Bolilag – Violation Found (Denmark, 2024)

In March 2024, the DPA initiated an investigation of Boliglag.dk (the controller) after receiving multiple complaints from property owners (data subjects). Upon searching for addresses or a person’s name, the website shows information on property. Results include information such as name, gender and age of present and former owners of a respective property. It also showed historical data on property sales and sales values, neighborhood information, property values, estimated property taxes and titles against the property. The data was compiled from multiple public registries. The DPA submitted a request for comment to the controller. The controller stated, that all personal information such as name and gender would be temporarily removed from the website, while the DPA was investigating the matter.
 The controller explained that the purpose of his website is to create transparency on the Danish property market through an easy, simple and freely accessible overview of publicly available property information on a single platform. The controller stated that similar paid platforms already exist for realty professionals and argued that through these platforms realtors achieved an advantage over consumers who had no access to such information. Much of the information could also be found on other websites. The controller maintained that the processing was within the scope of legitimate interest (Article 6(1)(f)) after receiving the DPA’s guidance on access to public registers and a number of telephone conversations with the DPA. The controller believed that it's legitimate interest was not overridden by the interest or fundamental rights and freedoms of the data subjects. The DPA found that it's generally legal to process data from one or multiple public registers, which have already been publicised, for the purpose of furthering transparency on the property market according to the Article 6(1)(f) GDPR. However, the DPA did not find it necessary to process personal d