Rigsrevisionen – No Violation (Denmark, 2023)
Rigsrevisionen was investigated, but the Danish DPA found no violations in their data processing practices. This is significant because it shows that organizations can operate within the law while handling personal data, as long as they follow the necessary guidelines. It reassures other companies that proper compliance can lead to positive outcomes.
What happened
Rigsrevisionen was investigated for their data processing practices but was found to be compliant with data protection rules.
Who was affected
The investigation involved Rigsrevisionen, which conducts audits and handles personal data as part of its duties.
What the authority found
The Danish DPA concluded that Rigsrevisionen's data processing was necessary for their public tasks and complied with data protection rules.
Why this matters
This ruling demonstrates that organizations can successfully manage personal data while adhering to legal requirements. It encourages other companies to maintain compliance to avoid penalties.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 29 August 2023, the Danish DPA started a probe into Rigsrevisionen's data processing practices. Rigsrevisionen is an independent institution placed under the Danish parliament conducting audits to determine whether the public accounts are correct and whether government-funded agencies and enterprises comply with current laws and regulations. Because of this function, the DPA considered Rigsrevisionen to be a processor. The DPA aimed to assess the legal basis of the data processing under Article 6 GDPR and how the processor ensures compliance with the principle of data minimisation of Article 5(1)(c) GDPR. The processor stated that its tasks follow the Danish Auditor General Act and special legislation, which also gives it authorisation to obtain material containing personal data by terminal access to the audited authority's systems. It emphasised that its processing is considered necessary for the performance of a task carried out in the public interest or the exercise of official authority under Article 6(1)(e) GDPR and Article 9(2)(g) GDPR. Although the processor further stated that it is not always relevant and necessary for its auditing activities to obtain personal data, its employees are instructed to justify and document if personal data is to be collected. Following the report, the Danish DPA asked the processor to clarify its utilisation of terminal access to access personal data. The processor explained that, in practice, terminal access is primarily used in connection with financial audits and that this system allows it to search for specific accounting documents and data, avoiding retrieving entire cases. It clarified that that it does not have unlimited terminal access to all the auditee's systems or cases, as the audited authority decides whether terminal access should be made available to the processor and there needs to be an agreement. For example, an agreement is in place with the Danish Agency for Public Finance and Management. From the agreeme
Outcome
No Violation
The DPA investigated and found no violation.
Related Enforcement Actions (0)
No other enforcement actions found for Rigsrevisionen in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Rigsrevisionen - Denmark (2023). Retrieved from cookiefines.eu
Last updated: