Datatilsynet (Denmark) - 2023-432-0022
From GDPRhub
| Datatilsynet - 2023-432-0022 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 5(1)(c) GDPR Article 6(1)(e) GDPR Article 9(2)(g) GDPR § 12(1) of the Danish Auditor General Act |
| Type: | Investigation |
| Outcome: | No Violation Found |
| Started: | |
| Decided: | 14.11.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | Rigsrevisionen |
| National Case Number/Name: | 2023-432-0022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | ar |
Following an inspection, the Danish DPA assessed that Rigsrevisionen, an independent institution conducting auditing on government-funded agencies and enterprises, performed its auditing activities on the basis of Article Article 6(1)(e) GDPR and in compliance with the principle of data minimisation, under Article 5(1)(c) GDPR.
English Summary
Facts
On 29 August 2023, the Danish DPA started a probe into Rigsrevisionen's data processing practices. Rigsrevisionen is an independent institution placed under the Danish parliament conducting audits to determine whether the public accounts are correct and whether government-funded agencies and enterprises comply with current laws and regulations. Because of this function, the DPA considered Rigsrevisionen to be a processor.
The DPA aimed to assess the legal basis of the data processing under Article 6 GDPR and how the processor ensures compliance with the principle of data minimisation of Article 5(1)(c) GDPR. The processor stated that its tasks follow the Danish Auditor General Act and special legislation, which also gives it authorisation to obtain material containing personal data by terminal access to the audited authority's systems. It emphasised that its processing is considered necessary for the performance of a task carried out in the public interest or the exercise of official authority under Article 6(1)(e) GDPR and Article 9(2)(g) GDPR. Although the processor further stated that it is not always relevant and necessary for its auditing activities to obtain personal data, its employees are instructed to justify and document if personal data is to be collected.
Following the report, the Danish DPA asked the processor to clarify its utilisation of terminal access to access personal data. The processor explained that, in practice, terminal access is primarily used in connection with financial audits and that this system allows it to search for specific accounting documents and data, avoiding retrieving entire cases. It clarified that that it does not have unlimited terminal access to all the auditee's systems or cases, as the audited authority decides whether terminal access should be made available to the processor and there needs to be an agreement. For example, an agreement is in place with the Danish Agency for Public Finance and Management. From the agreement, it appears that the employees of the processor can access the data in the joint governmental systems without contacting the authority whose data the access may concern when they have an official necessity. Nonetheless, ministries and agencies are informed about this automatic access to the information in the systems. The processor further explained that the alternative to this system would be retrieving the information by obtaining documents in physical form. Therefore, it believed that using the terminal access supported the principle of data minimisation under Article 5(1)(c) GDPR.
Holding
Pursuant to the information provided, the Danish DPA found that the processor conducted processing of personal data in compliance the GDPR.
The DPA believed that the relevant legal basis for the processor's collection of personal data when performing auditing activities is Article 6(1)(e) GDPR, which states that processing is lawful if necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller. It follows from Article 6(2) GDPR and Article 6(3) GDPR that this legal basis requires a supplementary legal basis in EU or Danish law. In light of this, the processor rightfully mentioned § 12(1) of the Danish Auditor General Act, which provides that the processor may demand that any public authority provide the documents necessary for the performance of its duties.
In addition to having a legal basis for processing, any processing of personal data must also be in accordance with the principles of Article 5 GDPR, including the principle of data minimisation, under Article 5(1)(c) GDPR. This means that when the processor performs its auditing activities, it may only obtain the information necessary for this purpose. Thus, considering the information provided by the processor, the DPA acknowledged that the processor specifically instructs its employees to ensure compliance with the data minimisation obligation, including avoiding receiving certain data, such as civil registration data or other personally identifiable information, if not relevant to the audit. Additionally, considering the terminal access inquiry, the DPA found that the usage of this system was also compliant with the article in question.
Thus, the DPA found that Rigsrevisionen's collection of personal data when performing its auditing activities is within the framework of Article 5(1)(c) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Skip the main navigation
Search
The National Audit Office's provision of information takes place within the framework of the data protection rules
Date: 14-11-2023
Decision Public authorities No criticism Supervision / self-operating case Processing basis
In connection with an inspection, the Danish Data Protection Authority has assessed that the National Audit Office's collection of personal data, when the National Audit Office carries out its auditing activities, takes place within the framework of the data protection rules.
Journal number: 2023-432-0022.
The Danish Data Protection Authority hereby returns to the case where the Danish Data Protection Authority - in accordance with § 27 of the Data Protection Act - on 29 August 2023 initiated a case about the Swedish Audit Office's processing basis in Article 6 of the Data Protection Regulation to obtain personal data when the Swedish Audit Office carries out its auditing activities, and how the Swedish Audit Office in this connection ensures compliance with the principle of data minimization in the regulation's article 5, subsection 1, letter c.
The background to the case is that the Danish Data Protection Authority's targeted supervisory activities in 2023 include the Danish Parliament and its institutions.
1. Decision
After a review of the case, the Danish Data Protection Authority finds that the Swedish Audit Office's processing of personal data takes place within the framework of the data protection rules, including the rules in the data protection regulation[1].
Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.
