Datatilsynet - 2018-32-0232

From GDPRhub
Datatilsynet - 2018-32-0232
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 6(1)(e) GDPR

Article 5(1)(c) GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 25.10.2019
Fine: None
Parties: City of Copenhaguen Vs. anonymous
National Case Number: 2018-32-0232
European Case Law Identifier: n/a
Appeal: n/a
Original Language:

Danish

Original Source: Datatilsynet (in DK)

The DPA found that each new citizen's subscription including collection of their personal data for the purpose of handling deletion requests in the Copenhaguen Civil Registration System (CPR) was not necessary for the performance of a task carried out in the plublic interest, under the data minimisation principle and Article 6(1)(e) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

A citizen requested the deletion of their personal data into the Copenhagen Civil Registration System (CPR).

The personal data have been deleted from the CPR, but the city deletion system results in a new subscription of the citizen’s personal data in the CPR each time deletion requests are made. The consequence is that Copenhagen included the claimant’s personal data in the CPR, even though the person did not live in Copenhaguen for years and had already asked for the deletion of the personal data registered.

Therefore, the Datatilsynet received a complaint regarding the continuous subscription of citizen's personal data into the Copenhagen CPR.

Dispute[edit | edit source]

Is the new subscription of personal data upon deletion request adequate, relevant and necessary for the performance of the citizen data collection service?

Holding[edit | edit source]

The Danish DPA found that the new subscription for the purpose of handling deletion requests is not necessary under Articles 5(1)(c) (data minimisation principle) and 6(1)(e) GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Danish original for more details.

The municipality's CPR subscription was in violation of the data protection rules
Published 25-10-2019
Decision Public authorities

In a specific case, the Data Inspectorate has considered that the City of Copenhagen's continuous subscription to personal data in the Central Personnel Register was in violation of the data protection rules.

Journal number: 2018-32-0232
Summary
On October 25, 2019, the Data Inspectorate decided on a case in which a citizen complained to the Data Inspectorate that the City of Copenhagen had subscribed to personal data about him in the Central Person Register, even though he had not been resident in the municipality for years.
In the specific case, the City of Copenhagen initially deleted the subscription to the citizen's CPR information, after the citizen had addressed this to the municipality. However, the citizen's request to the municipality requesting deletion had triggered a new subscription to his personal data in the CPR.
The City of Copenhagen stated to the Data Inspectorate that, in connection with the citizen's request and request for deletion, the municipality had created a new case in the citizen's name, which raised the need for unambiguous identification in order to support the municipality's exercise of authority, including the duty to handle any access requests etc. .
The Data Inspectorate found that the City of Copenhagen's subscription to the citizen's CPR information for the purpose of being able to handle any access or petition could not be considered necessary under Article 6 (2) of the Data Protection Regulation. The Danish Data Inspectorate paid particular attention to the fact that the municipality has the opportunity to make single reports in CPR when there is a current need for updated information about a citizen.
1. Decision
After a review of the case, the Data Inspectorate finds that there is reason to express criticism that the City of Copenhagen's processing of personal data has not been done in accordance with the rules in Article 6 (1) of the Data Protection Regulation. First
The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision.
2. Case making
It appears from the case that on 17 January 2018, complaints were directed to the City of Copenhagen and asked for an explanation as to why the municipality needed to process information on, among other things. his social security number in the form of a personal subscription to information about him in the Central Person Register, as complainants had not resided in the City of Copenhagen since 1 February 1999.
On the same day, the municipality confirmed receipt of the complainant's request and informed him that a hearing letter would be sent out to the municipality to clarify why the municipality continued to subscribe to the complainant's personal information in the CPR and that the subscription would be terminated if there was no case and necessary reason for the subscription.
On February 13, 2018, the City of Copenhagen announced complaints that the municipality did not need to process the CPR information about him and that the subscription would therefore be terminated. The municipality then canceled the subscription the same day.
Subsequently, it turned out that the subscription for information on complaints in the CPR had been automatically re-subscribed because a current case concerning complaints had been registered in the municipality's filing system, which had been created on the basis of the complainant's request of 17 January 2018 about the municipality's subscription of information about him.
On April 12, 2018, the City of Copenhagen wrote to complaints, announcing that his inquiry had led to the creation of a case in the municipality's filing system and that such filing automatically re-subscribed to a subscription with CPR.
On April 18, 2018, the Complainant requested the City of Copenhagen to immediately cancel the subscription, which the City of Copenhagen refused on May 9, 2018, as the Municipality informed him that his wish for permanent cancellation of the subscription could not be met.
On May 30, 2018, complaints to the Data Inspectorate about the City of Copenhagen's processing of personal data about him.
On August 8, 2018, the Data Inspectorate requested the City of Copenhagen to issue an opinion in the case, which the Data Protection Authority received on November 30, 2018.

