First fine to a public authority for breach of the data protection rules
Since the new data protection rules entered into force in 2018, the Danish Data Protection Agency has decided to fine a number of both private companies and public authorities for amounts of up to 1.5 million DKK. As the first in a series of cases before the courts, the District Court in Roskilde has decided that a municipality must pay a fine of 50,000 DKK for having breached the data protection rules.
In a municipality's department for children and young people, the normal practice was that summaries of meetings were uploaded to an internal employee platform. This employee platform served both as an intranet for multiple departments and as a case management system used as an alternative to a shared drive. The meeting summaries contained sensitive information, including information on ethnicity, sexual relations, and health information regarding physical and medical conditions. Yet most of the municipality's up to 2000 employees could access the meeting summaries if they wanted to, irrespective of whether they worked in that department.
The Danish Data Protection Agency reported the municipality to the police and proposed a fine of 50,000 DKK. According to the Danish Data Protection Agency, the municipality had blatantly ignored its duty to protect confidential information by means of access control. In this connection, the Danish Data Protection Agency emphasized, among other things, that only employees who needed access for their work should have been given access. The District Court in Roskilde agreed and highlighted that it made no difference that it could not be proven that anyone had actually accessed the information unlawfully, since this was solely because the municipality did not log access to the employee platform.
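The two controls the court focused on, restricting access to staff whose work requires it and logging every access attempt so that it can later be shown who did or did not read a record, can be modelled in a few lines. The following is an added example written for this article; it is not code from the judgement, the municipality or its platform, and the departments, users and record identifiers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class User:
    username: str
    department: str


@dataclass(frozen=True)
class MeetingSummary:
    record_id: str
    owning_department: str
    special_categories: tuple  # constructed labels, e.g. ("health", "ethnicity")


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    username: str
    record_id: str
    allowed: bool
    reason: str


class CaseStore:
    """Holds meeting summaries; every read attempt is authorised and logged."""

    def __init__(self):
        self._records: dict[str, MeetingSummary] = {}
        self.audit_log: list[AuditEntry] = []

    def add(self, record: MeetingSummary) -> None:
        self._records[record.record_id] = record

    def _authorize(self, user: User, record: MeetingSummary) -> tuple[bool, str]:
        # Need-to-know: only staff of the department that owns the case may read it.
        # A platform-wide "everyone can read" rule is exactly what the case turned on.
        if user.department == record.owning_department:
            return True, "user belongs to the owning department"
        return False, "user has no need-to-know for this department's cases"

    def read(self, user: User, record_id: str) -> MeetingSummary:
        record = self._records[record_id]
        allowed, reason = self._authorize(user, record)
        # Log before returning so that denied attempts are recorded as well.
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            username=user.username,
            record_id=record_id,
            allowed=allowed,
            reason=reason,
        ))
        if not allowed:
            raise PermissionError(f"{user.username} may not read {record_id}: {reason}")
        return record

    def readers_of(self, record_id: str) -> list[str]:
        """Who actually read a record: the question the municipality could not answer."""
        return sorted({e.username for e in self.audit_log
                       if e.record_id == record_id and e.allowed})

    def denied_attempts(self, record_id: str) -> list[str]:
        """Users who tried to read a record and were refused."""
        return sorted({e.username for e in self.audit_log
                       if e.record_id == record_id and not e.allowed})


def demo() -> dict:
    """Run the constructed scenario and return what the audit log can prove."""
    store = CaseStore()
    store.add(MeetingSummary("case-001", "children-and-young-people", ("health", "ethnicity")))
    caseworker = User("caseworker1", "children-and-young-people")   # constructed
    outsider = User("clerk7", "roads-and-parks")                     # constructed

    store.read(caseworker, "case-001")
    try:
        store.read(outsider, "case-001")
        denied = False
    except PermissionError:
        denied = True

    return {
        "outsider_denied": denied,
        "readers": store.readers_of("case-001"),
        "denied": store.denied_attempts("case-001"),
        "log_entries": len(store.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `readers_of` is the evidential one the court made: without a log of every attempt, a controller cannot show that nobody outside the department read a record, and the absence of that evidence counts against the controller rather than for it.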
More fines on the way
In most other EU countries, national data protection agencies can issue administrative fines. This is not the case in Denmark. When the Danish Data Protection Agency has investigated a case and reported it to the police, it is the police who examine whether there is a basis for bringing a case, and so on. After that, it is for the courts to decide whether or not to impose a fine. The case from the District Court in Roskilde is the first in a series of many in which a court has definitively decided on the question of fining a public authority.
When the Danish Data Protection Agency decides that a breach should trigger a fine, the amount is set in accordance with guidelines on how to establish it. The Data Protection Agency starts by establishing a base amount for the fine, which is adjusted according to the nature, gravity, and duration of the matter. For example, whether the breach lasted several years or a few hours, whether it concerns hundreds of data subjects or a few, and what type of information is involved all play a role. The Danish Data Protection Agency then looks into whether there are aggravating or mitigating circumstances. Here it matters if, for example, the data controller has reported the breach on its own initiative, remedied the breach, or cooperated with the Agency. Finally, the level is adjusted according to the statutory maximum and, potentially, the ability to pay.
IUNO's opinion
Companies should continuously assess whether necessary and appropriate safeguards are in place for all types of personal data being processed. At the same time, it is a clear advantage if companies have clear guidelines ready in advance for how a potential breach should be handled.
IUNO recommends that companies be aware that it is still possible to affect the level of the fine even after the damage is done. Companies that become aware of a breach can make sure to report it themselves before others do, and remedy the breach as quickly as possible so that it does not continue or recur.
[The District Court in Roskilde’s judgement of 9 March 2022 in case 9A-8331/2020]