2. Case presentation
2.1. The National Audit Office is an independent institution under the Folketing and is part of parliamentary control in Denmark. The National Audit Office is tasked with examining whether the state accounts are correct (financial audit). In addition, in connection with the audit and the larger investigations, the National Audit Office examines whether state authorities and other state-funded agencies and companies comply with applicable laws and regulations (legal-critical audit) and are managed sparingly, productively and efficiently (management audit).
2.2. On 29 August 2023, the Danish Data Protection Authority asked the Swedish Audit Office to provide information on how the Swedish Audit Office provides material that contains personal data when the Swedish Audit Office carries out its auditing activities, including whether this is done by physical review at the audited authority, by the audited authority sending material, by terminal access to the audited authority's systems or otherwise.
The Data Protection Authority also asked the National Audit Office to state what the National Audit Office's authority under EU law or Danish law is to obtain personal data when the National Audit Office carries out its auditing activities.
Finally, the Data Protection Authority asked the National Audit Office to be sent a list of completed audits in 2022 and to state whether it is in all cases relevant and necessary for the National Audit Office to receive personal data when the National Audit Office carries out its audit activities, including providing material for use in the audit.
2.3. The National Audit Office stated on 18 September 2023 that the National Audit Office obtains material in all the ways mentioned.
The National Audit Office also stated that:
"The National Audit Office's tasks are bound by law and follow from Act No. 321 of 26 June 1975 on the audit of the state's accounts, etc. with later amendments (the Auditor General's Act) (latest statutory order no. 101 of 19 January 2012) as well as special legislation.
The National Audit Office's authority to obtain information appears in section 12, subsection 1 of the National Auditors Act. 1:
"The Auditor-General may request from any public authority all such information and submission of all such documents which, in the opinion of the Auditor-General, are of importance for the performance of the Auditor-General's duties. The Auditor General can set a deadline for this."
In addition, it is in section 6, subsection of the Auditor General's Act. 2, determined which material and which information the auditor-general has access to in connection with the review of accounts in accordance with section 4 of the Auditor-General's Act:
"The accounts mentioned in § 4, cf. however subsection 3, includes annual accounts with any consolidated accounts and annual reports, interim and interim accounts as well as relevant accounting material, including bookkeeping material, management protocols and similar material, auditor's protocols and reports, etc., as well as other material and information which, in the opinion of the auditor general, is of importance to the performance of his duties duty.”
It is the auditor general who decides which material and which information is important for an audit task.
In relation to the question of obtaining personal data, the following appears from the Ministry of Justice's report on the data protection regulation (2016/679), no. 1565/2017, part II, assessments of special legislation in the individual ministerial areas, p. 14:
"However, the department can inform that two laws have been identified in the area of competence of the Folketing that can regulate the processing of personal data, cf. the appendix's table 3. These are section 12, subsection of the Auditor General's Act. 1, according to which the auditor-general of any public authority may request all such information and submitted all such documents which, in the opinion of the auditor-general, are of importance for the performance of the auditor-general's duties, as well as section 4, subsection of the State Auditors Act. 3, according to which everyone who works in public service has a duty to notify the state auditors of the information and documents that they consider necessary for the performance of their duties. There is thus potential processing of personal data. It is the assessment that the mentioned provisions can be maintained after the regulation comes into force. In the assessment, emphasis has been placed on the fact that the processing is deemed to be necessary for the performance of a task in the interest of society, or which falls under the exercise of public authority, cf. Article 6, subsection 1, letter e, and Article 9, subsection 2, letter g.”
Thus, even after the data protection regulation comes into force, the National Audit Office can obtain the information that the Auditor General deems necessary for audit tasks, including personal data. However, the audit is not aimed at individuals, but at the authority.
It may be relevant and necessary to obtain personal data when the National Audit Office carries out investigations. As an example, report no. 13/2021 on the management of the disability area, where the National Audit Office investigates whether the Ministry of Social Affairs and the Elderly's supervision of the municipalities' management of the disability area is satisfactory.
It is also relevant and necessary for the National Audit Office to obtain certain information about the auditee's employees when the National Audit Office has to check the auditee's rules and guidelines, e.g. whether correct wages etc. are paid, or whether severance payments comply with the rules.
Section 12, subsection of the Auditor General's Act. 1, is "technology neutral" and also constitutes authority to provide material containing personal data by terminal access to the audited authority's systems. Rigsrevisionen's employees can be granted access to a number of systems if they have a work-related need."
The National Audit Office also stated that:
"No, it is not always relevant and necessary for the National Audit Office to obtain personal data when the National Audit Office carries out its auditing activities, including providing material for use for the audit, cf. the attached list. In some cases, however, it is relevant and necessary for the National Audit Office to obtain directly identifiable information, cf. answer to question 2.
Employees of the National Audit Office are instructed to justify and document if personal data is to be collected. The employees are also instructed to engage in dialogue with the audited authority to ensure compliance with the obligation to minimize data, including avoiding receiving, for example, CPR information or other personally identifiable information if it is not relevant to the audit. The National Audit Office can, among other things, refer to the attached material request template that addresses the issue of data minimization. It also follows from section 12 of the Auditor General's Act, skt. 1, and § 6, subsection 2, that the National Audit Office may only obtain the information that is necessary for our tasks. For the sake of order, it should be noted that the requirement for systematic documentation of our considerations about the need to collect personal data was introduced in early 2023 as a follow-up to the National Audit Office's meeting with the Norwegian Data Protection Authority in October 2022.
