Digitaliseringsstyrelsen (Danish Agency for Digitalisation) – Violation Found (Denmark, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Datatilsynet in Norway found that the Danish Agency for Digitalization had multiple data breaches due to technical errors in its new digital post system. This matters because it shows that even government agencies must ensure their systems are secure to protect citizens' information.
What happened
The agency experienced several data breaches that exposed personal information of users due to technical mistakes during system updates.
Who was affected
Citizens who were affected by the breaches, including those who lost access to their mailboxes or had their information mishandled.
What the authority found
The authority reprimanded the agency for failing to maintain adequate security measures during the implementation of the new system.
Why this matters
This finding serves as a warning to government agencies about the importance of secure system updates. Organizations must ensure robust security protocols to protect personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2022 Denmark replaced it digital post system with a new system, the Next Generation Digital Post (Næste generations Digital Post). The system was operated by the Danish Agency for Digitalization (Digitaliseringsstyrelsen- the controller). The controller notified four data breaches to the DPA between 2022 and 2023. Additionally, the controller admitted a fifth breach in a statement explaining a system update. In 2023 the DPA started an ex officio investigation. It found that all the breaches were caused by technical errors in the system’s implementation: * In March 2022 about 15,000 users were accidentally granted reading right to other people’s mailboxes. The breach was due to a misunderstanding between the providers of the new and old systems during the migration of the database. * In February 2023 a coding error caused the incorrect revocation of reading rights for a small number of users; * Another migration error caused users to lose reading rights. The error affected about 7,000 users with reading rights for a large number of mailboxes; * In November 2022 yet another migration error caused 42,000 citizens to be enrolled by mistakes. This sometimes prevented them from responding to official communication carried out via the digital post system. * Finally, a bug in a 2023 system update resulted in the removal of more than 116,000 natural persons and 1,700 companies from the system and in the accidental enrolment of about 30,000 Greenland residents. The DPA reprimanded the controller for the unsecure processing of personal data, in violation of Article 32(1) GDPR. The DPA emphasized that an official digital post system should be held to high security standards. Such systems process a large amount of data, including sensitive data and the content of communications between authorities. Furthermore, the system carries official communications and the delivery of the communication sometimes has legal value (e.g. when a defendant is notified of a legal proceeding).
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Digitaliseringsstyrelsen (Danish Agency for Digitalisation) in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Digitaliseringsstyrelsen (Danish Agency for Digitalisation) - Denmark (2025). Retrieved from cookiefines.eu
Last updated: