The Danish Data Protection Agency propose for large GDPR fines

During the summer of 2021, the Danish Data Protection Agency has imposed fines on three public authorities and two private companies in the range of DKK 150,000 – 600,000 for violating the GDPR legislation. The new size of the fines emphasizes the importance of companies ensuring an adequate level of security when processing personal data.
News
GDPR

The Danish Data Protection Agency propose for large GDPR fines

During the summer of 2021, the Danish Data Protection Agency has imposed fines on three public authorities and two private companies in the range of DKK 150,000 – 600,000 for violating the GDPR legislation. The new size of the fines emphasizes the importance of companies ensuring an adequate level of security when processing personal data.

The summer’s GDPR fines

Vejle municipality, Region of Southern Denmark, the Danish Immigration Service, Nordbornholms Byggeforretning ApS, and Charlottenlund Lægehus Medicals Nordic I/S have, among other, been fined as a result of breaches on the GDPR rules.

The level of fines has generally been lower for public authorities than for private companies. The case concerning the Region of Southern Denmark, which concerned the processing of health information about more than 30,000 children in psychiatry shows, however, that the Danish Data Protection Agency also issues significantly larger fines to public authorities when it comes to security breaches of a more serious nature.

The case in the Region of Southern Denmark in short

In the Region of Southern Denmark case, information about children has been processed for research and clinical purposes. Other citizens who were also registered in the database had for more than 1,5 years had the opportunity to access other people’s information by simply changing an URL. Considering the nature if the security breach, including the fact that there was a large number (30,000) of registered persons who constituted a group of vulnerable children, the Danish Data Protection Agency proposed a fine of DKK 500,000. The case emphasizes that when sensitive information is processed, then the security level should also reflect this.

Similarly, three of the other cases concerned inadequate security measures, while one of the cases concerned the disclosure of information on criminal offenses without authorization.

Larger fines for private companies?

It is to be expected that the level of fines will continue to be lower for public authorities than for private companies, which is partly due to a higher fine limit for private companies in the GDPR and the Data Protection Law. It would therefore be to be expected that a case such as the one mentioned above concerning the Region of Southern Denmark’s processing of sensitive information would have resulted in a higher fine setting if it was a private company.

If you have questions about the processing of personal data or the GDPR legislation, please do not hesitate to contact our GDPR specialist Associated Partner, Attorney Torsten Hylleberg.  

Contact
Torsten Hylleberg
Partner
Attorney

Related news

See all news
News

The Danish Data Protection Agency focuses on the processing of personal data in online competitions

In a recent case, the Danish Data Protection Agency has decided on a company’s processing and transfer of personal data in connection with offering competitions and questionnaires online.
GDPR
News

European Data Protection Agencies increase focus on cookie solutions and the use of Google Analytics

The Danish Data Protection Agency and other European data protection agencies currently have a strong focus on whether companies’ cookie solutions comply with the rules in the GDPR. It includes e.g. solutions within Google Analytics and IAB’s standard solution for cookies and advertisements, Transparency and Consent Framework (TCF), where there are many indications that Danish companies may prepare for alternative solutions.
GDPR
News

Lund Elmer Sandager strengthens its partnership with two new partners from its own ranks

It is a great pleasure that Attorney Sebastian Rungby and Attorney Torsten Hylleberg will both take up the roles as partners in Lund Elmer Sandager with retroactive effect from 1 January 2022.
GDPR
News

New Standard Contractual Clauses for transfers of personal data outside the EU/EEA

On 4 June 2021, the European Commission issued new Standard Contractual Clauses (“SCC”) for use in the transfer of personal data outside the EU/EEA, which e.g. may be for a (sub) data processor in the United States.
GDPR
News

COVID-19: Restaurants and cafés are encouraged to register visiting guests

On September 7 2020, the Government held a press conference on COVID-19, in which Minister of Health Magnus Heunicke requested that restaurants and cafés offer their visiting guests the possibility to register their contact information. A request that aims to increase contact tracing as the number of people infected with covid-19 is increasing, but at the same time raises some data protection law issues for you as a restaurateur or café owner.
GDPR
News

The Danish Data Protection Agency fines job agency for GDPR breach

The Danish Data Protection Agency (In Danish: Datatilsynet) states that companies must avoid deleting personal data if the right for access is requested.
GDPR