The Danish Data Protection Agency just published its inspection plan for 2022, which involves new areas, e.g. observation of the duty to inform in relation to unsolicited inquiries and the handling of requests for access and deletion by utility companies, as well as repeats, such as the processing of personal data of website visitors and auditing of data processors.

When the Danish Data Protection Agency carries out inspections in 2022 on its own initiative, it will focus on the following activities:

  • The Danish Archives Act
  • Authorisations to process sensitive personal data in the private sector
  • Observation of the duty to inform in relation to unsolicited inquiries
  • The handling of requests for access and deletion by utility companies
  • Processing of personal data of website visitors
  • Data security, including personal data breaches
  • Auditing of data processors
  • TV surveillance (CCTV)
  • Processing of personal data in pan-European information systems
  • The Danish Law Enforcement Act

Bech-Bruun's comments
The inspection plan involves new focus areas, but also repeats areas from previous years, which provides insight into the Danish Data Protection Agency's strategy and its overall aim of a more data-driven and resource-optimising approach. Bech-Bruun has the following comments on the individual areas:

The Danish Archives Act
As a small branch of the much larger scope of the Danish Archives Act, the Danish Data Protection Agency explicitly states that "the handling of archives by a number of municipalities must be monitored, including the municipalities’ compliance with the special rules on access to archives before reaching the deadline for availability". Further, the area is closely related to the general data protection areas of retention and deletion, which is why it must be expected that an inspection will naturally raise related questions across these areas.

Authorisations to process sensitive personal data in the private sector
In accordance with common practice, the Danish Data Protection Agency continuously conducts inspections of areas and organisations that rely on an authorisation from the Danish Data Protection Agency to process personal data for certain purposes. The area is limited to very few organisations but will concern compliance with the terms of the authorisation to process sensitive information. 

Observation of the duty to inform in relation to unsolicited inquiries
The data subject has the right to receive various information on the data controller's processing of personal data (cf. GDPR Articles 13 and 14), which is a repeat from previous inspection plans. However, in 2022, the Danish Data Protection Agency focuses on how the data controller ensures this when the organisation performs unsolicited inquiries to data subjects. Consequently, data controllers should expect to be able to present a privacy policy covering this matter. We therefore recommend that you ensure that the privacy policy complies with the requirements determined in the Danish Data Protection Agency's guidelines on this matter, as well as ensure that consent forms comply with the regulatory requirements, if this is the legal basis for the processing. 

The handling by utility companies of requests for access and deletion
According to the Danish Data Protection Agency, the area was chosen because the utility companies regularly receive such requests. Consequently, utility companies should ensure that they are organisationally able to assess and, if necessary, comply with such requests. One should therefore expect to be able to present relevant written documentation for such procedures. The Danish Data Protection Agency’s as well as EDPB’s guidelines have more information about the requirements for access and deletion.

Processing of personal data of website visitors
Again this year, the Danish Data Protection Agency focuses on the processing of personal data on websites, a focus that follows from the new requirements and the supervisory cases that the supervisory authority dealt with in this area in 2021. In the DMI decision from the beginning of 2020, the Danish Data Protection Agency stated that the collection of data via cookies will often constitute processing of personal data. You can read more about the decision in our previous news.

Most recently, the Danish Data Protection Agency has published a decision on a municipality's processing of personal data for statistical purposes, which has clarified the possibilities for the use of public interest (GDPR Article 6(1)(e)) or legitimate interest (GDPR Article 6(1)(f)) as the legal basis. However, the requirements generally imply that organisations that process personal data via cookies must comply with the data protection rules as well as the rules of the Danish Executive Order on Cookies. Consequently, organisations must implement a compliant cookie solution that satisfies the two rule sets, technically as well as legally. This is a difficult exercise and many organisations still have not managed to implement a fully compliant solution for the placement of cookies. It is against this background that the Danish Data Protection Agency has chosen to inspect the processing of personal data by organisations via cookies. Moreover, it is interesting that, for the first time, the Danish Business Authority has also started to monitor the parallel rules in the Danish Executive Order on Cookies.

