On September 25, 2023, the Danish data protection authority (Datatilsynet) published its decision in Case No. 2023-832-0081, as issued on the same date, in which it expressed criticism against Dagrofa ApS, for violations of Act No. 502 of 23 May 2018 on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the Act), following a complaint made by an individual.

Background to the decision

The complainant claimed that a merchant at a Meny store, owned and operated by Dagrofa, had passed on personal data about the complainant, including information on criminal offenses, to the complainant's former supervisor without authorization. As a result, the complainant stated that they were dismissed from their workplace.

Findings of the Datatilsynet

The Datatilsynet determined that Dagrofa was the data controller for the processing of personal data in question in the case. Further, the Datatilsynet held that the disclosure of information that the complainant had committed criminal offenses was not necessary for Dagrofa to safeguard its legitimate interest. Therefore, the Datatilsynet found that Dagrofa's processing of personal data violated Section 8(4) of the Act.

Outcomes

The Datatilsynet issued criticism against Dagrofa for the aforementioned violations.

You can read the press release here and the decision here, both only available in Danish.