On May 15, the Danish Data Protection Authority announced that it has reported the recruitment company JobTeam to the Police along with a DKK 50,000 fine proposal for erasing personal data before responding to a data subject’s access request.
Following a complaint, the Danish Supervisory Authority found that JobTeam had deleted personal information before replying to a subject access request. As a result, it considered that JobTeam had breached its GDPR obligation of processing personal data lawfully, fairly and transparently.
Indeed Astrid Mavrogenis, Head of Unit at the Danish Authority stated that ‘Where a controller deletes information on the individual directly linked to the failure to meet an access request, the controller unlawfully denies the possibility of a review of the right of access by the data by the Data Protection Authority and the Courts. This is a violation of the citizen’s fundamental rights and is not an example of good data processing.”
Unlike in most Member States, the Danish Supervisory Authority cannot issue a fine directly and must report the case to the police. On the basis of the Authority report, the police services then decide whether there is a ground for bringing a charge against the company and eventually, a court may serve the proposed financial penalty.
It is surprising the authority only raised the breach of the transparency principle, as the company, by erasing the data following a subject access request, has denied the individual’s right of access (Article 15 GDPR). Indeed, the controller should have provided all the data it holds about the data subject at the time the request was made.
In any event, it is a good reminder that organisations should not be tempted to delete information following a subject access request and should keep a record of its responses in order to demonstrate compliance with its GDPR obligations.