The Danish Data Protection Agency issued an order on Monday for the National Police to delete problematic personal data after it investigated the National Police’s processing of personal data.  

The Danish Data Protection Agency criticized the National Police for violating the EU General Data Protection Regulation (GDPR) rules, specifically the regulations under the Law Enforcement Act. The regulations under the Law Enforcement Act apply to “the processing of personal data by the police, the prosecution, including the military prosecution, the penitentiary, the Independent Police Prosecution Service and the courts.”

In 2019, the National Police discovered a system error within the program used to convert raw cell phone data from telecommunications companies. The program was used to obtain geolocation records, among other teledata. The National Police used this data in criminal cases.

It is suspected that 10,000 criminal cases may have relied on false data. The cases had to be reviewed due to the possibility of wrongful conviction. In February 2021, the Ministry of Justice stated that the independent audit indicated that 5,000 criminal cases had been reviewed and had “no basis for continuation.”

The Danish Data Protection Agency’s IT security specialist, Allan Frank, asserted “it’s about making sure that you have the right data, and if not, to correct it. If you cannot, you delete it. They are the most basic provisions of the law and the police violated them. It may sound lofty but a fair trial is an essential human right. The National Police’s data processing jeopardizes that.”

Police Inspector at the National Police’s National Cyber Crime Center, Lars Mortensen, stated that “the National Police always takes criticism seriously.”