Denmark: Datatilsynet recommends DKK 50,000 fine against Municipality of Lolland for data security failures
The Danish data protection authority ('Datatilsynet') announced, on 11 August 2022, that it had referred the Municipality of Lolland to the police and recommended a fine of DKK 50,000 (approx. €6,720), for its failure to implement adequate data security measures in connection with the processing of personal data, following a notification by the Municipality in December 2020.
Background to the decision
In particular, the Datatilsynet stated that the Municipality's notification took place after an employee had a work phone stolen, which allowed access to the employee's work email account containing personal data in the form of citizens' names, social security numbers, and health information, among others. In this regard, the Datatilsynet highlighted that the phone had not been protected by a code and that the Municipality had stated that, over a number of years, it had been possible for employees to remove otherwise mandatory access codes.
Findings of the Datatilsynet
Notably, the Datatilsynet found that the Municipality had failed to comply with the rules on adequate security with regard to its processing of personal data. Furthermore, the Datatilsynet emphasised that controllers must not assume that all employees follow internal guidelines stating that mobile devices must always be protected by an access code, and must instead ensure that effective safeguards are in place such that the requirement to set up an access code cannot be bypassed. In this regard, the Datatilsynet noted that, considering the risk exposure for citizens linked to the Municipality's processing of personal data, it had been unjustifiable that the Municipality had not protected mobile devices with access codes that the employees could not disable themselves.
Ultimately, the Datatilsynet stated that it had reported the Municipality to the police and recommended a fine of DKK 50,000 (approx. €6,720) for the Municipality's failure to ensure that adequate security measures had been implemented in connection with the processing of personal data.
You can read the press release, only available in Danish, here.