Næstved municipality: Public interest and cookies Summary The Danish Data Protection Agency’s In October 2020, the Danish DPA initiated an own- decision initiative case against Næstved Municipality regarding The Danish DPA criticized Næstved Municipality, in its processing of personal data about website visitors. connection with the processing of personal data about The website displayed the following text to visitors of the website visitors, which did not comply with GDPR, Article website: 5(1)(a) (personal data must be processed lawfully, fairly and in a transparent manner). ”This website uses cookies to improve your experience, to assess the use of the individual elements of the The Danish DPA also concluded that Næstved website, and to support the marketing of our services. Municipality’s processing of personal data about By clicking further on the website, you agree to the website visitors for statistical purposes was within the website’s use of cookies.” scope of GDPR, Article 6(1)(e) (processing is necessary for the performance of a task carried out in the public The basis for processing for Næstved Municipality’s interest or the exercise of official authority vested in the collection of personal data via cookies was stated as controller). GDPR, Article 6(1)(e) and was therefore for the purpose of performing a task carried out in the public interest, Our remarks including for the purpose of providing information about the municipality’s performance of municipal • The Danish DPA criticized Næstved Municipality for tasks. The purpose was pursued by, among other stating that cookies were collected for marketing things: purposes, even though this was not the case. Thus, • Maintaining the overall security of the website, for the data controller must ensure that their cookie example by identifying illegal and malicious traffic. information or a privacy policy accurately reflects the purposes of the personal data processing • Measuring the impact of communication efforts involved. based on data on the pages and links citizens use. • Public authorities may use their authority to The use of cookies on Næstved Municipality’s website perform official tasks as a legal basis for processing was set up in such a way that individual cookie data personal data by collecting statistical cookies, as set was collected by Siteimprove, which generated long as they can demonstrate that the cookies irreversibly anonymized statistics for the municipality. contribute to the performance of their tasks. In this case, measuring impact on communication and Siteimprove used Amazon Web Service (AWS) Frankfurt ensuring security on the website was within the task as a sub-processor, which was disclosed in the data of the municipality. processing agreement between Næstved Municipality • If personal data is processed for statistical and Siteimprove. The agreement ensured that personal purposes, it is good practice to anonymize the data data was only stored in the EU. AWS Frankfurt provided to ensure that personal data is not processed more guarantees in the agreements and publicly that this extensively than necessary. restriction would be maintained and that there was no • The Danish DPA concluded that Siteimprove did not transfer of data to countries outside the EU, including transfer to third countries in connection with its use the United States. of AWS. Published: 17-11-2021, Journal number: 2020-432-0047 Tags: 01 Legal basis for processing and principles of processing 108