Datatilsynet (Denmark) - 2019-31-1713: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=2019-31-17...") |
(No difference)
|
Revision as of 09:08, 1 July 2020
| Datatilsynet - 2019-31-1713 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 23 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 02.06.2020 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 2019-31-1713 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | DPA Webpage (in DA) |
| Initial Contributor: | n/a |
The Danish DPA (Datatilsynet) declared itself incompetent for deciding about the processing of traffic data since the storage limitation in the telecommunication act is lex specialis to the general provision on storage in Article 5 (1)(e) GDPR.
English Summary
Facts
On June 2, 2020, the DPA decided on the case, which involved TDC A / S, Nuuday A / S and Dansk Kabel TV A / S.
Dispute
Holding
The DPA found a basis for criticizing TDC A / S for answering an access request only 5 months after the request was made. According to Article 12(3) GDPR the response has to be the latest within 3 months.
The DPA considered that it had no competence to decide on TDC A / S 'processing of position data on complaints, since the processing took place in accordance with section 23 (1) of the contract notice. 1 (telecommunication law), which does not fall under the Authority's supervisory powers. Telecommunications providers' processing of personal data is regulated in both the Data Protection Regulation and the Data Protection Act as well as telecommunications legislation, including the contract notice. It follows from section 23 (1) of the contract notice. 1, providers of public electronic communications networks or services must ensure that traffic data relating to subscribers or users is deleted or anonymized when they are no longer necessary for the transmission of the communication. This is further stated in section 23 (1) of the contract notice. 2, that, notwithstanding subsection (2). 1, a provider as mentioned in subsection 1, 1 process and store traffic data for the purpose of charging subscribers and billing for interconnection. Such processing and storage is permitted until the statutory limitation period for the debt obligations and settlements in question has expired.
The rules in the contract notice are considered to be lex specialis in relation to the data protection regulation, lex generalis. That is, to the extent that the rules govern the same issues as the Data Protection Regulation, they precede the Data Protection Regulation. Pursuant to section 23 (1) of the contract notice. 1, regulates how long data may be stored, this rule thus precedes the general provision on storage restriction in Article 5 (1)(e) of the GDPR.
In addition, the DPA did not find sufficient grounds for criticizing Nuuday A / S 'preparation of predictive models with a view to targeting any subsequent marketing. The processing ceased when complainants objected to the processing of personal data.
Furthermore, the DPA found no basis for criticizing Nuuday A / S's handling of the complainant's request for insight, as the Authority emphasized that it registered in accordance with Article 15 (1) of the Data Protection Regulation. (C) the right to be informed of the recipients or categories of recipients to whom personal data concerning them is or will be disclosed, but that, in accordance with Article 15 (1) of the Data Protection Regulation; 1, a right applies to be specifically informed what information has been disclosed.
Finally, the DPA found cause for criticism of Dansk Kabel TV A / S 'continued processing of information on complaints after the end of the customer relationship, as Dansk Kabel TV A / S processed information in the form of bank statements which extended beyond the retention period in section 10 of the Accounting Act, PCS.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Processing Insight Request and Personal Information
Published 02-06-2020
Decision Private companies
Based on a complaint, the Data Inspectorate has taken a position on a number of companies in the TDC Group's processing of personal data.
Journal number: 2019-31-1713
Summary
On June 2, 2020, the Data Inspectorate decided on the case, which involved TDC A / S, Nuuday A / S and Dansk Kabel TV A / S.
The Data Inspectorate found a basis for criticizing TDC A / S 'handling of the complainant's request for insight when TDC A / S first responded to the inquiry at the request of the Data Inspectorate 5 months after the request was made.
The Data Inspectorate considered that the Authority had no competence to decide on TDC A / S 'processing of position data on complaints, since the processing took place in accordance with section 23 (1) of the contract notice. 1, which does not fall under the Authority's supervisory powers.
In addition, the Data Inspectorate did not find sufficient grounds for criticizing Nuuday A / S 'preparation of predictive models with a view to targeting any subsequent marketing. The processing ceased when complainants objected to the processing of personal data.
Furthermore, the Authority found no basis for criticizing Nuuday A / S's handling of the complainant's request for insight, as the Authority emphasized that it registered in accordance with Article 15 (1) of the Data Protection Regulation. (C) the right to be informed of the recipients or categories of recipients to whom personal data concerning them is or will be disclosed, but that, in accordance with Article 15 (1) of the Data Protection Regulation; 1, a right applies to be specifically informed what information has been disclosed.
