The Danish Data Protection Agency recently issued new guidelines on data subjects’ rights, e.g. offering guidance on employers’ compliance with employees’ right of access.
The General Data Protection Regulation is fast approaching. The Danish Data Protection Agency has now issued guidelines on data subjects’ rights.
Pursuant to the GDPR, data subjects have a wide range of rights which, as a starting point, must be respected by the data controller such as the right to be informed, the right to erasure and the right to object in relation to personal data. The guidelines describe a number of procedural requirements which the data controller must always bear in mind to ensure compliance with the data subjects’ rights.
With regard to employers, the guidance e.g. establishes that the employer cannot comply with an employee’s right of access in relation to employee data processed by the employer simply by informing the employee of where the data can be found. The employer must provide a copy of the specific information processed.
You can read the guidelines here (in Danish).
The content of the above is not, and should not be a substitute for legal advice.
Must the Data Protection Agency be notified in case of an “internal” personal data breach?
The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.
Access to work emails? Can a request to access data be too extensive?
Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.