Denmark
Syddanmark Region
GDPR enforcement action by Danish Data Protection Authority (Datatilsynet) on 2021-09-17.
Case details
- Authority
- Danish Data Protection Authority (Datatilsynet)
- Date
- 2021-09-17
- Controller / Processor
- Syddanmark Region
- Sector
- Public Sector and Education
- Quoted Articles
- Art. 32 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Danish DPA imposed a fine of EUR 67,200 on Syddanmark Region.
On March 9, 2020, the DPA received a notification from Syddanmark Region regarding a personal data breach according to Art. 33 GDPR. The Syddanmark Region states that since May 2011, a PowerPoint presentation was available on its website that had been created at Odense University Hospital for training purposes and contained charts with personal data - including health information and ID card number details - of 3,915 patients.
The region used a screening tool to periodically check for inadvertent postings of personal identity numbers on its website. However, the screening tool was unable to scan the underlying data in PowerPoint presentations.
In this context, the DPA found that the region had not implemented appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.
In assessing whether a fine should be imposed, the DPA took into aggravating consideration the fact that Syddanmark Region processes large amounts of personal data, including health data - which is of a sensitive nature.
Related fines