Danish Agency for Digitisation – Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Danish Agency for Digitisation mistakenly gave 26 curators access to the wrong companies' digital mailboxes. The Danish DPA found that the agency lacked proper checks to prevent such errors, which led to unauthorized access to confidential information. This case highlights the need for robust data handling procedures.
What happened
The Danish Agency for Digitisation gave access to the wrong companies' digital mailboxes due to an incorrect list.
Who was affected
26 curators who received unauthorized access to digital mailboxes of companies.
What the authority found
The Danish DPA found that the agency failed to implement adequate checks to prevent unauthorized access to personal data.
Why this matters
This incident underscores the importance of having strong data handling procedures to prevent unauthorized access. Businesses should ensure they have checks in place to avoid human errors that could lead to data breaches.
GDPR Articles Cited
The controller is the Danish Agency for Digitisation. As the responsible authority, it grants curators reading access to companies’ (digital) mailboxes in cases of bankruptcy, cessation, etc. The controller receives this access from the company e-Boks, a digital platform that, inter alia, manages access to mailboxes. The procedure is as follows: the controller compiles a list of which person/legal entity requests reading access to which mailbox, and provides this list to e-Boks, so that the latter can grant technical access to the mailbox. On 29 March 2021, a law firm contacted the controller because, as trustee, they had received access to a companies’ mailbox. However, the law firm had received access to the mailbox of the wrong company. Hence, the controller had e-Boks, which is the digital platform that provides the controller with access to mailboxes, close access to the mailboxes. On 31 March 2021, the controller notified a personal data breach to the Danish DPA. From the controller’s investigation, it became clear that 26 curators had gotten access to the wrong companies’ digital mailbox. Moreover, the controller found that the data breach was caused because the controller had sent an incorrect list to e-Boks, and claimed that a technical error was the reason for this mistake. However, the controller also claimed there was no procedure in place to check the list for mistakes since, until then, mistakes had never occurred. First, the DPA considered that the controller provides curators/trustees access to a large number of confidential information, and thus, higher requirements are placed on the controller’s diligence to ensure that there is no unauthorised access to the personal data. Moreover, the DPA considered that the controller had a procedure in place where a single human error could lead to major personal data breaches, and that the controller found this procedure sufficient since no errors had previously occurred. The DPA concluded that the control
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Danish Agency for Digitisation in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Danish Agency for Digitisation - Denmark (2022). Retrieved from cookiefines.eu
Last updated: