Elgiganten A/S – Complaint Upheld (Denmark, 2022)

Complaint Upheld
Datatilsynet (Norway) | 20 June 2022 | Denmark
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Elgiganten A/S had a TV stolen from their warehouse, which contained a customer's personal data. The Norwegian DPA found that Elgiganten didn't do enough to protect this data, violating GDPR rules. This case highlights the need for businesses to secure personal data on returned products.

What happened

Elgiganten A/S had a customer's TV stolen, which contained personal data, due to insufficient security measures.

Who was affected

The affected individuals were customers whose personal data was stored on returned TVs that were not properly secured.

What the authority found

The Norwegian DPA decided that Elgiganten failed to implement adequate security measures to protect personal data, violating GDPR Article 32(1).

Why this matters

This decision emphasizes the importance of securing personal data on returned products. Businesses should ensure data is deleted or encrypted to prevent unauthorized access, especially in high-risk environments.

GDPR Articles Cited

Art. 32(1) GDPR
Art. 4(12) GDPR
Full Legal Summary

Elgiganten A/S, a consumer electronics retailer (the controller), took back the data subject's used TV. Returned TVs that had not yet been reset were usually placed inside the store in an area that only employees had access to. However, in this case, an employee of the controller placed the data subject's TV in the controller's warehouse due to a lack of space and a hectic situation in the store. The warehouse was subsequently burglarised and the TV was stolen. As the TV had not yet been reset, the burglar(s) gained access to the data subject's personal data from the various streaming services to which the data subject was logged in, as well as the data subject's browsing history.

Before the burglary, the controller had carried out a risk assessment for theft of its products and concluded that the risk was high. Therefore, the warehouse was secured by a lock, a high wall, surveillance cameras and motion sensors. However, the burglar gained access to the area by punching a hole in the high wall.

The DPA held that the controller violated Article 32(1) GDPR. The obligation under Article 32(1) GDPR to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk normally entails preventing unauthorized third parties' access to personal data and thereby a data breach. The DPA observed that in its risk assessment, the controller should have considered and mitigated the risk that its employees would not comply with the internal procedures in place due to lack of space or stressful situations in the store. Similarly, the controller should have taken into account that the personal data stored on the data subject's TV, such as his browsing history, could include special categories of data. The TV could also contain the data subject's financial information, such as a credit card number. Considering these risk factors, the DPA held that the personal data on the TV should have been encrypted or deleted before it was store

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Related Enforcement Actions (0)

No other enforcement actions found for Elgiganten A/S in DK

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

20 June 2022

Authority

Datatilsynet (Norway)

GDPRhub ID

gdprhub-5234

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Elgiganten A/S - Denmark (2022). Retrieved from cookiefines.eu
