Udviklings- og Forenklingsstyrelsen – Complaint Upheld (Denmark, 2024)
The Danish Agency for Development and Simplification was found to have mishandled a data breach by not revealing the identity of an accountant who disclosed personal data. This is significant because it shows that transparency is crucial after a data breach. The agency did not face any fines.
What happened
The agency refused to disclose the identity of an accountant who improperly shared personal data after a data breach.
Who was affected
Two individuals whose data was wrongly shared by the agency's accountant.
What the authority found
The Datatilsynet ruled that the agency should have disclosed the accountant's identity, as it was relevant to the data breach case.
Why this matters
This case highlights the importance of transparency in data breaches. Organizations must be prepared to provide clear information about such incidents to affected individuals.
National Law Articles
In 2020 a data breach occurred within the Danish Agency for Development and Simplification (Udviklings- og Forenklingsstyrelsen, https://ufst.dk/, the controller). The controller erroneously shared the data of other data subjects (two persons) in response to an accountant's request. The accountant's request was filed on behalf of their client. The accountant then disclosed the data to that client.
The controller notified the two data subjects about the breach by sending a letter in 2023. In response, the data subjects requested access to the identity of the accountant. The controller refused to provide the data subjects with the exact identity, invoking the controller's confidentiality obligation. Instead, the controller informed them that the data had been shared with a Danish accountant, who disclosed the data to their Danish client. The data subjects filed complaints with the Danish DPA (Datatilsynet).
According to the DPA, the identity of the unauthorised data recipient was, in principle, covered by Article 15(1)(c) GDPR. The DPA rejected the controller's interpretation of its confidentiality obligation under Article 17(1) of the Tax Administration Act (skatteforvaltningsloven, https://www.retsinformation.dk/eli/lta/2018/678). The fact that the accountant was granted access to the data had no relation to professional or business secrecy, as it was "common knowledge" that accountants were able to request and access the documents on behalf of their clients.
Nevertheless, the DPA considered that the identity of the accountant's client with whom the data was shared was subject to the controller's confidentiality obligation. The DPA found no interest that overrode the confidentiality obligation in relation to the client's identity. Hence, it fell within the scope of professional secrecy under Article 17(1) of the Tax Administration Act. Consequently, the DPA concluded that the data subjects were entitled to access the accountant's identity, but not the client's.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Cite as: Cookie Fines. Udviklings- og Forenklingsstyrelsen - Denmark (2024). Retrieved from cookiefines.eu