Digitaliseringsstyrelsens – Violation Found (Denmark, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Danish data protection authority found that the Agency for Digital Government did not properly assess risks related to using JavaScript in its digital ID system. This is significant because it shows that companies must evaluate security risks to protect users' rights. Small businesses should regularly assess their technology for potential security issues.
What happened
The Agency for Digital Government was found to have inadequate risk assessment practices regarding JavaScript use in its digital ID system.
Who was affected
Users of the MitID digital ID system who rely on secure technology were affected.
What the authority found
The authority determined that the Agency failed to properly assess risks to users' rights when using JavaScript, violating GDPR requirements for security measures.
Why this matters
This finding highlights the need for organizations to conduct thorough risk assessments of their technologies to ensure user safety and compliance with GDPR.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 20 January 2022, the Danish DPA received an inquiry from a citizen about the Agency for Digital Government’s (the controller) use of JavaScript, a programming language, in connection with MitID, the Danish digital ID. In general, the inquiry stated that JavaScript is outdated and not safe and that devices can easily be hacked if JavaScript is enabled, as highlighted by leading security experts for many years. The DPA decided to further investigate the issue and requested the controller to present statements regarding the processing in question. The controller explained that it conducted a risk assessment of MitID and identified relevant risks, including overall risks related to code quality, which JavaScript falls under. However, it stated it did not assess possible risks to the rights of the data subjects when using specifically JavaScript. Nonetheless, it clarified to have implemented appropriate technical and organisational measures to ensure a sufficient level of security to protect the rights and freedoms of data subjects. Regarding this processing, the controller also clarified that many security requirements have been set to ensure that the system is secure and updated at all times. Finally, the controller noted that in 2013 it assessed the usage of JavaScript for NemID (the old eID, replaced by MitID) and found that a JavaScript solution would have always provided high security levels. The DPA reminded that the GDPR in several provisions requires a data controller to address the risk to the rights and freedoms of the data subjects. Article 25 GDPR, Article 35 GDPR and Article 36 GDPR, among others, require to consider the risks to the rights of data subjects before initiating processing operations. In addition, the DPA reminded that under Article 5(1)(f) GDPR personal data must be processed in a manner that ensures appropriate security of the personal data concerned. It further noted that from both Article 5(2) GDPR and Article 24(1) GDPR it follows tha
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Digitaliseringsstyrelsens in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Digitaliseringsstyrelsens - Denmark (2023). Retrieved from cookiefines.eu
Last updated: