Holiday did not excuse delayed communication of data breach
The Danish Data Protection Authority recently expressed serious criticism of the Danish Tax Agency’s data processing activities. The criticism was triggered by a data breach at the Tax Agency, which later led to an incorrect notification to the Data Protection Authority stating that the breach had been communicated to the data subject. Because of “extraordinary circumstances in the holiday period”, that mistake was not discovered until about 40 days later.
The case concerned a data breach at the Danish Tax Agency caused by an employee error, which resulted in a letter with a tax approval being sent to the wrong recipient. The letter contained identification information, information regarding the data subject’s finances and the data subject’s personal identification number (CPR).
The Tax Agency did not become aware of the data breach until a couple of months later, when the recipient made contact and the error was investigated. In accordance with the applicable data protection rules, the Tax Agency then notified the Danish Data Protection Authority. Among other things, the notification stated that the data breach had been communicated to the affected data subject.
However, after the summer holiday, the Tax Agency contacted the Data Protection Authority again. This time, the Tax Agency informed the Data Protection Authority that the data breach had in fact never been communicated to the data subject, and that the data subject had only been informed once the mistake was discovered after the holiday. According to the Tax Agency, extraordinary circumstances in the holiday period were the reason the error had occurred. On this basis, the Data Protection Authority decided to investigate the matter.
“Extraordinary circumstances in the holiday period” did not justify the error
When a data breach occurs and it is likely to result in a high risk to the rights and freedoms of the data subject, the breach must be communicated to those affected without undue delay. In this case, the data breach did involve a high risk, because the categories of data concerned could, both individually and in combination, have serious consequences for the affected data subject.
Consequently, the Data Protection Authority expressed serious criticism of the manner in which the Tax Agency had handled its processing activities. Due to an internal mistake at the Tax Agency, the data breach was not communicated to the data subject until about 40 days after the Data Protection Authority received the notification. The Tax Agency referred to extraordinary circumstances in the holiday period as the reason for the mistake, but this did not change the Data Protection Authority’s assessment.
On the contrary, the seriousness of the matter was increased by the fact that the Tax Agency had incorrectly informed the Data Protection Authority that the data breach had been communicated to the data subject, and by the fact that several months had passed before the Tax Agency even became aware of the data breach.
IUNO’s opinion
This decision shows how important it is for companies to have clear and appropriate procedures, guidelines and action plans in place, so that the necessary notifications and communications can be made when needed, irrespective of whether employees are on holiday.
IUNO recommends that companies review their established procedures on an ongoing basis and ensure proper internal training, so that both new and existing employees know how to handle a data breach within the statutory deadlines.
Read more about how we can help ensure GDPR compliance here.
[The Danish Data Protection Authority’s decision of 22 September 2021]