Investigation criticized by the Danish Data Protection Agency
A political party launched an investigation after allegations of sexual offenses committed by a member of the Danish Parliament were published in the press. The case ended with the Danish Data Protection Agency, as the member believed the investigation did not comply with the data protection rules. However, the only mistake was that insufficient information had been given. Therefore, the investigation “only” triggered criticism.
A political party initiated an outside counsel-led investigation of one of its members in the Danish Parliament. The investigation was necessary allegations of sexual offenses committed by the member were published to the press by five women. Therefore, the member’s future in the party depended on the result of the investigation.
The investigation consisted of voluntary interviews with the women and the member. The investigation constituted confidential advice to the party, which would not be shared externally.
Information on sexual relations and (potential) criminal offenses was processed as part of the investigation due to the circumstances relating to the case. The lawful basis for processing the data was legitimate interest and the need to establish a potential legal claim.
Insufficient information resulted in a breach of the rules
Although the lawful basis was in place, the member had not received sufficient information on the processing activities carried out as part of the investigation. This was a breach of the information obligation.
The member had received a general privacy policy upon joining the political party. He had also received a link to the outside counsel’s general privacy policy when the investigation was initiated. Both policies only contained general information, without any description of the processing activities relating to the investigation.
Consequently, the member had never received information on the reasons for applying legitimate interest as the lawful basis. He had, therefore, never received, among other things, information about the lawful basis on which most of the investigation was based.
IUNO’s opinion
As part of its assessment, the Danish Data Protection Agency emphasized that the scale and character of #MeToo investigations increase the transparency threshold when processing data. That means that information on the processing activities that are carried out must be extra clear and unambiguous.
IUNO recommends that companies are cautious about launching internal investigations on their own. This is particularly important where investigations involve sensitive information, such as information on sexual relations, criminal offenses, health, and similar personal data. Companies should establish procedures that include considerations relating to the information obligations that apply – as well as other data protection rules – to ensure compliance from the outset.
Read more about how IUNO can assist with whistleblower schemes in the Nordic region here.
[The Danish Data Protection Agency in case 2021-31-5542 of 6 September 2022]
A political party initiated an outside counsel-led investigation of one of its members in the Danish Parliament. The investigation was necessary allegations of sexual offenses committed by the member were published to the press by five women. Therefore, the member’s future in the party depended on the result of the investigation.
The investigation consisted of voluntary interviews with the women and the member. The investigation constituted confidential advice to the party, which would not be shared externally.
Information on sexual relations and (potential) criminal offenses was processed as part of the investigation due to the circumstances relating to the case. The lawful basis for processing the data was legitimate interest and the need to establish a potential legal claim.
Insufficient information resulted in a breach of the rules
Although the lawful basis was in place, the member had not received sufficient information on the processing activities carried out as part of the investigation. This was a breach of the information obligation.
The member had received a general privacy policy upon joining the political party. He had also received a link to the outside counsel’s general privacy policy when the investigation was initiated. Both policies only contained general information, without any description of the processing activities relating to the investigation.
Consequently, the member had never received information on the reasons for applying legitimate interest as the lawful basis. He had, therefore, never received, among other things, information about the lawful basis on which most of the investigation was based.
IUNO’s opinion
As part of its assessment, the Danish Data Protection Agency emphasized that the scale and character of #MeToo investigations increase the transparency threshold when processing data. That means that information on the processing activities that are carried out must be extra clear and unambiguous.
IUNO recommends that companies are cautious about launching internal investigations on their own. This is particularly important where investigations involve sensitive information, such as information on sexual relations, criminal offenses, health, and similar personal data. Companies should establish procedures that include considerations relating to the information obligations that apply – as well as other data protection rules – to ensure compliance from the outset.
Read more about how IUNO can assist with whistleblower schemes in the Nordic region here.
[The Danish Data Protection Agency in case 2021-31-5542 of 6 September 2022]
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing