The fight ended draw: Understandable frustrations were met by good answers.
In addition to not having students cut out of pictures when they change school, we were once again made aware that consent is always the worst conceivable home. Use something else - anything else, just use something else. For example, the exercise of authority.
Public authorities should simply never think of consent first, but always start exercising authority. Thus, it is often assumed that special legislation in the social, school or service areas must be assumed to be fully sufficient for the processing of personal data that is relevant and necessary to carry out the tasks that are the purpose of the special legislation.
And then the message was centralized! Centralize internally so that it is never the individual caseworker to decide on the GDPR, the risk assessment and what needs to be addressed:
The in the opinion of the Danish Data Protection Agency should not be the individual educator, health nurse or caseworker tasked with documenting lawful handling of citizens' data. The municipality must ensure that proper processing of personal data in daily work is supported both technically and organizationally.
The Data Inspectorate also pointed out that KL should be at the forefront of a code of conduct so that the municipalities feel more secure in the daily application of the regulation:
One possibility is also that KL draws up a code of conduct. A code of conduct is a set of guidelines that should help ensure that the authorities that adhere to the code apply the data protection rules correctly.
In relation to the data processors, the message was also central: this applies especially to the conclusion of data processing agreements and supervision and control. KL can do a lot here. Saw the ball back on KL's course half. KL states:
Municipalities find it extremely resource-intensive to comply with the GDPR requirement that they - or expensive auditors on their behalf - must supervise their data processors. For each municipality, there are several hundred agreements. In addition, many municipalities have to carry out exactly the same control with the same data processor, which does not increase data security.
The Danish Data Protection Agency's answer seems to be straightforward:
When processing personal data, and especially when disclosing it to others, including data processors, a responsibility is included, e.g. to oversee its data processors. This is a specific requirement under the Regulation. To facilitate this work, the Danish Data Protection Agency has issued a guide specifically related to supervision of data processors. It appears, among other things, of the supervision guidance that the data controller can advantageously organize his supervision on the basis of the risk assessment carried out by the data controller. Therefore, how often and how to supervise data processors can vary according to the risk of citizens' rights and freedoms. In this context, the Data Inspectorate also welcomes any cooperation between the authorities.
If the municipalities just want more time for the hot tasks, you have to call for pooling the cold. Then it is also easier to point out that the bill should be passed on to the state, since the expense of the cold is not exactly defined by the level of service and local decisions, but by legislation that comes from a long way. But we may now be too optimistic here. Centralizing IT is usually not that easy even.
However, it must be remembered here that this is not a matter of centralizing IT in the traditional sense. It's just the compliance part that needs to be assembled. And it must be possible. This can be done in a very impractical way by sharing information digitally - it can also be done by creating a special GDPR-shared service for the municipalities with a defined task portfolio.
As everywhere where compliance pops up on the horizon, after outsourcing IT (without considering the consequences of compiance), one finds that the technicians in the basement need to be quickly replaced by grinding animals in the hallways. No one has said it should be easy - and it never will be. It's just getting started!