Denmark: Datatilsynet issues decision expressing criticism against FSA for insufficient data security measures in connection with access request

The Danish data protection authority ('Datatilsynet') published, on 16 May 2022, its decision in Case No. 2020-442-8099, as issued on 21 April 2022, in which it expressed criticism against the Danish Financial Supervisory Authority ('FSA') for its failure to implement sufficient data security measures in accordance with Article 32(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation by the Datatilsynet. 

Background to the decision 

In particular, the Datatilsynet stated that the FSA had passed on information about whistleblowers to a journalist in connection with a request for access to documents. In this regard, the Datatilsynet specified that the unintentional disclosure of personal data took place because the FSA had failed to remove personal data from the disclosed material in a sufficiently secure manner: the FSA had crossed out personal data in the disclosed documents, but the data could still be read by holding the mouse cursor over the crossed-out material.

Findings of the Datatilsynet 

Notably, following its investigation, the Datatilsynet found that the FSA had failed to implement appropriate technical and organisational measures prior to the occurrence of the breach, since the FSA did not have sufficient procedures for anonymising information in connection with requests for access to documents. More specifically, the Datatilsynet stated that guidelines that only stipulate that caseworkers must cross out everything that is not related to the extraction obligation are not precise enough to provide sufficient assurance of correct anonymisation, especially with regard to the technical solution chosen to carry out such anonymisation.

In this regard, the Datatilsynet noted that it is essential that the technical solution chosen cannot be easily bypassed with standard tools and does not leave traces of the removed personal data, including metadata. As such, the Datatilsynet emphasised that a controller must be fully aware of the functionality of the technical solution it uses and must give its employees instructions that ensure that the personal data in the documents are effectively removed. Moreover, the Datatilsynet expressed that the risk to the data subject's rights must generally be considered higher when the information originates from a whistleblower scheme.


Ultimately, the Datatilsynet expressed criticism against the FSA for its failure to implement sufficient security measures in connection with its response to a request for access to documents, in violation of Article 32(1) of the GDPR. 

You can read the press release here and the decision here, both only available in Danish.