Datatilsynet (Denmark) - Civilstyrelsen indstilles til bøde

From GDPRhub
Datatilsynet - Civilstyrelsen indstilles til bøde
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Article 33(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 12.05.2022
Fine: 100,000 DKK
Parties: Civilstyrelsen
National Case Number/Name: Civilstyrelsen indstilles til bøde
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Vadym Kublik

The Danish DPA suggested to issue a fine of 100,000 DKK against an agency of the Danish Ministry of Justice. The DPA held that the agency violated security obligations under GDPR by not encrypting a USB flash drive which contained personal data, and Article 33(1) GDPR by not reporting the data breach to the DPA after the USB flash drive was lost.

English Summary[edit | edit source]

Facts[edit | edit source]

The Civil Affairs Agency (controller) is a part of the Danish Ministry of Justice. Its mission is to guarantee the basic principles of the rule of law by, for instance, offering compensation to victims of criminal offenses and supporting access to justice. The nature of its work involves processing large volumes of sensitive and confidential information regarding the parties in the proceedings.

The Agency returned a USB flash drive with more than 800 pages of personal information to a representative of a data subject. However, the flash drive was later lost under undisclosed circumstances. Notably, the USB flash drive was not encrypted, and the Agency did not have any guidelines for its caseworkers regarding the handling of removable storage devices and portable media.

Furthermore, the Agency learned about the data breach on 26 August 2020 but did not report it to the supervisory authority as required under Article 33(1) GDPR. Eventually, the data subject's representative complained to the Danish DPA about the controller's way of handling personal data.

Holding[edit | edit source]

The Danish DPA held that removable storage devices (including USB flash drives) pose a higher risk for data subjects. At the same time, encryption is a relatively easy security measure for the controller to implement. Therefore, especially in these cases, encryption must be regarded as a necessary and required security measure. Moreover, the DPA emphasized that where the controller processes large volumes of sensitive and confidential information, appropriate guidelines for the use of USB flash drives must be provided to whoever handles them. Hence, the DPA held that by not encrypting the personal data in question, and by not having any guidelines on the use of removable storage devices and portable media, the Agency was in violation of its security obligations under the GDPR. In addition, the DPA held that the Agency was in violation of Article 33(1) GDPR for not reporting the breach after it became aware of it.

Comment[edit | edit source]

Datatilsynet repeatedly sanctioned the Civil Affairs Agency for mishandling personal data in the past. See the most recent reprimand in the case 2021-32-2096.

NB. The DPA in Denmark does not impose fines directly but refers such cases to the police. The police then investigate whether there are grounds for raising a charge, and finally, a possible fine will be decided by a court.

NB. The press release on the decision does not explicitly refer to Article 32 GDPR violations but such an outcome may be inferred from the reference to a violation of the security obligations under the GDPR.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Police report
The National Board of Health and Welfare is fined
Date: 12-05-2022
News
The Danish Data Protection Agency notifies the National Board of Health and Welfare to the police and recommends a fine of DKK 100,000. The Authority assesses that the National Board of Health and Welfare has not complied with the requirements for an appropriate level of security

The Danish Data Protection Agency became aware of the case when a complainant's party representative complained about the Danish Civil Agency's handling of complainant's information.

It appears from the case that the National Board of Health and Welfare v / Erstatningsnævnet returned a USB connector for complaints, which contained more than 800 pages of information about complaints of a sensitive and confidential nature, which had been lost when the complainant was received.

The USB connector was not encrypted, and the agency did not have guidelines targeted at the agency's caseworkers regarding any handling of removable storage devices and portable media.

The Danish Civil Agency became aware of the breach on 26 August 2020, but did not report the breach to the Danish Data Protection Agency in violation of the rules in Article 33 of the Data Protection Ordinance.

Lack of technical and / or organizational measures
The Danish Data Protection Agency finds that the Danish Civil Agency's processing of personal data has not been in accordance with the rules on appropriate security.

In its assessment, the Danish Data Protection Agency has emphasized that encryption of removable storage devices that contain personal data (including USB connectors) must be regarded as a necessary and required security measure.

In continuation of this, the Authority has attached importance to the fact that removable storage means with personal data have a sharpened risk profile in relation to the handling of personal data, and that encryption is a measure that is relatively easy for the data controller to implement.

In addition, the Danish Data Protection Agency has emphasized that the agency did not have guidelines targeted and known by the agency's case officers in relation to any handling of USB connectors, including dispatch.

Why police report?
The Danish Data Protection Agency always makes a concrete assessment of the seriousness of the case pursuant to Article 83 (1) of the Regulation. 2, in assessing which sanction is, in the Authority's opinion, the most appropriate.

In its recommendation to the police, the Danish Data Protection Agency has, among other things, emphasized that it is an essential security measure to have procedures that cover all treatments and to ensure encryption of USB connectors. In addition, encryption has been a widespread and recognized technical measure for many years that should be easily counteracted by the data controller.

In addition, it is a board of a state authority that must generally be assumed to process large amounts of sensitive and confidential information, and where it must be considered essential that a guide has been prepared targeted at the agency's case officers in relation to any handling of USB -stick.

Do you want to know more?
Press inquiries can be directed to communications consultant Anders Due on tel. +45 29 49 32 83