Datatilsynet (Denmark) - Vejen Municipality

Datatilsynet - Vejen Municipality
Authority:	Datatilsynet (Denmark)
Jurisdiction:	Denmark
Relevant Law:	Article 32(1)(a) GDPR
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:
Published:	14.08.2024
Fine:	200,000 NOK
Parties:	municipality of Vejen
National Case Number/Name:	Vejen Municipality
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Danish
Original Source:	Datatilsynet (in DA)
Initial Contributor:	ec

The DPA reported the municipality of Vejen to the police with a recommended fine of €26,803.20 (DKK 200,000) for not encrypting computers with personal data of children.

English Summary

Facts

The municipality of Vejen (the controller) reported a personal data breach at the Danish DPA (“Datatilsynet”) because five laptops had been stolen.

The computers were only intended for use by teachers and students as part of the teaching programme. In practice, however, they were also used by teachers for things such as student progress reports and class handovers. Therefore, the computers contained more information about the students, including if they had for example special challenges. None of the computers were encrypted.

After the DPA’s investigation on the breach, they found that there were up to 300 computers in the municipality that were not encrypted and also contained personal data of children.

Holding

The DPA reported the controller to the police for inadequate security measures. The DPA recommended a fine of €26,803.20 (DKK 200,000) against the controller.

Comment

The DPA in Denmark does not impose fines directly but refers such cases to the police. The police then investigate whether there are grounds for raising a charge, and finally, a possible fine will be decided by a court. The press release does not refer to a specific GDPR Article, but the decision seems to concern a violation of Article 32(1)(a) GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Skip the main navigation

Search

Another municipality set to be fined for lack of encryption

Date: 14-08-2024

Decision Public authorities Police report Reported breach of personal data security Processing security Children

The Danish Data Protection Authority has reported Vejen Municipality to the police for insufficient security measures. Three stolen computers with information about children were not encrypted - and the same turned out to be the case with up to 300 other computers in the municipality. The Norwegian Data Protection Authority emphasizes that encryption is very often required.

The Danish Data Protection Authority has reported Vejen Municipality to the police and recommended a fine of DKK 200,000. This is the conclusion of a case that started when the municipality reported a breach of personal data security because five laptops had been stolen.

The computers were only intended for use by teachers and students as part of teaching. In practice, however, they were also used by teachers to make status descriptions of students, class handovers, etc., and therefore there were, among other things, more information about students with special challenges on the computers. None of the computers were encrypted.

In the Danish Data Protection Authority's subsequent investigation into the matter, it emerged that there were up to 300 computers in the municipality which risked being used in the same way, and which were also not encrypted.

"I must say that I am surprised that we continue to see these cases in the municipalities. We have received notifications about this kind of breach for several years, we have been out and warned several times, and we have also proposed to fine in previous cases," says Vibeke Dyssemark Thomsen, chief consultant at the Danish Data Protection Authority, and continues:

"Encryption is a very basic security measure which is relatively easy and not very expensive to implement. We therefore encourage all municipalities to take a thorough look at their portable devices and get a handle on encryption now."

There has been a focus on encryption in the municipalities in maturity supervision in both 2021 and 2022, and the Data Protection Authority has previously recommended fines in cases regarding the lack of encryption of portable devices in Favrskov Municipality, Gladsaxe Municipality, Hørsholm Municipality, Odsherred Municipality and the Civil Agency. In addition, processing security at municipalities - including encryption of portable devices - is also a special focus area for the Danish Data Protection Authority's targeted supervisory efforts in 2024.

Do you want to know more?

Below you can read more about recommendations and requirements for encrypting disks on devices issued to employees:

Security measures that can prevent breaches of personal data security in the event of loss/theft of transportable devices with unencrypted data Technical minimum requirements for governmental authorities 2023, sikkerdigital.dk Technical minimum requirements for governmental authorities 2024, sikkerdigital.dk The Association of Municipalities' (KL) recommendations from 2023 on minimum technical standards in municipalities Cyber defense that works, Center for Cyber Security, July 2023 Guidance on Cyber security on travel – the organization's responsibility, Center for Cyber Security, January 2022 Advice on security on mobile devices, Center for Cyber Security and PET 2018 National strategy for cyber and information security, Ministry of Finance, May 2018 NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices

Press inquiries can be directed to communications consultant Anders Due at ad@datatilsynet.dk or tel. 29 49 32 83.

Can I have access to documents in the case?

The right to access documents does not include cases within the criminal justice system. Therefore, as a clear starting point, you cannot get access to the case or the case documents.