Finally, the Data Inspectorate found cause for criticism of Dansk Kabel TV A / S 'continued processing of information on complaints after the end of the customer relationship, as Dansk Kabel TV A / S processed information in the form of bank statements which extended beyond the retention period in section 10 of the Accounting Act, PCS. First
Decision
The Data Inspectorate hereby returns to the case where [X] on April 18, 2019 has complained to the Supervisor of a number of companies' processing of personal data about him.
The Data Inspectorate has understood the complaint as concerning:
TDC A / S 'handling of the complainant's request for insight of 14 November 2018
TDC A / S 'processing of information about the complainant's position data
Nuuday A / S 'profiling of information about complaints
Nuuday A / S's information about recipients or categories of recipients of information about complaints
Dansk Kabel TV A / S 'continued processing of information on complaints after the end of the customer relationship
It appears from the case that the complainant is a subscriber to Telmore A / S and formerly a subscriber to YouSee A / S and Dansk Kabel TV A / S. The companies are all affiliated with TDC Group.
It is clear from Telmore A / S's website and Yousee A / S's website that Nuuday A / S is the data controller for Telmore A / S 'and Yousee A / S' processing of personal data and that Nuuday A / S is also affiliated with TDC Group.
Finally, Dansk Kabel TV A / S's personal data message states that Dansk Kabel TV A / S is the data controller for the company's processing of personal data.
1. Decision
Following a review of the case, the Data Inspectorate finds that there is reason to express criticism that TDC A / S has not handled the complainant's request for access in accordance with the rules of Article 15 of the Data Protection Regulation. [1]
With regard to TDC A / S 'processing of information on the complainant's position data, the Data Inspectorate finds that the Authority has no competence to assess whether TDC A / S' has processed information on the complainant's traffic data in accordance with the rules in section 23 of the contract notice . , PCS. 1, cf. 2nd
The Data Inspectorate does not find reason to comment on Nuuday A / S 'processing in accordance with Article 22 of the Data Protection Regulation.
Furthermore, the Data Inspectorate does not find sufficient grounds for criticizing Nuuday A / S 'processing of information in accordance with Article 6 (2) of the Data Protection Regulation. Paragraph 1 (f), up to the objection of the complainant.
In connection with the complainant's remarks about the transfer to partners, the Data Inspectorate finds that there is no basis for assuming that Nuuday A / S 'processing of the complainant's request for access should have been in violation of Article 15 (2) of the Data Protection Regulation. 1 (c).
Finally, the Data Inspectorate finds that there is reason to express criticism that Dansk Kabel TV A / S 'continued processing of information on complaints after the end of the customer relationship has not been in accordance with Article 6 (2) of the Data Protection Regulation. 1, smh. Article 5 (1) of the Data Protection Regulation 1 (e).
The following is a detailed examination of the case and a justification for the Authority's decisions.
2. TDC A / S 'handling of the complainant's request for insight
On November 14, 2018, complainants sent a request for access to the email address dpo@tdc.dk. The complainant's request was a reply to a marketing email from YouSee A / S.
When the complainant did not receive a reply to his request, he contacted the Danish Data Protection Agency, which on February 21, 2019 sent the inquiry to TDC A / S with a view to TDC A / S answering the complainant's request.
TDC A / S then responded to the complainant's request on April 11, 2019.
2.1. The complainant's remarks
The complainant states that TDC A / S responded to his request under Article 15 of the Data Protection Regulation for late access as almost four months went from his request of 18 November 2018 to TDC's reply of 11 April 2019.
2.2. TDC A / S 'comments
TDC A / S has generally stated that the company is not seen to have received the complainant's email of November 14, 2018. TDC A / S has stated that the company does not therefore exclude having received the email in question.
TDC A / S has stated that on November 14, 2018, YouSee A / S accidentally sent a very large number of unfinished emails to current and former customers whose email addresses were contained in a temporary broadcast database that should have been "Cleaned" of old email addresses before a later broadcast. The incident was previously dealt with by the Danish Data Protection Agency in connection with the Danish Data Protection Agency's decision of 28 March 2019, jnr. 2018-431-0017. In this connection, TDC A / S received exceptionally many inquiries about the e-mail transmission, and many asked for insight into their personal data.
