Bord Ewropew għall-Protezzjoni tad-Data

Fine proposed for Danish recruitment company

Friday, 15 May, 2020
dk

The Danish Data Protection Authority considers that in a case on the right of access, the Danish recruitment company JobTeam has not met the basic requirements of the General Data Protection Regulation (GDPR) that personal data must be processed lawfully, fairly and transparently.

JobTeam has been reported to the police and a fine of DKK 50.000 has been proposed. The company had erased personal data subject to the access request of a data subject during the period after the request was submitted and prior to the company's reply. The Data Protection Authority became aware of the case on the basis of a complaint.

Good data processing

‘Where a controller deletes information on the individual directly linked to the failure to meet an access request, the controller unlawfully denies the possibility of a review of the right of access by the data by the Data Protection Authority and the Courts. This is a violation of the citizen’s fundamental rights and is not an example of good data processing,” says Astrid Mavrogenis, Head of Unit in the Danish Data Protection Authority.

Fine proposal

The Data Protection Agency has decided to report JobTeam to the police and recommended that the company should pay a fine.

It is the view of the Danish Data Protection Agency that a breach of the fundamental principles of the regulation concerning processing security for an company in a case such as the one in question cannot, in principle, be penalised by a fine lower than DKK 50.000, if the basic requirement of effective and dissuasive penalties laid down by the regulation must be complied with at the same time. At the same time, when setting the amount of the fine, the Authority emphasises that the fine must be proportionate.

In most European countries, national data protection authorities can issue administrative fines themselves, but the rules are different in, inter alia, Denmark.

After having clarified and assessed the case, the Data Protection Authority (DPA) reports the data controller to the police. The police then considers whether there are grounds for bringing a charge, and finally any financial penalty will be decided by a court.

To read the press release in Danish, click here

For further information, please contact the Danish SA: dt@datatilsynet.dk

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.