Falck Danmark A/S – No Violation (Denmark, 2021)

The Danish DPA investigated a company's compliance with the GDPR information obligations. The company processed personal data in relation to rapid COVID-19 testing of children aged 12 or above in primary school. Information about the processing could be found in a privacy policy that had been forwarded to both the data subjects (the children) as well as their guardians through a digital communications platform used by the schools. The company had also attached an invitation to read the privacy policy. The DPA had to assess whether the controller had fulfilled its information obligations under Article 13(1)(a-f) GDPR and Article 13(2) GDPR. The DPA first noted that pursuant to Artilcle 12(1) GDPR, the information must be given in a "concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child". The DPA held that the privacy policy contained all the information the controller had to provide. Furthermore, the DPA found that using a digital communications platform was sufficient to fulfil the information obligations. The DPA therefore found no violation of the GDPR. However, the DPA recommended that the controller prepares information more directly aimed at children, both in form and content.