Statens Serum Institute – Violation Found (Denmark, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Danish Data Protection Authority found that Statens Serum Institute didn't properly inform people about how their biological samples were used. The institute argued that notifying everyone would be too costly and difficult. This decision highlights the importance of transparency in handling personal data, even for medical research.
What happened
Statens Serum Institute failed to inform individuals about the use of their biological samples and personal data as required by GDPR.
Who was affected
Patients whose biological samples and personal data were processed by Statens Serum Institute for diagnostic and research purposes.
What the authority found
The Danish DPA concluded that Statens Serum Institute did not meet its obligation to inform individuals about data processing, as required by GDPR.
Why this matters
This case emphasizes the need for organizations, including medical institutions, to ensure transparency and proper communication about data use. It serves as a reminder that exceptions to GDPR's information requirements are not easily granted.
GDPR Articles Cited
Following a citizen’s inquiry, the Danish DPA initiated an investigation regarding a medical institute’s (Statens Serum Institut or SSI) fulfillment of the obligation to provide information under Article 14(1) to 14(4) GDPR with regard to certain operations carried out by the SSI. The SSI receives and analyses biological samples taken from patients (for example blood samples) for diagnostic analysis purposes which is done as part of the institute's exercise of authority pursuant to Section 222 of the Danish Health Act. In addition, SSI processes other information about the person (e.g. the person’s name and ID number). After a diagnostic analysis has been carried out, often resulting excess biological material is stored in Denmark's National Biobank for future research purposes. The SSI argued that the exception under Article 14(5)(b) of said information obligations applies, as informing would require a disproportionately large effort in the form of large administrative and financial costs. The SSI's laboratory information system is over 20 years old and does not currently support automatic notifications which means that the SSI would need to inform individuals manually. Additionally, the SSI viewed that the concerned persons’ interests were covered by making general information about the collection available online on their websites. With regard to storing data in the national biobank for further research purposes, the SSI argued that the processing is compliant with the GDPR, as the further processing is not seen incompatible with the original processing purposes pursuant to Article 5(1)(b) GDPR. The Danish DPA made the assessment separately regarding when the SSI a) received biological samples for analysis and b) where residual material is stored in the national biobank. Firstly, the DPA considered that a balancing of interests must be done when assessing whether compliance with the obligation to provide information can be considered to require a disproportio
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Statens Serum Institute in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Statens Serum Institute - Denmark (2023). Retrieved from cookiefines.eu
Last updated: