Indenrigs- og Sundhedsministeriet – Complaint Upheld (Denmark, 2024)
The Danish Ministry of the Interior and Health refused a person's request to access a security log. This is important because it raises questions about transparency and the rights of individuals to access their own data.
What happened
Indenrigs- og Sundhedsministeriet denied a request for access to a security log that tracks searches in a civil registration system.
Who was affected
The individual who requested access to the security log was affected.
What the authority found
The Danish data protection authority upheld the ministry's refusal, citing national security concerns as a reason for denying access.
Why this matters
This case illustrates the tension between individual rights and national security. It reminds organizations to carefully consider how they handle access requests.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 3 October 2023, the DPA received a complaint by a data subject. He complained about the fact that the Ministry of the Interior and Health (Indenrigs- og Sundhedsministeriet) had refused to give him access to the security log of the Civil Registration System (Centrale Personregister - CPR). This log contains information about the date and time of searches and also an ID associated to the natural person performing the search. On 20 November 2023 the DPA forwarded the complaint to the controller, so that it could reconsider its refusal in light of the CJEU case [https://gdprhub.eu/index.php?title=CJEU_-_C-579/21_-_Pankki_S C-579/21, Pankki S]. On 4 January 2024 the controller upheld the refusal. It argued that [https://danskelove.dk/databeskyttelsesloven/22 § 22 of the Data Protection Act], the national legislation implementing Article 23 GDPR, introduces an exception to the right to access in this case. More specifically, the controller argued that considerations relating, among others, to the protection of national security, including the prevention, investigation, detection or prosecution of criminal offences outweighed the data subject’s right to access information that can be derived from the CPR security log. For example, the controller pointed out that granting such an access would mean revealing information relating to searches made by the Police. Moreover, the controller argued that the refusal is particularly justified by the resources that would be involved in processing and responding to an access request to the CPR security log. Finally, the controller emphasised that the CPR security log on itself cannot be used to check whether a given processing of personal data is lawful as it does not contain information about the authority's or company's purpose for processing the data subject's data. First of all, the DPA agreed with the controller about the fact that [https://danskelove.dk/databeskyttelsesloven/22 § 22 of the Data Protection Act] contains a nu
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Indenrigs- og Sundhedsministeriet in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Indenrigs- og Sundhedsministeriet - Denmark (2024). Retrieved from cookiefines.eu
Last updated: