Datatilsynet - 2019-41-0026

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: No violation found
Decided: n/a
Published: 5.11.2019
Fine: None
Parties: unknown law firms
National Case Number: 2019-41-0026
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Danish
Original Source: Datatilsynet (in DK)

The Datatilsynet carried out an investigation at a law firm and found that the firm had implemented sufficient safeguards to comply with Article 32 GDPR.

English Summary

Facts and questions arising

After carrying out an investigation on its own initiative, the Datatilsynet found that the law firm transmitted confidential and sensitive personal data via e-mail using end-to-end encryption and had carried out a prior risk assessment.

Holding

The Datatilsynet found that the law firm complies with the GDPR and with the authority's guidelines.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Danish original for more details.

Supervision of processing security at a law firm
Published 05-11-2019
Decision: private companies
Journal number 2019-41-0026
Summary
In 2019, the Danish Data Protection Agency carried out a planned supervision at a law firm. The audit focused on security of processing, in particular e-mail encryption, cf. Article 32 of the Data Protection Regulation.
The Data Inspectorate found that the law firm's processing of personal data in relation to the transmission of confidential and sensitive personal data via e-mail over the Internet complied with the rules of the Data Protection Regulation and with the Danish Data Protection Agency's guidelines.
The Data Inspectorate's final opinion states, among other things, that the law firm uses end-to-end encryption with S/MIME certificates, as well as transmission with forced TLS 1.2, when the law firm sends e-mails containing confidential and sensitive personal information to municipalities, companies, clients, relatives, etc.
In addition, the opinion states that the law firm has demonstrated that it has prepared a risk assessment which assesses the risks associated with the transmission of confidential and sensitive personal data over the Internet.
You can read the Danish Data Protection Agency's guidance text on e-mail encryption here.
Decision
A law firm was among the companies selected by the Danish Data Protection Agency for supervision in spring 2019. The Data Protection Authority's planned supervision focused on processing security, in particular the encryption of e-mails, cf. Article 32 of the Data Protection Regulation.
At the request of the Data Protection Authority, the law firm filled out a questionnaire in connection with the supervisory visit and submitted this, together with additional material, for the audit. The audit took place on April 8, 2019.
Following the supervision of the law firm, the Data Inspectorate concludes in summary:
That the law firm - in accordance with Article 32 of the Data Protection Regulation - uses end-to-end encryption, by exchanging S/MIME certificates through the tunnel mail community, for the transmission of confidential and sensitive personal information over the Internet to municipalities, businesses and other recipients on the public tunnel list.
That the law firm furthermore - in accordance with Article 32 of the Data Protection Regulation - uses encryption on the transport layer via forced TLS 1.2 for the transmission of confidential and sensitive personal data to clients, relatives etc. over the Internet.
That the law firm - in accordance with Article 5(1)(f), cf. Article 5(2), cf. Article 32(1) and (2) of the Data Protection Regulation - has demonstrated that a risk assessment has been prepared which assesses the risks associated with the transmission of confidential and sensitive personal data over the Internet.
That the law firm is not aware of cases where confidential or sensitive personal data has been sent unencrypted over the Internet since January 1, 2019.
On this basis, the Danish Data Protection Agency considers the supervision closed and does not take any further action on this matter.
The following is a detailed review of the Danish Data Protection Agency's conclusions.
1. Using encryption when transmitting confidential and sensitive personal data over the Internet
The law firm stated prior to the visit that it sends confidential and sensitive personal information via e-mail over the Internet.
2. About the encryption solution
The law firm has stated that the encryption solution used works by sending all e-mail traffic through its data processor over a TLS 1.2 connection. There the traffic passes through two layers. The first layer scans for viruses and spam, and the second layer tries to encrypt the e-mail in the following order of priority:
Via tunnel mail to the recipient's domain, so that the e-mail is sent end-to-end encrypted.
It is checked whether the recipient has published an S/MIME certificate on the public tunnel mail list, in which case the e-mail is encrypted using that certificate.
It is checked whether the e-mail can be sent with encryption on the transport layer via a forced TLS 1.2 connection.
The law firm's data processor has also stated that a "secure recipients list" is used in addition - i.e. a list of specific compatible recipient domains - to which end-to-end encryption is applied automatically.
3. E-mails to clients
The law firm has stated that communication with clients typically takes place by telephone and that e-mail correspondence with clients is very limited. To the extent that the law firm sends confidential or sensitive personal information to clients, the transmission is encrypted via a forced TLS 1.2 connection where available. E-mails sent encrypted to clients are typically e-mails with an order confirmation, pricing information or privacy policy, which may also include information about the time of court hearings, etc.
The law firm has also stated that - in the rare case that an e-mail cannot be sent encrypted to a client via the solution mentioned - it makes a concrete assessment of whether the e-mail contains information that could be sent via regular e-mail.
Finally, the law firm has stated that it sends confidential and sensitive personal information by regular post to clients who cannot receive encrypted e-mail.
3.1. Summary
On the basis of the information provided by the law firm, the Data Inspectorate assumes that the law firm uses compulsory TLS when emails containing confidential or sensitive personal data are sent to clients. Thus, the Data Inspectorate finds that the law firm uses adequate processing security when sending such emails.
4. E-mails to other recipients
The law firm has stated that communication with the media, relatives and potential clients is rarely carried out via e-mail, the communication being primarily by telephone. To the extent that the law firm communicates with these recipients via e-mail, this is usually done via encrypted e-mail.
The law firm has further stated that the law firm communicates encrypted with the police and the court via tunnel mail, and it may occasionally happen that the law firm communicates directly with judges via tunnel mail.
Finally, the law firm has stated that the law firm also sends emails via mobile phone. During a staff meeting on December 8, 2018, the employees were informed that encrypted e-mail could now be sent via the phone internally in the organization as well as to other domains that have tunnel mail. The law firm has stated that the law firm therefore assumes that employees only send emails with confidential and sensitive personal information from the phone if the recipient has tunnel mail.
4.1. Summary
The Danish Data Protection Agency assumes, on the basis of what the law firm stated, that the law firm primarily communicates with media, relatives and potential clients by telephone, and that if e-mail is used, it is encrypted.
Furthermore, on the basis of the information provided by the law firm, the Danish Data Protection Agency assumes that the law firm uses end-to-end encryption with S/MIME certificates via tunnel mail when e-mails containing confidential or sensitive personal data are sent to professional actors, including the police, the courts and other recipients on the public tunnel list.
Thus, the Data Inspectorate finds that the law firm uses adequate processing security when sending such emails.
5. Cases where encryption has not been used
Prior to the audit, the law firm stated that since January 1, 2019, the law firm has used encryption in all cases when confidential and sensitive personal information is sent via email over the Internet.
The law firm adds that it has sent virtually nothing unencrypted over the Internet since January 1, 2019, and that it is not aware of cases where confidential or sensitive personal information has been sent unencrypted over the Internet since January 1, 2019.
5.1. Summary
Based on the information provided by the law firm, the Danish Data Protection Agency assumes that the law firm is not aware of cases where confidential and sensitive personal data has been sent unencrypted over the Internet since 1 January 2019.
6. Risk assessment
The law firm submitted a risk assessment dated March 10, 2019 to the supervisory authority prior to the audit visit. At the request of the Data Protection Authority, the law firm has since submitted the version of the risk assessment that was applicable prior to the notification of the supervisory visit on February 28, 2019, which takes into account the transmission of confidential and sensitive personal data over the Internet.
The law firm's risk assessment rates the risk associated with the transmission of confidential or sensitive personal information via e-mail as medium. The risk assessment also shows how this risk is reduced to an appropriate level by using tunnel mail or forced TLS where possible, and otherwise by assessing whether the e-mail can be sent with opportunistic TLS, or whether anonymisation or sending by ordinary post should be used instead.
The law firm has also stated that the procedure for sending e-mails via secure mail has been reviewed at a staff meeting, that instructions on the use of encrypted e-mail are regularly sent to the staff, and that the law firm has an instruction that employees must inform a designated consultant at the law firm if confidential and sensitive information is sent unencrypted over the Internet.
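The encryption cascade from section 2 (tunnel mail, then a published S/MIME certificate, then forced TLS 1.2) and the fallback from the risk assessment in section 6 (hold the message for assessment, anonymise or send by post, and report unencrypted sends) written out as a routing policy. This is an added Python example for illustration, not the law firm's or its data processor's solution: the tunnel list, the secure recipients list, the TLS probe results and the outbox are constructed with hypothetical domains, and the real directories are maintained by the data processor. It also shows how a forced (rather than opportunistic) TLS connection is expressed with Python's ssl module.

```python
"""Outbound e-mail routing policy modelled on the cascade in the decision.
Added example; every directory entry below is constructed, not real."""
import ssl
from enum import Enum


class Channel(Enum):
    TUNNEL_MAIL = "end-to-end encryption via tunnel mail"
    SMIME = "end-to-end encryption with the recipient's published S/MIME certificate"
    FORCED_TLS = "transport-layer encryption via forced TLS 1.2"
    PLAIN = "ordinary e-mail (no confidential or sensitive personal data)"
    HOLD = "no acceptable encrypted channel: assess anonymisation or ordinary post"


# Constructed stand-in for the public tunnel mail list (hypothetical domains):
# whether the domain accepts tunnel mail and whether it has published an S/MIME certificate.
PUBLIC_TUNNEL_LIST = {
    "kommune.example": {"tunnel_mail": True, "smime_cert": True},
    "domstol.example": {"tunnel_mail": False, "smime_cert": True},
}
# Constructed stand-in for the data processor's "secure recipients list".
SECURE_RECIPIENT_LIST = {"partner-firm.example"}
# Constructed result of probing each recipient mail server for the TLS version it offers.
TLS_PROBE = {
    "client-a.example": "TLSv1.2",
    "client-b.example": "TLSv1.0",
}


def recipient_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def choose_channel(address: str, contains_personal_data: bool) -> Channel:
    """Apply the decision's priority order to one recipient."""
    if not contains_personal_data:
        return Channel.PLAIN
    domain = recipient_domain(address)
    entry = PUBLIC_TUNNEL_LIST.get(domain, {})
    # 1. tunnel mail to the recipient's domain, or a domain on the secure recipients list
    if entry.get("tunnel_mail") or domain in SECURE_RECIPIENT_LIST:
        return Channel.TUNNEL_MAIL
    # 2. S/MIME certificate published on the public tunnel mail list
    if entry.get("smime_cert"):
        return Channel.SMIME
    # 3. forced TLS 1.2; an older TLS version or no TLS at all does not qualify
    if TLS_PROBE.get(domain) == "TLSv1.2":
        return Channel.FORCED_TLS
    # Otherwise the message must not go out as ordinary e-mail (section 6 fallback)
    return Channel.HOLD


def forced_tls_context() -> ssl.SSLContext:
    """Context for a forced TLS connection: refuse anything below TLS 1.2 and
    verify the server certificate and hostname, so the connection is either
    encrypted on these terms or not made at all (opportunistic TLS would
    instead fall back to plaintext when the peer cannot negotiate TLS)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def route_outbox(outbox):
    """Decide a channel for every (address, contains_personal_data) pair."""
    return [(addr, choose_channel(addr, pd)) for addr, pd in outbox]


def needs_escalation(decisions):
    """Messages held because no acceptable channel exists: the cases the
    decision says staff must report to a designated consultant."""
    return [addr for addr, ch in decisions if ch is Channel.HOLD]


# Constructed outbox (hypothetical addresses)
OUTBOX = [
    ("sagsbehandler@kommune.example", True),
    ("retten@domstol.example", True),
    ("a.client@client-a.example", True),
    ("b.client@client-b.example", True),
    ("contact@partner-firm.example", True),
    ("news@media.example", False),
]

if __name__ == "__main__":
    decisions = route_outbox(OUTBOX)
    for addr, ch in decisions:
        print(f"{addr:32} -> {ch.value}")
    print("report to consultant:", needs_escalation(decisions))
```

The only recipient that ends up on hold is the one whose server offers nothing better than TLS 1.0; the policy treats that like no TLS at all, which is the point of "forced TLS 1.2" as opposed to accepting whatever the peer negotiates.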
6.1. Summary
It is the opinion of the Danish Data Protection Agency that the law firm - in accordance with Article 5(1)(f), cf. Article 5(2), cf. Article 32(1) and (2) of the Data Protection Regulation - has demonstrated that a risk assessment has been prepared in which the risk associated with the transmission of confidential and sensitive personal data over the Internet is considered.
7. Conclusion
Following the supervision of the law firm, the Data Inspectorate concludes in summary:
That the law firm - in accordance with Article 32 of the Data Protection Regulation - uses end-to-end encryption, by exchanging S/MIME certificates through the tunnel mail community, for the transmission of confidential and sensitive personal data over the Internet to municipalities, businesses and other recipients on the public tunnel list.
That the law firm furthermore - in accordance with Article 32 of the Data Protection Regulation - uses encryption on the transport layer via forced TLS 1.2 to transmit confidential and sensitive personal data to clients, relatives etc. over the Internet.
That the law firm - in accordance with Article 5(1)(f), cf. Article 5(2), cf. Article 32(1) and (2) of the Data Protection Regulation - has demonstrated that a risk assessment has been prepared which assesses the risks associated with the transmission of confidential and sensitive personal data over the Internet.
That the law firm is not aware of cases where confidential or sensitive personal information has been sent unencrypted over the Internet since January 1, 2019.