However, it may happen that the National Audit Office receives personal data that we have not asked for. However, the National Audit Office does not have the authority to demand that the audited prepare new documents for use in the audit, including deleting information in documents before they are handed over to the National Audit Office. It may also be contrary to the auditing purpose if authorities process, including delete, the original material in connection with the National Audit Office's collection of material and information. This is because the material/information must be used as audit evidence.”
It appears from the attached material request template that:
“Material request
For use by the National Audit Office #specify the specific investigation#, #the auditee# is requested to provide the following information/documents, cf. § 12 of the National Auditors Act:
#XX# #XX# #XX#
For the sake of the principle of data minimization, cf. the data protection regulation's article 5, subsection 1, letter c, and section 12, subsection 1 of the Auditor General's Act, the National Audit Office must request that no more information than mentioned above be disclosed, and that personal data be pseudonymized/anonymized as far as possible before disclosure.
You are welcome to return if this gives rise to questions, including to discuss how data minimization can be achieved…”
Finally, the National Audit Office stated that:
"The National Audit Office's tasks include major investigations with a view to reports to the State Auditors on specific subjects, 2 annual reports on the audit of the national accounts and the audit of the state administration, the individual ministerial areas/paragraphs therein as well as the audit of 54 other annual accounts for 2022 (independent public companies etc. ). In addition, there are minor tasks with declarations in connection with EU grants to Danish authorities.
The individual task can consist of several processes, audit visits, etc. In the Norwegian Audit Office's ESDH system, the tasks are therefore often divided into several audit cases.
The Danish Data Protection Authority requests a list of completed audits in 2022. The National Audit Office's cases do not follow a specific calendar year and are therefore not necessarily completed in the year in which they are started. The attached list therefore shows all created audit cases in 2022 in the National Audit Office's ESDH system.
For each audit case, it is stated whether the case contains personal data and, if so, how the information was provided, cf. the categorization in the Danish Data Protection Authority's question 1. For the sake of order, the National Audit Office draws attention to the fact that in a number of the cases there is general personal data in the form of e.g. contact details of those we audit, signatories on annexes and accounts as well as names in instructions etc. Such information is not marked with a "yes" on the list.
Please be aware that the list does not include information on the audit of the classified accounts of the Defense Intelligence Service (FE) and the Police Intelligence Service (PET), respectively, as these cases are classified. It can be stated that the audit of these accounts takes place physically during an on-site visit.”
2.4. In continuation of the Swedish National Audit Office's report of 18 September 2023, the Danish Data Protection Authority asked the Swedish National Audit Office on 3 October 2023 to state how it is determined that personal data must be provided via terminal access, including whether this is linked to the type of audit, who decides that is terminal access made available to the National Audit Office and how the provision of personal data via terminal access takes place in practice, including whether the National Audit Office gets unlimited terminal access to the audited authority's systems or only to pre-selected (relevant) cases.
If the National Audit Office gets unlimited terminal access to the audited authority's systems, the Norwegian Data Protection Authority also asked the National Audit Office to consider whether this is in accordance with the principle of data minimization, including whether the purpose of the audit can be achieved in a similar way without such unlimited access.
2.5. In response to this, the National Audit Office stated on 13 October that:
"In the response of 18 September 2023 to the Norwegian Data Protection Authority regarding the 2022 audits, the National Audit Office has stated that in a number of cases personal data has been obtained for the audit via terminal access. There are 3 different types of terminal access:
The National Audit Office primarily makes use of terminal access to the joint government IT systems on which the Danish Economic and Financial Services Agency and the National Audit Office have entered into an agreement. There are, however, government authorities that do not use the common government IT systems, but other accounting systems, e.g. SAP. Here, specific agreements have been made between the National Audit Office and the audited authority on terminal access. Finally, the National Audit Office is tasked with auditing accounts outside the national accounts. In such cases, an agreement may also have been entered into for terminal access to the auditee's own system or parts of it. This applies, for example, to assignments with the audit of Banedanmark and the Nordic Culture Fund.
Terminal access is generally used to obtain audit evidence, e.g. accounting information, invoices, salary information etc. The choice of audit certificate is made on the basis of the requirements for the audit task, which are laid down in the Auditor General's Act and in the standards for public auditing.
Decision on whether accounting information etc. must be accessed via terminal access, based on the following considerations:
data protection – in connection with the transfer and storage of data the principle of data minimization – i.e. to get as little data as possible for efficiency - both with the auditee and with the National Audit Office.
In principle, the question of whether terminal access is used is not linked to certain types of audit. Terminal access can thus be used for all audit tasks, regardless of whether it is a financial audit, a legal critical audit or an administrative audit. In practice, terminal access is primarily used in connection with the financial audit, where i.a. part of the audit procedures for the audit of the national accounts are carried out centrally and automatically, which is done via direct access to the joint government systems.”
