Digitaliseringsstyrelsen – Violation Found (Denmark, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Danish citizen complained about the Digitaliseringsstyrelsen's handling of personal data in a driving licence app that processed data for many who had not registered. The Danish DPA found that the agency was processing data excessively and did not comply with privacy rules. This case raises concerns about how government agencies manage personal data.
What happened
The Danish DPA found that the Digitaliseringsstyrelsen was processing personal data of many individuals who had not registered for the driving licence app.
Who was affected
Approximately 3.96 million Danish citizens were affected by the excessive data processing related to the app.
What the authority found
The DPA concluded that the agency violated privacy rules by processing data for individuals who did not use the app.
Why this matters
This ruling emphasizes the need for government agencies to ensure that they only collect and process necessary personal data. It serves as a warning for all organizations about the importance of data minimization.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A Danish citizen lodged a complaint with the Danish DPA regarding the Danish Agency for Digital Government's (the controller) processing of his personal data in their Driving Licence app, which he had not registered for or used. The app is a digital alternative to the physical driving licence and contains information about the licence holder's name, birth data, place of birth, nationality, licence number, passport number, passport photo, social security number, health, and data relating to criminal convictions and offences. Following the complaint, on 7 September 2022, the DPA started an own-volition investigation of the matter. They found that the controller was processing the personal data of approximately 3.96 million Danish citizens with a driving licence, yet only 1.7 million had registered for the app, while the remaining group had not joined the app. The controller attributed the excessive processing to technical constraints of the driving licence database, built on an outdated mainframe system, which gave it access to all valid Danish driving licenses. They explained to have initially considered three possible solutions for the app but deemed only the one adopted realistically viable. The one adopted complied with certain operational and performance requirements while allowing for the digital driving licence, updated with the latest information, to be made accessible to citizens. Consequently, they claimed that the processing was in line with Article 5(1)(c) GDPR. The DPA concluded that the controller violated the data minimisation principle of Article 5(1)(c) GDPR. The principle should have been complied with despite the system being the only possible solution according to the current technical structure of the driving licence register. It further stated that the accessibility needs described by the controller and the mere fact that it is convenient for citizens to have the Driving Licence app, as they can leave their physical driving licence at home, ca
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Digitaliseringsstyrelsen in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Digitaliseringsstyrelsen - Denmark (2023). Retrieved from cookiefines.eu
Last updated: