3F Østfyn – Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
3F Østfyn accidentally sent a member's magazine to an old address, revealing their new name to a former partner. This happened because they didn't update the address in their system due to a human error. The Danish DPA found that 3F Østfyn failed to implement proper security measures to protect sensitive member information.
What happened
3F Østfyn sent a member's magazine to an old address, revealing their new name to a former partner due to a system error.
Who was affected
A member of the Danish Trade Union and Unemployment Fund who had changed their name and address for safety reasons.
What the authority found
The Danish DPA ruled that 3F Østfyn violated GDPR by not having adequate security measures to ensure data accuracy and protection.
Why this matters
This case highlights the importance of having robust systems to protect sensitive personal information, especially when individuals have address protection. Organizations should ensure their systems are capable of handling such updates accurately to prevent data breaches.
GDPR Articles Cited
The data subject was a member of the Danish Trade Union and Unemployment Fund (3F Østfyn). The data subject had changed their name and address due to a violent partner and had been granted address protection by the Danish authorities. 3F Østfyn updates the members' names and addresses on the basis of address information from the Central Person Register. In cases where a member is granted address protection in the Central Person Register, 3F Østfyn no longer receives information about, among other things, the member's address, and the address field is unlocked in its system, so that the member's information can be changed manually. In this case, the data subject informed 3F Østfyn about the changes regarding their name and address. However, only the name was changed in the system due to a human error. Consequently, when 3F Østfyn sent a magazine to the data subject, their new name was on the package but it was sent to the old address where the former partner still lived. The former partner was therefore informed about the data subject’s new name. The Danish DPA held that 3F Østfyn violated Article 32 GDPR due to its lack of implementation of technical and organisational measures to ensure a level of security appropriate to the risk. No procedures or system support had been set up to ensure that the information in the system was updated. For instance, a warning system could have been set up to prevent the information being sent if not checked for accuracy and other factors, such as whether name and address protection was granted to the member. Such a warning should be present in an IT system and not only described in a procedure. The DPA also emphasized that the controller should identify the risks that the specific processing poses to the data subjects. It is not sufficient to simply focus on generic risk scenarios and put in place safeguards to protect data subjects from those risks. The Danish DPA also held that 3F Østfyn violated the data accuracy principle
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for 3F Østfyn in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. 3F Østfyn - Denmark (2022). Retrieved from cookiefines.eu
Last updated: