Datatilsynet (Denmark) - 2021-423-0241
Revision as of 08:12, 9 October 2023
| Datatilsynet - 2021-423-0241 | |
|---|---|
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | No Violation Found |
| Started: | |
| Decided: | |
| Published: | 31.08.2023 |
| Fine: | n/a |
| Parties: | Hedensted Kommune |
| National Case Number/Name: | 2021-423-0241 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | nho23 |
The Danish DPA found no violation of Article 32(1) GDPR in an investigation procedure conducted at a municipality. The DPA found that the measures taken to prevent unintentional data breaches and to mitigate the risks in case of accidental disclosure were appropriate.
English Summary
Facts
In 2021 the Danish DPA conducted inspections of multiple public authorities to check whether they were complying with data protection rules. Among the inspected public authorities was Hedensted Kommune (Municipality of Hedensted). The inspection was prompted by the fact that the controller had notified more data breaches than the national average.
The DPA carried out the inspection in 'written form', focusing especially on the implementation of Article 32(1) GDPR. On 21 June 2021, the DPA sent a letter to the controller notifying it of the investigation and setting out questions for it to answer. The controller was also asked to submit an example of how its employees are instructed to handle personal data.
On 9 August 2021, the controller submitted a statement with the relevant information to the DPA.
Holding
The DPA found no violation. The elements that the DPA took into account in finding that there was no GDPR infringement were the following.
In its reply, the controller had stated that in case of a data breach the person affected would be informed immediately by telephone (where possible). Further, the controller had also emphasized that it made an effort to find the cause of the breach and to learn from its mistakes, in particular by discussing the incident directly with the employees involved. The DPA thus found that the controller was aware of the damage a breach can cause and was willing to adopt sufficient remedial actions.
In order to prevent breaches, the controller had also declared that it was continuously implementing new measures. If recurring incidents happened in a department, the controller's Data Protection Officer entered into a dialogue with the department concerned. From this perspective, the DPA observed that the controller had taken measures after data breaches happened in the past. For example, the controller set up a group that screened access to documents before they are submitted in the context of an access request. The controller also implemented a scanning tool that can properly obscure personal data in documents. In general, the DPA gained the impression that the controller had a strong focus on avoiding unintentional data breaches.
Therefore, the DPA found that appropriate measures according to Article 32(1) GDPR have been taken.
Finally, the DPA found a decrease in the number of data breach notifications from the controller since 22 June 2021.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Supervision of notification of breaches of personal data security

Date: 31-08-2023. Decision. Public authorities. No criticism. Supervision / self-initiated case. Notification of breach of personal data security.

The Danish Data Protection Authority has carried out 16 planned inspections with a focus on municipalities' and banks' handling of breaches of personal data security. The Danish Data Protection Authority found occasion to express criticism in two cases.

Journal number: 2021-423-0241.

Hedensted Municipality was among the public authorities that the Data Protection Authority had selected in the spring of 2021 to supervise according to the data protection regulation[1] and the data protection act[2].

The Danish Data Protection Authority's inspection was a written inspection which, among other things, focused on whether Hedensted Municipality had taken appropriate security measures in accordance with the data protection regulation, article 32, subsection 1, with a view to reducing the number of breaches of personal data security where unauthorized disclosure of personal data took place, including in relation to citizens with name and address protection.

The inspection was notified to Hedensted Municipality by letter of 21 June 2021, and the municipality was requested on the same occasion to answer a number of questions and to send an example of an instruction to the municipality's employees on the handling of personal data, including in connection with the sending of information to e.g. citizens, authorities, etc.

The Danish Data Protection Authority informed about the background for the inspection that, in a review of the Danish Data Protection Authority's cases regarding notifications of breaches of personal data security, it could be established that Hedensted Municipality had notified significantly more breaches of personal data security per inhabitant of the municipality than Denmark's other municipalities. The Danish Data Protection Authority noted in this connection that the higher number of notifications does not necessarily indicate that the municipality complies with the data protection rules to a lesser extent than municipalities that have significantly fewer notifications per inhabitant per year.

By letter of 9 August 2021, Hedensted Municipality sent a statement in which the municipality responded to the Data Protection Authority's questions. The municipality's response also included examples of relevant procedures and guidelines.

1. Decision

After a review of the submitted material, the Data Protection Authority finds, on the basis of the present data, that Hedensted Municipality has taken appropriate security measures in accordance with the data protection regulation, article 32, subsection 1, with a view to reducing the number of breaches of personal data security where unauthorized disclosure of personal data takes place, including in relation to citizens with name and address protection.

