The Danish Health Data Authority – Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Danish Health Data Authority didn't properly test a medication record system, leading to errors in patient data. The Danish DPA found that the authority failed to ensure data security. This case highlights the need for thorough testing of systems handling personal data to prevent errors.
What happened
A technical error in the Shared Medication Record led to incorrect data, and the Danish Health Data Authority failed to test the system adequately.
Who was affected
Patients whose medication data was incorrectly recorded due to the system error.
What the authority found
The Danish DPA found that the Health Data Authority did not take proper security measures to protect patient data, violating GDPR.
Why this matters
This case emphasizes the importance of testing systems for errors, especially when they handle sensitive personal data. It serves as a warning to organizations to ensure robust data security measures are in place.
GDPR Articles Cited
The Danish Health Data Authority (Sundhedsdatastyrelsen) is a controller for the Shared Medication Record (Fælles Medicinkort (FMK)), a national register that shares citizens' medication information across the healthcare system. The FMK is integrated with the healthcare professionals' local systems so they can see which medicine is registered for patients. Doctors can also add, change and remove drug prescriptions in the FMK via their local systems.
A technical error occurred on one of the local systems, which led to unintended changes in the FMK. The error meant that the removal of the dosage end date for 267 patients on the FMK did not make it through to the local system. The Health Data Authority became aware of the breach on 9 August 2021 but only reported it to the Danish Data Protection Authority (Datatilsynet) on 13 August 2021.
The DPA held that under Article 32(1) GDPR, the controller has a duty to identify the data processing risks to the data subjects and implement appropriate security measures to protect them against those risks. Adequate security will typically imply that all probable error scenarios should be tested in connection with developing and modifying software where personal data is processed. In cases where third parties can make changes, the controller is also responsible for testing changes made by others.
The DPA held that there must be clearly agreed control mechanisms in place between all actors in a service-based architecture, so that the controllers can ensure that misunderstandings in data formats or service structure do not result in loss or corruption of the integrity of the data. Consequently, the DPA held that by not testing the Shared Medication Record for integrity errors, the Danish Health Data Authority did not take appropriate technical and organizational measures to ensure security appropriate to the risks involved in the personal data processing.
Additionally, the DPA held that the controller violated Articl
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. The Danish Health Data Authority - Denmark (2022). Retrieved from cookiefines.eu