EN
Technology

Holiday did not excuse delayed communication of data breach

logo
Legal news
calendar 7 October 2021
globus Denmark

The Danish Data Protection Authority recently expressed serious criticism towards the Danish Tax Agency’s data processing activities. This criticism was triggered by a data breach at the Tax Agency, which later led to a wrongful notification to the Data Protection Authority that the breach had been communicated to the data subject. However, due to “extraordinary circumstances in the holiday period” that mistake was not discovered before about 40 days later.

The case concerned a data breach at the Danish Tax Agency due to an error made by an employee, which resulted in a letter with a tax approval was sent to the wrong recipient. The letter contained identification information, information regarding the data subject’s finances and personal identification number (CPR).

The Tax Agency did not become aware of the data breach until after a couple of months, when the recipient made contact and the error was investigated. In accordance with the applicable data protection rules, the Tax Agency then notified the Danish Data Protection Authority. Among other things, the notification included information on the fact that the data breach had been communicated to the affected data subject.

However, after the summer holiday, the Tax Agency contacted the Data Protection Authority again. This time, the Tax Agency notified the Data Protection Authority that the data breach had never been communicated to the data subject after all, but that after the mistake had been discovered after the holiday, the information had been communicated to the data subject. Pursuant to the Tax Agency, extraordinary circumstances in the holiday period was the reason the error had occurred. On this basis, the Data Protection Authority decided to investigate the matter.

“Extraordinary circumstances in the holiday period” did not justify the error

When a data breach occurs, and it is likely that it will entail a high risk to the rights and freedoms of the data subject, then it must be communicated to those affected immediately. At the Tax Agency, the data breach did constitute a high risk because the category of data could both in itself but also combined have serious consequences for the affected data subject.

Consequently, the Data Protection Authority expressed serious criticism towards the manner the Tax Agency had handled its processing activities. The data breach had not been communicated to the data subject until about 40 days after the Data Protection Authority received notification, due to an internal mistake at the Tax Agency. The Tax Agency referred to extraordinary circumstances in the holiday period as being the reason for the mistake, but it did not change the Data Protection Authority’s assessment of the circumstances.

On the contrary, the seriousness of the issue increased further due to the fact that the Tax Agency wrongfully had informed the Data Protection Authority that the data breach had been communicated to the data subject, but also because several months had passed before the Tax Agency even became aware of the data breach.

IUNO’s opinion

This decision shows just how important it is for companies to have clear and appropriate procedures, guidelines and action plans in place, to allow for the necessary reports and communication to be made when needed – irrespective of whether employees are on holiday or not.

IUNO recommends that companies review established procedures on an ongoing basis, and ensures proper training internally, to ensure that both new and existing employees knows how to handle a data breach within the statutory deadlines.

Read more of how we can help ensure GDPR compliance here.

[The Danish Data Protection Authority’s decision of 22 September 2021]

The case concerned a data breach at the Danish Tax Agency due to an error made by an employee, which resulted in a letter with a tax approval was sent to the wrong recipient. The letter contained identification information, information regarding the data subject’s finances and personal identification number (CPR).

The Tax Agency did not become aware of the data breach until after a couple of months, when the recipient made contact and the error was investigated. In accordance with the applicable data protection rules, the Tax Agency then notified the Danish Data Protection Authority. Among other things, the notification included information on the fact that the data breach had been communicated to the affected data subject.

However, after the summer holiday, the Tax Agency contacted the Data Protection Authority again. This time, the Tax Agency notified the Data Protection Authority that the data breach had never been communicated to the data subject after all, but that after the mistake had been discovered after the holiday, the information had been communicated to the data subject. Pursuant to the Tax Agency, extraordinary circumstances in the holiday period was the reason the error had occurred. On this basis, the Data Protection Authority decided to investigate the matter.

“Extraordinary circumstances in the holiday period” did not justify the error

When a data breach occurs, and it is likely that it will entail a high risk to the rights and freedoms of the data subject, then it must be communicated to those affected immediately. At the Tax Agency, the data breach did constitute a high risk because the category of data could both in itself but also combined have serious consequences for the affected data subject.

Consequently, the Data Protection Authority expressed serious criticism towards the manner the Tax Agency had handled its processing activities. The data breach had not been communicated to the data subject until about 40 days after the Data Protection Authority received notification, due to an internal mistake at the Tax Agency. The Tax Agency referred to extraordinary circumstances in the holiday period as being the reason for the mistake, but it did not change the Data Protection Authority’s assessment of the circumstances.

On the contrary, the seriousness of the issue increased further due to the fact that the Tax Agency wrongfully had informed the Data Protection Authority that the data breach had been communicated to the data subject, but also because several months had passed before the Tax Agency even became aware of the data breach.

IUNO’s opinion

This decision shows just how important it is for companies to have clear and appropriate procedures, guidelines and action plans in place, to allow for the necessary reports and communication to be made when needed – irrespective of whether employees are on holiday or not.

IUNO recommends that companies review established procedures on an ongoing basis, and ensures proper training internally, to ensure that both new and existing employees knows how to handle a data breach within the statutory deadlines.

Read more of how we can help ensure GDPR compliance here.

[The Danish Data Protection Authority’s decision of 22 September 2021]

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology

16 June 2022

Unfortunate software update gave thousands of employees access to job applications

logo
Technology

2 June 2022

Failure to inform shareholder breached the data protection rules

logo
Technology

28 April 2022

First fine to a public authority for breach of the data protection rules

logo
Technology

31 March 2022

New guidelines clarify when processing is an international data transfer

logo
Technology

31 March 2022

24/7 CCTV monitoring at the workplace was a breach of the data protection rules

logo
Technology

24 February 2022

No unconditional right of access under whistleblower schemes

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate