News
FOUR YEARS OF GDPR: The Danish approach to data protection, or absence thereof?
25th May 2022 marked the 4th anniversary of the entry into force of the General Data Protection Regulation (GDPR) and the announcement of sanctions with a deterrent effect. However, the obligation to issue fines that are effective, proportionate and dissuasive has not been met at all by the Danish Data Protection Authority and the Danish courts. The lack of enforcement of the rules will ultimately lead to a lax treatment of personal data and may in the long term have serious consequences for the protection of the fundamental rights of individuals.
MUNICIPALITY OF LEJRE FINED DKK 50,000
One of a total of two cases in which Danish courts have currently imposed fines for breaches of the GDPR concerns a public authority, the municipality of Lejre. On 9th March 2022, the court in Roskilde imposed a fine of DKK 50,000 upon Lejre Municipality for breach of data protection requirements.
The decision was in line with the Data Protection Authority's police notification of Lejre Municipality, which was set to pay a fine of DKK 50,000 back in June 2020 in connection to the municipality's self-reporting of a security breach.
The case against Lejre Municipality concerned the municipality's practice regarding meeting protocols. The municipality's departments had an established practice of uploading meeting protocols including personal data of a sensitive and confidential nature to the municipality's employee portal. Some of the personal data also concerned citizens under the age of 18.
By uploading the meeting records to the staff portal, a large proportion of the municipality's staff had access to the personal data, regardless of whether they were working on the type of cases or not. In addition, it was not recorded who accessed the data.
The Data Protection Authority was of the opinion that the processing of sensitive and confidential data by the municipality should at least be protected by access control, so that as a rule only employees with a work-related need have access to the data. In addition, it was noted that registering each access to the data would normally be a necessary and appropriate safeguard when processing this kind of information.
Against this background, the Data Protection Authority found that the municipality did not comply with the requirements of the data protection regulation on adequate security measures.
IDDESIGN A/S FINED DK 100,000
The second of the two cases in which the courts have currently decided on a fine is the case against IDdesign. On 12th February 2021, the District Court in Aarhus found that IDdesign had breached the GDPR by storing approximately 350,000 personal data for longer than necessary in an older and partly phased-out customer data system. IDdesign was fined DKK 100,00 for this breach, despite the fact that the Data Protection Authority had set a fine of DKK 1.5 million. The court only found evidence proving that the violation had been committed negligently and based its decision on the fact that IDdesign had failed to delete the data through an oversight as a result of focusing too one-sidedly on the company's active IT systems. In addition, the Court held that only IDdesign's own revenue and not that of the group (IDdesign is part of the JYSK group) should be taken into account for the calculation of the fine and that the negligence of the infringement should be taken into account. The prosecution subsequently appealed against the judgment, which has not yet been heard by the Court of Appeal.
DATA PROTECTION AUTHORITY FINES DANISH BANK DKK 10 MILLION
Most recently, the Danish Data Protection Authority has imposed a record fine of DKK 10 million on Danske Bank for failing to document the deletion of personal data in 400 systems. This is the largest fine that the Data Protection Authority has imposed so far.
CONCLUSION
At present, we have very few judgments concerning the level of fines for violations of the GDPR in Denmark. Despite the fact that this years 25th of May marked four years since the GDPR entered into force, the courts have only imposed two fines of DKK 100,000 on IDdesign A/S and DKK 50,000 on Lejre Municipality. These decisions are in sharp contrast to the levels of fines currently seen in other EU countries, where fines are in the millions.
If we continue this trend in Denmark, there is a significant risk that Denmark will be considered a "safe haven" in relation to fines. This could lead to foreign companies choosing to locate in Denmark precisely to avoid higher fines if they breach the GDPR. Companies may thus speculate on not complying with data protection legislation (or only partially complying with it) because the fine for non-compliance is much lower than the costs, both financial and in terms of resources, required to comply with data protection legislation. This is hardly a desirable scenario for Denmark as a digital pioneer.
The failure to enforce the rule that fines must have a deterrent effect will also ultimately lead to the negligent handling of personal data and may have serious consequences for the protection of the fundamental rights of individuals in the long run.
It will be interesting to see what the courts come up with in the case against Danske Bank and the case against IDdesign, which has been appealed to the regional court. https://noyb.eu/sites/default/files/2022-04/Bescheid%20geschwärzt%20EN.pdf
Article provided by INPLP member: Claas Thöle (NJORD, Denmark)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- Jänner 2025
- Dezember 2024
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010