Defendant – Court Ruling (Denmark, 2024)

Data Controller (B) had entered into contract with defendant company to ensure back-up of personal data in case of physical or technical incidents, and to establish regular testing, assessment and evaluation of the efficiency of the technical and organisational measures. Witness 2 explains, and this is uncontested, that the Data Controller was subject to a ransomware attack on 12ᵗʰ August 2020. The Data Controller’s systems were locked and they were unable to restore using back-ups. t is found in the terms of service that the defendant has assumed obligations to ensure access and availability of processed data for the Data Controller. Witness 1 has explained that they, as Executive Officer in the Data Controlling company, were unaware that they ought be in possession of an access key to the back-up. The witness for Data Controller explains that the defendant company had not established a procedure for testing, assessment and evaluation of the feasibility of using the back-up to restore access to the processed data. Irrespective of * it according to the Witness 1’s statement is found apparent, that the customer themselves create the access-key upon installation * the customer in this process is informed that they themselves are responsible for storing the access-key; which the defendant company is not in possession of * it being stated in the terms of service appendix that the customer them selves are responsible for setting up the system and software and access-key used, and it is apparent that there can be no other outcome The defendant did not take steps to ensure that the Data Controller was in possession of the access key and thus had the ability to restore access and availability of the personal data in the back-up. The defendant is found guilty of being negligent in their obligations stated in the Article 32(1) & Article 83(2), (4)(a), (9). The sanction is set as a monetary penalty of €5 ,360 (DKK 40,000). In setting the sanction the court has takien into