The Danish Data Protection Agency fines job agency for GDPR breach

The Danish Data Protection Agency (In Danish: Datatilsynet) states that companies must avoid deleting personal data if the right for access is requested.
News
GDPR

BACKGROUND OF THE CASE

The case arises from a person who had requested access to his/her personal data at the company JobTeam A/S. However, after the request and before the company had responded to his request, JobTeam chose to delete the citizen's personal data. JobTeam A/S were thus unable to give the citizen the requested access to his/her personal data.

The company’s action deprives the citizen of his/her right for access – a right which in general includes that people have the right to access any personal data processed about them. For instance, people have the right to be informed about:

  • How the personal data is processed
  • What the purpose of the processing is
  • With who the information is shared with
  • Where the information derives from
  • The period in which the information is stored

THE DATA PROTECTION AGENCY’S ASSESSMENT  

In the assessment, the Data Protection Agency emphasized that JobTeam showed poor behavior when the company prevented the person from being informed about which data the company were processing or had processed about the person. On this basis, it was the Data Protection Agency’s opinion that JobTeam violated the citizen's fundamental rights to access the personal data being processed about him/her.

The Data Protection Agency reported JobTeam to the police with a proposed fine of DKK 50,000. The fine level was determined based on the fact that the Data Protection Regulation (GDPR) basically requires fines to be effective and have a deterrent effect for companies to comply with the rules. The Data Protection Agency has therefore assessed that the case in principle cannot be sanctioned with a fine lower than DKK 50,000, as the fine must be effective.

LUND ELMER SANDAGER’S COMMENTS

The case once again emphasizes the importance of companies complying with the fundamental GDPR requirements and processing of personal data in accordance with the rules. The police report is also an indication that companies cannot deprive a citizen of their right by deleting information after a request has been made.

If you have any questions about the GDPR requirements or need help to ensure that you comply with the rules on the processing of personal data, please do not hesitate to contact Lund Elmer Sandager's specialists in GDPR Associate Partner, Attorney Torsten Hylleberg and Attorney Anders Linde Reislev.

Contact
Torsten Hylleberg
Partner
Attorney

Related news

See all news
News

The Danish Data Protection Agency focuses on the processing of personal data in online competitions

In a recent case, the Danish Data Protection Agency has decided on a company’s processing and transfer of personal data in connection with offering competitions and questionnaires online.
GDPR
News

European Data Protection Agencies increase focus on cookie solutions and the use of Google Analytics

The Danish Data Protection Agency and other European data protection agencies currently have a strong focus on whether companies’ cookie solutions comply with the rules in the GDPR. It includes e.g. solutions within Google Analytics and IAB’s standard solution for cookies and advertisements, Transparency and Consent Framework (TCF), where there are many indications that Danish companies may prepare for alternative solutions.
GDPR
News

Lund Elmer Sandager strengthens its partnership with two new partners from its own ranks

It is a great pleasure that Attorney Sebastian Rungby and Attorney Torsten Hylleberg will both take up the roles as partners in Lund Elmer Sandager with retroactive effect from 1 January 2022.
GDPR
News

The Danish Data Protection Agency propose for large GDPR fines

During the summer of 2021, the Danish Data Protection Agency has imposed fines on three public authorities and two private companies in the range of DKK 150,000 – 600,000 for violating the GDPR legislation. The new size of the fines emphasizes the importance of companies ensuring an adequate level of security when processing personal data.
GDPR
News

New Standard Contractual Clauses for transfers of personal data outside the EU/EEA

On 4 June 2021, the European Commission issued new Standard Contractual Clauses (“SCC”) for use in the transfer of personal data outside the EU/EEA, which e.g. may be for a (sub) data processor in the United States.
GDPR
News

COVID-19: Restaurants and cafés are encouraged to register visiting guests

On September 7 2020, the Government held a press conference on COVID-19, in which Minister of Health Magnus Heunicke requested that restaurants and cafés offer their visiting guests the possibility to register their contact information. A request that aims to increase contact tracing as the number of people infected with covid-19 is increasing, but at the same time raises some data protection law issues for you as a restaurateur or café owner.
GDPR