Datatilsynet - To kommuner indstillet til bøde

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 10.03.2020
Fine: 150,000 DKK
Parties: The municipalities "Gladsaxe Kommune" and "Hørsholm Kommune".
National Case Number/Name: To kommuner indstillet til bøde
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Danish
Original Source: Datatilsynet News (in DA)
Initial Contributor: n/a

The Danish DPA imposed fines on two municipalities for the lack of data security on laptops. The accumulated amount of the fines is DKK 150,000 (approx. EUR 20,000).

English Summary

Facts

A laptop belonging to the municipality Gladsaxe was stolen from the city hall. The laptop was not encrypted. Personal data from more than 20,620 citizens were stored on the device, including information of a sensitive nature and personal identification numbers.

The work laptop of an employee of the municipality Hørsholm was stolen from the employee's car. It was also not encrypted. The data stored on the laptop referred to 1,600 employees of the municipality and contained social security numbers and other information of a sensitive nature.

Dispute

Whether municipalities have to encrypt devices with personal information.

Holding

The Danish DPA emphasized the great responsibility of municipalities, since their processing of personal data happens on a large scale and also involves sensitive data. According to the DPA, the lack of encryption of devices means an unnecessarily high risk to all citizens and, therefore, an actual breach of data security.

The DPA imposed a fine of DKK 100,000 against the municipality Gladsaxe and a fine of DKK 50,000 against the municipality Hørsholm.


English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Two municipalities fined 
Published 10-03-2020 
The Data Inspectorate reports Gladsaxe Municipality and Hørsholm Municipality to the police as the Authority assesses that the municipalities have not complied with the requirements for an appropriate level of security in the Data Protection Regulation (GDPR). 
Gladsaxe Municipality and Hørsholm Municipality have been fined DKK 100,000 and DKK 50,000, respectively.
The Data Inspectorate became aware of the cases when both municipalities reported breaches of the personal data security in connection with the theft of one of the municipalities' computers, which contained personal data. 
Neither Gladsaxe Municipality nor Hørsholm Municipality's computers were protected by encryption, and the municipalities' loss of personal data therefore posed an unnecessarily high risk to citizens. 
In one of the cases, the inadequate security caused a serious breach of the personal data security when a computer containing personal data on 20,620 citizens, including information of sensitive nature and personal identification numbers, was stolen from Gladsaxe City Hall. 
The second security breach occurred when an employee from Hørsholm Municipality had his work computer stolen from his car. The computer contained personal information about approximately 1,600 employees at Hørsholm Municipality, including information of a sensitive nature and information about social security numbers.
The actual breaches of security are some of the possible consequences of the insufficient security. The insufficient security poses a high risk to all the citizens about whom the municipality processes information. 
Municipalities have a great responsibility 
"A municipality processes very large amounts of personal data about the municipality's citizens, including information of a sensitive nature. As a citizen you are not able to opt out of the municipality's processing of information about you, and therefore the municipality has a great responsibility to prevent the information from coming to unknowable persons," says Frederik Viksøe Siegumfeldt, head of the supervisory unit of the Data Inspectorate, and elaborates:
"It's easy to access the files stored on a computer when the computer's hard drive is not encrypted, for example by moving the hard drive to another computer. Therefore, when personal data is stored locally on the computer, it is extremely careless that the municipalities had not protected the computers with encryption."
Fine setting 
The Data Inspectorate has decided to report Gladsaxe Municipality and Hørsholm Municipality to the police and recommends that the two municipalities be fined DKK 100,000 and DKK 50,000, respectively.
In its fine size recommendation, the Data Inspectorate has emphasized, among other things, the nature of the infringement (lack of security of processing) and that failure to encrypt the municipality's computers is a general measure. In addition, emphasis has been placed on the size of municipalities in terms of population and total operating allowance. 
In most European countries, the national data protection authority may itself impose administrative fines, but the rules are different in, among others, Denmark.
Here it works in such a way that the Data Inspectorate, after elucidating and assessing the case, reports the data controller to the police. The police then investigate whether there is a basis for a charge, etc., and finally a possible fine will be decided by a court.