Datatilsynet (Denmark) - 2024-32-0482
From GDPRhub
| Datatilsynet - 2024-32-0482 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 5(1) GDPR Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 6(1)(e) GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 13.09.2025 |
| Published: | 13.09.2025 |
| Fine: | n/a |
| Parties: | Helsingør Kommune Data Subject |
| National Case Number/Name: | 2024-32-0482 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | nikolaj |
Data Subject files a complaint that Data Controller has refused to delete illegally intercepted data.
The DPA finds that though the data is obtained illegally it serves the greater interest of the child and is processed in the exercise of official authority.
English Summary
Facts
The Data Protection Authority (DPA) received a complaint that Helsingør Kommune (City Council, Data Controller) processes and refuses to delete a number of data collected illegally by a third party. The data was being used in a in an investigation following a disclosure on the Data Subjects’ possible mistreatment of child.
Part of the investigation is interception by means of microphones found to be violation of Penal code (Straffeloven 263(2)).
The illegal interception was forwarded to the Data Controller along with the disclosure for possible mistreatment of child by the third party.
On the basis of objection by the Data Subject the City Council initially decided to disregard the interception and transcription, as the Data Controller assumed the data to be collected illegally. The Data Controller also deleted the data. Subsequently the third party chose to re-send the illegally collected data to the Data Controller [again].
The Data Controller later chose to change their original decision (to disregard the data) and use the illegal data. This under the consideration of the greater interests of the child and because of a received disclosure from the Family Court (Familieretshuset). In the disclosaure the Familiy Court expresses concerns over the Data Controllers closure of the investigation and requests the case be re-opened. In addition the Family Court requests that the Data Processer takes the intercepted data into consideration, irrespective of their legality.
The Data Controller believes that the processing of the data services a factual and necessary purpose, even if they have been attained through a criminal act.
After receiving the complaint, the DPA consults The Danish Data Protection Council (Datarådet).
Holding
The Data Protection Authority (DPA) takes the Article 6(1)(e) and Article 5(1), (b), (c) into consideration.
The DPA takes into account that
- The data has been intercepted throug illegal means
- That the data is protected by the Article 6
- That the Data Controller (Helsingør Kommune (City Council)) processes the data in accordance with the Article 6(1)(e) in the exercise of official authority
The DPA does not find that there is cause to countermand the decision by Data Controller to process the data.
The DPA finds that the decision to process, and refusal to delete, the data is in accordance with the Article 5(1), in that the processing occurs to protect the greater interests of the child.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Helsingør Municipality's processing of illegally obtained information was in accordance with data protection regulations Date: 13-09-2024 Decision Public authorities No criticism Complaint Processed by the Data Protection Council Basic principles The Danish Data Protection Authority has made a decision in a case concerning Helsingør Municipality's processing of illegally obtained information. Case number: 2024-32-0482. Summary The Danish Data Protection Authority has made a decision in a case in which a citizen complained that Helsingør Municipality, in connection with the processing of a notification received, had decided to withhold information that was illegally obtained by a third party. It appeared from the case that the father of the complainant's child had carried out wiretapping in the form of hidden microphones. It also appeared from the case that the wiretapping in question had resulted in a conviction for illegal wiretapping. The Municipality of Helsingør had previously, on the basis of an objection from the complainant, decided to exclude the interceptions and transcriptions in question from the municipality's case processing, as the municipality presumed that they had been obtained through a criminal act. The Municipality of Helsingør later changed this decision and chose to use the information. It follows from the practice of the Danish Data Protection Authority that the processing of information by public authorities that has been obtained in violation of other rules can, under certain circumstances, be considered unreasonable, even if the information is relevant to a specific case. In the specific case, however, the Danish Data Protection Authority found – after the case had been discussed at a meeting of the Data Protection Council – that the Municipality of Helsingør's processing of personal data is in accordance with the rules in the General Data Protection Regulation. Decision The Danish Data Protection Authority received […] a complaint that the Municipality of Helsingør is processing – and has refused to delete – a number of information that has been obtained (by a third party) in violation of the rules of the Criminal Code on (secret) interception. 1. Decision The Danish Data Protection Authority finds – after the case has been considered at a meeting of the Data Protection Council – that the Municipality of Helsingør’s processing of personal data is in accordance with the rules of the General Data Protection Regulation, cf. Article 6(1)(e) and Article 5(1). 