Silkeborg Municipality – Complaint Upheld (Denmark, 2021)

Due to a human error, a Danish municipality had sent a list of information regarding 12 916 children in public school to a consulting agency without properly encrypting the content. The information included the children's national identity numbers, school names and school codes. When the error was discovered, the municipality notified the Danish DPA of the incident. The municipality reported that the content of the email had possibly been encrypted on the transportation layer using TLS 1.1, however end-to-end encryption had not been implemented. The Danish DPA did not have enough evidence to conclude that TLS 1.1 had been used on the transportation layer when this specific email was sent. Moreover, the DPA held that encryption on the transportation layer is insufficient if the email contains personal data of a sensitive nature or personal data that deserve a high level of protection. In such instances, end-to-end encryption is a more adequate security measure. Furthermore, the DPA highlighted the fact that TLS 1.1 suffers from well known security issues, and that the protocol is therefore not suitable for encryption on the transportation layer. The DPA therefore concluded that the controller had not fulfilled its obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk under Article 32(1) GDPR.