Datatilsynet (Denmark) - Civilstyrelsen indstilles til bøde

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Article 33(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 12.05.2022
Fine: 100,000 DKK
Parties: Civilstyrelsen
National Case Number/Name: Civilstyrelsen indstilles til bøde
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Vadym Kublik

The Danish DPA notified the controller to the police and suggested a 100,000 DKK fine for not encrypting a USB flash drive with personal information (Article 32(1) GDPR) and not reporting the data breach after it was lost (Article 33(1) GDPR).

English Summary

Facts

The Civil Affairs Agency (controller) is part of the Danish Ministry of Justice. Its mission is to guarantee the basic principles of the rule of law by offering compensation to victims of criminal offenses, supporting citizens with financial assistance to access the courts, offering grants to legal aid institutions, etc. The nature of its work involves processing large volumes of sensitive and confidential information regarding the parties in the proceedings.

It appears from the case that the Agency returned a USB flash drive with more than 80 pages of personal information to a representative of a data subject. However, the flash drive was later lost under undisclosed circumstances.

Notably, the USB flash drive was not encrypted, and the Agency did not have any guidelines for its caseworkers regarding the handling of removable storage devices and portable media.

Furthermore, the Agency learned about the data breach on 26 August 2020 but did not report it to the supervisory authority as required under Article 33(1) GDPR.

Eventually, the data subject's representative complained to the Datatilsynet (the Danish DPA) about the controller's way of handling personal data.

Holding

The Danish DPA held that removable storage devices (including USB flash drives) carry a heightened risk profile for the processing of personal data. At the same time, encryption is a security measure that is relatively easy for a controller to implement. Therefore, encryption of such devices when they contain personal data must be regarded as a necessary and required security measure.

Moreover, the DPA emphasized that where the controller processes large volumes of sensitive and confidential information, it must have guidelines for its personnel about using USB flash drives.

Comment

Datatilsynet has repeatedly sanctioned the Civil Affairs Agency for mishandling personal data in the past. See the most recent reprimand in case 2021-32-2096.

N.B. The DPA in Denmark does not impose fines directly but refers such cases to the police. The police then investigate whether there are grounds for bringing a charge, and any fine is ultimately decided by a court.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Police report
Civilstyrelsen (the Civil Affairs Agency) is recommended for a fine
Date: 12-05-2022
News
The Danish Data Protection Agency reports the Civil Affairs Agency to the police and recommends a fine of DKK 100,000. The Agency assesses that the Civil Affairs Agency has not complied with the requirements for an appropriate level of security.

The Danish Data Protection Agency became aware of the case when a complainant's party representative complained about the Danish Civil Agency's handling of complainant's information.

It appears from the case that the Civil Affairs Agency, on behalf of Erstatningsnævnet (the Criminal Injuries Compensation Board), returned a USB stick to the complainant which contained more than 800 pages of information about the complainant of a sensitive and confidential nature, and which went missing on receipt by the complainant.

The USB stick was not encrypted, and the agency did not have guidelines aimed at its caseworkers regarding the handling of removable storage devices and portable media.

The Civil Affairs Agency became aware of the breach on 26 August 2020 but did not report it to the Danish Data Protection Agency, in violation of Article 33 of the General Data Protection Regulation.

Lack of technical and/or organisational measures
The Danish Data Protection Agency finds that the Civil Affairs Agency's processing of personal data has not been in accordance with the rules on appropriate security.

In its assessment, the Danish Data Protection Agency has emphasised that encryption of removable storage devices containing personal data (including USB sticks) must be regarded as a necessary and required security measure.

In this connection, the Agency has attached importance to the fact that removable storage media holding personal data have a heightened risk profile in relation to the handling of personal data, and that encryption is a measure that is relatively easy for the data controller to implement.

In addition, the Danish Data Protection Agency has emphasised that the agency did not have guidelines, aimed at and known to its caseworkers, on the handling of USB sticks, including their dispatch.

Why a police report?
The Danish Data Protection Agency always makes a concrete assessment of the seriousness of the case pursuant to Article 83(2) of the Regulation when assessing which sanction is, in the Agency's opinion, the most appropriate.

In its recommendation to the police, the Danish Data Protection Agency has, among other things, emphasised that having procedures covering all processing operations and ensuring encryption of USB sticks is an essential security measure. Furthermore, encryption has for many years been a widespread and recognised technical measure that should be easy for the data controller to implement.

In addition, the controller is a state authority that must generally be assumed to process large amounts of sensitive and confidential information, and for which it must be considered essential that guidelines aimed at its caseworkers have been prepared on the handling of USB sticks.

Do you want to know more?
Press inquiries can be directed to communications consultant Anders Due on tel. +45 29 49 32 83