The Danish data protection authority ('Datatilsynet') announced, on 20 August 2020, that it had itself suffered a personal data breach after finding that some of its paper waste containing confidential and sensitive information about citizens and employees, which should have been shredded, had been disposed of as ordinary paper waste. In particular, the Datatilsynet noted that this material is generally stored electronically in its systems, but had been printed by the Datatilsynet's employees when they needed to discuss a matter internally or proofread a draft letter or note, and that such material had since been thrown into a container in the belief that this paper waste would be shredded. However, a Datatilsynet employee discovered that it had instead been disposed of as ordinary waste paper, which means that the paper waste had been stored in a container in a locked waste room and driven for ordinary recycling. Moreover, the Datatilsynet highlighted that the breach had been going on in the period from February, when it moved to new premises, to August, when an employee became aware of the problem, although the Datatilsynet noted that from mid-March to mid-June, the issue has not been relevant, as all employees during this period worked from home due to COVID-19 ('Coronavirus') pandemic and there have been no indications that personal information should have reached unauthorised persons.

In addition, the Datatilsynet noted that the breach of personal data security had been reported in the same way that all other data controllers use when they detect breaches of personal data security, but that the notification took place almost 24 hours late in relation to the requirement for notification within a maximum of 72 hours, and the employee responsible for reporting the specific breach had been reprimanded for the same. Finally, the Datatilsynet outlined that it is considering the question of possible notification of the data subjects affected and has reviewed all procedures for the disposal of waste paper and tightened up its internal guidelines.

You can read the announcement, only available in Danish, here.

UPDATE (28 August 2020)

Datatilsynet provides information to potentially affected data subjects

The Datatilsynet announced, on 26 August 2020, that, although there is no evidence to suggest that the data subject to the breach has been accessed by unauthorised persons, the Datatilsynet is, as a precaution, informing the potentially affected data subjects of the possible risks of the breach. In addition, the Datatilsynet highlighted that the information affected by the breach includes names, subject of complaints, including information of a confidential and sensitive nature, and, in some cases, addresses. In relation to the possible consequences of the breach, the Datatilsynet outlined that the breach may result in unlawful advertising, publication of sensitive personal information, identity theft, and phishing attacks.

You can read the press release, only available in Danish, here.