Denmark: Datatilsynet criticises 3F Østfyn for violation of accuracy and security principles

The Danish data protection authority ('Datatilsynet') published, on 31 May 2022, its decision in Case No. 2021-441-9224, as issued on 11 May 2022, in which it expressed criticism against the insurance fund, 3F Østfyn, for the violation of Articles 5(1)(d) and 32(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a breach of data security reported by 3F.

Background to the case

In particular, the Datatilsynet stated that the case concerns a member of 3F who changed their name and address, after receiving address protection in the Danish Civil Registration System ('the CPR Register') when they moved away from their violent cohabitant. In this regard, the Datatilsynet noted that 3F updated its members' names and addresses on the basis of the CPR Register; however, since the member had address protection in the CPR Register, 3F could no longer receive information about the member's address. As such, the Datatilsynet specified that the member had contacted 3F to have their name and address information updated manually, and noted that, due to a human error, only the name was updated. Thereafter, the Datatilsynet expressed that when the 3F newsletter was sent out, the member's name change was listed but the newsletter was sent to the member's original address, thereby informing the cohabitant of the member's new name.

Findings of the Datatilsynet

Notably, following its investigation, the Datatilsynet found that the retaining of the member's original address after their information was deemed protected in the CPR Register, without secure verification of the accuracy of the member's information on 3F's CRM system, amounted to a breach of Article 5(1)(d) of the GDPR.

Additionally, the Datatilsynet found that 3F was in breach of Article 32(1) of the GDPR for failing to implement technical and organisational security measures proportionate to the risk posed by processing the member's information. In this regard, the Datatilsynet stated that the requirement under Article 32(1) will normally mean that the controller must have procedures to ensure that information is updated correctly when the controller becomes aware of the inaccuracy of the information, including instructing employees about such procedures, and checking whether the employees update the information correctly. As such, the Datatilsynet noted that the controller may need to implement additional measures to compensate for human error.

Outcomes

Ultimately, the Datatilsynet expressed criticism against 3F for its breach of Articles 5(1)(d) and 32 of the GDPR. 

You can read the press release here and the decision here, both only available in Danish. 
