Regulatory actions, fines, warnings, and enforcement decisions
Een boete van 200.900 euro - De Deense Autoriteit voor Gegevensbescherming (Datatilsynet).
De Deense autoriteit voor gegevensbescherming heeft ILVA A/S een boete van 200.900 euro opgelegd. De verantwoordelijke partij heeft nagelaten om de deadlines voor het verwijderen van gegevens na te leven. Dit heeft geleid tot een schending van het beginsel van opslagbeperking.
€200,900 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 200,900 on ILVA A/S. The controller failed to implement data deletion deadlines. This led to an infringement of the principle of storage limitation.
Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine between EUR 46,900 and EUR 53,600 on the Lyngby-Taarbæk Municipality. The controller failled to implement sufficient security measures resulting in a data breach.
€6,700 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 9,700 on Uptime-IT ApS. Uptime-IT ApS, the data processor for a chiropractic clinic, failed to install sufficient security measures, resulting in a data breach.
€26,800 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 26,800 on the municipality of Vejen. The municipality had suffered a security incident involving the theft of three unencrypted computers containing information about children. During its investigation, the DPA found that 300 other computers were not encrypted either.
€6,700 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 6,700 on Hørsholm municipality. The municipality had reported a data breach to the DPA pursuant to Art. 33 GDPR. An employee's work computer, which contained sensitive and confidential information about approximately 1,600 municipality employees, had been stolen. During its investigation, the DPA determined that the data on the computer was not adequately secured and that the municipality had failed to take appropriate technical measures to protect person
€6,700 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 6,700 on Lolland municipiality. The municipality had reported a data breach to the DPA in accordance with Art. 33 GDPR. One of the municipality's employees had their work phone stolen. The employee used the phone to access their work email account which contained information on the names of several citizens, social security numbers and health data. During its investigation, the DPA found that the phone was not protected by a password. Therefore, it was po
€67,200 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 67,200 on the law firm SIRIUS. The law firm had suffered a cyber attack in which hackers gained access to the firm's servers and encrypted them. This gave them access to information about the firm's clients and business partners. During its investigation, the DPA found that the law firm lacked basic security measures, which increased the risk of unauthorized access to client data. The firm's systems, for example, did not contain sufficient verification me
€134,000 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has fined publisher Gyldendal A/S EUR 134,000. During its investigation, the DPA found that the company had kept the data of approximately 685,000 unsubscribed members of Gyldendal's book clubs longer than necessary. Instead of deleting the data of the deregistered book club members, Gyldendal kept the data in a database. The data of approximately 395,000 of the former members affected were kept for more than 10 years. In addition, the DPA found that Gyldendal did not have a proce
€13,400 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 13,400 on the Danish agency Civilstyrelsen. A Civilstyrelsen USB stick containing more than 800 pages of sensitive and confidential information had been lost. During its investigation, the DPA found that the USB stick was not encrypted. In addition, the agency did not have any policies for its employees on the use of removable and portable media. Moreover, the DPA found that despite being aware of this data breach, the agency had not reported the breach,
€1,300,000 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 1.3 million on Danske Bank. The DPA had opened an investigation against the bank after it informed the DPA that it had a problem with the deletion of personal data. During the investigation, the DPA found that the bank had failed to document the rules for deletion and storage of personal data in more than 400 systems. Consequently, the bank was unable to prove that such rules, which are required under the GDPR, existed. The DPA considered this to be a bre
€6,700 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 6,700 on the Danish National Genome Center. The center had conducted a data protection impact assessment that revealed circumstances that could pose a high risk to the rights of data subjects. The DPA imposed the fine because the center had processed personal data without first consulting the DPA, even though the impact assessment had revealed a high risk to data subjects. The center has complied with all the DPA's requests and has shown good cooperation
€13,450 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has fined the municipality of Frederiksberg EUR 13,450. On March 1, 2021, the municipality reported a data breach under Art. 33 GDPR. The municipality's dental care service had operated a system through which parents could access their children's dental care letters online. The municipality then extended this access to parents with joint custody. As a result, in several cases, parents gained access to information about the other parent and the child's address, even though the affe
€107,000 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has fined the Danish Cancer Society EUR 107,000 for failing to comply with the requirements of the GDPR regarding appropriate security measures. The Danish Cancer Society had reported four data breaches according to Art. 33 GDPR to the DPA. Two of these involved computer thefts, two phishing attacks - and all four were due to the Danish Cancer Foundation's failure to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subje
€67,200 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA imposed a fine of EUR 67,200 on Syddanmark Region. On March 9, 2020, the DPA received a notification from Syddanmark Region regarding a personal data breach according to Art. 33 GDPR. The Syddanmark Region states that since May 2011, a PowerPoint presentation was available on its website that had been created at Odense University Hospital for training purposes and contained charts with personal data - including health information and ID card number details - of 3,915 patients. The
