| Datatilsynet - 2019-423-0202 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 12(3) GDPR Article 15 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 26.02.2020 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 2019-423-0202 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DK) (in DA) |
| Initial Contributor: | n/a |
The Datatilsynet hold that the Municipality of Odense infringed Article 12(3) GDPR and Article 15 GDPR due to delayed answers to access requests.
English Summary
Facts
The Datatilsynet conducted some audits at the Municipality of Odense focusing on the compliance of Articles 12 and 15 GDPR.
Holding
The authority ruled that the controller had to some extend drafted guidelines, procedures, etc. for the municipality's compliance and its administrations with Article 15 GDPR.
However, the Datatilsynet stressed out that the Controller did not answer with the one month dealdine and thus, infringed Article 12(3) GDPR for some access requests. The authority pointed out that the controller did answer to 33% of the access requests with undue delay. Indeed, the Authority underlined that the administrations which are required to collect the information within a deadline of 14 days, as a first step, should apply this deadline only when it is necessary and not by default.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
In 2019, the Data Inspectorate carried out a planned audit at the Municipality of Odense. The audit focused on the municipality's compliance with the rules on the data subject's right of access, cf. Articles 15 and 12 of the Data Protection Regulation.
On the basis of the audit, the Data Inspectorate has criticized the fact that Odense Municipality's processing of personal data did not take place in accordance with Article 12 (2) of the Regulation. Third
Among other things, the Data Inspectorate's final opinion states that the municipality of Odense's handling of access requests has generally been in accordance with Article 15 of the Regulation, but that the municipality has in three cases responded to a request for access later than one month after receiving the request.
You can read the Danish Data Protection Agency's guide on data subjects' rights here.
Decision
Odense Municipality was among the public authorities selected by the Danish Data Protection Agency for supervision in the spring of 2019.
At the request of the Data Inspectorate, the Municipality of Odense had completed a questionnaire before submitting the inspection and submitted this together with additional material to the audit. The inspection itself took place on May 20, 2019.
1. Decision
Following the audit of the City of Odense, the Data Inspectorate finds a reason to conclude:
That the Municipality of Odense has to some extent drawn up guidelines, procedures, etc. for the municipality's compliance with Article 15 of the Data Protection Regulation.
That the Municipality of Odense has to a certain extent prepared templates that can help ensure and facilitate the municipality's compliance with Article 15 of the Data Protection Regulation.
That the Municipality of Odense received and responded to 9 requests for access in the period 25 May 2018 to the time of notification of the supervision, and that in three cases the municipality did not respond to a request for access in accordance with the deadlines set in Article 12 (2) of the Data Protection Regulation. 3
In relation to point 3, the Data Inspectorate finds grounds for criticizing the fact that the municipality of Odense's processing of personal data has not taken place in accordance with the rules in Article 12 (2) of the Data Protection Regulation. Third
The following is a detailed review of the information that has emerged in connection with the audit and a justification for the Danish Data Protection Agency's decision.
2. Odense Municipality's guidelines and procedures
Prior to the audit visit, the Municipality of Odense has forwarded a copy of the municipality's procedures and guidelines, which were in effect on the date of the notification of the audit, concerning the handling of insight requests pursuant to Article 15 of the Data Protection Regulation.
Odense Municipality has, in relation to the municipality's general procedure for handling access requests, stated that requests for access are typically sent to the municipality's data protection adviser, who then disseminates the requests to the individual administrations in order for the individual administrations to collect the information about the data subject from the relevant systems. The administrations are given a 14-day deadline to submit the information about the data subject to the Data Protection Advisor. The Data Protection Advisor then reviews the information from individual administrations and answers the request.
The Municipality of Odense has prepared procedures for each of the municipality's five administrations. The procedures include: information on how the employees of individual administrations should seek information about the data subject, including which systems may be relevant to search, as well as the procedures that contain information about who handles insight requests internally in the relevant administrations.
It is clear from one of the procedures submitted that "the person requesting access is contacted to find out if specific areas are requested to access".
When asked about this, the Municipality of Odense stated at the inspection visit that this must be understood so that the municipality usually contacts the citizen in order to clarify whether he or she wants access to or insight, as it is the municipality's experience that the citizen is not always aware of the difference between the two concepts and set of rules. However, the municipality does not ask for clarification in cases where it is clear from the request that the citizen wants insight under Article 15 of the Data Protection Regulation, including in cases where the citizen wants all information about himself provided.
The Data Inspectorate then asked how the municipality behaves in cases where the citizen has not returned with a clarification.
Odense Municipality stated that the municipality has not yet experienced that a citizen has not returned with a clarification, but that the municipality will, if necessary, respond to the request in accordance with the deadlines set by Article 12 of the regulation.
