The Norwegian Data Protection Authority has completed its investigation of www.boliglag.dk. In its decision, the supervisory authority expresses criticism that the processing of information about home owners did not have a legal basis according to the data protection rules.
In March 2024, the Danish Data Protection Authority initiated a case of its own initiative against Boliglag ApS regarding the processing of personal data on the website www.boliglag.dk .
The investigation was initiated on the basis of a number of complaints and inquiries that the Danish Data Protection Authority had received.
In this connection, the Danish Data Protection Authority found that it was possible to search for information about properties on the website by searching either at a specific address or by searching directly at the name of a natural person. The search results showed the home’s profile, which contained information about e.g. name, gender and age of current and former owners of the home, as well as the home’s sales history and sales value.
The Norwegian Data Protection Authority has now made a decision in the case and expresses criticism of Boliglag ApS.
It will often be legal for a data controller to process – including publish – personal data that has been obtained from one or more publicly available registers and that has already been published.
However, after a concrete assessment in the case of www.boliglag.dk, the Danish Data Protection Authority found that the processing of personal data on the website cannot take place within the framework of the “balancing of interests rule” in Article 6, paragraph 1 of the Data Protection Regulation. 1, letter f.
The Danish Data Protection Authority emphasized that although the objective of making housing data easily accessible and creating transparency in the housing market is factual and relevant, this objective can only be achieved in a way that is less intrusive on the privacy of the persons concerned.
The Danish Data Protection Authority also emphasized that the data subjects cannot reasonably expect such extensive collation and publication of their personal data as the solution at www.boliglag.dk entailed. The publication had a particularly intrusive nature as a result of the fact that the information could be sought by a search on the individual person’s name.