Datatilsynet - 2019-41-0043

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 13 GDPR
Article 13(1)(c) GDPR
Article 13(2)(d) GDPR
Article 14 GDPR
Type: Investigation
Outcome: Violation Found
Decided: n/a
Published: 07.08.2020
Fine: None
Parties: SIF Gruppen A/S
National Case Number/Name: 2019-41-0043
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish DPA holds that SIF Gruppen A/S's compliance with the duty to provide information pursuant to Articles 13 and 14 has been deficient, including in that the company has not provided employees with sufficient information about the legal basis for processing personal data, the data subject's rights and the right to lodge a complaint with the DPA in connection with the use of GPS surveillance, and that the company has not informed the employees about the processing of personal data that takes place in connection with CCTV surveillance.

English Summary

Facts

In August 2020, the Danish Data Protection Agency completed a planned written inspection at SIF Gruppen A/S. The audit focused on the company's compliance with the rules on disclosure when using control measures towards employees. The audit also focused on whether SIF Gruppen A/S's observance of the duty to provide information complied with the regulation's basic principle of transparency.

SIF Gruppen A/S has informed the Danish Data Protection Agency that the company makes use of the following control measures towards employees:

   CCTV surveillance in connection with employees' stays at the company's address.
   GPS monitoring in service cars.
   "Find me" function in mobile phones and tablets.

SIF Gruppen A/S has stated that the company's employees are informed about the TV surveillance via signs at the company. Based on the information provided, the Danish Data Protection Agency assumes that the signs constitute the information that the employees are given about TV surveillance, and that the signs are not supplemented by additional written information to the employees.

SIF Gruppen A/S has stated that employees are notified of the processing of personal data in connection with the use of GPS monitoring as a control measure in the company's local agreements. In this connection, SIF Gruppen A/S has sent a template for such a local agreement, just as the company has sent copies of a number of signed local agreements as documentation of the company's compliance with the duty to provide information in practice.

It appears from the example provided that the overall purpose of GPS monitoring of the service vehicles is to collect data regarding driving history, driving behavior and technical data about the service vehicle. In this connection, a number of more specific purposes have been stated for which the information collected will be used.

Regarding the storage period, it appears that the collected information - for reasons of accounting, documentation and analytical purposes - is stored for up to 5 years, after which the information is deleted. However, individual information on the individual employee may not be used in employment law after 4 months.

Regarding any recipients of the information, it appears, among other things, that relevant administrative persons and managers will have access to individual information regarding vehicles within their own area of responsibility and work. An updated list of user rights will be available in the system at all times.

Dispute

Has SIF Gruppen A/S complied with its data protection obligations regarding CCTV surveillance in connection with employees' stays at the company's address and GPS monitoring in service cars?

Holding

The Danish Data Protection Agency finds that SIF Gruppen A/S's notification of the processing of personal data in connection with GPS monitoring in the service vehicles does not meet the requirements of Article 13(1)(c) and (2)(d) GDPR.

Regarding the storage period, it appears that the collected information - for reasons of accounting, documentation and analytical purposes - is stored for up to 5 years, after which the information is deleted. However, individual information on the individual employee may not be used in employment law after 4 months.

Based on the submitted images, the Danish Data Protection Agency can conclude that the signage regarding CCTV only contains information about the fact that CCTV surveillance is carried out. In addition, a telephone number is indicated on the doorman, just as the company name is indicated on the sign. This is not enough information.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Supervision of SIF Gruppen A/S
Published 07-08-2020
Decision Private companies

Journal number: 2019-41-0043
Summary

In August 2020, the Danish Data Protection Agency completed a planned written inspection at SIF Gruppen A/S. The audit focused on the company's compliance with the rules on disclosure when using control measures towards employees. The audit also focused on whether SIF Gruppen A/S's observance of the duty to provide information complied with the regulation's basic principle of transparency, which, among other things, implies that the data controller must provide employees with easily accessible and prior information about the control measures applied.

On the basis of the audit carried out, the Danish Data Protection Agency has had occasion to express serious criticism of SIF Gruppen A/S's processing of personal data.

The Danish Data Protection Agency's concluding statement states, among other things, that SIF Gruppen A/S's compliance with the duty to provide information in connection with the use of GPS monitoring has been deficient, including in that the company has not provided employees with sufficient information on the legal basis for processing personal data, data subjects' rights and the right to lodge a complaint with the Danish Data Protection Agency.

In addition, it appears that SIF Gruppen A/S has not informed the employees about the processing of personal data that takes place in connection with TV surveillance, which is why it has not been sufficiently transparent for the employees that the TV surveillance can be used for control purposes.

