Datatilsynet - 2019-421-0028

From GDPRhub
Datatilsynet - 2019-421-0028
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 12(3) GDPR
Article 15(1)(h) GDPR
Article 22(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: n/a
Published: 26.02.2020
Fine: None
Parties: Udbetaling Danmark
National Case Number/Name: 2019-421-0028
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DK) (in DA)
Initial Contributor: {{{Initial_Contributor}}}

The Datatilsynet ruled that the controller must answer clearly if there are automated decisions made against the data subject in the context of an access requests, to comply with Article 15(1)(h) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The Datatilsynet conducted some investigations at Udbetaling Danmark focusing on the answers to access request and thus on the compliance with Articles 12 and 15 GDPR.

Dispute[edit | edit source]

n/a

Holding[edit | edit source]

Despite the procedures, guidelines and templates created and implemented by the controller, the Datatilsynet ruled that Udbetaling Danmark infringed both Articles 12(3) and 15 GDPR.

The authority stressed out that the controller did not provide the data subject with the necessary information pursuant to Article 15 (1) (h) GDPR. Indeed, the controller did not provide the data subject with the specific information on whether automatic decisions have been made against the data subject. The authority issued that the controller should from now on answer clearly to the data subject if he/she has been subject to automated decision making. For example, the authority recommend that the controller could state in each response whether or not automatic decisions have been made vis-à-vis the data subject.

In addition, the authority pointed out that the controller answered to 2 subject access requests with undue delay. Although the controller claimed that they needed time to confirm the data subject identification, the authority ruled that the one-month deadline was not respected and thus that, Article 12(3) was infringed.


Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

DENMARK
- https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2020/feb/tilsyn-med-udbetaling-danmarks-behandling-af-personoplysninger/
(DPA stated that Payment Denmark may, in connection with some services, make decisions based solely on automatic processing pursuant to Article 22 of the Regulation, and that in five cases the Authority has not provided the data subject with the necessary information on the existence of automatic decisions within the meaning of Article 15 (1) (h) GDPR.) (deepl translation)

Supervision of Payment Denmark's processing of personal data
In 2019, the Data Inspectorate carried out a planned audit at Payout Denmark. The audit focused on the authority's compliance with the rules on the data subject's right of access, cf. Articles 15 and 12 of the Data Protection Regulation.
On the basis of the audit, the Data Inspectorate has criticized the fact that Payments Denmark's processing of personal data did not take place in accordance with Articles 15 and 12 (2) of the Regulation. Third
The Authority's concluding opinion states, inter alia, that Payment Denmark may, in connection with some services, make decisions based solely on automatic processing pursuant to Article 22 of the Regulation, and that in five cases the Authority has not provided the data subject with the necessary information. on the existence of automatic decisions within the meaning of Article 15 (2) of the Regulation. 1, point h.
In addition, it appears that Payment Denmark in four cases did not respond to a request for access later than one month after receipt of the request, one of which was due to an excusable misunderstanding between Payment Denmark and the data subject regarding the scope of the request.
You can read the Danish Data Protection Agency's guide on data subjects' rights here.
Decision

Disbursement Denmark was among the public authorities selected by the Danish Data Protection Agency for supervision in the spring of 2019.

At the request of the Data Inspectorate, Pre-payment Denmark had completed a questionnaire and submitted this together with additional material to the audit prior to the audit visit. The inspection itself took place on May 13, 2019.
1. Decision

Following the supervision of Payout Denmark, the Data Inspectorate finds reason to conclude:

    That Payout Denmark has to a large extent drawn up guidelines, procedures, etc. for compliance by the Authority with Articles 15 and 12 of the Data Protection Regulation.
    That Payout Denmark has to a large extent prepared templates that can help ensure and facilitate the authority's compliance with Articles 15 and 12 of the Regulation.
    That Payout Denmark has received and responded to 12 requests for insights during the period 25 May 2018 until the time of notification of the supervision.
    That Payout Denmark has in five cases not provided the data subject with the necessary information on the occurrence of automatic decisions, in accordance with Article 15 (1) of the Data Protection Regulation. 1, point h.
    That, in three cases, Payment Denmark has not responded to a request for access in accordance with the deadlines set out in Article 12 (2) of the Data Protection Regulation. Third
    That Payout Denmark in one case - as a result of a misunderstanding - has not responded to a request for access in accordance with the deadlines in Article 12 (2) of the Data Protection Regulation. Third

