Privacy Corner

The Danish Data Protection Agency (Datatilsynet) has continued to focus on cloud services and transfers to third countries, in particular transfers to the United States.

In particular, Datatilsynet has forbidden the municipality of Helsingør from using Google Chromebooks in schools (link).

The reason for this decision was that the municipality was not able to establish whether the personal information of the school children could be used by third parties. By allowing the children to use Gmail, Google Docs, Calendar and Google Drive, Datatilsynet found that the data processing agreement in use allowed for data to be transferred to other countries for support purposes.Datatilsynet writes that even if the case pertains Helsingør, the same principles will apply also to other municipalities. The municipality has been given until 3 August 2022 to delete all user data.

An English article on the topic is also available here. 

[The Norwegian Data Protection Authority has not (yet?) made a similar decision, but has commented favourably on the decision of the Danish Datatilsynet (link).

The Danish Datatilsynet has also announced that it is conducting investigations on third country transfers with two private companies in Denmark, one within the insurance sector and one within the healthcare sector, to see if these companies followed all the guidance on the transfer of data (link). It will be highly interesting to see how this unfolds.

The Norwegian Data Protection Authority (also called Datatilsynet) has opened an investigation into one of the largest consumer electronic groups in Norway, Elkjøp. The Norwegian Datatilsynet has completed an on-site inspection of Elkjøp's offices. This is done by Datatilsynet sometimes, but it is unusual.

The background for the inspection is that the Norwegian Datatilsynet has received several complaints on the handling of personal (i.e. customer) information by Elkjøp (link).

Datatilsynet has publicised that, alongside more common measures (e.g., looking through privacy documents), they undertook a more significant investigation of Elkjøp. This included random searches of customer cases, as well as interviews with employees, to establish if wrongdoing had occurred and, if so, whether it was widespread.

Focus was also on processing of personal data in a group where there are franchisees and arrangements on joint controllership. They also had focus on information security where smart products being used by one customer are sold further.

Read more on the case here. 

Learning point from this? Well, we must wait to see what the conclusions from Datatilsynet will be. But it is evident there is an increasing focus on handling of customer data and, if customers complain about the processing of their data, all retail businesses are at risk of an investigation by the Norwegian Datatilsynet.

The Danish Datatilsynet has also recently given a relevant decision on loyalty programs which differ substantially from what has been the general view in Norway and other countries. The Danish Datatilsynet received a complaint stating that the consent obtained by the department store Magasin was not voluntary because Magasin "bundled" receiving newsletters with membership to a loyalty programme. If the consumer did not want a newsletter, the consumer could not be part of the loyalty programme. However, Datatilsynet found this to be acceptable, much beacuse the consumer weas free to buy products from Magasin at ordinary terms. Read the decision here. 

This decision is important for many retail businesses, but we will wait to see if it will be upheld by data protection authorities in other jurisdictions.

The Danish Datatilsynet has also recently made a decision relating to the gathering of references for job applicants. A school (School A) considered hiring a new employee and talked to another school (School B) where the employee had worked previously. The employee complained about this. Datatilsynet found that because School A did not take any written notes of the conversation, the processing of personal information was outside the scope of GDPR. The information was simply not gathered in order to be processed by electronic means nor meant to be part of a register. As for the information given by School B, Datatilsynet found that they had legal basis to provide this information under GDPR article 6 (1)(f). Read the decisions here. 

The Swedish data protection authority, IMY, has established a whistle-blower facility for employees who want to notify IMY that  privacy rules are not being followed by their employer. IMY is obligated to establish such a channel due to a new act in Sweden on this that entered into force in 2021. See their article on this here.

A similar facility is available in Norway, where by employees can send anonymous information to Datatilsynet (link).

There are definitely pros and cons on anonymous whistle-blowing, and this has been discussed much in other legal areas like employment relationships. Given that privacy is becoming a more  important issue, where a large amount of money is involved, it is maybe not surprising that there comes a possibility for whistle-blowing also in this arena. But it is fair to say that it will likely heighten the general level of conflict in the area.