Region of Syddanmark – €67,900 Fine (Denmark, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Danish DPA fined the Region of Syddanmark for not securing a database that contained sensitive health information about children. The database was vulnerable to unauthorized access, risking the privacy of over 30,000 children. This case highlights the importance of strong security measures for protecting personal data.
What happened
The Region of Syddanmark was fined for failing to secure a database containing sensitive health information, allowing unauthorized access.
Who was affected
Children receiving psychiatric care whose health information was stored in an inadequately secured database.
What the authority found
The Danish DPA found that the region violated GDPR by not implementing adequate security measures to protect personal data.
Why this matters
This fine emphasizes the critical need for robust security practices to protect sensitive data, especially in healthcare. Organizations should regularly review and update their security measures to prevent unauthorized access.
GDPR Articles Cited
The Danish DPA (Datatilsynet) has fined the Region of Syddanmark EUR 67,900 for failing to comply with its obligation as a data controller to implement adequate security measures. The matter came to the attention of the DPA when a citizen complained to the authority in 2020 about the lack of security in the processing of personal data of the citizen's child by the region, and shortly thereafter the region reported the matter to the authority as a personal data breach. The Region of Syddanmark had maintained a database for research and clinical purposes for a period of more than 1.5 years, whereby the database was not adequately secured against unauthorized access. By manipulating URLs, it was possible to gain access to PDF documents stored in the database. This allowed citizens who were registered in the database - and who also had a login to the database - to access the personal data of people registered in the database. The database contained questionnaires with health information on more than 30,000 children receiving psychiatric care.
Related Enforcement Actions (0)
No other enforcement actions found for Region of Syddanmark in DK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
16 July 2021
Authority
Datatilsynet (Denmark)
Fine Amount
€67,900
Enforcement Tracker ID
ETid-759
About this data
Cite as: Cookie Fines. Region of Syddanmark - Denmark (2021). Retrieved from cookiefines.eu
Last updated: