Datatilsynet - 2019-432-0024

From GDPRhub
Datatilsynet - 2019-432-0024
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 6(2) GDPR

Article 6(1)(c) GDPR

Article 14(2) GDPR

Article 14(5)(c) GDPR

Type: Investigation
Outcome: No violation found
Decided: n/a
Published: 21.11. 2019
Fine: none
Parties: VisitDenmark
National Case Number: 2019-432-0024
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Danish
Original Source: Datatilsynet (in DK)

The Datatilsynet found that VisitDenmark was processing lawfully the cottage's owner personal data but warned the public authority regarding the obligations required under 14(2) GDPR.

English Summary[edit | edit source]

Facts and questions arising[edit | edit source]

VisitDenmark is a public authority which, in the performance of its tasks, was sending letters to inform cottage owners about new tax rules and more favorable conditions for holiday rental.

The Datatilsynet investigated to know if VisitDenmark processed personal data in connection to these information letters lawfully and if it did provide to the data subject enough information.

Holding[edit | edit source]

The DPA found that Visitdenmark's processing of personal data in connection with these letters was compliant with data protection rules, on the basis of Article 6(2) read in conjunction with Article 6(1)(e) GDPR.

Then, the Datatilsynet focused on two specific issues regarding the obligation to inform the data subject when the personal data is not obtained from the data subject. Regarding the collection of data subjects' names and their Building and Housing Register (BBR) information, Datatilsynet found that the authority did not sufficiently comply with the obligations under Article 14 (2) GDPR. Regarding the collection of social security numbers, Datatilsynet noted that the processing falls within the exception of Article 14(5)(c) GDPR, since such a collection is required by national law which is applicable to the authority and the legitimate interests of the data subjects are duly protected.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Danish original for more details.

Letters in e-Box from Visitdenmark
Published 21-11-2019
Decision Public authorities
It was not contrary to the data protection rules that Visitdenmark sent letters via e-Box under the topic "Important information for you with a cottage". Visitdenmark is a public authority and the letters were sent for the purpose of informing cottage owners of new tax rules and more favorable conditions for holiday rental. However, the Data Inspectorate criticizes Visitdenmark's failure to adequately comply with the authority's disclosure obligation.
Journal number: 2019-432-0024
Summary
In April 2019, the Data Inspectorate initiated a case of its own operation against Visitdenmark, when the Danish Data Protection Agency, through media coverage and a number of citizen inquiries, had become aware of Visitdenmark's distribution of letters via e-Box under the topic "Important information for you with cottage. ”
On November 21, the Data Inspectorate decided on the case. The Data Inspectorate found that Visitdenmark's processing of personal data in connection with the sending of the letters took place within the framework of the data protection rules.
However, the Data Inspectorate found that Visitdenmark did not sufficiently comply with the disclosure obligation of the Authority pursuant to Article 14 of the
Data Protection Regulation. The Data Protection Authority emphasized in the decision that Visitdenmark is, according to Act No. 648 of 15 June 2010, a public authority. The Data Inspectorate also emphasized that the processing was carried out as part of Visitdenmark's exercise of authority, as Visitdenmark was required to organize a campaign aimed at getting more Danes to rent out their cottages on the basis of an agreement concluded in the Folketing on 17 May 2018. .
Decision The Danish
Data Protection Agency hereby returns to the case where, on the basis of media coverage and a number of inquiries from citizens regarding Visitdenmark's sending of a letter with Digital Post under the topic "Important information to you with a cottage", the Authority has chosen to investigate the case more in-house.
1. Decision
After a review of the case, the Data Inspectorate finds that Visitdenmark's processing of personal data in connection with the sending of a letter with Digital Post has taken place within the framework of the rules ofof the Data Protection Regulation1)[1] Article 6 (. 1 and1) of the Data Protection Act[2] section 11 (. 1.
However, the Data Inspectorate finds that Visitdenmark has not sufficiently complied with the disclosure obligation of the Authority in accordance with Article 14 of the Data Protection Regulation, which gives rise to criticism.
The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision.
2.
Case making Following media coverage and a number of specific citizen inquiries, the Data Inspectorate became aware of Visitdenmark's processing of personal data in connection with the sending of letters with Digital Post under the topic "Important information for you with a cottage".
2.1. Visitdenmark's comments
Visitdenmark has stated in the case that, on the basis of an agreement entered into by the Folketing on 17 May 2018,[3] the authority was required to organize a campaign aimed at getting more Danes to rent out their cottages.
Visitdenmark has stated that in connection with the campaign, information about name, social security numbers and information in the form of property and owner information from the BBR register was processed. During the collection in BBR, four unit use codes were identified which identified approx. 234,000 households / unique addresses. Visitdenmark has further stated that a subsequent sorting took place based on a set of criteria. Subsequently, the size of the holiday homes / holiday home owners was reduced to approx. 180,000.
The list of owner and property information was then handed over to the CPR register, which provided the list of personal numbers for use by e-mail.
Visitdenmark submits that the processing of the personal data in question was carried out in accordance with Article 6 (1) of the Data Protection Regulation. (1) (e), the treatment being governed by public authority. The processing of information about social security numbers has been carried out pursuant to section 11 (1) of the Data Protection Act. 1, since the processing is necessary for the unambiguous identification of the data subjects in connection with sending letters via Digital Post.
Visitdenmark also states that the processing was carried out in accordance with the basic principles of Article 5 of the Data Protection Regulation, including the principle of purpose limitation (paragraph 1 (b)).
On observance of Visitdenmark's disclosure obligation, the Authority stated that in connection with the sending of the letters, no separate notification was made to the data subjects under Article 14 of the Data Protection Regulation. Visitdenmark states that the failure to comply with the disclosure obligation is due to an internal misunderstanding at Visitdenmark.
However, according to Visitdenmark, the disclosure obligation was partially fulfilled, as the letter contained some of the information to be provided pursuant to Article 14 of the Regulation, including information from which the information was collected, contact information on Visitdenmark and the purpose of processing personal data.
After Visitdenmark became aware that the disclosure requirement was not fulfilled, a letter of information was prepared in accordance with Article 14 of the Regulation, which was sent to the citizens who subsequently applied to Visitdenmark.
In light of the specific case, Visitdenmark has also found the opportunity to disseminate targeted information to employees regarding the fulfillment of the disclosure obligation, so that the disclosure obligation is observed in the future when collecting personal data.
3. Justification for the Authority's decision
3.1. Basis of processing
Processing of personal data shall be in accordance with Article 6 (2) of the Data Protection Regulation. 1, subparagraph 1. It is clear from Article 6 (2). (1) (e) may be done if the processing is necessary for the performance of a task in the public interest or which falls under the exercise of public authority imposed by the data controller, pursuant to Article 6 (2). In addition,
public authorities may process information on social security numbers for the purpose of unambiguous identification or as a journal number pursuant to section 11 (1) of the Data Protection Act. 1.
According to Act No. 648 of 15 June 2010, Visitdenmark is a public authority.
The Data Inspectorate finds no basis for overriding Visitdenmark's assessment that the processing of the information in question was necessary for the purpose of carrying out a task that falls under the public authority exercised by Visitdenmark in accordance with Article 6 (2) of the Data Protection Regulation. 1 point e. 
After reviewing the case, the Data Protection Agency also that VisitDenmarks treatment of information on civil happened in accordance with the Data Protection Act § 11
Data Protection Agency has thus emphasized that Visitdenmark processed the information for unique identification for the purpose of sending Digital Post.
Against this background, the Data Inspectorate finds that Visitdenmark's processing of personal data has taken place in accordance with the rules in Article 6 (2) of the Data Protection Regulation. 1 (e) and section 11 (1) of the Data Protection Act. 1.
3.2. Obligation to provide information when collecting names and BBR information
In cases where personal data is not collected from the data subject, it follows from Article 14 (1) of the Data Protection Regulation. 1, that it is incumbent on the data controller to provide the data subject with a number of information.
In addition, in accordance with Article 14 (2) of the Regulation, the data controller must: 2, provide the data subject with a number of additional information necessary to ensure a fair and transparent treatment of the data subject.
Since Visitdenmark has stated in the case that, when collecting the personal data in question, the authority did not notify the data subjects, which in the Authority's opinion should be given, it is the opinion of the Data Inspectorate that Visitdenmark did not sufficiently comply with the duty of disclosure of the authority pursuant to Article of the Data Protection Regulation 14, which gives the Authority the opportunity to express criticism.
The Data Inspectorate has noted that Visitdenmark has, on the basis of the specific case, found the opportunity to disseminate targeted information to employees regarding the fulfillment of the disclosure obligation, so that the disclosure obligation is observed in the future when personal data is collected.
3.3. Obligation to provide information when collecting personal numbers in the CPR register The Danish
Data Protection Agency must note that this is stated in Article 14 (2) of the Data Protection Regulation. Article 5 (5) (c) does not apply to the extent that the collection or disclosure is expressly provided for in EU or national law to which the data controller is subject and which establishes appropriate measures to protect the legitimate interests of data subjects.
In view of the above, it is the opinion of the Data Inspectorate that the obligation to provide information in connection with the collection of personal numbers in the CPR register could be exempted pursuant to Article 14 (2). 5 (c), since the collection of social security numbers for the purpose of sending letters via Digital Post is expressly provided for by law which Visitdenmark is subject to, as provided by Section 7 (1) of the Digital Post Act. 1, states that public senders are entitled to use Digital Post for communication with natural persons.
 
[1]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46 / EC
[2 ]Act 502 of 23 May 2018 on additional provisions for a regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such information (Data Protection Act)
[3] Agreement on Better conditions for growth and correct tax payment in parts and Platform Economics of May 17, 2018 https://em.dk/aftaler-og-udspil/2018/aftale-om-dele-og-platformsoekonomien/