EN
Technology

Investigation criticized by the Danish Data Protection Agency

logo
Legal news
calendar 13 October 2022
globus Denmark

A political party launched an investigation after allegations of sexual offenses committed by a member of the Danish Parliament were published in the press. The case ended with the Danish Data Protection Agency, as the member believed the investigation did not comply with the data protection rules. However, the only mistake was that insufficient information had been given. Therefore, the investigation “only” triggered criticism.

A political party initiated an outside counsel-led investigation of one of its members in the Danish Parliament. The investigation was necessary allegations of sexual offenses committed by the member were published to the press by five women. Therefore, the member’s future in the party depended on the result of the investigation.

The investigation consisted of voluntary interviews with the women and the member. The investigation constituted confidential advice to the party, which would not be shared externally.

Information on sexual relations and (potential) criminal offenses was processed as part of the investigation due to the circumstances relating to the case. The lawful basis for processing the data was legitimate interest and the need to establish a potential legal claim.

Insufficient information resulted in a breach of the rules

Although the lawful basis was in place, the member had not received sufficient information on the processing activities carried out as part of the investigation. This was a breach of the information obligation.

The member had received a general privacy policy upon joining the political party. He had also received a link to the outside counsel’s general privacy policy when the investigation was initiated. Both policies only contained general information, without any description of the processing activities relating to the investigation.

Consequently, the member had never received information on the reasons for applying legitimate interest as the lawful basis. He had, therefore, never received, among other things, information about the lawful basis on which most of the investigation was based.

IUNO’s opinion

As part of its assessment, the Danish Data Protection Agency emphasized that the scale and character of #MeToo investigations increase the transparency threshold when processing data. That means that information on the processing activities that are carried out must be extra clear and unambiguous.

IUNO recommends that companies are cautious about launching internal investigations on their own. This is particularly important where investigations involve sensitive information, such as information on sexual relations, criminal offenses, health, and similar personal data. Companies should establish procedures that include considerations relating to the information obligations that apply – as well as other data protection rules – to ensure compliance from the outset.

Read more about how IUNO can assist with whistleblower schemes in the Nordic region here.

[The Danish Data Protection Agency in case 2021-31-5542 of 6 September 2022]

A political party initiated an outside counsel-led investigation of one of its members in the Danish Parliament. The investigation was necessary allegations of sexual offenses committed by the member were published to the press by five women. Therefore, the member’s future in the party depended on the result of the investigation.

The investigation consisted of voluntary interviews with the women and the member. The investigation constituted confidential advice to the party, which would not be shared externally.

Information on sexual relations and (potential) criminal offenses was processed as part of the investigation due to the circumstances relating to the case. The lawful basis for processing the data was legitimate interest and the need to establish a potential legal claim.

Insufficient information resulted in a breach of the rules

Although the lawful basis was in place, the member had not received sufficient information on the processing activities carried out as part of the investigation. This was a breach of the information obligation.

The member had received a general privacy policy upon joining the political party. He had also received a link to the outside counsel’s general privacy policy when the investigation was initiated. Both policies only contained general information, without any description of the processing activities relating to the investigation.

Consequently, the member had never received information on the reasons for applying legitimate interest as the lawful basis. He had, therefore, never received, among other things, information about the lawful basis on which most of the investigation was based.

IUNO’s opinion

As part of its assessment, the Danish Data Protection Agency emphasized that the scale and character of #MeToo investigations increase the transparency threshold when processing data. That means that information on the processing activities that are carried out must be extra clear and unambiguous.

IUNO recommends that companies are cautious about launching internal investigations on their own. This is particularly important where investigations involve sensitive information, such as information on sexual relations, criminal offenses, health, and similar personal data. Companies should establish procedures that include considerations relating to the information obligations that apply – as well as other data protection rules – to ensure compliance from the outset.

Read more about how IUNO can assist with whistleblower schemes in the Nordic region here.

[The Danish Data Protection Agency in case 2021-31-5542 of 6 September 2022]

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology

26 January 2023

DPO across the Nordics

logo
Technology

8 December 2022

Company spilled the tea and got reported to the police

logo
Technology

24 November 2022

Colored cookie consent can be illegal nudging

logo
Technology

10 November 2022

Deadline to create whistleblower schemes for medium-sized companies approaching

logo
Technology

27 October 2022

Criticism and order to correct processing activities on “No thank you-list”

logo
Technology

22 September 2022

The Danish Data Protection Agency is testing the use of cloud solutions

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate