Datatilsynet (Denmark) - Danish National Genome Center

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 36(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 25.03.2022
Fine: 50,000 DKK
Parties: Danish National Genome Center
National Case Number/Name: Danish National Genome Center
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Vadym Kublik

The Danish DPA reported a government healthcare agency to the police with a proposal of a 50,000 DKK fine for violating the rules on consultation with a supervisory authority in cases of high risk processing of personal data.

English Summary

Facts

The National Genome Center (NGC) is a leading healthcare agency developing personalized medicine in Denmark. The NGC conducted a Data Protection Impact Assessment (DPIA) concerning its work on gene sequencing and, on 9 December 2021, sent it to the Danish DPA for consultation. The DPIA documentation contained clear language indicating circumstances that could pose a high risk to data subjects' rights. However, the NGC did not implement any mitigating measures and had already begun the processing before consulting the DPA.

Holding

The Danish DPA held that, by starting the data processing despite the high risk to data subjects, the National Genome Center failed to comply with the requirement to consult the supervisory authority beforehand where a data protection impact assessment indicates that the processing would result in a high risk in the absence of mitigating measures. On 13 January 2022, after its initial investigation, the DPA imposed a temporary ban on further collection of personal data and restricted the processing of the data already collected to storage only.

Comment

The DPA in Denmark does not impose fines directly but refers such cases to the police. The police then investigate whether there are grounds for bringing a charge, and any fine is ultimately decided by a court. The press release does not cite a specific GDPR Article, but the decision appears to concern Article 36(1) GDPR. For a discussion of which circumstances trigger the obligation to consult a supervisory authority, see the GDPRhub commentary on Article 36(1) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

National Genome Center is fined
Date: 25-03-2022
News
The Danish Data Protection Agency reports the National Genome Center to the police and recommends a fine of DKK 50,000. The Authority assesses that the center has violated the rules in the GDPR by starting the processing of information without consulting the Danish Data Protection Agency.

On 9 December 2021, the Danish Data Protection Agency received an impact assessment on data protection (DPIA) from the National Genome Center (NGC), which processes information on gene sequencing. The impact assessment showed that, after initiating processing, NGC had been made aware of conditions that could pose a high risk to the data subjects' rights.

Following an initial investigation of the case, on 13 January 2022, the Danish Data Protection Agency imposed a temporary ban on further collection of personal data and a restriction on the processing of the information already collected to include only storage. The ban and the processing restriction were to apply until the NGC had complied with the rules on the content of a DPIA, and until an opinion from the Danish Data Protection Agency was available, if this was required. The Danish Data Protection Agency reserved the right to later use all its powers in relation to a possible sanction.

In the period after 9 December 2021, NGC - after consultation and dialogue with the Danish Data Protection Agency - submitted additional documentation and revised parts of the material already submitted.

Violation of the rules on consultation with the Danish Data Protection Agency

After a review of the case, the Danish Data Protection Agency finds that NGC has not acted in accordance with the rules, as it began processing personal data without consulting the Danish Data Protection Agency, even though its own impact assessment showed that there was a high risk to data subjects' rights.

The Danish Data Protection Agency has emphasized that NGC's description of consequence and probability as well as the description of the product's risk should have led NGC to conclude that there were risk scenarios in the category that NGC itself called “high”, which contained a high residual risk that was not brought down.

The Danish Data Protection Agency has placed particular emphasis on the fact that NGC's own description of the existing residual risk was broadly identical to the wording of what is described as a high risk at European level (see Article 29 Working Party guideline WP248, rev. 01, from October 2017). In addition, the Danish Data Protection Agency is generally of the opinion that, where the consequences for the data subjects are the most far-reaching, only a very limited probability of realization can be tolerated before there is an overall high risk.

Why police report?

The Danish Data Protection Agency always makes a concrete assessment of the seriousness of the case when assessing which sanction is, in the Authority's opinion, the most appropriate.

In its recommendation to the police, the Danish Data Protection Agency has, among other things, emphasized the high quality of the risk work at NGC and NGC's very active participation in clarifying the case, which has significantly reduced the case processing time.

“We take this case very seriously because it is about the basic principle that if an organization's processing of personal data will pose a high risk to the people involved, then the organization must work with the risk and reduce it before it starts processing the information,” explains Allan Frank, IT security specialist and lawyer at the Danish Data Protection Agency, and continues:

“If the organization has not been able to reduce the risk by carrying out the impact assessment, the Danish Data Protection Agency must first be consulted to ensure that the processing is legal and that the data controller has identified all necessary risks and reduced the risk. In other words, this is a significant guarantee of legal certainty for citizens' rights. If you ignore it, you undermine the Danish Data Protection Agency's opportunities to become aware of and check the legality of processing, which entails a great risk for the persons whose information is processed.”