The Agency of Family Law – Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Agency of Family Law in Denmark accidentally shared sensitive information with unauthorized parties due to human error. This breach involved personal data like names and addresses, which were meant to be protected. The case emphasizes the need for public authorities to implement strict data security measures to prevent such mistakes.
What happened
The Agency of Family Law mistakenly disclosed protected personal information to unauthorized individuals.
Who was affected
Individuals involved in family law cases who had their protected contact details accidentally shared.
What the authority found
Datatilsynet found that the Agency failed to ensure adequate data security, as required by GDPR, leading to unauthorized disclosures.
Why this matters
This incident highlights the critical importance of data security and the need for rigorous checks to prevent human errors in handling sensitive information. Public authorities must enhance their data protection practices to avoid similar breaches.
GDPR Articles Cited
The Agency of Family Law (the controller) is a public authority that handles cases relating to family issues, including i.a. separation and divorce, guardianship, adoption, child/spousal support, etc. On 13 October 2021, following its March decision [https://gdprhub.eu/index.php?title=Datatilsynet_-_2020-432-0037 2020-432-0037], the Danish DPA opened another investigation into the controller's disclosures of protected name and address information to unauthorised parties. The inspection covered 37 personal data security breaches from 27 May 2021 to 16 August 2022, where the controller accidentally shared protected information about one party to a proceeding with another party. In those cases, parties protected their contact details precisely to avoid the other party getting to know their whereabouts, e.g. due to concerns about child abduction, violence, etc. The disclosures happened mainly because of a human error when responding to information access requests, information letters, party hearings and sending decisions. Case handlers would not pay enough attention to the information and thereby did not anonymise it. The controller emphasised that it processes thousands of cases each year. Despite the strong focus on avoiding accidental disclosure of personal data and continuous work to improve data security, human errors can occur when employees perform their job. These errors can, unfortunately, lead to breaches of personal data security. The DPA held that the requirement of Article 32 GDPR for adequate security typically obliges the controller to ensure that information about data subjects, including particularly confidential and sensitive information, is not disclosed to unauthorised persons. To avoid this, the controller must conduct appropriate content quality control in forwarded documents. Furthermore, handling confidential and sensitive personal data places greater demands on employees' diligence in connection with the transmission of personal data, includin
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for The Agency of Family Law in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. The Agency of Family Law - Denmark (2022). Retrieved from cookiefines.eu
Last updated: