Coop Danmark A/S – Violation Found (Denmark, 2021)

When testing a new scanning tool, Coop Danmark A/S had become aware that it was storing personal information on the company's shared drive without sufficient access control. The information concerned 477 employees and external consultants. It included, among other things, health information, financial information, and social security numbers. Some information was placed in the folders by the data subjects themselves, and the controller saved other information as part of the employment processes. The personal data related to the time period from 2013 until 2017, when there was not the same policy for user management as the company has today. On 12 June 2021, the controller reported the data breach to the supervisory authority. After three months, it initiated the notification of affected data subjects. At the same time, it also started moving the information to a more secure solution with better user management and logging. The DPA held that in systems with a large amount of sensitive information about many users, controllers must have more stringent measures in place to ensure that only authorized people have access to it. The DPA emphasized that a controller the size of Coop Danmark A/S should have previously been aware that employees may have erroneously placed personal information on the company's joint drive. Therefore, it should have checked and cleaned up that data and introduced relevant security measures earlier.