Lolland Kommune – €6,700 Fine (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Lolland Kommune, a Danish municipality, was fined for not securing work phones properly. An employee's phone was stolen, exposing citizens' personal data such as social security numbers. This case highlights the importance of enforcing security measures to protect sensitive information.
What happened
An employee's work phone was stolen, and it lacked an access code, exposing citizens' personal data.
Who was affected
Citizens whose personal data, including social security numbers and health information, were stored on the stolen phone.
What the authority found
The Danish DPA found that Lolland Kommune failed to implement adequate security measures, violating the GDPR's rules on sufficient security measures.
Why this matters
This case underscores the need for organizations to enforce strong security measures that cannot be bypassed by employees. It serves as a reminder for businesses to regularly review and update their data protection practices.
GDPR Articles Cited
The DPA became aware of the case after a report from Lolland Kommune, a Danish municipality, in December 2020, when an employee had their work phone stolen. The phone was not protected with an access code because the employee had manually disabled it, so it could be used to access the employee's work email account, which contained information on several citizens' names, social security numbers, health information and substance abuse. The municipality informed the DPA that, for several years, employees had been able to manually disable the otherwise mandatory access code. Following the incident, the municipality immediately took remedial action in the form of new precautions and changes to the technical set-up of new employee phones.
The Danish DPA held that the municipality's personal data processing violated the rules on sufficient security measures. The DPA emphasized that a controller must assume that not every employee will follow an internal security policy at all times. Real and effective protection is thus contingent on security measures that cannot be circumvented, such as forced use of access codes. The DPA also noted that stolen mobile devices are, to a higher degree today than in the past, searched for personal data such as credit card information and social security numbers before they are disposed of (for example, resold).
In view of the potential risks to the data subjects, the DPA held that the municipality had acted irresponsibly in the case, and thus proposed a €6,700 fine for exposing citizens' personal data to unnecessary risk through insufficient device security measures. The police will investigate the case before a final decision is made in the courts.
Related Enforcement Actions (0)
No other enforcement actions found for Lolland Kommune in DK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
11 August 2022
Authority
Datatilsynet (Norway)
Fine Amount
€6,700
50,000 DKK
GDPRhub ID
gdprhub-5158
Cite as: Cookie Fines. Lolland Kommune - Denmark (2022). Retrieved from cookiefines.eu