EN
Technology

First fine to a public authority for breach of the data protection rules

logo
Legal news
calendar 1 May 2022
globus Denmark

Since the new data protection rules entered into force in 2018, the Danish Data Protection Agency has decided to fine a number of both private companies and public authorities for amounts of up to 1,5 million DKK. As the first in a series of cases at the courts, the District Court in Roskilde has decided that a municipality was to pay a fine of 50,000 DKK for having breached the data protection rules.

In a municipality’s department for children and young people, the normal practice was that summaries of meetings were uploaded to an internal employee platform. This employee platform worked as both an intranet for multiple departments and a case management system as an alternative to a shared drive. Meeting summaries contained sensitive information, including information on ethnicity, sexual relations, and health information regarding physical and medical conditions. Yet, most of the municipality’s up to 2000 employees had access to the meeting summaries if they wanted to, irrespective of whether they worked with that department.

The Danish Data Protection Agency reported the municipality to the police and proposed to issue a fine of 50,000 DKK. According to the Danish Data Protection Agency, the municipality had blatantly ignored its duty to protect confidential information with access control. In this connection, the Danish Data Protection Agency emphasized, among other things, that only employees who needed access in relation to their work should have been given access. The District Court in Roskilde agreed with this and highlighted that it did not play any role that it could not be proven that no one had actually unlawfully accessed the information when this was solely due to the fact that the municipality did not log access to the employee platform.

More fines on the way

In most other EU countries, national data protection agencies can issue administrative fines. This is not the case in Denmark. When the Danish Data Protection Agency has investigated a case that leads to a police report, it will be the police who examine whether there is a basis to initiate a case, etc. After this, it will be for the courts to decide whether to impose a fine or not. The case from the District Court in Roskilde is the first in a series of many where a court has definitively decided on the question of fining a public authority.

When the Danish Data Protection Agency decides that a breach should trigger a fine, the fine is defined in accordance with guidelines on how to establish the amount. The Data Protection Agency will start by establishing a base amount for the fine, which will be adjusted according to the nature, gravity, and duration of the matter. For example, whether the breach has occurred over several years or a few hours, whether the breach concerns hundreds of data subjects or a few, as well as what type of information is involved, will play a role. When that is done, the Danish Data Protection Agency will look into whether there are circumstances that make the case better or worse. Here, it will play a role if, for example, the data controller has reported the breach on its own initiative, repaired the breach, or cooperated with the Agency. Finally, the level will be adjusted according to the maximum of the rules and, potentially, the ability to pay.

IUNOs opinion

Companies should continuously assess whether there are necessary and appropriate safeguards in place for all types of personal data that is being processed. At the same time, it is a clear advantage if companies have clear guidelines ready in advance for how a potential breach should be handled.

IUNO recommends that companies are aware that it is still possible to affect the level of the fine when the damage is done. Companies that become aware of a breach can make sure to report it themselves before others do and repair the breach as quickly as possible so it doesn’t continue or happens again.

[The District Court in Roskilde’s judgement of 9 March 2022 in case 9A-8331/2020]

In a municipality’s department for children and young people, the normal practice was that summaries of meetings were uploaded to an internal employee platform. This employee platform worked as both an intranet for multiple departments and a case management system as an alternative to a shared drive. Meeting summaries contained sensitive information, including information on ethnicity, sexual relations, and health information regarding physical and medical conditions. Yet, most of the municipality’s up to 2000 employees had access to the meeting summaries if they wanted to, irrespective of whether they worked with that department.

The Danish Data Protection Agency reported the municipality to the police and proposed to issue a fine of 50,000 DKK. According to the Danish Data Protection Agency, the municipality had blatantly ignored its duty to protect confidential information with access control. In this connection, the Danish Data Protection Agency emphasized, among other things, that only employees who needed access in relation to their work should have been given access. The District Court in Roskilde agreed with this and highlighted that it did not play any role that it could not be proven that no one had actually unlawfully accessed the information when this was solely due to the fact that the municipality did not log access to the employee platform.

More fines on the way

In most other EU countries, national data protection agencies can issue administrative fines. This is not the case in Denmark. When the Danish Data Protection Agency has investigated a case that leads to a police report, it will be the police who examine whether there is a basis to initiate a case, etc. After this, it will be for the courts to decide whether to impose a fine or not. The case from the District Court in Roskilde is the first in a series of many where a court has definitively decided on the question of fining a public authority.

When the Danish Data Protection Agency decides that a breach should trigger a fine, the fine is defined in accordance with guidelines on how to establish the amount. The Data Protection Agency will start by establishing a base amount for the fine, which will be adjusted according to the nature, gravity, and duration of the matter. For example, whether the breach has occurred over several years or a few hours, whether the breach concerns hundreds of data subjects or a few, as well as what type of information is involved, will play a role. When that is done, the Danish Data Protection Agency will look into whether there are circumstances that make the case better or worse. Here, it will play a role if, for example, the data controller has reported the breach on its own initiative, repaired the breach, or cooperated with the Agency. Finally, the level will be adjusted according to the maximum of the rules and, potentially, the ability to pay.

IUNOs opinion

Companies should continuously assess whether there are necessary and appropriate safeguards in place for all types of personal data that is being processed. At the same time, it is a clear advantage if companies have clear guidelines ready in advance for how a potential breach should be handled.

IUNO recommends that companies are aware that it is still possible to affect the level of the fine when the damage is done. Companies that become aware of a breach can make sure to report it themselves before others do and repair the breach as quickly as possible so it doesn’t continue or happens again.

[The District Court in Roskilde’s judgement of 9 March 2022 in case 9A-8331/2020]

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology

24 November 2022

Colored cookie consent can be illegal nudging

logo
Technology

10 November 2022

Deadline to create whistleblower schemes for medium-sized companies approaching

logo
Technology

27 October 2022

Criticism and order to correct processing activities on “No thank you-list”

logo
Technology

13 October 2022

Investigation criticized by the Danish Data Protection Agency

logo
Technology

22 September 2022

The Danish Data Protection Agency is testing the use of cloud solutions

logo
Technology

8 September 2022

Cyber-attack will become expensive for law firm

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate