Falkonergården (High School) – Complaint Upheld (Denmark, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Danish high school, Falkonergården, accidentally sent a student's personal information to the wrong person due to a typing error. The Danish data protection authority found that the school had proper security measures in place, so no fine was issued. This case highlights the importance of careful handling of personal data, even when no sensitive information is involved.
What happened
Falkonergården sent a student's absence warning to the wrong recipient due to a typing error.
Who was affected
The student whose absence information was mistakenly shared with another student.
What the authority found
The Danish data protection authority found that Falkonergården had adequate security measures and was not in breach of GDPR Article 32.
Why this matters
This case shows that even non-sensitive data breaches can lead to complaints if they affect individuals. Schools and businesses should ensure employees are trained to handle personal data carefully to avoid similar incidents.
GDPR Articles Cited
National Law Articles
Falkonergården, a Danish high school, sent a written message with respect to the high absence rate of a student (the Complainant) to the wrong recipient. The message included the Complainant's full name, absence rate, as well as a warning that he or she may have been suspended from school in case his or her attendance would not improve. This breach was the result of a human error; the person in charge of sending the warning messages forgot to type in the correct social security number of the Complainant. As a result, the message was sent to another student. On the same day, Falkonergården informed the Complainant about the incident and apologized for their error. They also requested the other student to whom the message had been sent to delete it and keep this information confidential. Falkonergården decided not report the incident as a breach with the Danish DPA, because they considered that the information did not contain any sensitive data in the sense of Article 9 GDPR and that the breach was thus unlikely to have a negative impact on the Complainant's rights or freedoms. The Complainant however started suffering from rumors circulating among students in relation to his or her absence rate. As a result, the Complainant decided to file a complaint with the Danish DPA, arguing that Falkonergården should have implemented better security measures (Article 32 GDPR) and should have reported the personal data breach to the Danish DPA (Article 33 GDPR). Regarding the need to implement organisational and technical measures to ensure an appropriate level of security of the personal data, the Danish DPA found that Falkonergården was not in breach of its obligations under Article 32 GDPR. The Danish DPA noted in particular that the procedure for sending warning messages is conducted by trained employees, who have been instructed to be careful when entering student's information in the school management system, and to always double check such information before sending any
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Falkonergården (High School) in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Falkonergården (High School) - Denmark (2021). Retrieved from cookiefines.eu
Last updated: