Datatilsynet - Fine against Lejre Municipality
|Datatilsynet - Fine against Lejre Municipality
|Article 32 GDPR
|National Case Number/Name:
|Fine against Lejre Municipality
|European Case Law Identifier:
|Datatilsynet (in DA)
The Danish Data Protection Authority (Datatilsynet) fined Lejre Municipality in Denmark DKK 50.000 (approx. € 6.700) for failing to implement appropriate security measures following the latter's notification of a data breach.
English Summary[edit | edit source]
Facts[edit | edit source]
Lejre Municipality in Denmark reported a personal data breach and the Danish DPA asked the police to investigate the matter. It was found that a department of the Municipality uploaded minutes of meetings which contained personal data including sensitive data of adults and minors to a portal where employees had access without any control. Moreover, the Municipality did not notify the data subjects about the breach.
Dispute[edit | edit source]
Holding[edit | edit source]
The DPA found that the Municipality had failed to comply with its obligation to take appropriate measures and that it should establish an access control system. It also emphasised the nature of the violation, the amount of the personal data that was exposed to the breach and the size of the municipality.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Lejre Municipality is fined Published 30-06-2020 news The Data Inspectorate reports the Municipality of Lejre to the police as the Authority assesses that the municipality has not complied with the requirements for an appropriate level of security in the Data Protection Regulation. Lejre Municipality has been fined DKK 50,000 for failing to comply with its obligation as a data controller to implement appropriate security measures. The Data Inspectorate became aware of the matter when the municipality reported a breach of the personal data security. The case showed that Lejre Municipality's department, Center for Children and Young People, has had a regular practice, whereby minutes of meetings containing personal data of a particularly sensitive and protective nature, including about citizens under 18, have been uploaded on the municipality's staff portal. On the staff portal, there was potential access to the information for a large part of the municipality's employees, irrespective of whether the employees in question worked with these types of cases. In the same case, the Data Inspectorate has made serious criticism that Lejre Municipality has not complied with the requirement to notify the data subjects of the breach of personal data security. Appropriate security requirements “It is our general opinion that municipalities' processing of confidential information should at least be protected with access control. In principle, only employees with a work-related need should have access to the information. In addition, logging - ie. machine registration of all uses - usually a necessary and appropriate security measure when processing such information as a municipality, "states Frederik Viksøe Siegumfeldt, head of the supervisory unit of the Data Inspectorate. Fine option The Data Inspectorate has decided to report the Municipality of Lejre to the police and recommends that the municipality be fined DKK 50,000. In determining the fine, the Data Inspectorate emphasized the nature of the violation (lack of security of processing) and the nature and amount of personal data that has been the subject of the breach. Furthermore, emphasis has been placed on the size of the municipality in terms of population and total operating allowance. In most European countries, national data supervision may itself impose administrative fines. Denmark. In Denmark, it works in such a way that the Data Inspectorate, after elucidating and assessing the case, reports the police report to the data controller. The police then investigate whether there is a basis for a charge, etc., and finally a possible fine will be decided by a court.