FOUR YEARS OF GDPR: The Danish approach to data protection, or absence thereof?
MUNICIPALITY OF LEJRE FINED DKK 50,000
One of only two cases to date in which a Danish court has imposed a fine for a breach of the GDPR concerns a public authority, Lejre Municipality. On 9 March 2022, the District Court in Roskilde fined Lejre Municipality DKK 50,000 for breach of data protection requirements.
The judgment followed the Danish Data Protection Authority's report of Lejre Municipality to the police in June 2020, in which the Authority recommended a fine of DKK 50,000. The case arose from the municipality's own notification of a security breach.
The case concerned the municipality's practice for handling meeting records. The municipality's departments had an established practice of uploading meeting records containing sensitive and confidential personal data to the municipality's employee portal. Some of the personal data concerned citizens under the age of 18.
Because the records were uploaded to the staff portal, a large proportion of the municipality's staff could read the personal data, regardless of whether they worked on the cases concerned. In addition, no record was kept of who accessed the data.
The Data Protection Authority took the view that sensitive and confidential data processed by the municipality should at a minimum be protected by access control, so that as a rule only employees with a work-related need can reach the data. It further noted that logging each access to the data would normally be a necessary and appropriate safeguard when processing this kind of information.
Against this background, the Data Protection Authority found that the municipality did not comply with the requirements of the data protection regulation on adequate security measures.
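The two safeguards the Authority named, need-to-know access control and a log of every access, are easy to state and easy to get wrong. The following is an added example, not code from the article or from Lejre Municipality's systems; the portal classes, the case areas ("child_welfare", "social_benefits"), the employees and the meeting records are all constructed for illustration. `OpenPortal` models the practice that was fined; `NeedToKnowPortal` shows the corrected model, where a confidential record is served only to staff working on its case area and every read attempt, allowed or denied, is appended to an access log that can later answer "who read this record?".

```python
"""Need-to-know access control with an access log for case records.

Added example; all names, roles and records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Document:
    doc_id: str
    case_type: str      # case area the record belongs to (constructed labels)
    confidential: bool  # True for sensitive or confidential personal data
    body: str


@dataclass(frozen=True)
class Employee:
    user_id: str
    case_types: frozenset[str]  # case areas the employee actually works on


@dataclass(frozen=True)
class AccessLogEntry:
    timestamp: str  # ISO 8601, UTC
    user_id: str
    doc_id: str
    decision: str   # "ALLOW" or "DENY"
    reason: str


class OpenPortal:
    """The practice the Authority objected to: every portal user can read
    every record, and nothing is recorded about who read what."""

    def __init__(self, docs: list[Document]) -> None:
        self._docs = {d.doc_id: d for d in docs}

    def read(self, user: Employee, doc_id: str) -> str:
        return self._docs[doc_id].body


class NeedToKnowPortal:
    """Confidential records are readable only by staff with a work-related
    need (their case areas), and every read attempt is logged."""

    def __init__(self, docs: list[Document]) -> None:
        self._docs = {d.doc_id: d for d in docs}
        self.access_log: list[AccessLogEntry] = []

    def read(self, user: Employee, doc_id: str) -> str:
        doc = self._docs.get(doc_id)
        if doc is None:
            # Same error as a denied record, so a caller cannot probe which IDs exist.
            self._log(user, doc_id, "DENY", "unknown document")
            raise PermissionError(f"{user.user_id} may not read {doc_id}")
        if doc.confidential and doc.case_type not in user.case_types:
            self._log(user, doc_id, "DENY", f"no work-related need for {doc.case_type}")
            raise PermissionError(f"{user.user_id} may not read {doc_id}")
        # General (non-confidential) notices stay readable portal-wide, but are still logged.
        self._log(user, doc_id, "ALLOW", "confidential" if doc.confidential else "general")
        return doc.body

    def accesses_to(self, doc_id: str) -> list[AccessLogEntry]:
        """Who accessed this record? This is the question the municipality could not answer."""
        return [e for e in self.access_log if e.doc_id == doc_id]

    def _log(self, user: Employee, doc_id: str, decision: str, reason: str) -> None:
        self.access_log.append(AccessLogEntry(
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user_id=user.user_id, doc_id=doc_id, decision=decision, reason=reason))


# Constructed sample data (not real records or staff).
SAMPLE_DOCS = [
    Document("minutes-2020-04", "child_welfare", True, "Case review, minor, health information"),
    Document("minutes-2020-05", "social_benefits", True, "Benefit decision, financial data"),
    Document("canteen-notice", "general", False, "Canteen closed on Friday"),
]
CASEWORKER = Employee("cw-anne", frozenset({"child_welfare"}))
IT_STAFF = Employee("it-bo", frozenset({"it_support"}))

if __name__ == "__main__":
    portal = NeedToKnowPortal(SAMPLE_DOCS)
    print(portal.read(CASEWORKER, "minutes-2020-04"))
    try:
        portal.read(IT_STAFF, "minutes-2020-04")
    except PermissionError as exc:
        print("denied:", exc)
    for entry in portal.accesses_to("minutes-2020-04"):
        print(entry)
```

Two design points are worth noting. The unknown-document and no-need cases raise the same error and are both logged, so the portal neither leaks which record IDs exist nor leaves failed attempts out of the audit trail. The non-confidential notice remains readable by all staff, which shows that need-to-know restriction is applied per record based on its content, not to the portal as a whole.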
IDDESIGN A/S FINED DKK 100,000
The second of the two cases in which a court has decided on a fine is the case against IDdesign. On 12 February 2021, the District Court in Aarhus found that IDdesign had breached the GDPR by storing personal data records on approximately 350,000 individuals for longer than necessary in an older, partly phased-out customer data system. IDdesign was fined DKK 100,000 for this breach, even though the Data Protection Authority had recommended a fine of DKK 1.5 million. The court found it proved only that the violation had been committed negligently: IDdesign had failed to delete the data through an oversight, having focused too one-sidedly on the company's active IT systems. The court also held that only IDdesign's own revenue, and not that of the group (IDdesign is part of the JYSK group), should be taken into account in calculating the fine, and that the negligent character of the infringement should be weighed in the company's favour. The prosecution has appealed the judgment, and the appeal has not yet been heard by the High Court.
DATA PROTECTION AUTHORITY RECOMMENDS A DKK 10 MILLION FINE FOR DANSKE BANK
Most recently, the Danish Data Protection Authority has reported Danske Bank to the police and recommended a record fine of DKK 10 million for failing to document the deletion of personal data in around 400 systems. This is the largest fine the Authority has recommended so far; the case has not yet been decided by the courts.
At present, there are very few judgments on the level of fines for GDPR violations in Denmark. Although 25 May this year marked four years since the GDPR entered into force, the courts have imposed only two fines: DKK 100,000 on IDdesign A/S and DKK 50,000 on Lejre Municipality. These decisions stand in sharp contrast to the fines currently seen in other EU countries, which run into the millions.
If this trend continues, there is a significant risk that Denmark will come to be seen as a "safe haven" with respect to fines. Foreign companies might choose to locate in Denmark precisely to avoid higher fines if they breach the GDPR. Companies could then calculate that not complying with data protection legislation (or complying only partially) is cheaper than the financial and resource costs of compliance, because the fine for non-compliance is so much lower. That is hardly a desirable scenario for Denmark as a digital pioneer.
Failing to give effect to the principle that fines must be dissuasive will ultimately encourage negligent handling of personal data and may, in the long run, have serious consequences for the protection of individuals' fundamental rights.
It will be interesting to see how the courts decide the case against Danske Bank and the appeal in the case against IDdesign, which is now before the High Court.
Article provided by INPLP member: Claas Thöle (NJORD, Denmark)
Dr. Tobias Höllwarth (Managing Director INPLP)