Capital Region of Denmark – Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Capital Region of Denmark faced scrutiny for two data breaches involving health data. The breaches happened because of software updates that weren't properly tested, affecting thousands of patients. This highlights the need for thorough testing and timely communication in handling sensitive data.
What happened
Software updates to the Health Platform in Denmark caused data breaches affecting health data of over 4,000 patients.
Who was affected
Patients whose prescription and medicine purchase data were incorrectly displayed due to the software errors.
What the authority found
The Danish data protection authority found that the Capital Region of Denmark failed to ensure adequate security measures and did not properly notify authorities about the breaches.
Why this matters
This case underscores the critical importance of testing software updates in systems handling sensitive data. Organizations must ensure robust security measures and timely breach notifications to protect individuals' rights.
GDPR Articles Cited
The controller is the Capital Region of Denmark (an administrative region). It operates a platform, the “Health Platform”, which is used by the Danish Health and Medicines Authority (the Authority). The platform integrates the Authority's central database, which holds all data on the prescriptions and medicine purchases of all Danish citizens.
On 10 August 2020 and again on 8 July 2021, data breaches occurred because the Health Platform was updated and the update affected the integrated database. The code changes in the first update caused the database to incorrectly display the number of prescriptions patients were to receive, which led to unintended double subscriptions, affecting 2,310 data subjects. Although the controller became aware of the coding error, it did not immediately inform the Authority. The second data breach affected another 1,149 patients. Hence, in total, the two data breaches concerned sensitive personal data (health data) of 4,459 data subjects.
First, the DPA noted that the controller is obliged to take appropriate technical and organisational measures to ensure an appropriate level of security for its processing. During its investigation, the DPA found that, before both updates, the controller did not qualify and perform any tests to identify how the update to the platform would affect the integrated database. In this regard, the DPA emphasised that even minor changes in integrated systems can lead to significant risks for data subjects, and pointed to the sensitive nature of the personal data and the fact that there were two breaches. Lastly, as explained, the controller did not inform the Authority. Considering all of the foregoing, the DPA concluded that the controller violated Article 32(1) GDPR.
Second, the DPA considered that the breach of health data poses a high risk to the rights of the citizens concerned. Moreover, it noted that the controller notified the data subjects affected by the data breach via a health professional noti
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Cite as: Cookie Fines. Capital Region of Denmark - Denmark (2022). Retrieved from cookiefines.eu