Digitaliseringsstyrelsen – Violation Found (Denmark, 2023)
The Danish Data Protection Authority found that Digitaliseringsstyrelsen was processing personal data of millions of people who had not registered for its driving licence app. This is important because it raises concerns about how companies handle personal data and whether they have the right to collect it from everyone.
What happened
The Danish Data Protection Authority discovered that Digitaliseringsstyrelsen was processing data of approximately 3.96 million citizens, even though only 1.7 million had registered for the app.
Who was affected
Approximately 3.96 million Danish citizens whose personal data was processed by the driving licence app were affected.
What the authority found
The authority found that the processing of personal data was excessive and did not comply with GDPR's principle of data minimization.
Why this matters
This finding emphasizes the importance of only collecting necessary data and highlights the risks of outdated systems leading to excessive data processing. Website operators should ensure they only collect data from users who have explicitly consented.
GDPR Articles Cited
Original scraped data
Original data from scraper before AI verification against source document.
A Danish citizen lodged a complaint with the Danish DPA regarding the Danish Agency for Digital Government's (the controller) processing of his personal data in their Driving Licence app, which he had not registered for or used. The app is a digital alternative to the physical driving licence and contains information about the licence holder's name, birth data, place of birth, nationality, licence number, passport number, passport photo, social security number, health, and data relating to criminal convictions and offences.
Following the complaint, on 7 September 2022, the DPA started an own-volition investigation of the matter. They found that the controller was processing the personal data of approximately 3.96 million Danish citizens with a driving licence, yet only 1.7 million had registered for the app, while the remaining group had not joined the app.
The controller attributed the excessive processing to technical constraints of the driving licence database, built on an outdated mainframe system, which gave it access to all valid Danish driving licences. They explained that they had initially considered three possible solutions for the app but deemed only the one adopted realistically viable. The one adopted complied with certain operational and performance requirements while allowing for the digital driving licence, updated with the latest information, to be made accessible to citizens. Consequently, they claimed that the processing was in line with Article 5(1)(c) GDPR.
The DPA concluded that the controller violated the data minimisation principle of Article 5(1)(c) GDPR. The principle should have been complied with despite the system being the only possible solution according to the current technical structure of the driving licence register. It further stated that the accessibility needs described by the controller and the mere fact that it is convenient for citizens to have the Driving Licence app, as they can leave their physical driving licence at home, ca
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Digitaliseringsstyrelsen in DK
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Digitaliseringsstyrelsen - Denmark (2023). Retrieved from cookiefines.eu