Against this background, TDC A / S has considered that the complaint of the complainant must unfortunately have been overlooked due to the large number of inquiries.
2.3. The Authority's decision and justification
The Data Inspectorate assumes that on November 14, 2018, complaints were requested by TDC A / S for insight into what information YouSee A / S and the TDC Group as a whole processed about him.
The Data Inspectorate further assumes that on April 11, 2019, TDC A / S responded to the complainant's request.
It follows from Article 12 (1) of the Data Protection Regulation. 3 that a request for access must be answered without undue delay and no later than one month after receipt. If the request is complicated, the data controller can extend the response time by another two months. Thus, there is an absolute deadline for replying to requests from a registrant of three months.
Thus, the Data Inspectorate finds that TDC A / S has not responded to the complainant's request for access within the time limit in Article 12 (2) of the Data Protection Regulation. 3, cf. Article 15.
Against this background, the Data Inspectorate criticizes TDC A / S for not responding to the complainant's request for access in accordance with Article 12 (2) of the Data Protection Regulation. 3, cf. Article 15.
3. TDC A / S 'processing of position data information
TDC A / S stated in reply to the complainant's insight request that TDC had registered logs of position data on the complainant's SMS and voice activity.
TDC A / S thus sent two appendices entitled "Position data on text and speech (detailed)" and "Position data on text and speech (summarized)". The appendices contain a number of information about telephone calls and SMSs, including locations, telephone numbers, service providers and call length or megabytes.
The most recent logging was from March 2019 and the oldest from 2016.
3.1. The complainant's remarks
The complainant has generally stated that TDC A / S is not authorized to process information about his traffic and location data.
3.2. TDC A / S 'comments
TDC A / S has confirmed that the company processes information on complaints in the form of logging of traffic data. TDC A / S processes traffic data in order to be able to transmit communication in an electronic communications network as well as to charge the subscriber for this use and to settle interconnection with other providers.
The treatment is based on section 23 (2). 2, of Executive Order No. 715 of 23 June 2011 on the provision of electronic communications networks and services ("the contract notice").
TDC A / S states that the processing is thus in accordance with Article 5 (1) of the Data Protection Regulation. 1 (c) and Article 5 (1). Paragraph 1 (e), where processing and storage of traffic data for use in debiting and settlement of interconnection is permitted until the expiry of the statutory limitation period for the debt obligations and settlement in question.
3.3. The Authority's decision and justification
Telecommunications providers' processing of personal data is regulated in both the Data Protection Regulation and the Data Protection Act as well as telecommunications legislation, including the contract notice [3] .
It follows from section 23 (1) of the contract notice. 1, providers of public electronic communications networks or services must ensure that traffic data relating to subscribers or users is deleted or anonymized when they are no longer necessary for the transmission of the communication.
This is further stated in section 23 (1) of the contract notice. 2, that, notwithstanding subsection (2). 1, a provider as mentioned in subsection 1, 1 process and store traffic data for the purpose of charging subscribers and billing for interconnection. Such processing and storage is permitted until the statutory limitation period for the debt obligations and settlements in question has expired.
The rules in the contract notice are considered to be lex specialis in relation to the data protection regulation, lex generalis. That is, to the extent that the rules govern the same issues as the Data Protection Regulation, they precede the Data Protection Regulation.
Pursuant to section 23 (1) of the contract notice. 1, regulates how long data may be stored, this rule thus precedes the general provision on storage restriction in Article 5 (1) of the Data Protection Regulation. 1 (e).
The same applies to the extent that TDC A / S processes information to comply with section 23 (1) of the contract notice. 2nd
In this connection, the Data Inspectorate finds that there is no basis for overriding it stated by TDC A / S that the information presented in the annexes "Position data on SMS and speech (detailed)" and "Position data on SMS and speech (summarized) ”, Is necessary to keep in order to charge the subscriber and to settle interconnection with other providers in accordance with section 23 (2) of the contract notice. 2nd
Thus, the Data Inspectorate cannot decide on TDC A / S 'processing of traffic data on complaints, since this is assumed to be done in accordance with section 23 (1) of the contract notice. 1, cf. 2, which does not fall under the Authority's supervisory powers.
4. Nuuday A / S 'profiling of information about complaints
With the reply to the complainant's request for insight, TDC A / S sent two documents entitled "Predictive models explanation" and "Predictive models". The documents show that the complainant's tendency to terminate his subscription with Telmore A / S has been assessed, as well as whether complaints have been more or less likely to buy a number of mobile phone models.
4.1. The complainant's remarks
The complainant has generally stated that TDC A / S has not had the authority to process the information in question about him because it is a marketing promotion.
The complainant claims that an automatic decision was made in accordance with Article 22 (2) of the Data Protection Regulation. 1, in relation to the degree of marketing, which products to promote and which websites the marketing should be from. For this reason alone, the complainants do not consider Article 6 (2) of the Data Protection Regulation. 1 (f) as sufficient legal basis, since profiling and automatic decisions require consent.
In addition, the complainant has disagreed with the statement by TDC A / S that targeted banner advertising is not direct marketing.
Finally, complainants have maintained that TDC A / S has processed traffic data covered by section 23 (1) of the contract notice. 1, for direct marketing purposes.
4.2. TDC A / S 'comments
TDC A / S has stated that Nuuday A / S does not process information on complaints with a view to profiling for direct marketing purposes. However, Nuuday A / S has processed personal data on complaints for other marketing activities following a balance of interests based on Article 6 (2) of the Data Protection Regulation. 1, but has ceased to process the information for that purpose, after complainants objected to this processing in accordance with Article 21 (1) of the Data Protection Regulation. First
Personal information that is normally used for profiling is either obtained from the customer himself or has been generated in Nuuday A / S 'systems in connection with the customer's use of Nuuday A / S' services. TDC A / S also processes information about the customer's possible telephone subscriptions with other telecommunications providers, if these are available via the directory information service 118, which receives this information directly from the telecommunications providers.
As the Data Protection Regulation unspecified defines the term "direct marketing", has Nuuday A / S has chosen to settle against the corresponding marketing legal concept, see. DCO Spam Manual from 2018 [4] , which among other things contains an exhaustive list of the marketing channel types requiring a consent.
Appendix 1 of the Guide provides a number of examples of what may constitute direct marketing on social media, including private messages, notifications, comments and tags.
In conclusion, TDC A / S has emphasized that Nuuday A / S does not use "traffic data", cf. section 2 (2) of the contract notice. 1 (2) for marketing purposes.
4.3. The Authority's decision and justification
The Data Inspectorate assumes that Nuuday A / S has processed information about complaints to prepare predictive models with a view to targeting any subsequent marketing, and that the information has been collected in connection with the complainant's subscription with Telmore A / S.
Furthermore, the Data Inspectorate assumes that Nuuday A / S no longer processes the information on complaints after complaints objected to the processing.
Finally, the Data Inspectorate assumes that Nuuday A / S has not obtained a consent from complaints for the specific purpose of the processing.
The Data Inspectorate does not find reason to comment on Nuuday A / S 'processing in accordance with Article 22 of the Data Protection Regulation.
It follows from Article 22 (2) of the Data Protection Regulation. Paragraph 1 that the data subject has the right not to be subject to a decision based solely on automatic processing, including profiling, which has legal effect or similarly significantly affects the person concerned.
The Data Inspectorate finds that Nuuday A / S's processing for that purpose cannot be considered to fall within the complainant's right not to be the subject of an automatic individual decision under Article 22 (2) of the Data Protection Regulation. 1, since the predictive models developed by Nuuday A / S cannot be considered to have had legal effect or similarly significantly affected complaints.
As far as the basis for the processing is concerned, the Data Inspectorate considers that the processing of information on complaints for the purpose of drawing up the models concerned must have been based on Article 6 (2) of the Data Protection Regulation. 1 (f) (the “balancing rule”).
In order for a processing to be considered lawful under the balancing rule, the processing must have been necessary for the data controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms requiring protection of personal data precede it.
The data controller must, when processing is based on Article 6 (2) of the Data Protection Regulation. In addition, at paragraph 1 (f), at any time, decide on the data subject's objection in accordance with Article 21 (1) of the Data Protection Regulation. First
In this connection, the Data Inspectorate has noted that Nuuday A / S ceased to process the information after complainants objected to the processing pursuant to Article 21 (2) of the Data Protection Regulation. First
As regards the extent to which the processing of the information could take place in the light of Article 6 (1) of the Data Protection Regulation. In accordance with Article 6 (1) (f), the Data Inspectorate may state that, at the time of this decision, work is under way within the European Data Protection Council on the application of Article 6 (1) of the Data Protection Regulation. 1 (f), including processing of personal data for marketing purposes.
The Data Inspectorate has also noted that there is no information that Nuuday A / S has used the predictive models in question to carry out marketing.
In addition, the Data Inspectorate has noted that Nuuday A / S has stated that the information has not been disclosed.
Against this background, the Data Inspectorate does not find sufficient grounds to express criticism of Nuuday A / S 'processing of information until the complainant's objection.
5. Insight into Nuuday A / S 'disclosure of information on complaints to partners
The document "TELMORE business partners - data processor" states that Nuuday A / S discloses information to a number of business partners in order to provide the best possible service for complaints. Following is a list of Telmore A / S's business partners, where each unit indicates whether it is a data processor or an independent data controller.
5.1. The complainant's remarks
The complainant claims that personal data on him has been disclosed to a number of business partners who have marketing and profiling him for the purpose and that he has not received insight into what information has been provided to the list of recipients who TDC A / S has reportedly provided information on complaints.
5.2. TDC A / S 'comments
TDC A / S has stated that personal data is transferred to business partners either in the form of a transfer to data processors with which data processing agreements have been concluded, or transfer to independent data controllers.
TDC A / S has stated that information on complaints has been disclosed to the following companies, if the individual requirements are met, with the stated purposes and powers:
Bookmate Ltd
Information: Name, email address and customer number
Purpose: Establish customer relationship with Bookmate Ltd
Home: Article 6 (2) of the Data Protection Regulation. 1, point a
Prerequisite: Customer has opted for the Telmore Play benefit "Bookmate"
C More Entertainment AB
Information: Name, email address and customer number
Purpose: Establish customer relationship with C More Entertainment AB
Home: Article 6 (2) of the Data Protection Regulation. 1, point a
Prerequisite: Customer has opted for the Telmore Play benefit "C-More"
Department of the Ministry of Economic and Business Affairs
Information: Name and address
Purpose: Look up CPR to verify a customer's identity
Home: Article 6 (2) of the Data Protection Regulation. 1, point f
Prerequisite: Passed on when subscribing
Docktricks AB
Information: E-mail address
Purpose: To send emails to customers
Home: Article 6 (2) of the Data Protection Regulation. 1, point f
Prerequisite: Passed on if IT platform is responsible for sending e-mails
Egmont
Information: Name, email address and customer number
Purpose: Creating customer relationships
Home: Article 6 (2) of the Data Protection Regulation. 1, point a
Prerequisite: Customer has opted for the Telmore Play benefit "Flipp"
Ericsson / Metratech
Information: Identification information and invoices
Purpose: Supplier of billing system. Information is passed in order to be able to charge correctly and when the supplier has to make errors in the system
Home: Article 6 (2) of the Data Protection Regulation. 1, point f
Prerequisite: Passed on in cases where the supplier has had access to the system
Google Ltd.
Information: Online data collected using first-party cookies on "My Telmore"
Objective: Statistics, marketing and optimizing user experience on the page using Google Analytics
Home: Article 6 (2) of the Data Protection Regulation. 1, point f
Prerequisite: The customer has used the website "My Telmore"
HBO Nordic Services Denmark ApS
Information: Name, email address and customer number
Purpose: Establish customer relationship with HBO Nordic
Home: Article 6 (2) of the Data Protection Regulation. 1, point a
Prerequisite: Customer has opted for the Telmore Play benefit "HBO Nordic"
Nets Denmark A / S
Information: Customer information needed to make payments
Purpose: Making payments via Nets' solutions
Home: Article 6 (2) of the Data Protection Regulation. 1, point a
Prerequisite: The customer has chosen to pay TDC via Nets' payment solutions
PostNord A / S
Information: Name, address and order number
Purpose: Send letters and parcels to TDC's customers
Home: Article 6 (2) of the Data Protection Regulation. 1, point f
Prerequisite: TDC has sent letters or packages to the customer
TV2 Denmark A / S
Information: Name, email address and customer number
Purpose: Establish customer relationship with TV2
Home: Article 6 (2) of the Data Protection Regulation. 1, point a
Prerequisite: Customer has opted for the Telmore Play benefit "TV2 Play"
TDC A / S has stated that Nuuday A / S has not, as stated by the complainants, disclosed information about the complaints to other business partners than the specified partners, which the complainant was all informed of in response to his objection request.
