Latest revision as of 13:32, 18 May 2022

Datatilsynet - Civilstyrelsen indstilles til bøde
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR; Article 33(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 12.05.2022
Fine: 100,000 DKK
Parties: Civilstyrelsen
National Case Number/Name: Civilstyrelsen indstilles til bøde
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Vadym Kublik

The Danish DPA recommended a fine of 100,000 DKK against an agency of the Danish Ministry of Justice. The DPA held that the agency had violated its security obligations under the GDPR by not encrypting a USB flash drive containing personal data, and Article 33(1) GDPR by not reporting the data breach to the DPA after the flash drive was lost.

English Summary

Facts

The Civil Affairs Agency (controller) is a part of the Danish Ministry of Justice. Its mission is to guarantee the basic principles of the rule of law by, for instance, offering compensation to victims of criminal offenses and supporting access to justice. The nature of its work involves processing large volumes of sensitive and confidential information regarding the parties in the proceedings.

The Agency returned a USB flash drive containing more than 800 pages of personal data to a representative of a data subject. However, the flash drive was subsequently lost under undisclosed circumstances. Notably, the drive was not encrypted, and the Agency had no guidelines for its caseworkers on the handling of removable storage devices and portable media.

Furthermore, the Agency learned of the data breach on 26 August 2020 but did not report it to the supervisory authority as required under Article 33(1) GDPR. The data subject's representative eventually complained to the Danish DPA about the controller's handling of personal data.

Holding

The Danish DPA held that removable storage devices (including USB flash drives) carry a heightened risk profile for data subjects, while encryption is a relatively easy security measure for a controller to implement. Encryption of such devices must therefore be regarded as a necessary and required security measure. Moreover, the DPA emphasised that a controller which processes large volumes of sensitive and confidential information must provide appropriate guidelines on the use of USB flash drives to the personnel who handle them. Hence, by not encrypting the personal data in question and by having no guidelines on the use of removable storage devices and portable media, the Agency violated its security obligations under the GDPR. In addition, the DPA held that the Agency violated Article 33(1) GDPR by not reporting the breach after becoming aware of it.

Comment

Datatilsynet has sanctioned the Civil Affairs Agency for mishandling personal data on several previous occasions; see, most recently, the reprimand in case 2021-32-2096.

NB. The DPA in Denmark does not impose fines directly but refers such cases to the police. The police then investigate whether there are grounds for bringing charges, and any fine is ultimately decided by a court.

NB. The press release on the decision does not explicitly refer to Article 32 GDPR violations but such an outcome may be inferred from the reference to a violation of the security obligations under the GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Police report
The Civil Affairs Agency is recommended for a fine
Date: 12-05-2022
News
The Danish Data Protection Agency reports the Civil Affairs Agency to the police and recommends a fine of DKK 100,000. The Authority finds that the Civil Affairs Agency has not met the requirement of an appropriate level of security.

The Danish Data Protection Agency became aware of the case when a complainant's representative complained about the Civil Affairs Agency's handling of the complainant's information.

It appears from the case that the Civil Affairs Agency, via Erstatningsnævnet, had returned to the complainant a USB stick containing more than 800 pages of information about the complainant of a sensitive and confidential nature, and that the stick had gone missing when the complainant received it.

The USB stick was not encrypted, and the Agency had no guidelines aimed at its caseworkers on the handling of removable storage devices and portable media.

The Civil Affairs Agency became aware of the breach on 26 August 2020 but did not report it to the Danish Data Protection Agency, in breach of Article 33 GDPR.

Lack of technical and/or organisational measures
The Danish Data Protection Agency finds that the Civil Affairs Agency's processing of personal data has not complied with the rules on appropriate security.

In its assessment, the Danish Data Protection Agency has emphasised that encryption of removable storage devices containing personal data (including USB sticks) must be regarded as a necessary and required security measure.

In this connection, the Authority has attached weight to the fact that removable storage media containing personal data carry a heightened risk profile in relation to the handling of personal data, and that encryption is a measure which is relatively easy for the controller to implement.

In addition, the Danish Data Protection Agency has emphasised that the Agency had no guidelines targeted at, and known to, its caseworkers regarding the handling of USB sticks, including their dispatch.

Why a police report?
The Danish Data Protection Agency always makes a specific assessment of the seriousness of the case under Article 83(2) GDPR when deciding which sanction it considers most appropriate.

In its recommendation to the police, the Danish Data Protection Agency has, among other things, emphasised that having procedures covering all processing operations and ensuring the encryption of USB sticks is an essential security measure. Moreover, encryption has for many years been a widespread and recognised technical measure which the controller can easily implement.

In addition, the controller is an agency of a state authority which must generally be assumed to process large amounts of sensitive and confidential information, and for which it must be considered essential that guidance targeted at the Agency's caseworkers on the handling of USB sticks has been prepared.
