency must cease the said processing within 4 weeks from today. The Danish Agency for Digitization is asked – within the same deadline – to notify the Danish Data Protection Authority of what the agency has done in light of this decision.

The Norwegian Data Protection Authority draws attention to the fact that, according to the Data Protection Act § 41, subsection 2, no. 4, it is punishable to fail to comply with a limitation of processing notified by the Danish Data Protection Authority pursuant to the regulation's article 58, subsection 2, letter f. Pursuant to section 41, subsection 6, 2nd point, public authorities can also be punished.

6. Continued operation of the digital driving license

The Danish Data Protection Authority must note that the ban on storing and otherwise processing personal data from the driving license register of registered persons who have not actively joined the digital driving license does not imply that the scheme with the digital driving license cannot be maintained vis-à-vis those registered who have actively joined it. The Danish Data Protection Authority recognizes that compliance with the ban could affect the operation of the scheme in relation to e.g. the availability for people who have not actively joined the scheme, but who wish to do so.

However, there will not be a significant impact on the basic function and purpose of the digital driving licence, namely to be a digital supplement to the physical driving licence, for the persons who have actively joined the scheme, and the scheme's basic functions will be able to be continued. The ban thus does not imply that the digital driving license cannot continue in operation.

The continued operation will concretely be possible by the Digitalization Agency e.g. adapts the service sections and database extracts that the agency already uses in such a way that no information is processed about persons who have not actively joined the scheme. The Norwegian Data Protection Authority refers in particular to the possibility of creating a database with the current users of the Kørekort app and in the future maintaining this through so-called delta runs for de-registration and registration in the app.

Such technical adjustments in the digital driving license will ensure that the processing of information about persons who have not actively joined the scheme ceases, without this significantly affecting the functionality of the digital driving license for the persons who have actively joined the scheme.

The connection of new users to the digital driving license will also continue to be possible even after the above-mentioned technical adjustments have been completed. The Norwegian Data Protection Authority acknowledges that the adjustments may have an impact on the user experience and the speed of enrollment of new users compared to what the current solution offers. However, such disadvantages cannot in any case justify unchanged operation, including the extensive processing of personal data that the scheme currently entails, because it is contrary to the data minimization principle.

In this connection, the Data Protection Authority refers to the fact that the digital driving license is only a voluntary supplement to the ordinary driving licence, and that joining other similar – non-socially critical – citizen-oriented schemes, including renewal of certificates etc., is in a number of cases connected with a some waiting time for the citizens, which they can thus generally be assumed to be used to. The supervisory authority also refers to the fact that joining the scheme is something that is generally only done once, just as the supervisory authority refers to the fact that the Danish Agency for Digitalisation has described the lack of availability of the solution as being "critical to business", but not "critical to society".



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).

[2] The Data Protection Regulation and the Data Protection Act with comments, Kristian Korfits Nielsen and Anders Lotterup, Jurist- og Økonomforbundets Forlag, 2020.