Denmark: Issued Data Protection Authority ruling in investigation into Telmore A/S's Data Sharing with Meta Ireland

On 29 April 2024, the Danish Data Protection Authority (DPA) concluded its investigation into Telmore A/S for disclosing a citizen's email address to Meta Ireland for the purpose of targeted marketing. The investigation found that Telmore A/S and Meta Ireland were joint data controllers in this context, contrary to Telmore's assertion that Meta Ireland acted merely as a data processor. The DPA ruled that the data-sharing practice could not be justified under the balancing of interests rule and noted that Telmore's actions did not comply with the General Data Protection Regulation (GDPR) requirements for joint data controllers. Furthermore, the DPA stated that Telmore had ceased sharing the complainant's email address with Meta Ireland in response to the complaint. The DPA advised Telmore that any future use of Meta Ireland's Custom Audience tool must ensure a clear arrangement for joint data responsibility, in line with GDPR obligations, particularly concerning data transfers to third countries. The DPA has determined that further investigation into other complaints against Telmore A/S is not appropriate.