Civilstyrelsen: Insufficient technical and organisational measures to ensure information security

The Danish DPA has imposed a fine of EUR 13,400 on the Danish agency Civilstyrelsen. A Civilstyrelsen USB stick containing more than 800 pages of sensitive and confidential information had been lost. During its investigation, the DPA found that the USB stick was not encrypted. In addition, the agency did not have any policies for its employees on the use of removable and portable media. Moreover, the DPA found that despite being aware of this data breach, the agency had not reported the breach, contrary to its obligation under Art. 33 GDPR. The DPA concluded that the agency had not taken appropriate technical and organizational measures to protect personal data. Encryption of removable media, for example, is a necessary and required security measure, especially if the removable media contain sensitive information such as personal data.

GDPR Articles: Art. 32 GDPR, Art. 33 GDPR
Industry: Public Sector and Education