The National Audit Office also stated that:
"The National Audit Office's terminal access to the common government IT systems is described in the agreement between the National Agency for Economic Affairs and the National Audit Office. It appears from the agreement that the employees of the National Audit Office who have an official need can gain access to the government authorities' data in the joint government systems via the Danish Economic and Financial Services Authority without prior contact with the authority whose data access may concern. Ministries and agencies are informed about this automatic access to the information in the systems. In addition, it is the audited authority that decides whether terminal access must be made available to the National Audit Office.
The National Audit Office may, however, at any time carry out audits and review accounts at the place where the accounts are kept, or where the necessary material is otherwise found, cf. section 13 of the National Auditors Act. However, the National Audit Office cannot demand that the information be made available in a certain way, including at terminal access. Local audit – i.e. audit by the auditee – can, however, be compared to terminal access, as the auditor in both cases accesses the information from the auditee. On-site auditing with unlimited access to relevant information, including when terminal access is granted, is a recognized audit access in both public and private auditing.”
Section 5.4 of the Danish Economic and Financial Services Agency's "General service description" from March 2020, to which the National Audit Office has referred, appears. about the National Audit Office's access:
"The National Audit Office and the National Agency for Economic Affairs have entered into an agreement on audit access to the common government IT systems. The agreement means that those of the employees of the National Audit Office who have an official need can gain access to the data of the state institutions in the joint government systems via the Danish Agency for Economic Affairs without prior contact with the institution whose data access may concern. The National Audit Office is responsible for ensuring that only employees with a specific need for the individual system have access to the system, and the National Audit Office is also responsible for ensuring that access is continuously deleted when the need is no longer present. The agreement is a practical expression of the obligation to provide data that public authorities have in accordance with section 12 of the National Auditors Act. This means that the Danish Agency for Economic Affairs is exempt from any responsibility for the National Audit Office's use of data. The National Audit Office thus has sole responsibility both in relation to ministries and agencies and for complying with applicable legislation, including the data protection act and regulation."
In addition, the National Audit Office stated that:
"The National Audit Office does not have unlimited terminal access to all the auditee's systems or files. Employees with a work-related need get read access to the relevant system. If the system allows for it, access is limited to the part of the system that is relevant for the Audit Task of the National Audit Office. This applies, for example, in the area of the Ministry of Taxation, where the National Audit Office has access to the ministry's accounting program SAP Intern, but not to the HR module, which is also located in SAP Intern.
It depends on the specific system how terminal access is provided in practice. This will typically be done by handing over a username and a code.”
Finally, the National Audit Office stated that:
"Cf. above, the National Audit Office does not have unrestricted terminal access to all the auditee's systems or files. The alternative to accessing relevant audit information via terminal access is to take the information home, for example by obtaining attachments in physical form. It is Rigsrevisionen's assessment that terminal access supports the principle of data minimization, since with terminal access the Rigsrevisionen only needs to store personal data to a limited extent, just as terminal access allows the Rigsrevisionen to search for specific accounting documents and data and thus avoid taking home the entire cases.”
3. Reason for the Data Protection Authority's decision
3.1. This appears from the data protection regulation's article 6, subsection 1, that processing is only lawful if and to the extent that at least one of the following conditions applies:
The data subject has given consent to the processing of his personal data for one or more specific purposes. Processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures taken at the data subject's request prior to entering into a contract. Processing is necessary to comply with a legal obligation owed to the data controller. Processing is necessary to protect the vital interests of the data subject or another natural person. Processing is necessary for the performance of a task in the interest of society or which falls under the exercise of public authority, which the data controller has been tasked with. Processing is necessary for the controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms requiring the protection of personal data take precedence, in particular if the data subject is a child.
The Danish Data Protection Authority assumes that the relevant processing basis for the National Audit Office's collection of personal data when the National Audit Office carries out its auditing activities is the data protection regulation's article 6, subsection 1, letter e, from which it follows that processing is lawful if processing is necessary for the performance of a task in the interest of society or which falls under the exercise of public authority that the data controller has been assigned.
It follows from the data protection regulation's article 6, subsection 2 and 3, that this processing basis cannot be used "directly", but requires that there is a supplementary legal basis (authority) in EU law or Danish law.
The National Audit Office has referred to the National Auditors Act[2], including its section 12, subsection 1, as a supplementary legal basis. It appears from this provision that the auditor-general can demand from any public authority all such information and submitted all such documents which, in the opinion of the auditor-general, are of importance for the performance of the auditor-general's duties. The Auditor General can set a deadline for this.
It also appears from report no. 1565[3] 2nd part p. 12 that the Ministry of Finance has assessed that section 12, subsection 1, can be maintained after the entry into force of the regulation. In the assessment, emphasis has been placed on the fact that the processing is deemed necessary for the performance of a task in the interest of society.
On this basis, the Danish Data Protection Authority finds that the National Audit Office has authority in the Data Protection Regulation, Article 6, subsection 1, letter e, to obtain personal data when the National Audit Office carries out its auditing activities, cf. the rules in the National Auditors Act, including section 12, subsection of the Act. 1.
3.2. In addition to having a basis for processing, any processing of personal data must also take place in accordance with the basic principles in Article 5 of the Data Protection Regulation, including the principle of data minimization in letter c of the provision.
It follows from the data protection regulation's article 5, subsection 1, letter c, that personal data must be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization").
