EG Digital Welfare ApS – Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's data protection authority found that EG Digital Welfare ApS had weak security measures on its Mediconnect platform: the company stored passwords in plain text and relied on simple username-and-password logins. It was ordered to improve its security by encrypting (irreversibly hashing) stored passwords and adopting stronger authentication methods.
What happened
EG Digital Welfare ApS was found to have inadequate security measures for storing and accessing personal data on its Mediconnect platform.
Who was affected
Users of the Mediconnect platform, including municipalities, regions, insurance companies, and specialist doctors processing sensitive health information.
What the authority found
The Norwegian DPA determined that the company violated GDPR by not implementing adequate security measures, such as encrypting passwords and using multi-factor authentication.
Why this matters
This decision highlights the importance of strong security practices, like encryption and multi-factor authentication, for protecting sensitive data. It serves as a warning to companies handling personal data to prioritize robust security measures.
GDPR Articles Cited
Mediconnect is an IT system offered by EG Digital Welfare ApS (the processor) and used by municipalities, regions, insurance companies, and specialist doctors to process personal data, including health information. In June 2021, the DPA received complaints about weak security in the use of the Mediconnect platform and decided to examine the matter.

The investigation showed that users could access the system with a username and password. Users had the option of using Active Directory Federation Services (ADFS), which uses claims-based authentication, but not all users opted for it. In addition, the processor stored the passwords in plain text in a database that only employees with a work-related need could access.

The DPA held that where a processor provides an IT system used to process special categories of personal data over a network it does not control, an appropriate security measure requires a greater level of access control than a mere username and password, for example multi-factor authentication, certificates, tokens or a PKI solution. The DPA pointed out that single-factor authentication entails a risk of access misuse and a risk of one set of credentials being shared by several users; in that case any access log is no longer effective, because one cannot be sure who used which access.

Furthermore, the DPA held that appropriate security requires using a recognised algorithm for irreversible encryption (i.e. hashing) of all passwords, so that they are not stored and cannot be recovered in plain text. This requirement applies regardless of the volume or nature of the personal data processed. Because users tend to reuse passwords across different online services, there is a risk that an unauthorised party could combine a leaked password with an email address to access data on other websites. Consequently, the DPA reprimanded the processor for violating Article 32(1) GDPR and ordered it to encrypt all the passwords and improve its au
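The two storage patterns the decision contrasts, as an added illustration that is not code from the page or from EG Digital Welfare ApS: a plaintext store of the kind the DPA criticised, beside a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the Python standard library, a recognised irreversible algorithm) with constant-time verification, plus a small audit helper that flags records still held in plain text. The user table, usernames and passwords below are constructed sample data, and the iteration count is a parameter chosen for this example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; a tunable chosen for this example.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def store_plaintext(password: str) -> str:
    """The weak pattern from the decision: the credential is stored as-is,
    so anyone who reads the table (or a backup of it) recovers every password."""
    return password


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened pattern: a random per-user salt and an iterated one-way hash.
    The result is self-describing: scheme$iterations$salt$digest (base64)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time; anything not in the hashed format is rejected outright."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def find_plaintext_records(user_table: dict) -> list:
    """Audit helper: usernames whose stored credential is not in the hashed
    format. A non-empty result means plain-text passwords are still present."""
    return sorted(user for user, cred in user_table.items() if not cred.startswith(SCHEME + "$"))


# Constructed sample table: one migrated account, one still stored in plain text.
CONSTRUCTED_USER_TABLE = {
    "clinic_admin": hash_password("example-admin-passphrase"),
    "doctor1": store_plaintext("Summer2021!"),
}


def audit_constructed_table() -> list:
    """Runs the audit over the constructed sample table."""
    return find_plaintext_records(CONSTRUCTED_USER_TABLE)


if __name__ == "__main__":
    print("plain-text records:", audit_constructed_table())
    print("login ok:", verify_password("example-admin-passphrase", CONSTRUCTED_USER_TABLE["clinic_admin"]))
```

Two properties matter here and both are visible in the code: the same password hashed twice yields different records because the salt is random, so a leaked table cannot be matched against a precomputed list, and verification never needs the original password back, which is what the DPA means by "irreversible". The audit helper is the kind of check a processor can run against an existing table before and after a migration.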
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for EG Digital Welfare ApS in DK
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. EG Digital Welfare ApS - Denmark (2022). Retrieved from cookiefines.eu