Datatilsynet (Denmark) - Datatilsynet - Vejle Kommune indstilles til bøde

From GDPRhub
Datatilsynet (Denmark) - Vejle Kommune indstilles til bøde
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 83 GDPR
§41(6) Danish Data Protection Act (Databeskyttelsesloven)
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 16.06.2021
Fine: 200,000 DKK
Parties: Vejle Kommune
National Case Number/Name: Vejle Kommune indstilles til bøde
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Tetyana Porokhonko

The Danish DPA (Datatilsynet) reported the Vejle Municipality (Vejle Kommune) to the police for the failure to implement appropriate security measures and proposed a fine of approximately €26,900 (DKK 200,000).

English Summary

Facts

Following a data breach notification submitted by Vejle Municipality, the DPA assessed the case.

Thereby, the DPA found that the municipality dental care used an automatic process to send welcome letters to custodians that contain addresses of both parents. The DPA concluded that the municipality failed to assess on case-by-case basis whether only the necessary information included in the letters and whether the personal data may be disclosed to the other parent. Thus, in several cases a parent received information about the other parent and/or child address, even though their name and address have been protected.

On 16 June 2021 the DPA has published a press release to announce that the Vejle Municipality has been reported to the police and a fine of DKK 200,000 has been proposed.

Holding

The Danish DPA chose to report Vejle Municipality to the police for breach of the GDPR, namely, the failure to implement appropriate security measures when processing personal data of patients and recommended a fine of DKK 200,000.

The municipality failed to assess whether it is at all necessary for the information to appear in the letters.

In determining the amount of the fine, the DPA considered inter alia the following aspects:

  • the nature and seriousness of the infringement
  • the GDPR's requirement that a fine in each individual case must be effective, proportionate to the infringement, and have a deterrent effect
  • the size of the municipality in terms of population and the total operating license

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



Vejle Municipality is set to a fine
Date: 16-06-2021
News

The Danish Data Protection Authority notifies Vejle Municipality to the police, as the authority assesses that the municipality has not complied with the requirements for an appropriate level of security in the Data Protection Ordinance.

Vejle Municipality has been set a fine of DKK 200,000 for not having complied with its obligation as data controller to implement appropriate security measures.
The Danish Data Protection Agency became aware of the case when the municipality reported a breach of personal data security. It appeared from the case that the municipal dental care had had a fixed practice where welcome letters containing both parents' addresses had been automatically sent to both custodians. The municipality had in the individual cases not assessed whether the information had to be passed on to the other parent.
This meant that in several cases parents received information about the other parent's (and the child's) address, regardless of whether he or she had name and address protection.
Requirements for adequate security
“When setting up an automatic process for sending letters with personal information, e.g. addresses, it must be taken into account that the disclosure of the information in each individual case must not expose the rights of citizens, including children, to a risk. You must also always assess whether it is at all necessary for the information to appear in the letters, ”explains Eva Volfing, chief consultant at the Danish Data Protection Agency.
Setting for fine
The Danish Data Protection Agency has decided to report Vejle Municipality to the police and recommends that a claim be filed that the municipality be fined DKK 200,000.
In its recommendation on the size of the fine, the Danish Data Protection Agency has, among other things, emphasized the nature and seriousness of the infringement as well as the regulation's requirement that a fine in each individual case must be effective, proportionate to the infringement and have a deterrent effect. Emphasis has also been placed on the size of the municipality in terms of population and the total operating license.
Do you want to know more?
Press inquiries can be directed to communications consultant Anders Due on tel. +45 29 49 32 83.