Datatilsynet (Denmark) - Lolland Kommune

From GDPRhub
Datatilsynet - Lolland Kommune
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 01.12.2020
Decided: 11.08.2022
Published: 11.08.2022
Fine: 50000 DKK
Parties: Lolland Kommune
National Case Number/Name: Lolland Kommune
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Danish DPA (in DA)
Initial Contributor: Rie Aleksandra Walle

The Danish DPA proposed a €6,700 fine to a municipality for exposing citizens' personal data to unncessary risk through insufficient mobile device security measures. The police will investigate the case before a final decision is made in the courts.

English Summary

Facts

The DPA became aware of the case after a report from Lolland Kommune, a Danish municipality, in December 2020, when an employee had their work phone stolen. The phone was not protected with an access code, because it had been manually disabled by the employee, and it could therefore be used to access the employee's work email account, which contained information on several citizens' names, social security numbers, health information and substance abuse.

The municipality informed the DPA that employees, for several years, could manually disable the otherwise mandatory access code. Following this incident, the municipality had immediately taken remedial action in the form of new precautions and changes in the technical set-up of new employee phones.

Holding

The Danish DPA held that the municipality's personal data processing violated the rules on sufficient security measures. The DPA emphasized that a controller must assume that not every employee will follow an internal security policy at all times. Real and effective protection is thus contingent on security measures that cannot be circumvented, like forced use of access codes.

The DPA also noted that stolen mobile devices, before they're disposed of (like resold), are searched for personal data like credit card information and social security numbers, to a higher degree today than in the past.

In view of the potential risks to the data subjects, the DPA held that the municipality had acted irresponsibly in the case, and thus proposed a €6,700 fine for exposing citizens' personal data to unncessary risk through insufficient device security measures. The police will investigate the case before a final decision is made in the courts.

Comment

The process for GDPR fines in Denmark is different from most other EEA countries: after the DPA has filed their report, the police will investigate and determine if there are grounds to raise a formal charge. If so, the case is then referred to the courts, who will assess the case and determine the level of the fine - if any. In addition, whenever a case is referred to the police, the only information the DPA will publish is the press release.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Police report

Lolland Municipality is recommended for a fine

Date: 11-08-2022

News

Citizens' information was exposed to an unnecessary risk, as Lolland Municipality's employees were able to disable access codes on phones and tablets. The Danish Data Protection Authority has reported the municipality to the police and recommended a fine of DKK 50,000.

Lolland Municipality has been fined DKK 50,000 for not having implemented basic security measures in the form of unavoidable requirements for access codes on the municipality's mobile devices.

"Municipalities process large amounts of sensitive information about citizens, and therefore they also have a responsibility to look after this information properly. Mobile devices are occasionally stolen, forgotten or lost, and if unauthorized persons can easily access the information on them, then you are not living up to that responsibility," says Betty Husted, deputy in the Danish Data Protection Authority.

The Danish Data Protection Authority became aware of the situation through a notification from Lolland Municipality in December 2020, when an employee in the municipality had a work phone stolen. Via the phone, there was access to the employee's work email account, which contained information about several citizens' names, social security numbers, health information and abuse.

The phone was not protected by a code as it was switched off. Therefore, there was access to the information that was on the phone. The municipality stated that over a number of years it had been possible for employees to remove the otherwise mandatory access codes, so that telephones could be used without the use of a code. The municipality had immediately initiated restorative measures in the form of new precautions and changes in the technical set-up of telephones handed out.

Lack of technical measures

The Norwegian Data Protection Authority finds that Lolland Municipality's processing of personal data was not in accordance with the rules on adequate security.

In the assessment, the Danish Data Protection Authority has, among other things, emphasized that a data controller must assume that not all employees at all times follow internal guidelines that mobile devices must always be protected by a password. Really effective protection is thus dependent on such a password not being bypassed, e.g. in that the individual user can switch off the code.

It is also the Danish Data Protection Authority's assessment that stolen mobile devices are generally examined for personal data to a greater extent than previously, such as e.g. credit card information and social security numbers before they are disposed of, e.g. on resale.

Considering the risks for citizens linked to Lolland Municipality's processing of personal data, the Danish Data Protection Authority is of the opinion that it is unjustifiable that the municipality had not protected its mobile devices with a password that the employees could not turn off themselves.

Why report to the police?

The Danish Data Protection Authority always makes a concrete assessment of the case in accordance with the regulation's article 83, subsection 2, when assessing which reaction is, in the opinion of the supervisory authority, the most appropriate.

In making the recommendation to the police, the Data Protection Authority has, among other things, emphasis has been placed on the fact that this is a public authority which generally has a special responsibility to protect citizens' information, and that Lolland Municipality processes large amounts of confidential and sensitive information in that capacity, and that, in the opinion of the inspectorate, there is a lack of implementation of a general and basic technical measure.