Rigspolitiet – Complaint Upheld (Denmark, 2023)

Danish police authorities had shared personal data of speeding ticket recipients with Aalborg University. The data was used in the university's research project "Intervention Against Speed Offenders" (EASE). The complainant had contested the ticket, and the case was awaiting trial in a court of law. The complainant was nonetheless contacted to participate in the research project. In its remarks to the complaint, the Danish police authorities confirmed that information about all speeding offences registered in their systems had been forwarded to the university, regardless of whether the speeding ticket had been accepted or not. The DPA first noted that, in principle, the sharing of personal data about traffic law violations for the purposes of research was lawful under art. 10 (1) GDPR. The DPA did however find that the police authorities' execution meant that personal data was being shared without a relevant and legitimate purpose in all cases. The DPA highlighted: # that the relevant target group of the EASE project was people that had undoubtedly violated traffic laws, and; # that one could not assume that such a violation had taken place until the case had been concluded in the legal system. Since personal data had been shared while the complainant's case was still awaiting trial, the DPA concluded that the police authorities had violated the principles of purpose limitation and data minimisation in art. 5 (1)(b) and (c) GDPR. As a result, the DPA reprimanded the police authorities' data sharing activities. The DPA also ordered the police authorities to stop sharing data about tickets that had been contested when a final judicial decision regarding the ticket had not yet been reached.