Joannahuset – No Violation (Denmark, 2022)

Joannahuset (the controller) is a crisis center offering shelter and support to children and young people in vulnerable situations. On one occasion, in connection with obtaining consent for a child's registration for shelter, the controller requested to receive the child's name and social security number via SMS. The Danish DPA (Datatilsynet) became aware of this situation and started an ex officio investigation. According to the controller, the event occurred in the evening, when the child's custodian was no longer in the office and therefore could only be reached via SMS, and not by secure mail or any other equivalent secure communication method. The controller argued that it was legally obliged to check the identity of the child and receive the custodian's consent before accepting the child to the shelter. If it would not have reached out to the custodian via SMS, the child would have been left to spend the night on the street. The DPA held that the requirement of appropriate security pursuant to Article 32 GDPR normally implies that the controller must offer the data subject a sufficiently secure communication method when transmitting confidential information. Moreover, the DPA found that the obligations placed on the controller under Article 32 GDPR cannot be waived by the data subject consenting to the unsecure transmission. However, the DPA found that under exceptional circumstances, data protection requirements can be outweighed by other considerations, including, for example, the need to urgently ensure life and health concerning particularly vulnerable groups of people. Therefore, the controller must conduct a specific assessment and document its considerations when balancing such conflicting interests. Consequently, the DPA found that in this case it was acceptable to use SMS communication for receiving the child's name and social security number.