You can read the Danish Data Protection Agency's guidelines on data protection in connection with employment relationships here.

You can read the Danish Data Protection Agency's guide on data subjects' rights here.

Decision
1. Written supervision of SIF Gruppen A/S's processing of personal data

SIF Gruppen A/S was among the companies that the Danish Data Protection Agency in the autumn of 2019 had chosen to supervise in accordance with the Data Protection Regulation [1] and the Data Protection Act [2].

The Danish Data Protection Agency's audit was a written audit which focused on SIF Gruppen A/S's compliance with the duty to provide information in connection with control measures towards employees, cf. Articles 13 and 14 GDPR, and on whether that compliance met the principle of transparency in Article 5(1)(a) GDPR, which according to the Authority's assessment i.a. implies that the data controller must provide employees with easily accessible - prior - information about the control measures applied.

By letter dated 10 September 2019, the Danish Data Protection Agency notified SIF Gruppen A/S of the audit and in this connection asked the company for a statement.

SIF Gruppen A/S then, by letter of 7 October 2019, issued a statement for use in the case.

Following the audit of SIF Gruppen A/S, the Danish Data Protection Agency finds reason to conclude in summary:

    That SIF Gruppen A/S's compliance with the duty to provide information pursuant to Articles 13 and 14 has been deficient, including in that the company has not provided employees with sufficient information about the legal basis for processing personal data, the data subject's rights and the right to lodge a complaint with the Danish Data Protection Agency in connection with the use of GPS surveillance, and that the company has not informed the employees about the processing of personal data that takes place in connection with TV surveillance, which is why it has not been sufficiently transparent for the employees that the TV surveillance can be used for control purposes.

In relation to point 1, the Danish Data Protection Agency finds grounds for expressing serious criticism that SIF Gruppen A/S's processing of personal data has not taken place in accordance with Articles 13 and 14 of the Data Protection Regulation. As regards the lack of information about the control purpose in relation to the use of television surveillance, the Danish Data Protection Agency further states that SIF Gruppen A/S's processing of personal data has not taken place in accordance with the basic principle of transparency in Article 5(1)(a) of the Regulation.

Below is a more detailed review of the information that has emerged in connection with the written inspection and a justification for the Danish Data Protection Agency's decision.

2. SIF Gruppen A/S's use of control measures towards employees

SIF Gruppen A/S has informed the Danish Data Protection Agency that the company makes use of the following control measures towards employees:

    TV surveillance in connection with employees' stays at the company's address.
    GPS monitoring in service cars.
    "Find me" function in mobile phones and tablets.

In this connection, SIF Gruppen A/S has stated that 400 employees are affected by TV surveillance at the company's address, and that 200 employees are affected by GPS in the service cars.

In addition, SIF Gruppen A/S has stated that the "Find me" function in mobile phones and tablets affects approximately 100 employees, but that the function is only used in connection with the loss of devices.

Based on the information, the Danish Data Protection Agency assumes that the "Find me" function in mobile phones and tablets is not used for control purposes against the company's employees, but that the function only serves a security purpose. The company's fulfillment of the disclosure obligation in relation to the "Find me" function will therefore not be reviewed further in this statement. If SIF Gruppen A/S at any time wishes to use the "Find me" function in mobile phones for control purposes vis-à-vis the company's employees, the Danish Data Protection Agency must point out that it is a prerequisite for the use of control measures that the employees - before the establishment of the control measures - are informed of the purpose and scope of the measures and of the use of the information collected in accordance with Articles 13 and 14 of the Regulation. [3]

SIF Gruppen A/S has further stated that the company's employees - through the work of the company's customers - may be exposed to control measures over which SIF Gruppen A/S has no knowledge or influence.

In this connection, the Danish Data Protection Agency assumes that SIF Gruppen A/S is not the controller for any information collected about the company's employees in connection with control measures at the company's customers.

3. Procedures, etc. in relation to the fulfillment of the duty to provide information and prior information on control measures

SIF Gruppen A/S has stated that the company has not prepared procedures etc. for the company's compliance with the Data Protection Regulation's rules on the duty to provide information and the requirement for prior information in connection with the use of control measures towards employees.

The Danish Data Protection Agency must recommend that SIF Gruppen A/S prepare procedures, etc. for the company's compliance with the rules on disclosure and prior information in connection with control measures towards employees, which should i.a. state how and at what time employees must be informed of the processing of personal data that takes place in connection with the individual control measures.