Personal data security, including data breaches
The focus on data security and data breaches is also a repeat, but for 2022 the Danish Data Protection Agency has specified this to cover the following areas:

  • public IT solutions,
  • government IT solutions,
  • whether personal data breaches are handled and reported in accordance with the relevant rules,
  • whether there is a high risk for data subjects because of a breach of the personal data security,
  • whether the necessary information to the concerned data subjects has been given; and
  • whether the data controllers in connection with the design, development, purchase or adaption of IT solutions comply with data protection rules through the design and preparation of impact analyses.

Thus, organisations must to a large extent ensure that they have control over their internal documentation when developing relevant policies, procedures, guidelines, risk assessments and any impact analyses. Similarly, it is to be expected that organisations will be asked to provide relevant documentation on security breaches, e.g. logs, notifications of the data subjects, email correspondence, etc.

Auditing of data processors
The Danish Data Protection Agency has again decided to focus on the auditing of data processors. The obligation to carry out audits requires the data controller to check whether the data processor complies with the data controller's instructions for processing. The continued focus of the Danish Data Protection Agency should, among other things, be seen in light of the Danish National Audit Office’s conclusion from 2019 that many authorities still do not have sufficient control over their supervision of data processors, and of the Danish Data Protection Agency's publication in October 2021 of the new "Guidelines on auditing of data processors", which officially introduce the possibility of using a risk-based approach by proposing a point scale and six audit concepts.

DPA Service (Data Processor Audit) is Bech-Bruun's take on how public authorities as well as private companies may audit their data processors through a digital solution. DPA Service is specially developed to effectively conduct and document control of data processors. You can read more here.

TV surveillance (CCTV) 
As yet another repeat, the choice of "TV surveillance" will again have to be seen in the context of the Danish TV Surveillance Act being amended on 1 July 2020. The changes to the Danish TV Surveillance Act extend the scope and possibility for TV surveillance in public areas, but also require private companies as well as public authorities to make the correct legal assessments in connection with TV surveillance. You can read more about the change in the law in Bech-Bruun's previous news.

It is not only the Danish Data Protection Agency that focuses on the processing of personal data through TV surveillance. One of the German Data Protection Agencies has previously issued a fine of EUR 10.4m for illegal TV surveillance of employees for a minimum period of two years. 

Processing of personal data in pan-European information systems
This concerns a small number of authorities and includes: The Schengen Information System (SIS), the Visa Information System (VIS), the EU Fingerprint Register (Eurodac), the Customs Information System (CIS) and the Internal Market Information System (IMI).

The Danish Law Enforcement Act
As a subject of inspection that only applies to the processing of personal data by the police, the public prosecutor, the probation and after-care service, the Independent Police Complaints Authority and the courts, the control of the Law Enforcement Act by the Danish Data Protection Agency must be considered to have a narrow scope, but on the other hand be of broad public interest. This is the case, since the inspection will look at areas such as the processing of personal data in relation to the authorities’ prevention, investigation, detection, or prosecution of criminal offences or the enforcement of criminal sanctions. 

Bech-Bruun assists before, during and after potential inspections
The Danish Data Protection Agency's inspection plan is an obvious opportunity to visit or revisit the organisation’s data protection set-up. At Bech-Bruun, we have extensive experience in preparing private companies and public authorities for inspection visits from the Danish Data Protection Agency.

Bech-Bruun has been involved in many supervisory and inspection cases from the Danish Data Protection Agency, and Bech-Bruun's experts have also carried out several test inspections - the so-called Data Protection Mock Audits - at organisations.

One way to prepare your organisation for a possible inspection could therefore be a Data Protection Mock Audit, where your organisation is subjected to a voluntary inspection by Bech-Bruun to test whether the organisation is ready for an inspection from the Danish Data Protection Agency. The Data Protection Mock Audit is carried out in accordance with the same procedure that the Danish Data Protection Agency would apply to a real inspection. The Data Protection Mock Audit concludes with a report in which Bech-Bruun assesses your organisation's handling of the “test inspection” (before, during and after) as well as your compliance with data protection rules in relation to the selected topics.

Furthermore, Bech-Bruun can assist with the review of your organisation's written documentation or general data flows for the entire organisation or selected areas of particular relevance or risk.

You are always welcome to contact Bech-Bruun's data protection team.