Data Erasure Request denied by Denmark’s DPA
Data Processing – Establishing lawful grounds for processing personal data.

Denmark’s Data Protection Authority (DPA) investigated a complaint against a Danish company, alleging that its processing of personal data violated the GDPR.

The individual concerned alleged that the company failed to comply with a request to erase their personal data, which apparently:

a) included information from the Central Business Register (CBR) concerning previous affiliations with several companies; and

b) was publicly accessible on the company’s website.

What is the Legal Basis for Processing Personal Data?

The ICO has provided an ‘at-a-glance’ list of conditions, which define the lawful basis for processing personal data.

First and foremost, you must have a valid lawful basis in order to process an individual’s personal data. There are six available lawful bases for processing. Which basis is most appropriate to use will depend on your purpose and relationship with the individual.

Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you will not have a lawful basis.

It is essential that you determine your lawful basis before processing begins. You must also document your lawful bases.

Take great care to get it right the first time, particularly if you want to avoid data erasure request problems later. You should not switch to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.

Ensure that your privacy notice includes your lawful basis for processing as well as the purposes of the processing. If your purposes change, you may be able to continue processing under the original lawful basis, but only if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).

If you are processing special category data, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

If you are processing criminal conviction data or data about offences, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

Why did the DPA reject this data erasure request?

The complaint was made against a company that provides information about business owners and shareholders in Danish businesses. When searches are made on the company’s website, the resulting information is displayed in real time from the Central Business Registry. The information is not stored on the company’s website.

The Central Business Registry website is publicly accessible. Similarly, information about UK business owners and directors is publicly available directly from the Companies House website.

It is not mandatory for business registry services to comply with a request to erase an individual’s personal data relating to company affiliations. The complainant gave no specific reasons justifying deletion that would outweigh the company’s legitimate interest in processing their data.

In this particular case, the company’s processing was legitimate. Therefore, the data erasure request was denied by the DPA.

Under GDPR law, EU residents have legal rights regarding data erasure requests.

Sources and credits: Information Commissioner’s Office (ICO), Data Protection Authority (DPA) Denmark