This means that the National Audit Office, when the National Audit Office carries out its auditing activities, may only obtain the information that is necessary for this purpose.
Rigsrevision has stated that the Rigsrevision obtains information in a number of ways, including by physical review at the audited authority, by the audited authority sending material and by terminal access to the audited authority's systems.
The National Audit Office has also stated that employees of the National Audit Office are instructed to justify and document if personal data is to be obtained. The employees are also instructed to engage in dialogue with the audited authority to ensure compliance with the obligation to minimize data, including avoiding receiving e.g. CPR information or other personally identifiable information if it is not relevant to the audit.
In this connection, it appears from the attached template that the National Audit Office, when the National Audit Office requests information from an authority, explicitly draws attention to the principle of data minimization, including that no more information than requested is provided and that personal data is pseudonymised/anonymized as far as possible before delivery.
Rigsrevision has also stated that the decision on whether accounting information etc. must be accessed via terminal access, based on several considerations, including "data protection - in connection with the transfer and storage of data" and "the principle of data minimization - i.e. to get as little data in as possible”.
Based on the above and what the National Audit Office has otherwise informed, the Danish Data Protection Authority finds that the National Audit Office's collection of personal data when the National Audit Office carries out its auditing activities takes place within the framework of Article 5, paragraph 1 of the Data Protection Regulation. 1, letter c.
The Norwegian Data Protection Authority has noted with satisfaction that the National Audit Office - in continuation of the meeting between the Norwegian Authority and the National Audit Office - has introduced a requirement for systematic documentation of considerations about the need to collect personal data.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).
[2] Act No. 321 of 26 June 1975 on the audit of the state's accounts, etc. with later amendments (the Auditor General's Act)
[3] Report no. 1565 on the data protection regulation - and the legal framework for Danish legislation
The Norwegian Data Protection Authority
Carl Jacobsens Vej 35
2500 Valby
Tel. 33 19 32 00
dt@datatilsynet.dk
About us
About the Norwegian Data Protection AuthorityPresseHome pagePrivacy policyAvailability statement
Shortcuts
Guidance on GDPRCall usNewsletterThe National Whistleblower Scheme
follow us
The Norwegian Data Protection Authority on LinkedIn
The National Audit Office's provision of information takes place within the framework of the data protection rules
Date: 14-11-2023
Decision Public authorities No criticism Supervision / self-operating case Processing basis
In connection with an inspection, the Danish Data Protection Authority has assessed that the National Audit Office's collection of personal data, when the National Audit Office carries out its auditing activities, takes place within the framework of the data protection rules.
Journal number: 2023-432-0022.
The Danish Data Protection Authority hereby returns to the case where the Danish Data Protection Authority - in accordance with § 27 of the Data Protection Act - on 29 August 2023 initiated a case about the Swedish Audit Office's processing basis in Article 6 of the Data Protection Regulation to obtain personal data when the Swedish Audit Office carries out its auditing activities, and how the Swedish Audit Office in this connection ensures compliance with the principle of data minimization in the regulation's article 5, subsection 1, letter c.
The background to the case is that the Danish Data Protection Authority's targeted supervisory activities in 2023 include the Danish Parliament and its institutions.
1. Decision
After a review of the case, the Danish Data Protection Authority finds that the Swedish Audit Office's processing of personal data takes place within the framework of the data protection rules, including the rules in the data protection regulation[1].
Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.
2. Case presentation
2.1. The National Audit Office is an independent institution under the Folketing and is part of parliamentary control in Denmark. The National Audit Office is tasked with examining whether the state accounts are correct (financial audit). In addition, in connection with the audit and the larger investigations, the National Audit Office examines whether state authorities and other state-funded agencies and companies comply with applicable laws and regulations (legal-critical audit) and are managed sparingly, productively and efficiently (management audit).
2.2. On 29 August 2023, the Danish Data Protection Authority asked the Swedish Audit Office to provide information on how the Swedish Audit Office provides material that contains personal data when the Swedish Audit Office carries out its auditing activities, including whether this is done by physical review at the audited authority, by the audited authority sending material, by terminal access to the audited authority's systems or otherwise.
The Data Protection Authority also asked the National Audit Office to state what the National Audit Office's authority under EU law or Danish law is to obtain personal data when the National Audit Office carries out its auditing activities.
Finally, the Data Protection Authority asked the National Audit Office to be sent a list of completed audits in 2022 and to state whether it is in all cases relevant and necessary for the National Audit Office to receive personal data when the National Audit Office carries out its audit activities, including providing material for use in the audit.
2.3. The National Audit Office stated on 18 September 2023 that the National Audit Office obtains material in all the ways mentioned.
The National Audit Office also stated that:
"The National Audit Office's tasks are bound by law and follow from Act No. 321 of 26 June 1975 on the audit of the state's accounts, etc. with later amendments (the Auditor General's Act) (latest statutory order no. 101 of 19 January 2012) as well as special legislation.
The National Audit Office's authority to obtain information appears in section 12, subsection 1 of the National Auditors Act. 1:
"The Auditor-General may request from any public authority all such information and submission of all such documents which, in the opinion of the Auditor-General, are of importance for the performance of the Auditor-General's duties. The Auditor General can set a deadline for this."
