Digitaliseringsstyrelsen (Danish Agency for Digitalisation) – Violation Found (Denmark, 2025)
The Danish Agency for Digitalisation faced scrutiny for multiple data breaches in its new digital post system. Technical errors allowed users to access others' mailboxes and caused enrollment mistakes for thousands. This incident serves as a reminder for companies to thoroughly test systems before launching them.
What happened
The Danish Agency for Digitalisation reported several data breaches caused by technical errors in its digital post system.
Who was affected
Citizens of Denmark, including about 15,000 users who were mistakenly given access to others' mailboxes.
What the authority found
The Norwegian Data Protection Authority found that the agency's breaches were due to technical errors, but no penalties were imposed.
Why this matters
This case highlights the need for careful implementation and testing of digital systems to prevent data breaches. Companies should prioritize security during system updates and migrations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2022 Denmark replaced it digital post system with a new system, the Next Generation Digital Post (Næste generations Digital Post). The system was operated by the Danish Agency for Digitalization (Digitaliseringsstyrelsen- the controller). The controller notified four data breaches to the DPA between 2022 and 2023. Additionally, the controller admitted a fifth breach in a statement explaining a system update. In 2023 the DPA started an ex officio investigation. It found that all the breaches were caused by technical errors in the system’s implementation: * In March 2022 about 15,000 users were accidentally granted reading right to other people’s mailboxes. The breach was due to a misunderstanding between the providers of the new and old systems during the migration of the database. * In February 2023 a coding error caused the incorrect revocation of reading rights for a small number of users; * Another migration error caused users to lose reading rights. The error affected about 7,000 users with reading rights for a large number of mailboxes; * In November 2022 yet another migration error caused 42,000 citizens to be enrolled by mistakes. This sometimes prevented them from responding to official communication carried out via the digital post system. * Finally, a bug in a 2023 system update resulted in the removal of more than 116,000 natural persons and 1,700 companies from the system and in the accidental enrolment of about 30,000 Greenland residents. The DPA reprimanded the controller for the unsecure processing of personal data, in violation of Article 32(1) GDPR. The DPA emphasized that an official digital post system should be held to high security standards. Such systems process a large amount of data, including sensitive data and the content of communications between authorities. Furthermore, the system carries official communications and the delivery of the communication sometimes has legal value (e.g. when a defendant is notified of a legal proceeding).
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Digitaliseringsstyrelsen (Danish Agency for Digitalisation) in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Digitaliseringsstyrelsen (Danish Agency for Digitalisation) - Denmark (2025). Retrieved from cookiefines.eu
Last updated: