Defendant – Court Ruling (Denmark, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Danish court found that Defendant failed to ensure that a client could access their data backups after a ransomware attack. This matters because it highlights the importance of companies taking responsibility for data security and backup procedures. Businesses need to ensure they have proper access to their data in case of emergencies.
What happened
Defendant did not provide a necessary access key for data backups, leading to data loss during a ransomware attack.
Who was affected
The client company that suffered a ransomware attack and lost access to their personal data.
What the authority found
The court ruled that Defendant was negligent in their obligations to ensure data access and availability, violating GDPR's security requirements.
Why this matters
This ruling emphasizes that companies must take data security seriously and ensure clients have the means to access their backups. It serves as a reminder for all businesses to review their data protection practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Data Controller (B) had entered into contract with defendant company to ensure back-up of personal data in case of physical or technical incidents, and to establish regular testing, assessment and evaluation of the efficiency of the technical and organisational measures. Witness 2 explains, and this is uncontested, that the Data Controller was subject to a ransomware attack on 12ᵗʰ August 2020. The Data Controller’s systems were locked and they were unable to restore using back-ups. t is found in the terms of service that the defendant has assumed obligations to ensure access and availability of processed data for the Data Controller. Witness 1 has explained that they, as Executive Officer in the Data Controlling company, were unaware that they ought be in possession of an access key to the back-up. The witness for Data Controller explains that the defendant company had not established a procedure for testing, assessment and evaluation of the feasibility of using the back-up to restore access to the processed data. Irrespective of * it according to the Witness 1’s statement is found apparent, that the customer themselves create the access-key upon installation * the customer in this process is informed that they themselves are responsible for storing the access-key; which the defendant company is not in possession of * it being stated in the terms of service appendix that the customer them selves are responsible for setting up the system and software and access-key used, and it is apparent that there can be no other outcome The defendant did not take steps to ensure that the Data Controller was in possession of the access key and thus had the ability to restore access and availability of the personal data in the back-up. The defendant is found guilty of being negligent in their obligations stated in the Article 32(1) & Article 83(2), (4)(a), (9). The sanction is set as a monetary penalty of €5 ,360 (DKK 40,000). In setting the sanction the court has takien into
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Defendant in DK
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Defendant - Denmark (2024). Retrieved from cookiefines.eu
Last updated: