Favrskov municipality – €10,000 Fine (Denmark, 2021)

The Danish DPA has imposed a fine of EUR 10,000 on Favrskov municipality. On August 19, 2020, the DPA received a notification from Favrskov Municipality of a personal data breach under Art. 33 GDPR. The notification stated that during a break-in at the municipality's premises, a laptop was stolen which contained a program that provided an overview of the municipality's care facilities and thus information on the names and personal identity numbers of approximately 100 individuals with physical or mental disabilities. The computer hard drive in question was not encrypted and the program in question, which contained confidential and sensitive personal data, was not equipped with security measures. In reviewing the case, the DPO found that Favrskov Municipality had not ensured the encryption of the hard drives of the municipality's laptops for a long period of time prior to August 12, 2020, resulting in an inadequate level of security. The DPA considered this to be a violation of Art. 32 GDPR, as the municipality had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk.