Udviklings- og Forenklingsstyrelsen – Complaint Upheld (Denmark, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Danish Agency for Development and Simplification mistakenly shared personal data with an accountant, who then disclosed it to their client. This breach highlights the importance of protecting personal information and ensuring proper data handling practices. The agency's refusal to reveal the accountant's identity led to complaints, emphasizing the need for transparency.
What happened
The Danish Agency for Development and Simplification shared personal data of two individuals with an accountant without proper authorization.
Who was affected
Two individuals whose personal data was shared without their consent.
What the authority found
The Danish Data Protection Authority ruled that the agency must provide the identity of the unauthorized data recipient, as it is covered by GDPR transparency rules.
Why this matters
This case underscores the necessity for organizations to handle personal data responsibly and maintain transparency. It serves as a reminder for companies to review their data sharing practices to avoid similar breaches.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
In 2020 a data breach occurred within the Danish Agency for Development and Simplification ([https://ufst.dk/ Udviklings- og Forenklingsstyrelsen], the controller). The controller erroneously shared the data of other data subjects (two persons) in response to an accountant request. The accountant's request was filed on behalf of their client. The accountant then disclosed the data to that client. The controller notified two data subjects about the breach by sending a letter in 2023. In response, the data subjects requested access to the identity of the accountant. The controller refused to provide the data subject with exact identity, calling upon the controller’s confidentiality obligation. Instead, the controller informed that data was shared with a Danish accountant, who disclosed the data to their Danish client. The data subjects filed complaints with the Danish DPA (Datatilsynet). According to the DPA the identity of unauthorised data recipient was, in principle, covered by Article 15(1)(c) GDPR. The DPA rejected the controller’s interpretation of its confidentiality obligation under [https://www.retsinformation.dk/eli/lta/2018/678 Article 17(1) of the Tax Administration Act] (skatteforvaltningsloven). The fact that the accountant was granted access to the data had no relation to professional or business secrecy, as it was “common knowledge” that accountants were able to request and access the documents on behalf of their clients. Nevertheless, the DPA considered that the identity of the accountant's client with whom the data was shared is subject to the controller's confidentiality obligation. The DPA found no interest that had overridden the confidentiality obligation in relation to the client’s identity. Hence, it fell within the scope of professional secrecy under Article 17(1) of the Tax Administration Act. Consequently, for the DPA the data subject was entitled to access the accountant's identity, but not the client one.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Udviklings- og Forenklingsstyrelsen in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Udviklings- og Forenklingsstyrelsen - Denmark (2024). Retrieved from cookiefines.eu
Last updated: