City of Copenhagen – Violation Found (Denmark, 2024)

Violation Found
Datatilsynet (Norway)
7 May 2024
Denmark
final
ePrivacy

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The City of Copenhagen accidentally allowed 37,500 employees to access personal data of up to 3.7 million people due to a mistake during a disk swap. This breach included sensitive information about well-being and health care. While there was no fine, this incident highlights the importance of proper data access controls for organizations.

What happened

The City of Copenhagen mistakenly granted unauthorized access to personal data for 37,500 employees.

Who was affected

Approximately 3.7 million people whose personal data was exposed due to the breach.

What the authority found

The Danish Data Protection Authority found that the City of Copenhagen failed to protect personal data adequately, although no fine was imposed.

Why this matters

This incident underscores the need for companies to implement strict data access controls to prevent unauthorized access. It serves as a reminder that human error can lead to significant data breaches.

GDPR Articles Cited

Art. 32(1) GDPR
Art. 4(12) GDPR

Source verified 10 April 2026
authority corrected
scope corrected
corrected bucket
Full Legal Summary

On 17 June 2021, the City of Copenhagen (“the controller”) reported a personal data breach to the Danish DPA (“Datatilsynet”). During a routine scan on 15 June 2021 of the controller’s open file drive, the controller found that there was access to a normally closed drive that contained personal data. The data included name and address information, but the files also contained information about well-being, language assessment and information about children's dental and health care. Normally, only four data warehouse developers have access to this data, but now approximately 37,500 employees in the municipality gained unauthorised access to information about up to 3.7 million people. This was due to human error as an employee with administrator access mistakenly gave too wide access to the drive during a disk swap. The unauthorised access existed for almost two months until the controller discovered the error. The access was then closed and reported to the DPA.

The controller stated there was a very low probability of an ordinary employee encountering the drive, as it required special prerequisites to find it. Network registration was turned off on the individual PCs, which meant that employees could not find the drive through ordinary searches on the PC. It also meant that the URL had to be known or the drive had to be actively scanned for. Moreover, the controller, after investigation, found that no scanning tool had been used to look for open drives during the period of the breach. Furthermore, examination of the administrative log showed access only for people with a work-related need. However, the controller's logs of all administrative IT users' potential access to the drive only went back in time 35 days and therefore the controller could not definitively conclude that no employees other than those with a work-related need had accessed the data during the period. The controller also stated that the majority of the files were not immediately readable for thos

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for City of Copenhagen in DK

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

7 May 2024

Authority

Datatilsynet (Norway)

GDPRhub ID

gdprhub-8005

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. City of Copenhagen - Denmark (2024). Retrieved from cookiefines.eu