4. Review of SIF Gruppen A/S's notification of the processing of personal data concerning the use of GPS in service vehicles and television surveillance
4.1. Regarding information on TV surveillance

SIF Gruppen A/S has stated [4] that the company uses TV surveillance at the company's address as a control measure. The Danish Data Protection Agency is of the opinion that television surveillance can be used for both security and control purposes. As the Danish Data Protection Agency cannot rule out that the TV surveillance is used for control purposes against SIF Gruppen A/S's employees, this is the basis for the review of the company's information to the employees regarding TV surveillance.

SIF Gruppen A/S has stated that the company's employees are informed about the TV surveillance via signage at the company. In this connection, SIF Gruppen A/S has sent pictures of the signage at the various entrances to the company's address. Based on the information provided, the Danish Data Protection Agency assumes that the signage constitutes the information that the employees are given about TV surveillance, and that the signage is not supplemented by additional written information to the employees.

Private and public authorities that carry out television surveillance of places or premises to which there is general access, or of workplaces, must, according to the Television Surveillance Act [5], provide information about the surveillance by means of signs or other clear means. In addition to the requirement for signage, the rules of the Data Protection Regulation and the Data Protection Act on the duty to provide information to data subjects apply.

It thus follows from section 3 b of the Television Surveillance Act that the provision in Article 14 of the Data Protection Ordinance applies regardless of any signage pursuant to sections 3 and 3 a of the Act. to the requirements of Article 14 of the Data Protection Regulation.

Based on the submitted images, the Danish Data Protection Agency can conclude that the signage only contains information about the fact that television surveillance is carried out. The sign consists of an image of a surveillance camera with a caption that says "TV surveillance". In addition, a telephone number is indicated on the doorman, just as the company name is indicated on the sign.

After a review of the submitted images of the signage regarding television surveillance, it is thus the Danish Data Protection Agency's assessment that SIF Gruppen A/S has not provided the employees with the information that follows from Article 14 of the Data Protection Regulation, and that it has not been sufficiently transparent to the employees that the TV surveillance can be used for control purposes towards the employees.

In view of the fact that the purpose of the control, in the opinion of the Danish Data Protection Agency, has not been sufficiently transparent for the employees, the Authority also finds that SIF Gruppen A/S's information about TV surveillance for the music school's employees has not lived up to the basic principle of transparency in Article 5(1)(a).

Given that TV surveillance is an intrusive form of processing of personal data, the Danish Data Protection Agency must emphasize the importance of SIF Gruppen A/S's employees being informed of the processing of personal data that takes place in connection with the use of TV surveillance as a control measure in accordance with Article 14 of the Regulation. In addition, the Authority must emphasize the importance of SIF Gruppen A/S - in accordance with the principle of transparency in Article 5(1)(a) of the Regulation - providing employees with easily accessible - prior - information about the control measures used, including in particular about the control purpose.



4.2. Regarding information on GPS monitoring in service vehicles

SIF Gruppen A/S has stated that employees are notified of the processing of personal data in connection with the use of GPS monitoring as a control measure in the company's local agreements. In this connection, SIF Gruppen A/S has sent a template for such a local agreement, just as the company has sent copies of a number of signed local agreements as documentation of the company's compliance with the duty to provide information in practice.

It appears from the example provided that the overall purpose of GPS monitoring of the service vehicles is to collect data regarding driving history, driving behavior and technical data about the service vehicle. In this connection, a number of more specific purposes have been stated for which the information collected will be used, including:

    Reports and analyzes of the overall use of the fleet.
    Reduce driving costs through more appropriate driving behavior.
    Relevant and effective redirection for urgent tasks.
    Optimize and streamline the use of the fleet, e.g. by avoiding star driving or unnecessary driving time.
    Reduce operating and service costs on the car fleet.
    Increase safety by alerting the driver of the car to inappropriate driving behavior.
    Anti-theft protection.
    Big data analysis of patterns and contexts across the company, which can lead to smarter use of the company's resources.
    Streamlining the work of the work environment representative.
    Documentation of the efficient working hours and hourly consumption to the customers.
    Compliance with traffic rules.

It also states that a GPS committee - at least represented by a management representative and the shop steward - will continuously evaluate the use of the system and address any inconveniences. Inadequacies include over strong acceleration, hard braking and violation of the speed limit.

In addition, it appears that if data from the system gives rise to an interview, this will take place between the general manager and the employee, and that the employee in this connection has the right to convene the union representative.

Regarding the storage period, it appears that the collected information - for reasons of accounting, documentation and analytical purposes - is stored for up to 5 years, after which the information is deleted. However, individual information on the individual employee may not be used in employment law after 4 months.

Regarding any recipients of the information, it appears, among other things, that relevant administrative persons and managers will have access to individual information regarding vehicles within their own area of responsibility and work. An updated list of user rights will be available in the system at all times.

Finally, the employee is made aware of his or her rights under the Data Protection Regulation. It thus appears that the employee has the right to seek access to the information collected and processed about him in accordance with Article 15 of the Data Protection Regulation. In addition, it appears that the employee has rights under Articles 16, 17 and 21 of the Regulation, for which a link to the Regulation itself is inserted. However, these rights are not further elaborated in the local agreement.

As the personal data is, in the Danish Data Protection Agency's view, collected from the employee himself when the employee drives a service car, the Authority's assessment is that notification of processing of personal data in connection with GPS monitoring in the service cars must meet the requirements of Article 13 of the Data Protection Regulation [6].



The Data Protection Regulation contains an overarching obligation of transparency regarding the processing of personal data, which is intended to ensure that data subjects have the ability to hold data controllers accountable and exercise control over their personal data.

The obligation for transparency follows, i.a., from Article 5(1)(a) of the Data Protection Regulation, which states that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ('legality, reasonableness and transparency').

In relation to the data controller's observance of data subjects' rights, including compliance with the rules on the obligation to provide information, there is also a requirement for transparency in Article 12(1) of the Data Protection Regulation, from which it appears, i.a., that the controller takes appropriate measures to provide any information referred to in Articles 13 and 14 on processing to the data subject in a concise, transparent, easily understandable and easily accessible form and in clear and simple language.

After a review of the submitted examples, it is the Danish Data Protection Agency's assessment that the employees are not given information about the legal basis for the processing. In addition, the Authority's assessment is that the employees are not given sufficient information about the right to request the data controller to correct or delete personal data or restriction of processing regarding the data subject or to object to processing, and that the employees are not given information about the right to lodge a complaint with the Danish Data Protection Agency.

In this connection, the Danish Data Protection Agency has emphasized that this information - in the Authority's view - is necessary to ensure fair and transparent processing as far as the employees are concerned.

In addition, the Danish Data Protection Agency has emphasized that the principle of transparency, in the Authority's view, e.g. implies that the data controller - in connection with the fulfillment of the duty to provide information - should specify what the data subject's rights are, so that the data subject can easily understand which rights he / she has under the data protection rules and thereby better safeguard his or her interests in relation to exercising control over his personal data.

On this basis, the Danish Data Protection Agency finds that SIF Gruppen A/S's notification of the processing of personal data in connection with GPS monitoring in the service vehicles does not meet the requirements of Article 13(1)(c) and (2)(d) of the Data Protection Regulation.

Furthermore, the Danish Data Protection Agency finds that SIF Gruppen A/S's notification of the processing of personal data in connection with GPS monitoring in the service vehicles does not live up to the requirement in Article 13 (1) of the Data Protection Ordinance. Article 12 (2) (b) in conjunction with the requirement of Article 12 (2) of the Regulation. 1.



5. Conclusion

Following the audit of SIF Gruppen A/S, the Danish Data Protection Agency finds reason to conclude in summary:

    That SIF Gruppen A/S's compliance with the duty to provide information pursuant to Articles 13 and 14 has been deficient, including in that the company has not provided employees with sufficient information about the legal basis for processing personal data, the data subject's rights and the right to lodge a complaint with the Danish Data Protection Agency in connection with the use of GPS surveillance, and that the company has not informed the employees about the processing of personal data that takes place in connection with TV surveillance, which is why it has not been sufficiently transparent for the employees that the TV surveillance can be used for control purposes.

In relation to point 1, the Danish Data Protection Agency finds grounds for expressing serious criticism that SIF Gruppen A/S's processing of personal data has not taken place in accordance with Articles 13 and 14 of the Data Protection Regulation. As regards the lack of information about the control purpose in relation to the use of television surveillance, the Danish Data Protection Agency further states that SIF Gruppen A/S's processing of personal data has not taken place in accordance with the basic principle of transparency in Article 5(1)(a) of the Regulation.

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation).

[2] Act No. 502 of 23 May 2018 on additional provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).

[3] Reference is made to section 7 of the Danish Data Protection Agency's guidelines on data protection in connection with employment relationships.

[4] See Section 2 of the Decision

[5] Statutory Order no. 1190 of 11 October 2007 on television surveillance, as amended

[6] Reference is made to the Danish Data Protection Agency's guidelines on data protection in connection with employment relationships, section 7, which can be accessed on the Authority's website: https://www.datatilsynet.dk/generelt-om-databeskyttelse/vejledninger/