Finanstilsynet - Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Danish DPA found that the Financial Supervisory Authority failed to properly anonymize whistleblower information, allowing a journalist to identify individuals. This case underscores the need for strong data protection measures, especially for sensitive information. Organizations must ensure their anonymization methods are robust and cannot be easily reversed.
What happened
The Danish Financial Supervisory Authority did not adequately anonymize whistleblower information, leading to a data breach.
Who was affected
Individuals who reported through the whistleblower scheme and whose identities were exposed.
What the authority found
The Danish DPA found that the Financial Supervisory Authority did not implement sufficient security measures to protect whistleblower identities.
Why this matters
This case highlights the critical importance of effective anonymization techniques, especially for sensitive data like whistleblower reports. Organizations must ensure their data protection methods are foolproof to prevent unauthorized access to personal information.
GDPR Articles Cited
The Danish Financial Supervisory Authority (FSA) (the controller) received a request for access to documents from a journalist regarding information collected via its whistleblower scheme. On 31 May 2020, the FSA complied with the request under the Public Access to Information Act (https://www.retsinformation.dk/eli/lta/2020/145) after removing the identifiable personal data relating to the reporting individuals. On 6 June 2020, one of the whistleblowers complained to the FSA that the journalist had contacted them by email. The FSA investigated the matter and learned that, due to a software feature, it was possible to unredact the blacked-out parts and extract the supposedly anonymised information.
After learning about the data breach, the Danish DPA (Datatilsynet) assessed whether the controller had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks of processing. The DPA held that processing information received via a whistleblower scheme poses a higher risk to data subjects' rights. Therefore, the appropriate security measure must ensure that material passed on to others does not contain personal data that could reveal their identities. According to the DPA, especially in such cases, the controller must choose an anonymisation method that does not leave traces of the removed personal data, not even in metadata. As a result, it should not be easy to circumvent the redaction with standardised tools.
The DPA established that the controller's internal policies were not clear and precise enough to ensure that the caseworkers adequately anonymised personal data. The peer training likewise did not ensure appropriate security, as it did not provide clear and accurate instructions. Moreover, the DPA noted that the controller lacked the necessary understanding of which methods it must implement to remove information from the documents, including the metadata, so that the information can no longer be retrieved. Consequently, th
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Finanstilsynet in DK
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Finanstilsynet - Denmark (2022). Retrieved from cookiefines.eu