2. Circumstances of the case The Danish Data Protection Authority received […] a complaint that the Municipality of Helsingør, in connection with the municipality’s processing of a notification received, has made a decision to withdraw information that has been illegally obtained (by a third party). It appears from the case that the father of the complainant’s child – during a pending case regarding […] – has carried out wiretapping in the form of microphones, […]. It is stated in this connection that the wiretapping in question has led to a conviction for illegal wiretapping pursuant to Section 263(1) of the Criminal Code. 2. It is further stated in the complaint that the (illegal) recordings in […] – together with a notification of […] – were forwarded to the Municipality of Helsingør, just as the complainant was otherwise reported for […]. Based on an objection from the complainant, the Municipality of Helsingør decided […] that the interceptions in question and transcriptions thereof should not be included in the municipality’s case processing of the notification case, as the municipality assumed that they had been obtained by means of a criminal act. The Municipality of Helsingør simultaneously deleted the information. In this connection, it is stated in the complaint that the father of the complainant’s child subsequently chose to forward interceptions to the Municipality of Helsingør again, including the original (illegal) interceptions. […] the Municipality of Helsingør informed the complainant that the municipality had decided to reverse its decision not to make use of information that may have been obtained illegally. This is with reference to what is in the best interests of the child, and based on a request from the Family Court, in which the Family Court expresses concern about the closure of the case by the Municipality of Helsingør and at the same time requests the municipality to look at the case again, including including the information in question, regardless of whether it was obtained illegally. It is thus the assessment of the Municipality of Helsingør that the municipality's processing of the information serves an objective and necessary purpose, regardless of whether it was obtained through a criminal act. This is with a view to uncovering the case in relation to being able to make a materially correct discovery of - and decision on - any support needs. 3. The Danish Data Protection Authority's reasoning 3.1. Relevant rules It follows from Article 6(1) of the Data Protection Regulation that processing is only lawful if and to the extent that at least one of the circumstances in the provision applies. For example, processing is lawful if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, cf. Article 6(1)(e). In addition to having a lawful basis in Article 6(1) of the General Data Protection Regulation, personal data must be processed in accordance with the principles in Article 5(1) of the General Data Protection Regulation. Among other things, personal data must – according to point (a) of the provision – be processed lawfully, fairly and in a transparent manner in relation to the data subject. In addition, the processing of personal data must be objective and proportionate, cf. points (b) and (c) of the provision. 3.2. The Danish Data Protection Authority’s practice It follows from the Danish Data Protection Authority’s practice that processing of information that has been unlawfully obtained may be in breach of the principle of fairness in Article 5(1) of the General Data Protection Regulation. 1, letter a. An example of this is the case with case number 2018-32-0065, which concerned SKAT's processing of a number of information about complaints that had been collected by the State Prosecutor for Economic and International Crime (formerly known as SØIK) in violation of the Administration of Justice Act and subsequently shared with SKAT. The Danish Data Protection Authority found – after the case had been heard by the Data Council – that SKAT had processed information in violation of Section 5(1) of the former Personal Data Act on good data processing practices (which corresponds to Article 5(1)(a) of the General Data Protection Regulation), and that SKAT should delete the information in question. 4. The Danish Data Protection Authority's assessment The Danish Data Protection Authority assumes that the personal data processed by the Municipality of Helsingør is part of a notification case in the municipality. The personal data was obtained in connection with a case concerning […], and it is further assumed that the information originates from wiretapping that the other parent of the child in question has carried out in the complainant's home in violation of Section 263(2) of the Criminal Code. The Danish Data Protection Authority further assumes that the personal data in question is covered by Article 6 of the General Data Protection Regulation, and that the processing of the personal data by the Municipality of Helsingør is based on Article 6(1)(e), which stipulates that the processing of personal data may take place, among other things, if it is necessary for the exercise of public authority. The Danish Data Protection Authority finds no basis for overriding the municipality's assessment that it is necessary to process the personal data as part of the municipality's performance of its official duties (the notification case), and it is thus assumed that the municipality has the legal basis in Article 6(1)(e) to process the personal data. The question is then whether the processing of the unlawfully obtained personal data is contrary to the principles of Article 5 of the General Data Protection Regulation, in particular the provision in letter a that the processing of personal data must be fair. In the opinion of the Danish Data Protection Authority, whether the use and other processing of personal data that has been unlawfully obtained is fair must depend on a specific assessment in the individual case. Reference can be made in this regard to recital 4 of the General Data Protection Regulation, which states that the right to the protection of personal data is not an absolute right, but must be weighed against other fundamental rights. The assessment of fairness pursuant to Article 5(1) must in particular include how (and by whom) the information was obtained, and what conflicting interests there are in (continued) processing of the information. As mentioned, the present case concerns personal data that was obtained in connection with a case concerning […]. The information originates from wiretapping that the father of the child in question has carried out in violation of Section 263(2) of the Danish Penal Code. The information is part of a notification case in the Municipality of Helsingør, and the purpose of the municipality's processing of the information is to identify whether there is a need to take measures to ensure the child's safety. The Danish Data Protection Authority finds that the Municipality of Helsingør's processing of the illegally obtained information is reasonable and is also in accordance with the other principles in Article 5(1) of the General Data Protection Regulation. In summary, the Danish Data Protection Authority is of the opinion that the Municipality of Helsingør's (continued) processing of the personal data is in accordance with the rules in the General Data Protection Regulation, cf. Article 6(1)(e) and Article 5(1). The Danish Data Protection Authority therefore also finds that the Municipality of Helsingør should not delete the information. The Danish Data Protection Authority Carl Jacobsens Vej 35 2500 Valby Tel. 33 19 32 00 dt@datatilsynet.dk About us About the Danish Data Protection AuthorityPressHomepagePrivacy PolicyAccessibility Statement Shortcuts Call usNewsletterThe National Whistleblower Scheme Follow us The Danish Data Protection Authority on LinkedIn Helsingør Municipality's processing of illegally obtained information was in accordance with data protection regulations Date: 13-09-2024 Decision Public authorities No criticism Complaint Processed by the Data Council Basic principles The Danish Data Protection Authority has made a decision in a case concerning the Danish Data Protection Authority's processing of illegally obtained information. Case number: 2024-32-0482. Summary The Danish Data Protection Authority has made a decision in a case in which a citizen complained that the Danish Data Protection Authority, in connection with the processing of a notification received, had decided to withdraw information that was illegally obtained by a third party. It emerged from the case that the father of the complainant's child had conducted wiretapping in the form of hidden microphones. It also emerged from the case that the wiretapping in question had resulted in a conviction for illegal wiretapping. The Municipality of Helsingør had previously, on the basis of an objection from the complainant, decided to exclude the wiretappings and transcriptions in question from the municipality's case processing, as the municipality assumed that they had been obtained through a criminal act. The Municipality of Helsingør later changed this decision and chose to use the information. It follows from the practice of the Danish Data Protection Authority that the processing of information by public authorities that has been obtained in violation of other rules can, under certain circumstances, be considered unreasonable, even if the information is relevant to a specific case. In the specific case, however, the Danish Data Protection Authority found – after the case had been discussed at a meeting of the Data Protection Council – that the Municipality of Helsingør's processing of personal data is in accordance with the rules in the General Data Protection Regulation. Decision The Danish Data Protection Authority received […] a complaint that the Municipality of Helsingør processes – and has refused to delete – a number of information that has been obtained (by a third party) in violation of the Criminal Code’s rules on (secret) wiretapping. 1. Decision The Danish Data Protection Authority finds – after the case has been considered at a meeting of the Data Protection Council – that the Municipality of Helsingør’s processing of personal data is in accordance with the rules in the General Data Protection Regulation, cf. Article 6(1)(e) and Article 5(1). 2. Circumstances of the case The Danish Data Protection Authority received […] a complaint that the Municipality of Helsingør, in connection with the municipality’s processing of a notification received, has made a decision to withhold information that has been obtained (by a third party) illegally. It appears from the case that the father of the complainant’s child – during a pending case regarding […] – has carried out wiretapping in the form of microphones, […]. In this connection, it is stated that the interceptions in question have led to a conviction for illegal interception pursuant to Section 263, subsection 2 of the Danish Penal Code. It is further stated in the complaint that the (illegal) recordings in […] – together with a notification of […] – were forwarded to the Municipality of Helsingør, just as the complainant was otherwise reported to […]. Based on an objection from the complainant, the Municipality of Helsingør decided […] that the interceptions in question and their transcriptions should not be included in the municipality's case processing of the notification case, as the municipality assumed that they were obtained by means of a criminal act. The Municipality of Helsingør simultaneously deleted the information. In this connection, it is stated in the complaint that the father of the complainant's child subsequently chose to send interceptions to the Municipality of Helsingør again, including the original (illegal) interceptions […] the Municipality of Helsingør informed the complainant that the municipality had decided to reverse its decision not to make use of information that may have been obtained illegally. This with reference to what is in the best interests of the child, and on the basis of an inquiry from the Family Court, in which the Family Court expresses concern about the Municipality of Helsingør's closure of the case and at the same time requests the municipality to look at the case again, including including the inclusion of the information in question regardless of whether it may have been obtained illegally. It is thus the assessment of the Municipality of Helsingør that the municipality's processing of the information serves an objective and necessary purpose, regardless of whether it was obtained through a criminal act. This is with a view to uncovering the case in relation to being able to make a materially correct discovery of - and decision on - any support needs. 