Datatilsynet - 2018-423-0018

From GDPRhub
Datatilsynet - 2018-423-0018
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1) GDPR
Article 24(2) GDPR
Article 26 GDPR
Article 30 GDPR
Article 30(1) GDPR
Type: Investigation
Outcome: Other Outcome
Decided: n/a
Published: 10.08.2020 [[Category:]]
Fine: None
Parties: n/a
National Case Number/Name: 2018-423-0018
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

In August 2020, the Danish Data Protection Authority completed a planned inspection at Varde Municipality. The audit focused on the municipality's compliance with the requirement to keep records of processing activities, including in particular whether the municipality's records could be used for the purposes on which the requirement to keep records is based.

English Summary[edit | edit source]

Facts[edit | edit source]

The audit focused on the municipality's compliance with the requirement to keep records of treatment activities, including in particular whether the municipality's records could be used for the purposes on which the requirement to keep records is based.

Dispute[edit | edit source]

The Danish Data Protection Authority found reason to conclude that certain sections of the municipality's directories raised some challenges in relation to the underlying purposes of maintaining directories. After a review of the submitted lists, it was not clear to the Danish Data Protection Authority which categories of personal data Varde Municipality processes about the individual categories of data subjects.

Holding[edit | edit source]

The Danish Data Protection Authority informed Varde Municipality that an employee who has been assigned an internal responsibility for the processing of personal data is not considered a joint data controller in accordance with the rules in the GDPR. A list - if personal data is or will be passed on - must contain information about which categories of personal data are or will be passed on to the recipient in question, it must also be stated which categories of data subjects the information in question relates to. The lists should be prepared in such a way that the requested information can be clearly deduced directly from the lists.


Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Supervision of preparation of lists in Varde Municipality
Published 10-08-2020
Decision Public authorities

Journal number: 2018-423-0018
Summary

In August 2020, the Danish Data Protection Authority completed a planned inspection at Varde Municipality. The audit focused on the municipality's compliance with the requirement to keep records of treatment activities, including in particular whether the municipality's records could be used for the purposes on which the requirement to keep records is based.

Following the audit of Varde Municipality, the Danish Data Protection Authority found reason to conclude that certain sections of the municipality's directories raised some challenges in relation to the underlying purposes of maintaining directories.

On the basis of the overall experience from the three completed inspections regarding the preparation of lists, the Danish Data Protection Authority has found reason to update the guidelines on lists from January 2018.

You can read the Danish Data Protection Agency's guide on listing here.

Decision

Varde Municipality was among the authorities that the Danish Data Protection Authority in autumn 2018 had chosen to supervise in accordance with the General Data Protection Regulation [1] and the Data Protection Act [2].

The Data Inspectorate's planned inspection of Varde Municipality focused on the municipality's compliance with the requirement to keep records of processing activities in accordance with Article 30 GDPR.

At the request of the Danish Data Protection Agency, Varde Municipality had - before the inspection visit - submitted the municipality's lists to the inspection. The actual inspection visit took place on 24 October 2018.

The GDPR's requirement to keep records of processing activities is to a large extent related to the Regulation's principle of accountability. This principle requires both the data controller to ensure that the processing of personal data is in accordance with the Regulation and the data controller to be able to demonstrate compliance with the Regulation, in accordance with Article 5 (1) of the Regulation. And Article 24 (2). The list must be drawn up in order to demonstrate compliance with the Regulation [3] and must be made available to the Danish Data Protection Agency upon request so that it can be used for supervision in accordance with Article 30 (1). 4.

One of the Data Inspectorate's focus points for the supervision of Varde Municipality was thus whether the municipality's records could be used for the purposes on which the requirement to keep records of processing activities is kept.

Following the audit of Varde Municipality, the Danish Data Protection Authority finds a summary reason to conclude that the preparation of certain sections of the municipality's records raised some challenges in relation to the underlying purposes of keeping records.

On the basis of the experiences from the inspections concerning the preparation of lists, the Danish Data Protection Authority has therefore found reason to update the guidelines on lists from January 2018 [4].

1. Shared data responsibility

Prior to the inspection visit, the Danish Data Protection Authority had noted that Varde Municipality had generally listed named employees in the municipality's registers as being joint data controllers with the municipality for the processing of personal data. When asked about this, Varde Municipality stated that the municipality had stated the names of the heads of the departments / units in which the information is processed.

Against this background, the Danish Data Protection Authority informed Varde Municipality that an employee who has been assigned an internal responsibility for the processing of personal data is not considered a joint data controller in accordance with the rules in the GDPR. The concept of joint data controller is directed at another / external legal entity, e.g. another municipality with which Varde Municipality shares a data responsibility. In cases where there is a common data responsibility, it is also a requirement under Article 26 GDPR that the parties define in a transparent manner their respective responsibilities for compliance with the obligations in the Regulation.

Varde Municipality then stated that the municipality would change the lists so that it becomes clearer that this is an internal division of responsibilities and not a joint data responsibility under Article 26 GDPR.
Categories of data subjects and categories of personal data

Pursuant to Article 30 (I) (1) (c) GDPR, a list must contain a description of the categories of data subjects and the categories of personal data.

2.1. Categories of registered

Prior to the inspection visit, the Danish Data Protection Authority had noted that Varde Municipality's lists generally contained a list of the categories of data subjects about which the municipality processes information.

In some registers, for example, "family members" were listed as categories of registered persons. During the inspection visit, the Danish Data Protection Authority asked in more detail what each of the specified categories covered.

It was then the Data Inspectorate's opinion that those present could not state this with certainty, but that they could only make a qualified guess as to what the listed categories covered. Varde Municipality referred, however, to the fact that the municipality's employees in the individual areas would be able to explain exactly what the specified categories of registered persons covered.

The Danish Data Protection Auhtority therefore stated during the inspection visit that Varde Municipality can advantageously specify several of the specified categories of data subjects in order to ensure that it is not only the municipality's employees in the individual areas who can provide further information about the categories.

2.2. Categories of personal information

Prior to the inspection visit, the Danish Data Protection Auhtority had noted that Varde Municipality's lists generally contain fields in which the municipality could check whether Article 6 information, Article 9 information and Article 10 information are processed in connection with the specific processing activity.

During the inspection visit, however, the Danish Data Protection Auhtority was able to establish that neither those present nor the inspection could see from the lists which specific Article 6 information, Article 9 information or Article 10 information that the municipality processes in connection with the processing activities in question. When asked about this, Varde Municipality stated, however, that the municipality's employees in the individual areas to which the lists relate would be able to specify the categories of information.

In this connection, the Danish Data Protection Agency referred to the Authority's (now earlier) guidelines on inventories from January 2018, which state that the data controller must be able to specify which specific types of Article 9 information are processed.

During the inspection visit, it was therefore discussed that Varde Municipality - in the opinion of the Data Inspectorate - can advantageously prepare its lists in such a way that all categories of personal information are specified in more detail, including to ensure that it is not only the municipality's employees. individual areas that can provide more information about the categories.

Link between categories of data subjects and categories of information

After a review of the submitted lists, it was not clear to the Danish Data Protection Authority which categories of personal data Varde Municipality processes about the individual categories of data subjects. For example, the Danish Data Protection Auhtority could not deduce from the records whether the municipality processes Article 9 information on all of the categories of data subjects listed in the individual directories, or whether this was only the case for some of the specified categories of data subjects.

When asked about this, Varde Municipality stated that the persons present would not be able to state from the lists which categories of personal data the municipality processes about the individual categories of data subjects, and that this would at best be qualified guesses.

Against this background, the Danish Data Protection Agency stated during the inspection visit that, in view of the purposes of the record requirement, the Authority's assessment is that a list of processing activities must contain a clear link between which categories of personal data are processed about the individual categories of data subjects. The Danish Data Protection Authority's updated guidance on inventories from August 2020 is in accordance with this.

4. Categories of recipients to whom the information is or will be passed on

Pursuant to Article 30 (1) (1) (d) GDPR, a list shall include information on the categories of recipients to whom the personal data is or will be transferred, including recipients in third countries or international organizations.

Prior to the inspection visit, the Danish Data Protection Authority had noted that Varde Municipality's lists generally contained a list of the companies, authorities, etc. to which personal data is or could be passed on. In addition, the municipality had specified data processors as a category of recipients to whom personal data is or could be passed on.

During the inspection visit, the Danish Data Protection Authority stated that - in the Data Inspectorate's opinion - it is important to distinguish between when information is handed over to data processors and when information is passed on to other independent data controllers, as there are different forms of exchange of personal data. 

After a review of the submitted lists, it was not clear to the Danish Data Protection Authority which categories of personal data, including which categories of data subjects, could be passed on to the recipients that the municipality had stated in the list. When asked about this, Varde Municipality stated that the persons present would not be able to state this based on the lists.

In this connection, the Danish Data Protection Authority's assessment is that a list - if personal data is or will be passed on - must contain information about which categories of personal data are or will be passed on to the recipient in question. In connection with this, it must also be stated which categories of data subjects the information in question relates to. The Danish Data Protection Auhtority has therefore updated the guidelines on inventories so that the edition from August 2020 is in accordance with this.
5. Deadlines for deleting the different categories of information

Pursuant to Article 30 (I) (1) (f) GDPR, a list shall, if possible, include the expected time limits for deletion of the various categories of information.

Prior to the inspection visit, the Danish Data Protection Authority had noted that in Varde Municipality's registers there was a reference to the recommended deletion deadlines in the municipalities' subject system, KLE.

Asked about the lists' references to the recommended deletion deadlines in KLE, Varde Municipality demonstrated during the inspection visit how to quickly look up in KLE during certain treatment activities and then see the recommended deletion deadline.

During the inspection visit, the Danish Data Protection Authority stated that, after the inspection's assessment, it was sufficient that the municipality had stated a reference to the recommended deletion deadlines in KLE.

6. Description of the technical and organizational security measures

Pursuant to Article 30 (1), 32 (1) (g) GDPR, a list shall, if possible, include a general description of the technical and organizational security measures referred to in Article 32 (1) (g) GDPR. 1.

Prior to the inspection visit, the Danish Data Protection Authority had noted that Varde Municipality in the lists generally referred to the municipality's information security policy.

During the inspection visit, the Danish Data Protection Authority generally had no comments on the fact that Varde Municipality referred in the lists to the municipality's information security policy with regard to a general description of the technical and organizational security measures. However, the Danish Data Protection Authority stated that the municipality can advantageously state this in the list if special measures are implemented - in addition to the general security measures - e.g. in relation to the security in Citizen Service Centers, in municipal libraries or in connection with the processing of personal data via television surveillance, etc.

Prior to the inspection visit, the Danish Data Protection Auhtority had also noted that Varde municipality had stated in several lists "obtaining a child certificate" as a technical or organizational security measure. During the inspection visit, the Danish Data Protection Auhtority stated that “obtaining child certificates - in the Authority's view - does not constitute a security measure within the meaning of Article 32 (1) GDPR. 1 in obtaining such a certificate has a purpose other than the protection of personal data.

7. TV surveillance as a treatment activity

Prior to the inspection visit, the Danish Data Protection Auhtority had noted that it did not appear from Varde Municipality's records whether the municipality processes personal data in connection with television surveillance.

When asked about this, Varde Municipality stated that TV surveillance is carried out in the municipality's citizen service center.

The Danish Data Protection Authority pointed out that this processing should appear in the list for the civil service area. In addition, the Authority pointed out that if the TV surveillance is set up with a view to crime prevention, the municipality should also be aware that information about criminal offenses is potentially processed and that this should be stated in the list.

8. Conclusion

The Danish Data Protection Authority has generally noted that there were several sections in Varde Municipality's records where neither those present from the municipality nor the Danish Data Protection Authority were able to see through the processing activities solely from the records. Although Varde Municipality stated that the municipality's employees in the areas to which the lists relate could elaborate on the contents of the lists, it is the Data Inspectorate's opinion that the lists should be prepared in such a way that the requested information can be clearly deduced directly from the lists.

However, the Danish Data Protection Auhtority can also conclude that the preparation of certain sections of Varde Municipality's lists - including the sections of the lists concerning deletion deadlines and technical and organizational security measures - provides a good overview for both the municipality and the Danish Data Protection Auhtority.

The requirement to keep records of processing activities is - as mentioned above - largely related to the Regulation's principle of accountability.

The responsibility is expressed in that the data controller must both comply with the rules of the regulation and at the same time be able to demonstrate that this is in fact the case. It is thus up to the data controller to have an overview of the processing activities that he carries out and to be able to demonstrate to e.g. the supervisory authority that the treatment activities in question comply with the rules of the Regulation.

Each data controller (and data processor) must thus cooperate with the supervisory authority and, upon request, make the records available to the supervisory authority so that these can be used to monitor whether the data controller complies with the processing conditions in the Regulation. The common thread in the regulation on liability is thus implemented, among other things. in the requirement to list treatment activities in Article 30 GDPR.

Based on the experiences with the inspections of lists in a number of municipalities - including Varde Municipality - the Danish Data Protection Authority has therefore found an opportunity to update the guidelines on lists from January 2018 [5].

This is partly due to the fact that the records that the Danish Data Protection Auhtority has had for review in connection with the inspections, in the Authority's assessment, could not be used to a sufficient extent for the purposes behind the inventory requirement. In several cases, neither the municipalities nor the Danish Data Protection Auhtority could form an overview of the scope of the processing activities based on the content of the lists. Thus, it was also difficult for the Authority to ensure that the treatment activities in question complied with the rules of the Regulation.

It is the Data Inspectorate's assessment that an update of the guidelines contributes to inventories being prepared in a way that ensures that the inventories are concretely and practically applicable to both the data controller / data processor and to the Data Inspectorate.

The Danish Data Protection Auhtority thus emphasizes that the requirement to draw up lists must not just become a formal requirement, and that the lists only become really substantive when they are drawn up in a way that creates a real overview of the treatments in question and forms a basic foundation for the data controller's / data processor's general compliance with the data protection rules.

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to

on the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation).

[2] Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).

[3] Cf. Preamble No 80

[4] The Danish Data Protection Agency's updated guide to inventories from August 2020 can be found on the Authority's website.

[5] The Danish Data Protection Agency's updated guide to inventories from August 2020 can be found on the Authority's website.