During the audit visit, the Data Inspectorate asked why the procedures submitted for the administrations' handling of insight requests do not contain specific information on the rules on access, including on Articles 15 and 12 of the Regulation.
The Municipality of Odense confirmed that the municipality has not prepared specific information about the actual rules for individual administrations and stated that the municipality has only prepared the submitted procedures in relation to the general handling of requests for insight, since the employees in the administrations do not account for the actual answer to insight requests.
Against this background, the Data Inspectorate asked how Odense Municipality ensures that the employees in the administrations are familiar with the rules on insight, including that the employees are able to identify requests for insight when they are received.
The Municipality of Odense stated that there has been training of the employees in the individual administrations.
Furthermore, the municipality stated that the employees are aware that inquiries regarding both access and access to documents must be communicated to the Jura office and / or the data protection adviser, who then handles the further handling of the request.
The Data Inspectorate generally has no comment that Odense Municipality's procedures are based on the fact that there is a specific department or person who must respond to all requests from the data subjects, because the employees of this department or the person in question have special requirements in relation to the handling of the data protection rules. However, the Data Inspectorate must emphasize the importance of all employees being familiar with this procedure, so that there is no doubt in the organization who should respect the rights of the data subjects and where requests for access from the data subjects should be sent, including for example in the cases where a request is not sent directly to the Data Protection Advisor.
The Municipality of Odense can - if the municipality has not already done so - draw up some procedures, guidelines, etc. regarding the Jura Office and the Data Protection Advisor's handling of access requests, which contain more specific information on the Regulation's rules on access to support the municipality's observance of the data subject's right of access.
Regarding the deadlines that are normally given to individual administrations, see section. 4.2. below.
3. Odense Municipality's standard texts
Some of the procedures that have been prepared for the municipal administrations contain standard letters that the relevant administration can use in the internal handling of insight requests.
A management has prepared a standard text that can be used when information about the data subject is to be sought internally in the management. The default text is used to request a system administrator to investigate whether the data subject is in cases or professional systems for which he is responsible.
Another administration has prepared a similar standard text, asking the system administrator to submit any contribution to the insight request within 14 days. The system administrator is also asked to inform and justify if situations arise that result in a longer processing time.
After a review of the submitted procedures, including standard letters, the Data Inspectorate cannot immediately establish that the Municipality of Odense has prepared templates, etc., which can be used in connection with the municipality's communication with the data subject, for example when responding to requests for access pursuant to the article's regulation. 15, notice of extension of the reply to the data subject pursuant to Article 12 (2) of the Regulation. 3, or by requesting additional information for the purpose of identifying the data subject under Article 12 (2) of the Regulation. 6th
The Data Inspectorate must therefore recommend that the Municipality of Odense - if the municipality has not already done so - prepare templates, etc., which can be used in connection with the municipality's communication with the data subject, especially for use by the Jura office and the data protection adviser, who according to the information is responsible for responding to the data subject's requests and communicating with the data subject in general.
4. Odense Municipality's handling of requests for insight
4.1. The Municipality of Odense has informed the Danish Data Protection Agency that the municipality has received and responded to 9 requests for information during the period from 25 May 2018 to 16 April 2019. Odense Municipality has submitted a copy of the replies to the Danish Data Protection Agency prior to the audit visit.
The Danish Data Protection Agency generally has no comments on Odense Municipality's replies to the 9 insights requests, pursuant to Article 15 of the Data Protection Regulation.
However, in three of the cases, the Municipality of Odense has responded to the request later than 1 month after receiving the request.
Thus, on 17 June 2018, the Municipality of Odense received a request for insight, which the municipality responded to on 9 August 2018, ie. 1 month and 23 days after receiving the request.
In this case, on June 25, 2018, the Municipality of Odense informed the data subject that the response would be extended as a result of the summer vacation period at the municipality and that the data subject could expect a response to the request in August.
It is clear from Article 12 (2) of the Regulation. 3 that a request may be extended if it is deemed necessary for the complexity and number of requests. The Data Inspectorate finds that the Municipality of Odense did not comply with the deadline laid down in Article 12 (2) of the Regulation when responding to this request. 3, since the municipality has not, according to the information, extended the response due to the complexity and number of the request, but only because of the summer vacation period at the municipality.
In addition, on 25 September 2018, the Municipality of Odense received a request for insight, which the municipality responded to on 6 November 2018, ie. 1 month and 12 days after receiving the request. Odense Municipality has as a reason stated that the municipality had not accidentally attached the documents in the original reply to the registrant, which was sent on October 10, 2019. The error was due to the fact that Digital Post contains a limit on how many - and how large - files it is possible to attach.