2.1. Complainant's comments

The complainant has generally stated that he complains that the City of Copenhagen's system did not take into account the fact that he left the municipality in 1999.

The complainant further stated that he was dissatisfied that the City of Copenhagen's system automatically restores a subscription when a citizen approached the municipality, even though the municipality found in connection with the inquiry had no reason to subscribe.

The complainant further stated that in January 2018 he also addressed the municipality of Høje-Taastrup when he became aware that this municipality also continued to subscribe to personal data about him in CPR, although he left Hoge-Taastrup municipality in 2000. Hoge -Taastrup Municipality decided, on the basis of his inquiry, to delete the municipality's personal subscription for him in CPR, as the municipality did not consider a real need to maintain the subscription.
2.2. Comments from the City of Copenhagen

In its opinion to the Data Inspectorate, the City of Copenhagen stated that the municipality subscribes to CPR information on the complainant's name, social security number, current address and family relations, and that the municipality also subscribed to this information prior to the complainant's request of 17 January 2018.

The City of Copenhagen has stated that the municipality processes information on citizens' personal numbers on the basis of section 11 (1) of the Data Protection Act. 1, for unambiguous identification and as a journal number. As regards the processing of information other than identification information, the legal basis is generally and, as a general rule, Article 6 (1) of the Data Protection Regulation. 1 (e).

The City of Copenhagen has stated that it is the municipality's assessment that - for both current and former citizens of the municipality - it is thus generally possible to process the information referred to.

However, in connection with the complainant's request and request for deletion - the municipality created - in the context of the general duty to record - a case in the complainant's name, and the municipality states that the inquiry therefore raised the need for clear identification.

The City of Copenhagen has stated that the existence of current and recently concluded cases concerning a citizen, in the municipality's opinion, presupposes that the municipality has true and current identification information about the citizen in question. in order to support the exercise of authority by the municipality, including the duty to be able to handle filing requests and inquiries regarding rights under the data protection rules in a sound and secure manner. According to the municipality's assessment, such requests indicate that citizens have a legal requirement under, among other things, public law, administrative law and data protection rules.

Against this background, the municipality is of the opinion that in connection with the complainant's request of 17 January 2018, a legal basis was established to obtain information on complaints from the CPR register, cf. section 11 (1) of the Data Protection Act. 1, and that there is no basis for responding to the complainant's request of April 18, 2018 for the renewal of the subscription of the complainant's personal data in the CPR.
3. Justification for the Danish Data Protection Agency's decision

It follows from section 32 of the CPR Act [2] that when an authority needs information registered in the CPR, the authority may obtain the information in the CPR, cf., however, section 33 (2). First

Information collected through the CPR subscription includes non-sensitive personal information and confidential personal information. Such information must be processed in accordance with Article 6 (2) of the Data Protection Regulation. 1 (a) to (f).

Pursuant to Article 6 (1) of the Data Protection Regulation. In accordance with paragraph 1 (e), the processing of personal data is lawful if the processing is necessary for the sake of carrying out a task in the public interest or which falls under the public authority exercised by the data controller.

Initially, the Data Inspectorate assumes that the City of Copenhagen has subscribed to the CPR information on complaints in the Central Personnel Register for an extended period of time from his departure in February 1999 until his inquiry of 17 January 2018, and that the municipality on the background deleted the subscription to his personal data in CPR.

In addition, the Data Inspectorate assumes that the complainant's request to the City of Copenhagen on 17 January 2018 triggered a renewed subscription to his personal data in CPR, which in the opinion of the City of Copenhagen may be based on Article 6 (2) of the Data Protection Regulation. Accordingly, the municipality has referred to the fact that the treatment is carried out to ensure that the municipality has true and current identification information about the citizen for, among other things. to be able to handle any access or right of claim or other legal requirements under, inter alia, public law, administrative law and data protection rules.

Following a review of the case, the Data Inspectorate finds an opportunity to comment on both the City of Copenhagen's subscription of personal data prior to January 17, 2018 and after January 17, 2018, since in the opinion of the Data Protection Authority, the processing has not been done in accordance with Article 6 (2) of the Data Protection Regulation. . First

The Data Inspectorate has hereby emphasized that the processing of information on the basis of Article 6 (2) of the Data Protection Regulation. 1 (e) shall be necessary. In the opinion of the Data Inspectorate, the Copenhagen Municipality's assertion of the establishment of automatic personal subscriptions in the CPR for the purpose of being able to handle any access or right of petition cannot be considered necessary in accordance with Article 6 (2) of the Data Protection Regulation. 1 (e).

The Danish Data Inspectorate has placed particular emphasis on the fact that the City of Copenhagen has the opportunity to make single inquiries in CPR when there is a current need for updated information about a citizen, eg. in cases where a request for access to the file or the exercise of rights in a closed case may arise. In this context, the Data Protection Authority also refers to Article 5 (1) of the Data Protection Regulation. 1 (c) on data minimization.