Datatilsynet (Denmark) - Datatilsynet - Vejle Kommune indstilles til bøde

From GDPRhub
Datatilsynet (Denmark) - Vejle Kommune indstilles til bøde
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 83 GDPR
§41(6) Danish Data Protection Act (Databeskyttelsesloven)
Type: Investigation
Outcome: Violation Found
Published: 16.06.2021
Fine: 200.000 DKK
Parties: Vejle Kommune
National Case Number/Name: Vejle Kommune indstilles til bøde
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Tetyana Porokhonko

The Danish DPA has reported Vejle Municipality (Danish: Vejle Kommune) to the police for the failure to implement appropriate security measures and proposed a fine of DKK 200.000.

English Summary


Following the data breach notification submitted by Vejle Municipality, the DPA assessed the case and found that Vejle Municipality has not complied with the rules of the GDPR.

On the basis of the assessment of the case, the DPA found that the municipality dental care used an automatic process to send a welcome letter that contains addresses of both parents. The DPA concluded that the municipality failed to assess on case-by-case basis whether only the necessary information included in the letters and whether the personal data may be disclosed to the other parent. Thus, in several cases a parent received information about the other parent and/or child address, even though their name and address has been protected.

On 16 June 2021 the DPA has published a press release to inform that Vejle Municipality has been reported to the police and a fine of DKK 200.000 has been proposed.


The DPA assessed whether Vejle Municipality has processed personal data in violation of the GDPR.


The Danish DPA has chosen to report Vejle Municipality to the police for breach of the GDPR, namely, the failure to implement appropriate security measures when processing personal data of patients and recommended a fine of DKK 200.000.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Vejle Municipality is set to a fine
Date: 16-06-2021

The Danish Data Protection Authority notifies Vejle Municipality to the police, as the authority assesses that the municipality has not complied with the requirements for an appropriate level of security in the Data Protection Ordinance.

Vejle Municipality has been set a fine of DKK 200,000 for not having complied with its obligation as data controller to implement appropriate security measures.
The Danish Data Protection Agency became aware of the case when the municipality reported a breach of personal data security. It appeared from the case that the municipal dental care had had a fixed practice where welcome letters containing both parents' addresses had been automatically sent to both custodians. The municipality had in the individual cases not assessed whether the information had to be passed on to the other parent.
This meant that in several cases parents received information about the other parent's (and the child's) address, regardless of whether he or she had name and address protection.
Requirements for adequate security
“When setting up an automatic process for sending letters with personal information, e.g. addresses, it must be taken into account that the disclosure of the information in each individual case must not expose the rights of citizens, including children, to a risk. You must also always assess whether it is at all necessary for the information to appear in the letters, ”explains Eva Volfing, chief consultant at the Danish Data Protection Agency.
Setting for fine
The Danish Data Protection Agency has decided to report Vejle Municipality to the police and recommends that a claim be filed that the municipality be fined DKK 200,000.
In its recommendation on the size of the fine, the Danish Data Protection Agency has, among other things, emphasized the nature and seriousness of the infringement as well as the regulation's requirement that a fine in each individual case must be effective, proportionate to the infringement and have a deterrent effect. Emphasis has also been placed on the size of the municipality in terms of population and the total operating license.
Do you want to know more?
Press inquiries can be directed to communications consultant Anders Due on tel. +45 29 49 32 83.