Below follows a closer review of the information that has come to light in connection with the inspection, and a justification for the Data Protection Authority's decision.

2. Reason for the Data Protection Authority's decision

It appears from the data protection regulation's article 32, subsection 1, that the data controller must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in the data controller's processing of personal data. The data controller thus has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are introduced to protect the data subjects against these risks.

The Danish Data Protection Authority is of the opinion that the requirement under Article 32 for adequate security will normally entail that the data controller must ensure that information about registered users, including particularly confidential and sensitive personal data, does not come to the knowledge of unauthorized parties, and that the data controller in this connection, among other things, must ensure that all employees in the organization are, to the extent necessary, familiar with any internal procedures for handling personal data, including in relation to sending personal data to e.g. citizens, authorities, etc., and that procedures, guidelines, workflows, technical security measures, etc. are continuously updated or introduced, including as a result of detected breaches of personal data security.

In the opinion of 9 August 2021, Hedensted Municipality has forwarded an example of an instruction to the municipality's employees regarding the transmission of personal data to, among others, citizens, authorities, etc.

Hedensted Municipality has stated that consideration of the protection of name and address information is a natural part of the processing of personal data everywhere in the municipality. It is stated that it is implicit in the understanding of good data processing customs and behavior to ensure extra protection when name and address protection is desired. Should information about persons with name and address protection be inadvertently passed on, it will be dealt with quickly and always – if possible – trigger a telephone contact with those concerned. The municipality will also seek to find out the cause with a view to learning and thus avoid similar incidents. The municipality is therefore particularly aware that such a disclosure may lead to a potentially dangerous situation for those affected.

The municipality has also stated that measures are being implemented on an ongoing basis to avoid repetition of breaches of personal data security where accidental disclosure occurs. In this connection, Hedensted Municipality has stated that specific incidents are discussed with the individual employee with a view to determining further measures that can prevent repeat cases. In the event of repetitions in a department, the municipality's data protection advisor is involved in a dialogue with the department to avoid future incidents.

It also appears from the case that Hedensted Municipality has considered following past breaches of personal data security, where there has been an accidental disclosure of personal data. Based on the considerations, the municipality has continuously implemented organizational measures, such as setting up a group that screens access to documents before forwarding. Furthermore, the municipality has implemented technical measures, including the purchase of a scanning tool whose purpose is to properly obscure personal data in documents. Hedensted Municipality has also stated that the municipality continuously implements technical and organizational measures with a view to reducing the number of breaches of personal data security where personal data is inadvertently disclosed.

This is – regardless of the fact that the Danish Data Protection Authority has not had the opportunity to take a concrete position on whether the municipality has been in dialogue with all relevant employees and departments, and that the Danish Data Protection Authority is not aware of the full content of all training material etc. – on the present basis, the supervisory authority's assessment that Hedensted Municipality has taken appropriate security measures in accordance with the data protection regulation, article 32, subsection 1, with a view to reducing the number of breaches of personal data security where unauthorized disclosure of personal data takes place, including in relation to citizens with name and address protection.

In its assessment, the Danish Data Protection Authority has placed emphasis on the information provided by the municipality, including that procedures have been drawn up for the transmission of personal data to external parties, that the municipality has considered and introduced both technical and organizational measures in continuation of past breaches of personal data security in order to eliminate similar breaches, and that there is a strong focus on avoiding the accidental disclosure of name and address protected information.

In a renewed review of the Authority's cases regarding notifications of breaches of personal data security, the Danish Data Protection Authority can ascertain that since 22 June 2021 there appears to have been a decrease in the number of reported breaches of personal data security from Hedensted Municipality. However, as a number of breaches of personal data security continue to be reported, where unauthorized disclosure of personal data has taken place, the Data Protection Authority recommends that the municipality continues to focus on carrying out training and awareness activities, etc., as well as to ensure that procedures, guidelines, workflows, technical safety measures, etc. are continuously updated or introduced, including as a result of detected breaches of personal data security.

In conclusion, the Danish Data Protection Authority notes that the supervisory authority – typically if the supervisory authority receives new notifications about breaches of personal data security – will be able to resume processing previously reported breaches or allow them to be included in the assessment of any future breaches or complaints.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general data protection regulation)

[2] Act No. 502 of 23 May 2018 on supplementary provisions to the regulation on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information (Data Protection Act)