It is here that the Data Inspectorate finds that the Municipality of Odense has failed to comply with the deadline laid down in Article 12 (2) of the Regulation. 3, the reply request being incorrectly answered 1 month and 12 days after receipt. However, the Data Inspectorate has noted that the delay in the answer in respect of the one objection request was due to the fact that the Municipality of Odense had not accidentally attached the documents to the data subject at the original answer.
The Municipality of Odense has also received a request for insight on 12 February 2019, which the municipality answered in four parts. The first part of the reply was sent to the data subject on March 19, 2019. The second part of the reply was sent on March 21, 2019. The third part of the reply was sent on March 22, 2019, and the last part of the reply was sent on March 25, 2019. Thus, the objection request was finally answered 1 month and 13 days after receipt of the request.
The Municipality of Odense has stated that the response to this request was extended as the request included many documents and that it was not possible for the municipality to reach all the documents within the deadline, which is why the request must be considered complicated. The Municipality of Odense announced on March 21, 2019, ie. One month and nine days after receiving the request, it registered the extension of the response, including that the extension was due to the complexity of the request and that the data subject would receive the information on a continuous basis as the municipality received them. The Municipality of Odense finally responded to the request on 6 November 2018, ie. 1 month and 12 days after receiving the request.
The Data Inspectorate has no comments on the assessment of the complexity of the request by the Municipality of Odense. However, it is the opinion of the Data Inspectorate that the Municipality of Odense has failed to comply with the deadline set in Article 12 (2) of the Regulation. 3, in that the data subject was first notified of the extension of the reply 1 month and 9 days after receipt of the request.
4.2. In reviewing the examples of replies to insights requests, the Data Inspectorate found that three out of 9 requests - as described above - were answered later than 1 month after receiving the request and that the other requests were answered exactly within 1 month after receipt.
When asked, the municipality of Odense stated at the inspection visit that the municipality is aware that the answers are generally close to the deadline, but that this is because the municipality spends about 137 man-hours per average on average. request for insight.
As previously described, individual administrations are given a 14-day deadline to collect information about the data subject in the relevant systems. After that, the data protection advisor spends about a week preparing a response to the data subject. When asked about this, the Municipality of Odense stated that the administrations are given a time limit of 14 days to collect information, as this is typically very extensive material and that there are generally many systems that must be searched for information about the data subject.
In general, the Data Inspectorate should note that requests for access must be answered without undue delay and in any case within one month of receipt of the request, in accordance with Article 12 (2) of the Regulation. 3. However, the data controller has the opportunity to extend the response of the request for another two months if the request proves to be complicated.
In the opinion of the Data Inspectorate, a request for access cannot be said to have been answered without undue delay if, by default, the municipal administrations are given a period of 14 days to request information about the data subject and if the administrations in the specific case do not need 14 days for this. .
The Data Inspectorate must therefore recommend that the Municipality of Odense reconsider whether it is necessary, by default, to give administrations a period of 14 days to request information about the data subject, including in cases where a request cannot be regarded as complicated.
4.3. The Municipality of Odense has stated to the Data Inspectorate that the municipality has received requests for access, where there was doubt about the identity of the natural person, and where the municipality was therefore required to request further information in order to confirm the identity of the data subject, cf. Article 12 (2) of the Regulation 6th
As an example of this, the Municipality of Odense has stated that the municipality typically receives requests for insights from a non-secure e-mail, which only shows information about the data subject's name and e-mail address. In such situations, the municipality has contacted the registered person and asked for an address or a CPR number, so that the person can look up the CPR registered and in the municipality's systems as well as for the use of Digital Post.
The Data Inspectorate has no comments on this.
5. Conclusion
Following the audit of the City of Odense, the Data Inspectorate finds a reason to conclude:
That the Municipality of Odense has to some extent drawn up guidelines, procedures, etc. for the municipality's compliance with Article 15 of the Data Protection Regulation.
That the Municipality of Odense has to a certain extent prepared templates that can help ensure and facilitate the municipality's compliance with Article 15 of the Data Protection Regulation.
That the Municipality of Odense received and responded to 9 requests for access in the period 25 May 2018 to the time of notification of the supervision, and that in three cases the municipality did not respond to a request for access in accordance with the deadlines set in Article 12 (2) of the Data Protection Regulation. 3
In relation to point 3, the Data Inspectorate finds grounds for criticizing the fact that the municipality of Odense's processing of personal data has not taken place in accordance with the rules in Article 12 (2) of the Data Protection Regulation. Third
The Data Inspectorate then considers the audit to be complete and does not take any further action in this regard.