In addition, it is in section 6, subsection of the Auditor General's Act. 2, determined which material and which information the auditor-general has access to in connection with the review of accounts in accordance with section 4 of the Auditor-General's Act:
"The accounts mentioned in § 4, cf. however subsection 3, includes annual accounts with any consolidated accounts and annual reports, interim and interim accounts as well as relevant accounting material, including bookkeeping material, management protocols and similar material, auditor's protocols and reports, etc., as well as other material and information which, in the opinion of the auditor general, is of importance to the performance of his duties duty.”
It is the auditor general who decides which material and which information is important for an audit task.
In relation to the question of obtaining personal data, the following appears from the Ministry of Justice's report on the data protection regulation (2016/679), no. 1565/2017, part II, assessments of special legislation in the individual ministerial areas, p. 14:
"However, the department can inform that two laws have been identified in the area of competence of the Folketing that can regulate the processing of personal data, cf. the appendix's table 3. These are section 12, subsection of the Auditor General's Act. 1, according to which the auditor-general of any public authority may request all such information and submitted all such documents which, in the opinion of the auditor-general, are of importance for the performance of the auditor-general's duties, as well as section 4, subsection of the State Auditors Act. 3, according to which everyone who works in public service has a duty to notify the state auditors of the information and documents that they consider necessary for the performance of their duties. There is thus potential processing of personal data. It is the assessment that the mentioned provisions can be maintained after the regulation comes into force. In the assessment, emphasis has been placed on the fact that the processing is deemed to be necessary for the performance of a task in the interest of society, or which falls under the exercise of public authority, cf. Article 6, subsection 1, letter e, and Article 9, subsection 2, letter g.”
Thus, even after the data protection regulation comes into force, the National Audit Office can obtain the information that the Auditor General deems necessary for audit tasks, including personal data. However, the audit is not aimed at individuals, but at the authority.
It may be relevant and necessary to obtain personal data when the National Audit Office carries out investigations. As an example, report no. 13/2021 on the management of the disability area, where the National Audit Office investigates whether the Ministry of Social Affairs and the Elderly's supervision of the municipalities' management of the disability area is satisfactory.
It is also relevant and necessary for the National Audit Office to obtain certain information about the auditee's employees when the National Audit Office has to check the auditee's rules and guidelines, e.g. whether correct wages etc. are paid, or whether severance payments comply with the rules.
Section 12, subsection of the Auditor General's Act. 1, is "technology neutral" and also constitutes authority to provide material containing personal data by terminal access to the audited authority's systems. Rigsrevisionen's employees can be granted access to a number of systems if they have a work-related need."
The National Audit Office also stated that:
"No, it is not always relevant and necessary for the National Audit Office to obtain personal data when the National Audit Office carries out its auditing activities, including providing material for use for the audit, cf. the attached list. In some cases, however, it is relevant and necessary for the National Audit Office to obtain directly identifiable information, cf. answer to question 2.
Employees of the National Audit Office are instructed to justify and document if personal data is to be collected. The employees are also instructed to engage in dialogue with the audited authority to ensure compliance with the obligation to minimize data, including avoiding receiving, for example, CPR information or other personally identifiable information if it is not relevant to the audit. The National Audit Office can, among other things, refer to the attached material request template that addresses the issue of data minimization. It also follows from section 12 of the Auditor General's Act, skt. 1, and § 6, subsection 2, that the National Audit Office may only obtain the information that is necessary for our tasks. For the sake of order, it should be noted that the requirement for systematic documentation of our considerations about the need to collect personal data was introduced in early 2023 as a follow-up to the National Audit Office's meeting with the Norwegian Data Protection Authority in October 2022.
However, it may happen that the National Audit Office receives personal data that we have not asked for. However, the National Audit Office does not have the authority to demand that the audited prepare new documents for use in the audit, including deleting information in documents before they are handed over to the National Audit Office. It may also be contrary to the auditing purpose if authorities process, including delete, the original material in connection with the National Audit Office's collection of material and information. This is because the material/information must be used as audit evidence.”
It appears from the attached material request template that:
“Material request
For use by the National Audit Office #specify the specific investigation#, #the auditee# is requested to provide the following information/documents, cf. § 12 of the National Auditors Act:
#XX# #XX# #XX#
For the sake of the principle of data minimization, cf. the data protection regulation's article 5, subsection 1, letter c, and section 12, subsection 1 of the Auditor General's Act, the National Audit Office must request that no more information than mentioned above be disclosed, and that personal data be pseudonymized/anonymized as far as possible before disclosure.
You are welcome to return if this gives rise to questions, including to discuss how data minimization can be achieved…”
Finally, the National Audit Office stated that:
"The National Audit Office's tasks include major investigations with a view to reports to the State Auditors on specific subjects, 2 annual reports on the audit of the national accounts and the audit of the state administration, the individual ministerial areas/paragraphs therein as well as the audit of 54 other annual accounts for 2022 (independent public companies etc. ). In addition, there are minor tasks with declarations in connection with EU grants to Danish authorities.
The individual task can consist of several processes, audit visits, etc. In the Norwegian Audit Office's ESDH system, the tasks are therefore often divided into several audit cases.
