Denmark

Civilstyrelsen

13,400 €

GDPR enforcement action by Danish Data Protection Authority (Datatilsynet) on 2022-05-12.

Rank · Sector

#156

of 356 in Public Sector and Education

Rank · Denmark

#21

of 29

Rank · All fines

#1,233

of 3,042

Case details

Authority: Danish Data Protection Authority (Datatilsynet)
Date: 2022-05-12
Controller / Processor: Civilstyrelsen
Sector: Public Sector and Education
Quoted Articles: Art. 32 GDPR, Art. 33 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Danish DPA has imposed a fine of EUR 13,400 on the Danish agency Civilstyrelsen.

A Civilstyrelsen USB stick containing more than 800 pages of sensitive and confidential information had been lost. During its investigation, the DPA found that the USB stick was not encrypted. In addition, the agency did not have any policies for its employees on the use of removable and portable media.

Moreover, the DPA found that despite being aware of this data breach, the agency had not reported the breach, contrary to its obligation under Art. 33 GDPR.

The DPA concluded that the agency had not taken appropriate technical and organizational measures to protect personal data. Encryption of removable media, for example, is a necessary and required security measure, especially if the removable media contain sensitive information such as personal data.

Open original source Links to the regulator's original publication or another source.