Dansk Retursystem – Violation Found (Denmark, 2024)

On 6 July 2022, the Danish DPA (Datatilsynet) initiated an investigation on its own against Dansk Retursystem (a controller). The controller is an entity managing the system of cans and bottles deposits - pant. The DPA had been made aware that the controller had developed an application called "Pant" (the App) for the payment of deposit. In connection with the App, the controller processed a number of information about, among other things, the users' bank accounts, balances, loans, etc. The investigation showed that the App had a built-in component allowing a user to log in their bank to obtain the user's account information in order to pay out money to the right account. The component was made available by a third party and integrated with the App. The component could also collect information about e.g. user's balances, identity information and transaction history. However, this information was not passed on to the controller. The DPA decided to limit the investigation of the App to the questions of: (i) whether the controller's processing of personal data in connection with the use of the App took place in accordance with the principles for processing personal data, including the principle of legality, reasonableness and transparency in accordance with Article 5(1)(a) GDPR and the data minimization principle in Article 5(1)(c) GDPR; and (ii) whether the processing took place in accordance with Article 25 (1) GDPR, as regards the implementation of the data protection principles. Against this background, the DPA requested the controller for an opinion regarding the App. In his clarifications, the controller affirmed that they have developed the App to modernize the process of deposit payouts, transitioning from physical cards to direct bank transfers. The App required users to register and link a bank account for deposit payments. For this purpose the controller relied on services offered by [https://tink.com/de/ Tink AB], a payment-service-provider. The controller