Datatilsynet - 2019-441-1480 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 32 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 04.08.2020 |
Published: | |
Fine: | 150000 DKK |
Parties: | PrivatBo |
National Case Number/Name: | 2019-441-1480 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | n/a |
The Danish DPA has fined PrivatBo DKK 150,000 (roughly 20,000 EUR) for distributing USB sticks containing information about properties for sale and personal data such as lease agreements to tenants in the context of a real estate sale.
English Summary
Facts
In 2018, the management company PrivatBo assisted a housing fund with the sale of three properties. PrivatBo had provided the documents necessary for the sale of the properties to the occupants of the properties via USB keys. However, the documents handed to the occupants contained personal data of a confidential nature, such as the leases of tenants, which should not have been handed out. The matter was brought before the Danish DPA.
Dispute
Was PrivatBo in breach of its obligations under GDPR Article 32?
Holding
Datatilsynet held that PrivatBo had not complied with the requirements of Article 32 of the GDPR to implement appropriate technical and organizational security measures. Datatilsynet also chose to report PrivatBo to the police for the unintentional disclosure of personal information that took place as part of the handing over of the 424 USB keys. Datatilsynet also expressed further criticism against PrivatBo for sharing information about outstanding deposits and prepaid rent with residents in a property other than that which was subject to the tender obligation in question.
Comment
On 14 December 2020, the police stopped the investigation by mistake and closed the criminal case. Subsequently, on 25 April 2022, the Danish DPA reprimanded PrivatBo for not complying with the requirement to implement appropriate technical and organisational security measures. See the updated decision 2019-441-1480 here.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
The Danish Data Protection Agency has set PrivatBo AMBA of 1993 a fine of DKK 150,000 after passing on tenants' confidential information. In 2018, PrivatBo - as a management company - assisted a housing fund with an intended sale of three properties. On that occasion, PrivatBo provided material for the properties in question, which was distributed to the occupants of the properties in question on a total of 424 USB keys. However, PrivatBo was not aware that for some of the leases handed out, documents were attached which contained personal data of a confidential nature and which should not have been disclosed. “In a case like the one in question, it is our assessment that PrivatBo should at least have reviewed the offer material before it was handed out to others. In this connection, we pay particular attention to the fact that there was a risk of passing on information of a confidential nature to e.g. neighbors, and that this could involve significant discomfort for the tenants in question, including for loss of reputation, ”says Frederik Viksøe Siegumfeldt, office manager for the supervisory unit in the Danish Data Protection Agency, and adds: “In general, when you as a company process people's personal information, you also have a responsibility to ensure that it does not come to the knowledge of unauthorized persons. In this case, we do not believe that PrivatBo has done enough to prevent the personal information from being passed on. ” The Danish Data Protection Agency has thus assessed that PrivatBo has not complied with the requirements of Article 32 of the Data Protection Regulation to implement appropriate technical and organizational security measures. Based on the nature of the case, the Authority has therefore chosen to report PrivatBo to the police for the unintentional disclosure of personal information that took place as part of the handing over of the 424 USB keys. In addition, the Danish Data Protection Agency has found grounds for expressing serious criticism that PrivatBo subsequently - in connection with the same offer obligation - unintentionally handed over an overview of outstanding deposits and prepaid rent, and in some cases information about outlays in deposits, distributed to the tenants' address to residents in a property other than that which was subject to the tender obligation in question. The unintentional disclosure of this information occurred despite the fact that PrivatBo had hired an external auditing company in order to ensure the quality of the material.