The Danish Data Protection Authority requests a list of completed audits in 2022. The National Audit Office's cases do not follow a specific calendar year and therefore do not necessarily end in the year in which they are started. The attached list therefore shows all created audit cases in 2022 in the National Audit Office's ESDH system.
For each audit case, it is stated whether the case contains personal data and, if so, how the information was provided, cf. the categorization in the Data Protection Authority's question 1. For the sake of order, the National Audit Office draws attention to the fact that in a number of the cases there is general personal data in the form of e.g. contact details of those we audit, signatories on annexes and accounts as well as names in instructions etc. Such information is not marked with a "yes" on the list.
Please be aware that the list does not include information on the audit of the classified accounts of the Defense Intelligence Service (FE) and the Police Intelligence Service (PET), respectively, as these cases are classified. It can be stated that the audit of these accounts takes place physically during an on-site visit.”
2.4. In continuation of the Swedish National Audit Office's report of 18 September 2023, the Danish Data Protection Authority asked the Swedish National Audit Office on 3 October 2023 to state how it is determined that personal data must be provided via terminal access, including whether this is linked to the type of audit, who decides that is terminal access made available to the National Audit Office and how the provision of personal data via terminal access takes place in practice, including whether the National Audit Office gets unlimited terminal access to the audited authority's systems or only to pre-selected (relevant) cases.
If the National Audit Office gets unlimited terminal access to the audited authority's systems, the Norwegian Data Protection Authority also asked the National Audit Office to consider whether this is in accordance with the principle of data minimization, including whether the purpose of the audit can be achieved in a similar way without such unlimited access.
2.5. In response to this, the National Audit Office stated on 13 October that:
"In the response of 18 September 2023 to the Norwegian Data Protection Authority regarding the 2022 audits, the National Audit Office has stated that in a number of cases personal data has been obtained for the audit via terminal access. There are 3 different types of terminal access:
The National Audit Office primarily uses terminal access to the joint government IT systems on which the Danish Economic and Financial Services Agency and the National Audit Office have entered into an agreement. There are, however, government authorities that do not use the common government IT systems, but other accounting systems, e.g. SAP. Here, specific agreements have been made between the National Audit Office and the audited authority on terminal access. Finally, the National Audit Office is tasked with auditing accounts outside the national accounts. In such cases, an agreement may also have been entered into for terminal access to the auditee's own system or parts of it. This applies, for example, to assignments with the audit of Banedanmark and the Nordic Culture Fund.
Terminal access is generally used to obtain audit evidence, e.g. accounting information, invoices, salary information etc. The choice of audit certificate is made on the basis of the requirements for the audit task, which are laid down in the Auditor General's Act and in the standards for public auditing.
Decision on whether accounting information etc. must be accessed via terminal access, based on the following considerations:
data protection – in connection with the transfer and storage of data the principle of data minimization – i.e. to get as little data as possible for efficiency - both with the auditee and with the National Audit Office.
In principle, the question of whether terminal access is used is not linked to certain types of audit. Terminal access can thus be used for all audit tasks, regardless of whether it is a financial audit, a legal critical audit or an administrative audit. In practice, terminal access is primarily used in connection with the financial audit, where i.a. part of the audit procedures for the audit of the state accounts are carried out centrally and automatically, which is done via direct access to the joint government systems.”
The National Audit Office also stated that:
"The National Audit Office's terminal access to the common government IT systems is described in the agreement between the National Agency for Economic Affairs and the National Audit Office. It appears from the agreement that the employees of the National Audit Office who have an official need can gain access to the state authorities' data in the joint government systems via the Danish Economic and Financial Services Agency without prior contact with the authority whose data access may concern. Ministries and agencies are informed about this automatic access to the information in the systems. In addition, it is the audited authority that decides whether terminal access must be made available to the National Audit Office.
The National Audit Office can, however, at any time carry out audits and review accounts at the place where the accounts are kept, or where the necessary material is otherwise found, cf. section 13 of the National Auditors Act. However, the National Audit Office cannot demand that the information be made available in a specific way, including at terminal access. Local audit – i.e. audit by the auditee – can, however, be compared to terminal access, as the auditor in both cases accesses the information from the auditee. On-site auditing with unlimited access to relevant information, including when terminal access is granted, is a recognized audit access in both public and private auditing.”
Section 5.4 of the Danish Economic and Financial Services Agency's "General service description" from March 2020, to which the National Audit Office has referred, appears. about the National Audit Office's access:
"The National Audit Office and the National Agency for Economic Affairs have entered into an agreement on audit access to the common government IT systems. The agreement means that those of the employees of the National Audit Office who have an official need can gain access to the data of the state institutions in the joint government systems via the Danish Agency for Economic Affairs without prior contact with the institution whose data access may concern. The National Audit Office is responsible for ensuring that only employees with a specific need for the individual system have access to the system, and the National Audit Office is also responsible for ensuring that access is continuously deleted when the need is no longer present. The agreement is a practical expression of the obligation to provide data that public authorities have in accordance with section 12 of the National Auditors Act. This means that the Danish Agency for Economic Affairs is exempt from any responsibility for the National Audit Office's use of data. The National Audit Office thus has sole responsibility both in relation to ministries and agencies and for complying with applicable legislation, including the data protection act and regulation."
