Syddansk Universitet – Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The University of Southern Denmark accidentally gave all its employees access to sensitive data for 14 days due to a system update error. The Danish DPA reprimanded the university for not testing the update properly. This incident underscores the need for thorough testing of software updates.
What happened
A system update error at the University of Southern Denmark gave all employees access to sensitive data.
Who was affected
Applicants whose personal data, including social security numbers and health information, were exposed to unauthorized university employees.
What the authority found
The Danish DPA held that the university did not implement adequate security measures, like proper testing of software updates, to protect personal data.
Why this matters
This reprimand serves as a warning to organizations about the importance of thoroughly testing software updates. It highlights the need for robust security practices to prevent unauthorized data access.
GDPR Articles Cited
In August 2021, the University of Southern Denmark (Syddansk Universitet) reported a personal data breach to the Danish DPA. The university uses an HR system in which employees are assigned to roles so that they can access applications. An update of the system completely reset the role management, so that all 7011 employees of the university had access to more than 400 applications for a period of 14 days. These applications contained personal data of the applicants, such as name, social security number and health data. Normally only about 400 employees have access to this kind of information.

The university had not adequately tested the software update before it was implemented. It claimed that it had no knowledge that the update would change the role management. The university also did not keep access logs, so it was unable to determine whether unauthorised employees accessed the data during that period.

The Danish DPA held that the controller did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk under Article 32 GDPR. The DPA was of the opinion that controllers must perform adequate testing in order to be able to identify and assess conditions that may, for example, lead to changes to or a reset of previously selected settings. The controller's liability cannot lapse simply because the software provider had not adequately disclosed the extent of the update. The Danish DPA therefore issued a serious reprimand.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Cite as: Cookie Fines. Syddansk Universitet - Denmark (2022). Retrieved from cookiefines.eu