Datatilsynet (Denmark) - 2019-441-1480

From GDPRhub
Revision as of 14:55, 3 May 2022 by Vadkub (talk | contribs) (updated the source link and added a comment about the case's development in 2022)
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.08.2020
Published:
Fine: 150000 DKK
Parties: PrivatBo
National Case Number/Name: 2019-441-1480
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish DPA has fined PrivatBo DKK 150,000 (roughly 20,000 EUR) for distributing to tenants, in the context of a real estate sale, USB sticks containing information about properties for sale and personal data such as lease agreements.

English Summary

Facts

In 2018, the management company PrivatBo assisted a housing fund with the sale of three properties. PrivatBo had provided the documents necessary for the sale of the properties to the occupants of the properties via USB keys. However, the documents handed to the occupants contained personal data of a confidential nature, such as the leases of tenants, which should not have been handed out. The matter was brought before the Danish DPA.

Dispute

Was PrivatBo in breach of its obligations under GDPR Article 32?

Holding

Datatilsynet held that PrivatBo had not complied with the requirements of Article 32 of the GDPR to implement appropriate technical and organizational security measures. Datatilsynet also chose to report PrivatBo to the police for the unintentional disclosure of personal information that took place as part of the handing over of the 424 USB keys. Datatilsynet also expressed further criticism against PrivatBo for sharing information about outstanding deposits and prepaid rent with residents in a property other than that which was subject to the tender obligation in question.

Comment

On 14 December 2020, the police stopped the investigation by mistake and closed the criminal case. Subsequently, on 25 April 2022, the Danish DPA expressed serious criticism of PrivatBo for not complying with the requirement to implement appropriate technical and organizational security measures.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Danish Data Protection Agency has set a fine of DKK 150,000 for PrivatBo AMBA of 1993 after it passed on tenants' confidential information.

In 2018, PrivatBo - as a management company - assisted a housing fund with an intended sale of three properties. On that occasion, PrivatBo provided material for the properties in question, which was distributed to the occupants of the properties in question on a total of 424 USB keys. However, PrivatBo was not aware that for some of the leases handed out, documents were attached which contained personal data of a confidential nature and which should not have been disclosed.

“In a case like the one in question, it is our assessment that PrivatBo should at least have reviewed the offer material before it was handed out to others. In this connection, we pay particular attention to the fact that there was a risk of passing on information of a confidential nature to e.g. neighbors, and that this could involve significant discomfort for the tenants in question, including for loss of reputation,” says Frederik Viksøe Siegumfeldt, office manager for the supervisory unit in the Danish Data Protection Agency, and adds:

“In general, when you as a company process people's personal information, you also have a responsibility to ensure that it does not come to the knowledge of unauthorized persons. In this case, we do not believe that PrivatBo has done enough to prevent the personal information from being passed on.”

The Danish Data Protection Agency has thus assessed that PrivatBo has not complied with the requirements of Article 32 of the Data Protection Regulation to implement appropriate technical and organizational security measures. Based on the nature of the case, the Authority has therefore chosen to report PrivatBo to the police for the unintentional disclosure of personal information that took place as part of the handing over of the 424 USB keys.

In addition, the Danish Data Protection Agency has found grounds for expressing serious criticism that PrivatBo subsequently - in connection with the same offer obligation - unintentionally handed over an overview of outstanding deposits and prepaid rent, and in some cases information about outlays in deposits, distributed to the tenants' address to residents in a property other than that which was subject to the tender obligation in question. The unintentional disclosure of this information occurred despite the fact that PrivatBo had hired an external auditing company in order to ensure the quality of the material.