Denmark
Danish Cancer Society
GDPR enforcement action by Danish Data Protection Authority (Datatilsynet) on 2021-09-29.
Case details
- Authority
- Danish Data Protection Authority (Datatilsynet)
- Date
- 2021-09-29
- Controller / Processor
- Danish Cancer Society
- Sector
- Health Care
- Quoted Articles
- Art. 32 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Danish DPA has fined the Danish Cancer Society EUR 107,000 for failing to comply with the requirements of the GDPR regarding appropriate security measures.
The Danish Cancer Society had reported four data breaches according to Art. 33 GDPR to the DPA. Two of these involved computer thefts, two phishing attacks - and all four were due to the Danish Cancer Foundation's failure to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects.
A similar personal data breach already occurred in August 2018, when the Foundation fell victim to phishing and spoofing hacking attacks. In this context, the Danish Cancer Society stated that it should increase protection through multifactor authentication, however, this was not implemented.
The data of at least 1,448 individuals was compromised, and in several cases it involved sensitive personal health data, including medical history.
Related fines