Høje-Taastrup Municipality – Violation Found (Denmark, 2022)

The controller is the Høje-Taastrup Municipality. It was among the selected municipalities that the Danish DPA had chosen (ex officio) to assess its compliance with the GDPR. The DPA focused on access rights in the municipalities’ filing systems. To assess these access rights, the DPA requested a list of 12 AD groups (so 12 different groups of users) who had access to a database in the GIS (Geographic Information System) which contained personal data. Moreover, it requested the unicipalities’ guidelines for joining the respective AD groups (so how a user would get a certain permission to access particular files). The DPA found that the municipality violated Article 32(1) GDPR. First, it considered that the municipality does not have guidelines or objective criteria in place to determine whether a user could join a particular AD group (which grants the user particular access to certain files). The DPA then noted that it follows from Article 32(1) GDPR, that user access to systems containing personal data is limited to the personal data that is necessary for the work-related needs of the user in question. Because of the absence of the guidelines or objective criteria, the DPA concluded that the municipality had not taken appropriate technical or organisational measures pursuant to Article 32(1) GDPR. In this regard, the DPA stipulated that the fact that the municipality cannot document which users need access to the database due to work-related needs, is extra problematic if one considers that there were 410 users with access to the database. Hence, the DPA expressed criticism on the municipality, and encouraged the municipality to objectively describe which function or task must be present in order to gain access, and that this access is also verified by a manager.