In relation to paragraphs 4 and 5, the Data Inspectorate finds a basis for criticizing the fact that Payments Denmark's processing of personal data has not taken place in accordance with the rules in Articles 15 and 12 (2) of the Data Protection Regulation. Third

The following is a detailed review of the information that has emerged in connection with the audit and a justification for the Danish Data Protection Agency's decision.
2. Payment Denmark's guidelines and procedures

Payment Denmark, prior to the audit visit, sent a copy of the authority's procedures and guidelines, which were in effect on the date of notification of the audit, regarding the handling of access requests pursuant to Articles 15 and 12 of the Data Protection Regulation.

Payment Denmark has stated that the procedures and guidelines can be accessed by the employees on the intranet and that these act as a working tool for the employees.

In addition, Payout Denmark has stated that all the authority's procedures and guidelines are targeted at employees across different departments. Payment Denmark has prepared a knowledge solution in which the authority, among other things. shares knowledge about managing insight requests, and where employees can quickly find information about insight rules using keywords.

Employees are also made aware of the data protection rules, including the right of access, in connection with status meetings, annual meetings and in participation in training regarding the data protection rules. In addition, the employees carry out an e-learning game on data protection every year, and Payout Denmark has a number of customer ambassadors who share knowledge with the employees. In this way, the employees are also made aware that the existing procedures, guidelines and templates, etc. can be found on the intranet. Here

The procedures and guidelines submitted include: information that employees - once they have identified a request for insight - must forward the request to the "Quality & Complaints" department, as well as describe how the Quality & Complaints staff can request information about the data subject and how to submit the information to the data subject. In addition, the procedures and guidelines contain information on the deadline for responding to requests for access pursuant to Article 12 (2) of the Regulation. 3 and information on the information to be provided to the data subject when responding to requests for access pursuant to Article 15 (2) of the Regulation. 1 (a) to (h).

Following a review of the procedures and guidelines, the Data Inspectorate cannot immediately ascertain that information is provided on how employees should handle insight requests, where there is doubt about the identity of the data subject and where the authority will therefore have to request additional information from the data subject. in order to confirm their identity in accordance with Article 12 (2) of the Regulation. 6th

Against this background, the Data Inspectorate must recommend that Payment Denmark - to the extent that the authority has not already done so - adds information to this in the procedures and / or guidelines.

It is stated in one of the guidelines (Compendium on the data subject's rights) concerning the right of access that "if the data subject wishes to do so, the data controller must provide a copy of the personal data processed in the course of the right of access". The same does not appear in the other guidelines, etc.

The Data Inspectorate must note that it follows from Article 12 (2) of the Regulation. 3 that the data controller provides a copy of the personal data being processed and that this is not conditional on the data subject requesting to receive a copy of the data.

The Data Inspectorate must therefore recommend that this is also made clear in the guidelines mentioned.
3. Payment Denmark's standard texts

Payment Denmark has sent a copy of the templates used by the authority's employees in answering insights requests, including a template used for responding to the request itself and a template used for information on extended case processing time.

It is clear from the template for answering insight requests that Payout Denmark can make decisions based solely on automatic processing. Furthermore, it appears that the automatic decisions are made, for example, by Paying Denmark obtaining information from public registers, which are mechanically compared with information in the data subject's case, and which together determine whether the data subject is entitled to the benefit in question.

It follows from Article 15 (2) of the Regulation. (1) (h), the data controller must provide the registered information on the occurrence of automatic decisions, including profiling, as referred to in Article 22 (1). 1 and 4, and at least meaningful information about the logic therein, as well as the significance and expected consequences of such processing for the data subject.

When asked about this during the audit visit, Utbetaling Denmark stated that some types of benefits (eg income-based benefits such as housing subsidies) make automatic decisions against the data subject.

The Data Inspectorate asked whether it is possible for Payout Denmark to provide the data subject with specific information on whether automatic decisions have been made against the person concerned.

Payment Denmark stated that it is possible to give more specific information about this in relation to the individual benefits. When asked, Payout Denmark also stated that no automatic decisions are made in connection with all services and that it will therefore only be relevant to provide information on this in some cases.

In relation to the above, the Data Inspectorate has noted that, after the inspection visit, Payout Denmark has stated that the background for the general formulation of automatic decisions in Payments Denmark's reply to the reply is that when preparing the letter template, the Danish Data Protection Agency's templates for observing the duty of disclosure have been taken into account. However, after discussing the inspection visit, Payout Denmark will change the wording in the template, so that it will be stated in each response in the future whether or not automatic decisions have been made vis-à-vis the data subject.
4. Payment Denmark's handling of requests for insight

4.1. Payment Denmark has informed the Danish Data Protection Agency that the authority has received and responded to 12 requests for insights during the period from May 25, 2018 to April 9, 2019. Payment Denmark has submitted a copy of the replies to the Danish Data Protection Agency prior to the audit visit.

As mentioned in the submitted template for answering insights requests, it is clear that Payout Denmark can make decisions based solely on automatic processing.

At the time of the audit, the Data Inspectorate asked whether automatic decisions were made against the data subjects who requested access during the period from 25 May 2018 to 9 April 2019.

Payment Denmark, after the inspection visit, stated that after an examination of the submitted insights cases, the authority has found that in five of the cases the citizens have been the subject of an automatic decision, which is not apparent from the replies.

The automatic decisions in the five cases are about pension and housing benefits. In two of the cases, automatic decisions on both pensions and housing assistance were made, in two other cases, automatic decisions on pensions were made, while in the latter case automatic decisions on housing assistance were made.

Payment Denmark has confirmed to the Data Inspectorate that the data subjects have not been informed that they have in fact been subject to an automatic decision in accordance with Article 15 (2) of the Regulation. 1, point h.

4.2. After a detailed examination of the 12 response requests, the Data Inspectorate finds that, in three cases, Payment Denmark has responded to a request later than one month after receiving the request.

Payment Denmark received on September 3, 2018 a request for insight, which the authority responded to on November 8, 2018, ie. 2 months and 5 days after receiving the request. Payment Denmark has stated that the request was only identified late. When Paying Denmark became aware that the deadline had been exceeded, the authority prioritized responding to the request rather than giving the data subject a notice of the extension of the reply.

In addition, Payout Denmark received a request for insight on 12 November 2018, which was answered on 3 January 2019, ie. 1 month and 22 days after receiving the request. Payment Denmark has also stated that the request was only identified late. When Paying Denmark became aware that the deadline had been exceeded, the authority prioritized responding to the request rather than giving the data subject a notice of the extension of the reply.

The Data Inspectorate therefore assumes that the extension of the response to the two requests was not due to the complexity and number of the requests, but to the disbursement of Denmark's request that insights were made and that the deadline laid down in Article 12 (2) of the Regulation. 3, for answering the requests as a result has not been observed by Payment Denmark.

Payment Denmark also received on September 18, 2018 a request for insight, which the authority responded to on October 24, 2018, ie. 1 month and 6 days after receiving the request.

Payment Denmark, on October 11, 2018, notified the registrant of the extension of the reply. It appears from the notification that, due to the complexity of the case, Disbursement Denmark was unable to respond to the data subject within 1 month of receipt of the request.

In the reply of October 24, 2018, Payout Denmark regrets the lengthy processing time, which was due to the authority having misunderstood that the data subject wanted access to all information that Paying Denmark may have registered about him. However, during a conversation between the data subject and Payment Denmark's data protection adviser, it was clarified that the data subject only wanted insight into the personal data that was processed about him in a specific case.

In relation to this case, the Data Inspectorate has noted that the extension of the response to the request was due to an excusable misunderstanding between Payment Denmark and the data subject regarding the scope of the request. The Data Inspectorate has emphasized that Paying Denmark responded promptly after clarifying the misunderstanding.

4.3. When reviewing the examples of replies to insights requests, the Data Inspectorate found that three of the 12 requests - as described above - were answered later than one month after receiving the request and that the other requests were answered just within 1 month after receipt.

When asked, Payout Denmark stated that the authorities are aware that the answers are generally close to the deadline. The challenge is that it is difficult for employees to identify the requests, as the requests are typically hidden in a longer correspondence with the citizen concerned. Payment Denmark has stated that the authority is trying to optimize the process so that the employees become better at identifying requests for insight.