The Danish Customs and Tax Administration – Violation Found (Denmark, 2021)

On 12 July 2021, the Danish Customs and Tax Administration (CTA) reported a personal data breach to the Danish DPA (Datatilsynet). The CTA had sent a letter containing the personal data (of someone else) in the form of identification data, financial information and social security number, to the wrong recipient. The CTA knew already on 8 July that a breach had possibly occured, because the incorrect recipient made them aware. After the CTA's internal investigation, they concluded on 9 July that a personal data breach had indeed happened. From the report to the DPA, the CTA stated that the affected data subject was informed on 10 July. Because of the information they had provided, the DPA closed the matter on 23 July. However, on 20 August the DPA received a follow-up from the CTA, stating that they had not, in fact, informed the affected data subject on 10 July, as the initially reported, but on 18 August. The CTA explained that their late follow-up was due to the vacation period. Because of the new information, the DPA decided to reopen the case. The DPA held that the Customs and Tax Administration had not processed personal data in line with Article 34(1) GDPR. They expressed serious criticism of the way the CTA had dealt with the personal data breach, in particular i) that the CTA first, incorrectly, reported to the DPA that they had notified the affected data subject shortly after, and ii) that they blamed their late response on "extraordinary circumstances" due to vacation period, which the DPA does not agree is a valid excuse.