5.3. The Authority's decision and justification
The Data Inspectorate finds that Nuuday A / S, with the appendix "TELMORE partners - data processor" has complied with Article 15 (2) of the Data Protection Regulation. 1 (c).
The Data Inspectorate hereby emphasizes that, in accordance with Article 15 (1) of the Data Protection Regulation, it registered. (C) the right to be informed of the recipients or categories of recipients to whom personal data concerning them is or will be disclosed, but that, however, in accordance with Article 15 (1) of the Data Protection Regulation; 2. Paragraph 1 does not apply to a right to be specifically informed which information has been disclosed.
Accordingly, the Data Inspectorate finds that there is no basis for Nuuday A / S 'processing of the complainant's request for access to infringement of Article 15 of the Data Protection Regulation.
6. Continued processing of information on complaints after the end of customer relationship with Dansk Kabel TV A / S
Complainant received an overview of bank statements at Dansk Kabel TV A / S when responding to his request for insight. The table shows a number of charges and payments from the period June 15, 2012 to May 27, 2013. The same items appear in an overview called "Debtor's Book".
It is stated that the complainant's customer relationship with Dansk Kabel TV A / S ended on April 30, 2013. Following the termination, there was a complaint relationship between the complainant and Dansk Kabel TV A / S, which ended on May 28, 2013.
6.1. The complainant's remarks
Complaints have stated that the retention of information dating back to 2012 goes far beyond the period provided for in the Accounting Act.
6.2. TDC A / S 'comments
TDC A / S has stated that Dansk Kabel TV A / S no longer processes personal data in relation to the ceased customer relationship. All personal data related to the customer relationship has been deleted or anonymized per. April 30, 2019.
The information processed by Dansk Kabel TV A / S until 30 April 2019 was ordinary personal data, including master data for identification of complaints and the products covered by the customer relationship, as well as accounting and accounting data.
The personal data was processed in order to fulfill Dansk Kabel TV A / S's obligation to independently and unambiguously be able to document an audit trail for 5 years from the end of the year to which the accounting material relates.
Thus, personal data were processed on the basis of Article 6 (1) of the Data Protection Regulation. 1 (c).
TDC A / S does not consider Dansk Kabel TV A / S's processing of personal data to have been in accordance with Article 5 (1) of the Data Protection Regulation. Paragraph 1 (e) on storage restriction, the data being processed to the total extent of the customer relationship for the purpose of the above purpose, where the treatment facility for this purpose applies only for five years from the end of the year to which the accounting material relates.
Dansk Kabel TV A / S should therefore have deleted the accounting material on the customer relationship when it was older than five years from the end of the year to which the accounting material relates, rather than deleting the total accounting material for the customer relationship five years after the end of the financial year in which the customer relationship ended. .
Against this background, Dansk Kabel TV A / S has changed its policy for the deletion of personal data in this regard.
6.3. The Authority's decision and justification
The Danish Data Protection Agency assumes that until 30 April 2019, Dansk Kabel TV A / S processed information on complaints from the period 15 June 2012 to 27 May 2013.
It is stated by TDC A / S that the information was processed solely for the sake of being able to independently and unambiguously document audit evidence for five years from the end of the year to which the accounting material relates.
It follows from posting Act [5] § 10 paragraph. 1 that the accounting officer must keep the accounting material safely for five years from the end of the financial year to which the material relates. The storage must be done in a way that throughout the storage period enables an independent and unambiguous discovery of the relevant accounting material.
It follows that the personal data that Dansk Kabel TV A / S kept about complaints could not be stored on the basis of section 10 (1) of the Accounting Act. 1, beyond the period 2017-2018.
The Data Inspectorate therefore finds reason to criticize the fact that Dansk Kabel TV A / S has processed information on complaints in violation of Article 6 of the Data Protection Regulation. Article 5 (1) of the Data Protection Regulation 1 (e).
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46 / EC (general data protection regulation).
[2] Executive Order No. 715 of 23 June 2011 on the provision of electronic communications networks and services
[3] Executive Order No. 715 of 23 June 2011 on the provision of electronic communications networks and services
[4] Spam Prohibition Guide, Consumer Ombudsman, December 2018
[5] Executive Order No. 648 of June 15, 2006 of the Bookkeeping Act
data Protection Agency