€10,000 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 10,000 on Favrskov municipality. On August 19, 2020, the DPA received a notification from Favrskov Municipality of a personal data breach under Art. 33 GDPR. The notification stated that during a break-in at the municipality's premises, a laptop was stolen which contained a program that provided an overview of the municipality's care facilities and thus information on the names and personal identity numbers of approximately 100 individuals with physical o
€53,800 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 53,800 on Midtjylland Region. On June 12, 2020, the DPA received a notification from the region regarding a personal data security breach pursuant to Art. 33 GDPR. According to the notification, all patients and staff at a lifestyle center were able to access a building where up to 100,000 physical patient records were stored, including health information and personal identity number details. The reason for this was that both staff and patients had been g
€20,100 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA has imposed a fine of EUR 20,100 on the Danish Immigration Agency. Media reports brought the DPA's attention to possible logging errors in one of the agency's IT systems, which could have an impact on the rights and freedoms of residents. The DPA consequently started an investigation at the agency. In spring and summer 2020, several security incidents occurred in the agency's systems, resulting in the loss of data records. The loss of data led to proceedings being initiated agains
€67,900 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA (Datatilsynet) has fined the Region of Syddanmark EUR 67,900 for failing to comply with its obligation as a data controller to implement adequate security measures. The matter came to the attention of the DPA when a citizen complained to the authority in 2020 about the lack of security in the processing of personal data of the citizen's child by the region, and shortly thereafter the region reported the matter to the authority as a personal data breach. The Region of Syddanmark ha
€80,700 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA (Datatilsynet) has fined Medicals Nordic I/S EUR 80,700. In January 2021, the DPA became aware that Medicals Nordic was using WhatsApp to transmit confidential information and health data about citizens being tested in the company's test centres. All employees working in a test centre were invited to a WhatsApp group associated with the test centre. The members of these WhatsApp groups received all the messages transmitted by other employees in the groups. The employees shared con
€53,800 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA ( Datatilsynet) has imposed a fine of EUR 53,800 on Nordbornholms Byggeforretning Aps. In 2018, the DPA was contacted by a data subject who complained that his former employer Nordbornholms Byggeforretning ApS, had disclosed information about him to the company's customers. The controller had emailed two of the company's customers informing them that the former employee had committed crimes in the course of employment and had admitted to committing them, as well as describing in d
€27,000 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA (Datatilsynet) has imposed a fine of EUR 27,000 on Vejle municipality. The Danish DPA had started investigations against the municipality after it had reported a data breach pursuant to Art. 33 GDPR. The municipal dental care service had sent automated welcome letters to both parents as part of the treatment of children, which contained the contact details of both parents. In this process, the municipality had not checked whether it was permitted to pass the information on to the
€13,450 fine - Danish Data Protection Authority (Datatilsynet)
Original summary: On June 3, 2019, the Danish DPA (Datatilsynet) reported IDdesign to the police and demanded payment of a fine in the amount of EUR 200,850 for the processing of personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the
€20,100 fine - Danish Data Protection Authority (Datatilsynet)
The company had distributed USB sticks to tenants in the context of a sale of real estate, which contained not only non-personal information on the real estate objects in question but also personal data of other persons such as lease agreements and other documents containing confidential personal data.
€147,800 fine - Danish Data Protection Authority (Datatilsynet)
During an inspection, the supervisory authority reviewed a number of IT systems to examine whether Arp-Hansen had sufficient procedures in place to ensure that personal data were not kept longer than necessary for the purposes of collection. It was found that one of the reservation systems contained a large amount of personal data that should already have been deleted in accordance with the deletion deadlines set by Arp-Hansen itself.
€6,700 fine - Danish Data Protection Authority (Datatilsynet)
The data protection authority had found that the Lejre Municipal Child and Youth Centre had regularly uploaded minutes of meetings with particularly sensitive and sensitive personal data, including on citizens under 18 years of age, to the Lejre Municipal Personnel Portal, which was accessible to employees of the Lejre Municipality, regardless of whether the employees in question were working with these cases. In addition, the data protection authority denied the failure to comply with the oblig
€6,700 fine - Danish Data Protection Authority (Datatilsynet)
The company has deleted personal data affected by a request for access without legal reason.
€14,000 fine - Danish Data Protection Authority (Datatilsynet)
A computer, containing personal data that was not protected by encryption, has been stolen, including sensitive information and personal identification numbers of 20,620 city residents.
€7,000 fine - Danish Data Protection Authority (Datatilsynet)
A city government employee had his work computer stolen, which contained the personal data of about 1,600 city government employees, including sensitive information and information about social security numbers.
€160,000 fine - Danish Data Protection Authority (Datatilsynet)
The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data-minimization principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold onto individual's phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an