In addition, the National Audit Office stated that:
"The National Audit Office does not have unlimited terminal access to all the auditee's systems or files. Employees with a work-related need get read access to the relevant system. If the system allows for it, access is limited to the part of the system that is relevant for the Audit Task of the National Audit Office. This applies, for example, in the area of the Ministry of Taxation, where the National Audit Office has access to the ministry's accounting program SAP Intern, but not to the HR module, which is also located in SAP Intern.
It depends on the specific system how terminal access is provided in practice. This will typically be done by handing over a username and a code.”
Finally, the National Audit Office stated that:
"Cf. above, the National Audit Office does not have unrestricted terminal access to all the auditee's systems or files. The alternative to accessing relevant audit information via terminal access is to take the information home, for example by obtaining attachments in physical form. Rigsrevisionen's assessment is that terminal access supports the principle of data minimization, since with terminal access the Rigsrevisionen only needs to store personal data to a limited extent, just as terminal access allows the Rigsrevisionen to search for specific accounting documents and data and thus avoid taking home the entire cases.”
3. Reason for the Data Protection Authority's decision
3.1. This appears from the data protection regulation's article 6, subsection 1, that processing is only lawful if and to the extent that at least one of the following conditions applies:
The data subject has given consent to the processing of his personal data for one or more specific purposes. Processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures taken at the data subject's request prior to entering into a contract. Processing is necessary to comply with a legal obligation owed to the data controller. Processing is necessary to protect the vital interests of the data subject or another natural person. Processing is necessary for the performance of a task in the interest of society or which falls under the exercise of public authority, which the data controller has been tasked with. Processing is necessary for the controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms requiring the protection of personal data take precedence, in particular if the data subject is a child.
The Danish Data Protection Authority assumes that the relevant processing basis for the National Audit Office's collection of personal data when the National Audit Office carries out its auditing activities is the data protection regulation's article 6, subsection 1, letter e, from which it follows that processing is lawful if processing is necessary for the performance of a task in the interest of society or which falls under the exercise of public authority that the data controller has been assigned.
It follows from the data protection regulation's article 6, subsection 2 and 3, that this processing basis cannot be used "directly", but requires that there is a supplementary legal basis (authority) in EU law or Danish law.
The National Audit Office has referred to the National Auditors Act[2], including its section 12, subsection 1, as a supplementary legal basis. It appears from this provision that the auditor-general can demand from any public authority all such information and submitted all such documents which, in the opinion of the auditor-general, are of importance for the performance of the auditor-general's duties. The Auditor General can set a deadline for this.
It also appears from report no. 1565[3] 2. part p. 12 that the Ministry of Finance has assessed that Section 12, subsection 1, can be maintained after the entry into force of the regulation. In the assessment, emphasis has been placed on the fact that the processing is deemed necessary for the performance of a task in the interest of society.
On this basis, the Danish Data Protection Authority finds that the National Audit Office has authority in the Data Protection Regulation, Article 6, subsection 1, letter e, to obtain personal data when the National Audit Office carries out its auditing activities, cf. the rules in the National Auditors Act, including section 12, subsection of the Act. 1.
3.2. In addition to having a basis for processing, any processing of personal data must also take place in accordance with the basic principles in Article 5 of the Data Protection Regulation, including the principle of data minimization in letter c of the provision.
It follows from the data protection regulation's article 5, subsection 1, letter c, that personal data must be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization").
This means that the National Audit Office, when the National Audit Office carries out its auditing activities, may only obtain the information that is necessary for this purpose.
Rigsrevision has stated that the Rigsrevision obtains information in a number of ways, including by physical review at the audited authority, by the audited authority sending material and by terminal access to the audited authority's systems.
The National Audit Office has also stated that employees of the National Audit Office are instructed to justify and document if personal data is to be obtained. The employees are also instructed to engage in dialogue with the audited authority to ensure compliance with the obligation to minimize data, including avoiding receiving e.g. CPR information or other personally identifiable information if it is not relevant to the audit.
In this connection, it appears from the attached template that the National Audit Office, when the National Audit Office requests information from an authority, explicitly draws attention to the principle of data minimization, including that no more information than requested is provided and that personal data is pseudonymised/anonymized as far as possible before delivery.
Rigsrevision has also stated that the decision on whether accounting information etc. must be accessed via terminal access, based on several considerations, including "data protection - in connection with the transfer and storage of data" and "the principle of data minimization - i.e. to get as little data in as possible”.
Based on the above and what the National Audit Office has otherwise informed, the Danish Data Protection Authority finds that the National Audit Office's collection of personal data when the National Audit Office carries out its auditing activities takes place within the framework of Article 5, paragraph 1 of the Data Protection Regulation. 1, letter c.
The Norwegian Data Protection Authority has noted with satisfaction that the National Audit Office - in continuation of the meeting between the Norwegian Authority and the National Audit Office - has introduced a requirement for systematic documentation of considerations about the need to collect personal data.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).
[2] Act No. 321 of 26 June 1975 on the audit of the state's accounts, etc. with later amendments (the Auditor General's Act)
[3] Report no. 1565 on the data protection regulation - and the legal framework for Danish legislation
