Selected GDPR decisions from the month of March – Two Danish municipalities facing fines
Two municipalities north of Copenhagen can expect fines of DKK 100,000 and DKK 50,000, respectively.
The Danish Data Protection Agency became aware of the matters when both municipalities reported data breaches in connection with the theft of computers containing personal data.
Neither of the municipalities’ computers was protected with encryption, and the municipalities’ loss of personal data therefore constituted an unnecessarily high risk to citizens. In one of the matters, the lack of security resulted in a serious personal data breach when a computer containing personal data on 20,620 citizens, including sensitive data and personal ID numbers, was stolen from the city hall in Gladsaxe.
The other security breach happened when an employee from the Municipality of Hørsholm had his work computer stolen from his car. Personal data on approximately 1,600 employees at the Municipality of Hørsholm was stored on the computer, including information of a sensitive nature and personal ID numbers.
These security breaches reflect some of the possible consequences of inadequate security. The lack of security constitutes a high risk for all citizens on whom the municipality processes data.
The Danish DPA decided to report both municipalities to the police and is recommending that the two municipalities be fined DKK 100,000 and DKK 50,000, respectively.
In its recommendation, the DPA has taken into account, among other things, the nature of the breach (failure to comply with the security principle) and the fact that encryption of a work computer owned by a municipality ought to be an obvious measure. Importance has also been attached to the size of the municipalities with respect to population and to the aggregate operation grant.
Pursuant to Section 41 (6) of the Danish Data Protection Act, public authorities shall be subject to penalties/punishment in the same way as private operators. Nevertheless, the maximum fines for all public authorities are lower than those set out in Article 83 (4-6) of the GDPR.