Read more about access to documents in criminal cases here

Facts

Fines according to the GDPR

In most European countries, the national data supervisory authorities themselves can issue administrative fines for violations of the common European rules in the General Data Protection Regulation (GDPR). In Denmark, fines according to the regulation must so far be decided by the courts.  

The Danish Data Protection Authority can recommend both private actors and public authorities to fines. In connection with the notification of the case to the police, the Data Protection Authority assesses the amount of the fine, and it is then up to the police and the prosecution to bring charges and conduct the criminal case in the courts.

According to the rules, a fine must be effective, proportionate to the infringement and have a deterrent effect. The Danish Data Protection Authority therefore takes into account a number of considerations and considerations in both aggravating and mitigating directions when the supervisory authority makes a statement on the size of the fine. You can read more about what the Danish Data Protection Authority attaches importance to in the guidelines on setting fines, which the Danish Data Protection Authority has prepared in collaboration with the National Police and the Attorney General, as well as in the European Data Protection Board's guidelines on setting fines. 

Fine guidance - assessment of fines for natural persons Fine guidance - assessment of fines for companies EDPB's guidance on calculating fines under GDPR

It is assumed in the rules that the level of fines for public authorities is generally lower than for private actors.

See an overview of fine settings according to GDPR

How can this type of breakup be avoided?

Loss of portable devices with unencrypted data is one of the most widespread breaches of personal data security. Here you can read about some of the safety measures that can prevent this type of break.

The Norwegian Data Protection Authority

Carl Jacobsens Vej 35
2500 Valby
Tel. 33 19 32 00
dt@datatilsynet.dk

About us

About the Norwegian Data Protection AuthorityPresseHome pagePrivacy policyAvailability statement

Shortcuts

Guidance on GDPRCall usNewsletterThe National Whistleblower Scheme

Follow us

The Norwegian Data Protection Authority on LinkedIn

Another municipality set to be fined for lack of encryption

Date: 14-08-2024

Decision Public authorities Police report Reported breach of personal data security Processing security Children

The Danish Data Protection Authority has reported Vejen Municipality to the police for insufficient security measures. Three stolen computers with information about children were not encrypted - and the same turned out to be the case with up to 300 other computers in the municipality. The Norwegian Data Protection Authority emphasizes that encryption is very often required.

The Danish Data Protection Authority has reported Vejen Municipality to the police and recommended a fine of DKK 200,000. This is the conclusion of a case that started when the municipality reported a breach of personal data security because five laptops had been stolen.

The computers were only intended for use by teachers and students as part of teaching. In practice, however, they were also used by teachers to make status descriptions of students, class handovers, etc., and therefore there were, among other things, more information about students with special challenges on the computers. None of the computers were encrypted.

In the Danish Data Protection Authority's subsequent investigation into the matter, it emerged that there were up to 300 computers in the municipality which risked being used in the same way, and which were also not encrypted.

"I must say that I am surprised that we continue to see these cases in the municipalities. We have received notifications about this kind of breach for several years, we have been out and warned several times, and we have also proposed to fine in previous cases," says Vibeke Dyssemark Thomsen, chief consultant at the Danish Data Protection Authority, and continues:

"Encryption is a very basic security measure which is relatively easy and not very expensive to implement. We therefore encourage all municipalities to take a thorough look at their portable devices and get a handle on encryption now."

There has been a focus on encryption in the municipalities in maturity supervision in both 2021 and 2022, and the Data Protection Authority has previously recommended fines in cases regarding the lack of encryption of portable devices in Favrskov Municipality, Gladsaxe Municipality, Hørsholm Municipality, Odsherred Municipality and the Civil Agency. In addition, processing security at municipalities - including encryption of portable devices - is also a special focus area for the Danish Data Protection Authority's targeted supervisory efforts in 2024.

Do you want to know more?

Below you can read more about recommendations and requirements for encrypting disks on devices issued to employees:

Security measures that can prevent breaches of personal data security in the event of loss/theft of transportable devices with unencrypted data Technical minimum requirements for governmental authorities 2023, sikkerdigital.dk Technical minimum requirements for governmental authorities 2024, sikkerdigital.dk The Association of Municipalities' (KL) recommendations from 2023 on minimum technical standards in municipalities Cyber defense that works, Center for Cyber Security, July 2023 Guidance on Cyber security on travel – the organization's responsibility, Center for Cyber Security, January 2022 Advice on security on mobile devices, Center for Cyber Security and PET 2018 National strategy for cyber and information security, Ministry of Finance, May 2018 NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices

Press inquiries can be directed to communications consultant Anders Due at ad@datatilsynet.dk or tel. 29 49 32 83.