3. The Data Protection Authority's reasoning 3.1. Relevant rules It follows from Article 6(1) of the General Data Protection Regulation that processing is only lawful if and to the extent that at least one of the conditions in the provision applies. Processing is lawful, for example, if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, cf. Article 6(1)(e). In addition to having a lawful basis in Article 6(1) of the General Data Protection Regulation, personal data must be processed in accordance with the principles in Article 5(1) of the General Data Protection Regulation. Among other things, personal data must – according to point (a) of the provision – be processed lawfully, fairly and in a transparent manner in relation to the data subject. In addition, the processing of personal data must be objective and proportionate, cf. points (b) and (c) of the provision. 3.2. The Danish Data Protection Authority's practice It follows from the Danish Data Protection Authority's practice that the processing of information that has been unlawfully obtained may be in breach of the principle of fairness in Article 5(1)(a) of the General Data Protection Regulation. An example of this is the case with case number 2018-32-0065, which concerned SKAT's processing of a number of information about complaints that had been collected by the State Prosecutor for Economic and International Crime (formerly known as SØIK) in breach of the Administration of Justice Act and subsequently shared with SKAT. The Danish Data Protection Authority found – after the case had been heard by the Data Council – that SKAT had processed information in breach of Section 5(1) of the former Personal Data Act on good data processing practices (which corresponds to Article 5(1)(a) of the General Data Protection Regulation) and that SKAT should delete the information in question. 4. The Danish Data Protection Authority's assessment The Danish Data Protection Authority assumes that the personal data processed by the Municipality of Helsingør is part of a notification case in the municipality. The personal data was obtained in connection with a case concerning […], and it is further assumed that the information originates from wiretapping that the other parent of the child in question has carried out in the complainant's home in violation of Section 263(2) of the Danish Criminal Code. The Danish Data Protection Authority further assumes that the personal data in question is covered by Article 6 of the General Data Protection Regulation, and that the processing of the personal data by the Municipality of Helsingør is based on Article 6(1)(e), which stipulates that the processing of personal data may take place, among other things, if it is necessary for the exercise of public authority. The Danish Data Protection Authority finds no basis for overriding the municipality's assessment that it is necessary to process the personal data as part of the municipality's performance of its official duties (the notification case), and it is therefore assumed that the municipality has the legal basis in Article 6(1)(e) to process the personal data. The question is therefore whether the processing of the unlawfully obtained personal data is contrary to the principles in Article 5 of the General Data Protection Regulation, in particular the provision in letter a that the processing of personal data must be fair. In the opinion of the Danish Data Protection Authority, whether the use and other processing of personal data that has been unlawfully obtained is fair must depend on a specific assessment in the individual case. Reference can be made in this regard to recital 4 of the General Data Protection Regulation, which states that the right to protection of personal data is not an absolute right, but must be weighed against other fundamental rights. In the assessment of fairness pursuant to Article 5(1)(e) of the General Data Protection Regulation, 1, must in particular include how (and by whom) the information was obtained, and what conflicting interests there are in (continued) processing of the information. As mentioned, the present case concerns personal data obtained in connection with a case concerning […]. The information originates from wiretapping carried out by the father of the child in question in violation of Section 263(2) of the Criminal Code. The information is part of a notification case in the Municipality of Helsingør, and the purpose of the municipality's processing of the information is thus to identify whether there is a need to take measures to ensure the child's safety. The Danish Data Protection Authority finds that the Municipality of Helsingør's processing of the illegally obtained information is reasonable and is also in accordance with the other principles in Article 5(1) of the General Data Protection Regulation. In summary, the Danish Data Protection Authority is of the opinion that the Municipality of Helsingør's (continued) processing of the personal data is in accordance with the rules in the General Data Protection Regulation, cf. Article 6, paragraph 1, letter e, and Article 5, paragraph 1. The Danish Data Protection Authority therefore also finds that the Municipality of Helsingør should not delete the information.
