Denmark
Region of Syddanmark
GDPR enforcement action by Danish Data Protection Authority (Datatilsynet) on 2021-07-16.
Case details
- Authority
- Danish Data Protection Authority (Datatilsynet)
- Date
- 2021-07-16
- Controller / Processor
- Region of Syddanmark
- Sector
- Health Care
- Quoted Articles
- Art. 32 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Danish DPA (Datatilsynet) has fined the Region of Syddanmark EUR 67,900 for failing to comply with its obligation as a data controller to implement adequate security measures. The matter came to the attention of the DPA when a citizen complained to the authority in 2020 about the lack of security in the processing of personal data of the citizen's child by the region, and shortly thereafter the region reported the matter to the authority as a personal data breach.
The Region of Syddanmark had maintained a database for research and clinical purposes for a period of more than 1.5 years, whereby the database was not adequately secured against unauthorized access. By manipulating URLs, it was possible to gain access to PDF documents stored in the database. This allowed citizens who were registered in the database - and who also had a login to the database - to access the personal data of people registered in the database. The database contained questionnaires with health information on more than 30,000 children receiving psychiatric care.
Related fines