Rigsrevisionen – No Violation (Denmark, 2023)

On 29 August 2023, the Danish DPA started a probe into Rigsrevisionen's data processing practices. Rigsrevisionen is an independent institution placed under the Danish parliament conducting audits to determine whether the public accounts are correct and whether government-funded agencies and enterprises comply with current laws and regulations. Because of this function, the DPA considered Rigsrevisionen to be a processor. The DPA aimed to assess the legal basis of the data processing under Article 6 GDPR and how the processor ensures compliance with the principle of data minimisation of Article 5(1)(c) GDPR. The processor stated that its tasks follow the Danish Auditor General Act and special legislation, which also gives it authorisation to obtain material containing personal data by terminal access to the audited authority's systems. It emphasised that its processing is considered necessary for the performance of a task carried out in the public interest or the exercise of official authority under Article 6(1)(e) GDPR and Article 9(2)(g) GDPR. Although the processor further stated that it is not always relevant and necessary for its auditing activities to obtain personal data, its employees are instructed to justify and document if personal data is to be collected. Following the report, the Danish DPA asked the processor to clarify its utilisation of terminal access to access personal data. The processor explained that, in practice, terminal access is primarily used in connection with financial audits and that this system allows it to search for specific accounting documents and data, avoiding retrieving entire cases. It clarified that that it does not have unlimited terminal access to all the auditee's systems or cases, as the audited authority decides whether terminal access should be made available to the processor and there needs to be an agreement. For example, an agreement is in place with the Danish Agency for Public Finance and Management. From the agreeme