1. The Danish Data Protection Agency (DPA) has trough a documentary in the Danish media1 become aware of the fact that Exact Data as a data broker allegedly processes personal data about people from Denmark.
According to the documentary Exact Data offers to sell these personal data to companies, which target their marketing to certain target groups.
The documentary states as an example that Exact Data offers the list "Online Gamblers", which contains the names and contact details of 5,522 Danes.
The documentary also states that Exact Data all together offers data on 359,000 Danes.
Subsequently it is furthermore stated2, that Exact Data offers data concerning names and health on 2,500 Danes with diabetes.
The article also states that Exact Data will not give any information on where the data in question is collected.
1.1. The Danish DPA supervises on its own initiative or acting on a complaint from a data subject that the processing of personal data is carried out in compliance with the provisions in the Danish Act of 429 of 31 May 2000 with later amendments on Processing of Personal Data (the Act)3 and rules issued by virtue of the Act, see section 58(1) of the Act.
2. The Danish DPA shall draw Exact Data’s attention to the following sections of the Act:
2.1. The Act applies to processing of data carried out on behalf of a controller4 who is established in Denmark, if the activities are carried out within the territory of the European Community, see section 4(1) of the Act.
Furthermore, the Act applies to a controller who is established in a third country, if
the processing of data is carried out with the use of equipment situated in Denmark, unless such equipment is used only for the purpose of transmitting data through the territory of the European Community; or
the collection of data in Denmark takes place for the purpose of processing in a third country.
See section 4(3) of the Act.
A third country is a country which is not a member of the European Community and which has not entered into an agreement with the European Community which contains rules corresponding to Directive 95/46/EEC of 24 October 1995 on the protection of physical persons in connection with the processing of personal data and on the free exchange of such data – i.e. the European Economic Area (EEA) countries. The USA is considered a third country.
Due to section 4(3) of the Act a company – which is not established in the EU – will be subject to the Act, provided that the company applies equipment situated in Denmark or collects data in Denmark for the purpose of processing the data.
The Danish DPA can state that such a company can be subject to the Act, if the company e.g. uses cookies or similar functions situated at Danish home¬pages, wherefrom personal data are collected.
Furthermore the company can be subject to the Act, if the company e.g. collects data directly from persons located in Denmark or from a Danish public filing system.
The Danish DPA shall therefore recommend that Exact Data assess whether the company is subject to the Act and accordingly is obliged to process personal data from Denmark in accordance with the Act.
2.2. The Danish DPA can furthermore point out that it is stated in section 12(1) of the Act that controllers who sell lists of groups of persons for marketing purposes or who perform mailing or posting of messages to such groups on behalf of a third party may only process:
data concerning name, address, position, occupation, e-mail address, telephone and fax number;
data contained in trade registers which according to law or regulations are intended for public information; and other data if the data subject has given his explicit consent. The consent shall be obtained in accordance with section 6 of the Danish Marketing Act.
Section 12(2) of the Act adds that processing of data as mentioned in section 7 (1), or section 8, may, however, not take place.
Section 7(1) regulates processing of sensitive data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health and sex life.
Section 8 regulates processing of sensitive data such as criminal offences, serious social problems and other purely private matters than those mentioned in section 7 (1).
Provided that a company processes data in violation of section 12, the processed data will basically be regarded as unlawful data.
3. The Danish DPA shall call attention to the DPA’s possibility to supervise on its own initiative that a processing of data is carried out in compliance with the Act.
If a Danish controller should receive or buy personal data from a company, which has processed the data in violation of the Act, e.g. section 12, the data will (also) be regarded as unlawful in the possession of the Danish controller.
Should such unlawful data be received by a Danish controller the Danish DPA will take action toward the Danish controller.
In continuance of this the Danish DPA may order a private data controller to discontinue a processing operation which may not take place under the Act and to rectify, erase or block specific data undergoing such processing, see section 59(1) of the Act.
4. If Exact Data has any questions the company are welcome to contact the Danish DPA either by phone + 45 33 19 32 00 or e-mail dt@remove-this.datatilsynet.dk.
The Danish PDA has sent a copy of this letter to The Federal Trade Commission. Furthermore, the DPA intend to publish this letter on the DPA’s home-page.
1 See e.g. www.dr.dk/Nyheder/Andre_sprog/English/2015/03/16/132847.htm
2 See e.g. www.dr.dk/Nyheder/Indland/2015/04/04/04174355.htm
3 See a compiled version of the Act on Processing of Personal Data in English on the Danish
DPA’s homepage: www.datatilsynet.dk/english/the-act-on-processing-of-personal-data/read-the-act-on-processing-of-personal-data/compiled-version-of-the-act-on-processing-of-personal-data/
4 A ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data