Danish DPA commits personal data breach and misses the 72-hour notification deadline
Early in August, the Danish Data Protection Agency established that since the month of February, some of the DPA’s paper waste intended for shredding had been disposed of as ordinary paper waste.
The physical documents could very likely have contained confidential and sensitive data about citizens, employees, etc. Such documents are normally stored electronically in the DPA’s systems but may, in connection with the authority’s review of a case, be printed out by the authority’s employees, for example when discussing a case in-house or when proof-reading a draft letter or memo. The documents were subsequently thrown into a container in the belief that this paper waste would be shredded. However, an employee of the DPA found out that the contents of the container were disposed of as ordinary paper waste. This means that the paper waste had been stored in a container in a locked waste storage room to which service workers in the building had access, as did the haulage company collecting the paper for recycling.
The personal data breach was reported through the same solution used by other data controllers when they become aware of personal data breaches. The breach was reported about 24 hours too late with respect to the 72-hour data breach notification requirement.
More details are available here (in Danish):
Danish property management company reported to the police and should expect a fine of about EUR 20,100 for disclosing confidential data on tenants
In 2018, Danish property management company PrivatBo assisted a housing fund in connection with a potential sale of three properties. In that regard, PrivatBo provided documentation for the properties in question, which was distributed by means of 424 USB keys to the tenants of said properties.
However, PrivatBo was not aware that some of the disclosed lease agreements had documents attached containing personal data of a confidential nature, which should not have been disclosed to, for example, neighbours.
As such disclosure of confidential data could cause considerable discomfort to the tenants concerned, including reputational damage, the Danish DPA reported PrivatBo to the police and recommended a fine of about EUR 20,100 (DKK 150,000).
The whole decision can be read here (in Danish):
Fine issued in consequence of marketing activities without consent and failure to comply with data subjects’ rights
In Finland, the Deputy Data Protection Ombudsman (the Finnish DPA) has imposed a fine on a company for distributing promotional material about various courses without the prior consent of the recipients, and for failing to comply with the data subjects’ rights.
The case was raised as a result of eleven complaints received by the Finnish DPA in the spring and summer of 2019 about the company’s direct electronic marketing.
Under Section 200 of the Finnish Act on Electronic Communications Services (917/2014), direct marketing may only be directed at individuals who have provided their consent. According to the EU GDPR, consent must be freely given, specific, informed and unambiguous. The complainants had not given any consent, which is why the electronic marketing was unlawful.
Some of the data subjects had objected to the company, but despite this, they continued to receive marketing material from the company. Hence, the company had not complied with the data subjects’ right under the GDPR to object to direct marketing.
The company had neither responded to nor complied with requests concerning data subjects’ rights, and could therefore not demonstrate that it had processed the personal data lawfully, as there was no lawful basis for the processing. On this basis, the Finnish DPA imposed a fine of EUR 7,000 on the company.
The entire decision is available here (in Finnish):
Henrik Christian Strand, Associated Partner
M, +45 3010 2186
Pernille Kristensen, Attorney
M, +45 3010 2224