Clemens Bar ApS – Complaint Upheld (Denmark, 2024)

A data subject filed an access request under Article 15 GDPR with Clemens Bar ApS (a controller). The data subject wished to access CCTV footage. The controller refused the request, claiming the CCTV was installed in response to an order from [https://www.kk.dk/politik/lokaludvalg-saerlige-udvalg-raad-og-naevn/naevn/bevillingsnaevnet the Licensing Board] (Bevillingsnævnet). The Licensing Board is a body responsible for granting alcohol license to bars. As explained by the controller, the CCTV served the purpose of crime prevention and the recordings were used by Police to criminal activity. The access to the CCTV footage would then disclose the location of CCTV and jeopardise its purpose. Thus, the controller called upon Article 22(2)(3)(4) of [https://www.datatilsynet.dk/media/7753/danish-data-protection-act.pdf Data protection act], allowing for restricting access request, in particular, when the data subject interest was overridden by public interest, namely public security and crime prevention. The data subject filed a complaint with the Danish DPA (Datatilsynet). After receiving the complaint, forwarded by the DPA, the controller again refused to provide access to the data. Hence, the data subject filed another complaint against the controller. During the proceedings, the controller sustained their reasoning. Additionally, the controller also mentioned that the answer to access request was not technically feasible, since the controller was unable to anonymise the image of other data subjects (blurring), without blurring the image of the data subject too. Afterwards, the controller stated a human error caused deletion of the data. The data subject claimed the access request was related to potential violation of Article 244 of the Criminal Code. The DPA upheld the complaint. The DPA expressed “serious criticism” over deletion of data subject’s data. Once the controller deleted the data, the data subject lost possibility to lodge an effective complaint aga