Kombit A/S – Violation Found (Denmark, 2020)

Violation Found
Datatilsynet (Norway) | 22 September 2020 | Denmark
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Kombit A/S, managing a municipal information system in Denmark, failed to restrict access to sensitive data, allowing unauthorized access for four months. This incident exposed the social security numbers and employment details of 4.2 million Danish citizens. The Danish Data Protection Agency found Kombit A/S violated GDPR by not implementing proper security measures.

What happened

Kombit A/S allowed unauthorized access to sensitive data of 4.2 million citizens by failing to limit access in a municipal information system.

Who was affected

Danish citizens whose social security numbers and employment details were accessed by unauthorized parties.

What the authority found

The Danish Data Protection Agency ruled that Kombit A/S failed to implement necessary security measures, violating GDPR requirements for data processors.

Why this matters

This case highlights the importance of ensuring strict access controls in data management systems. Companies managing sensitive data must regularly test and verify their systems to prevent unauthorized access.

GDPR Articles Cited

Art. 32 GDPR
Art. 28(1) GDPR

Full Legal Summary

Between December 2018 and February 2019, the Danish Data Protection Agency received a number of notifications from the country's municipalities regarding the Joint Municipal Management Information System (FLIS). The purpose of the system was to provide management information to the municipalities. However, the company managing the FLIS system (Kombit A/S), which in this instance was acting as processor, mistakenly failed to limit access to the data of the individual municipalities. As a result, for four months, individual municipalities and suppliers of business intelligence could illegally access the social security numbers and employment details of 4.2 million Danish citizens.

The question was whether the processor of the data (Kombit A/S) had acted wrongfully by allowing this technical error to go on for four months. Kombit A/S argued that no data was made publicly available on the Internet.

However, it follows from Article 28(1) GDPR and Article 28(3)(f) GDPR that the data processor (in this instance Kombit A/S) is required to assist the data controller (the Danish municipalities) in ensuring compliance with the obligations under Articles 32 to 36, taking into account the nature of the processing and the information available to the data processor. The DPA also held that it followed from Article 32(1) GDPR that the data controller and the data processor must implement appropriate technical and organizational measures to ensure the continued confidentiality of processing systems and services. In context, the DPA held that this meant that both the controller and the processor had to ensure that the system which had been implemented (FLIS) had been tested for inconveniences. As a result of an error in the setup of a particular data filter in FLIS, there had been an unlawful disclosure of information relating to the social security numbers and employment of 4.2 million Danish citizens.

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for Kombit A/S in DK

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

22 September 2020

Authority

Datatilsynet (Norway)

GDPRhub ID

gdprhub-2770

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Kombit A/S - Denmark (2020). Retrieved from cookiefines.eu
