Denmark: Datatilsynet fines PrivatBo DKK 150,000 and reports it to the police for violating Article 32 of the GDPR
The Danish data protection authority ('Datatilsynet') announced, on 4 August 2020, that it had fined PrivatBo AmbA DKK 150,000 (approx. €20,100) and reported it to the police after it had transferred tenants' confidential information and had therefore not implemented appropriate technical and organisational security measures, in violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the Datatilsynet noted that PrivatBo, a management company, assisted a housing fund with the intended sale of three properties, and that PrivatBo had provided material for the properties in question, which was distributed to the occupants of the properties on a total of 424 USB keys. However, PrivatBo was not aware that some of the leases handed out had documents attached which contained personal data of a confidential nature and which should not have been disclosed. Therefore, the Datatilsynet chose to report PrivatBo to the police for the unintentional transfer of personal information that took place as part of the handing over of the 424 USB keys.
In addition, the Datatilsynet found grounds for expressing serious criticism that PrivatBo subsequently, in connection with the same offer obligation, unintentionally distributed information relating to outstanding deposits and prepaid rent, and in some cases information on disbursements in deposits, to residents in a property other than that which was subject to the obligation in question. The unintentional disclosure of this information occurred despite the fact that PrivatBo had hired an external auditing company.
You can read the announcement, only available in Danish, here.