Gladsaxe Kommune - Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Danish DPA found that Gladsaxe Municipality failed to properly manage access rights for former employees. This oversight meant that a former employee could still access sensitive data, which is a security risk. This case highlights the importance of regularly reviewing and updating access permissions to protect personal data.
What happened
Gladsaxe Municipality did not revoke access rights for a former employee, allowing continued access to sensitive data.
Who was affected
Children and young people whose personal data was stored in the municipality's electronic case and document management system.
What the authority found
The DPA determined that Gladsaxe Municipality did not implement adequate security measures to protect personal data, violating Article 32(1) GDPR.
Why this matters
This case emphasizes the need for organizations to have strict procedures for disabling access rights when employees leave. Regular audits of access permissions are crucial to maintaining data security and compliance with GDPR.
GDPR Articles Cited
In summer 2021, the Danish DPA conducted inspections in selected municipalities. The DPA focused on how the municipalities administered access rights to personal data of children and young people, especially in the school area. For Gladsaxe Municipality, it inspected whether the controller withdrew terminated employees' access rights to its electronic case and document management system (SBSYS).
The inspection showed that the controller had a comprehensive information security handbook regulating access rights management. However, in one instance, the DPA found that the controller did not follow the procedure of reviewing whether terminated employees still had an active user account. As a result, the DPA also assumed that the user [X] had access to SBSYS even after the employee's resignation.
First, the DPA held that the controller must always identify data processing risks and implement appropriate security measures to protect the data subjects against those risks. Such security measures must typically ensure that access rights to systems are properly allocated so that only users with a work-related need are authorised to access the information. Second, the DPA considered that in addition to a procedure for disabling access rights upon termination of employment, there must be a control procedure that effectively follows up on whether the access was truly disabled.
Consequently, the DPA held that Gladsaxe Municipality did not take appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved in the municipality's processing of personal data under Article 32(1) GDPR. That was because a) it did not deprive the user [X] of access rights to SBSYS after the employee's resignation, and b) it did not carry out the necessary follow-up or revision of terminated employees' rights.
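The follow-up control the DPA describes, checking that access was actually disabled rather than trusting the offboarding procedure, can be run as a periodic reconciliation of HR leaver records against an account export. The following Python is an added example, not part of the decision or the municipality's own procedure; the CSV column names and sample rows are constructed assumptions, not an SBSYS export format.

```python
import csv
import io
from datetime import date

# Constructed sample data; the column names are assumptions, not an SBSYS export format.
HR_CSV = """employee_id,termination_date
1001,2021-03-31
1002,
1003,2021-06-15
1004,2021-09-30
"""
ACCOUNTS_CSV = """username,employee_id,enabled,last_login
usera,1001,true,2021-05-02
userb,1002,true,2021-08-01
userc,1003,false,2021-06-10
userd,1004,true,2021-08-20
svc-old,,true,2021-01-05
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _day(value):
    return date.fromisoformat(value) if value else None

def reconcile(hr_csv, accounts_csv, as_of):
    """Return (username, finding, days_overdue, used_after_termination) tuples."""
    hr = {r["employee_id"]: _day(r["termination_date"]) for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts need no follow-up
        emp = acct["employee_id"]
        if emp not in hr:
            # Enabled account nobody in HR owns: cannot be tied to a work-related need.
            findings.append((acct["username"], "no_hr_record", None, False))
            continue
        end = hr[emp]
        if end is None or end >= as_of:
            continue  # still employed on the review date
        last = _day(acct["last_login"])
        findings.append((acct["username"], "enabled_after_termination",
                         (as_of - end).days, bool(last and last > end)))
    return findings

if __name__ == "__main__":
    for f in reconcile(HR_CSV, ACCOUNTS_CSV, date(2021, 8, 31)):
        print(f)
```

The `used_after_termination` flag separates an account that was merely left enabled from one that was logged into after the employee left, which changes how the finding is handled.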
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Cite as: Cookie Fines. Gladsaxe Kommune - Denmark (2022). Retrieved from cookiefines.eu