GDPR decisions – December 2020

Holst, Advokater | View firm profile

Danish municipality reported to the Police and is facing EUR 6,700 fine

The Danish Data Protection Agency (the DPA) has reported the municipality of Guldborgsund to the Police and recommended a fine of EUR 6,700 (DKK 50,000) since the municipality failed to act with necessary alertness in connection with a security breach.

A citizen of the municipality of Guldborgsund filed a complaint with the Danish DPA regarding a serious personal data breach made in 2018. By mistake the municipality had through digital mail sent a decision containing information about the whereabouts of the complainant’s child to the father of the complainant’s child, although the father had been denied custody. The security breach entailed great consequences to the complainant and the complainant’s child. The complainant had not been duly informed about the security breach by the municipality so that the complainant could arrange for necessary precautions, and the municipality had also neglected to notify the breach to the DPA.

When recommending the fine, the DPA took into account the character and the severity of the infringements, and the condition of the GDPR that a fine in each individual case should be effective, proportionate and dissuasive, cf. Art. 83 (9) of the GDPR. The DPA also attached importance to the size of the municipality in respect to population and to the aggregate operation grant.

More information is available (in Danish) here.



EUR 10,000 fine issued for sending a “To All” e-mail instead of using the Bcc function

The Spanish data protection authority (AEPD) has imposed a fine of EUR 10,000 on Spanish law firm Losada Advocats S.L for not having implemented adequate measures for securing personal data. AEPD was of the opinion that it was in violation of Art. 5 (1) lit f and Art. 32 of the GDPR that Losada Advocats failed to use the Bcc function for a number of recipients of an e-mail, but instead sent the e-mail to everyone thereby disclosing all recipients to one another.

AEPD emphasized that the data controller (Losada Advocats) according to Art. 32 of the GDPR must implement technical and organisational measures appropriate to

  • the risk of processing data
  • the purpose of processing data and
  • the risks for data subjects due to i.a. changes to or unauthorised access to data.

AEPD emphasised in more detail that this incident compromised basic personal data such as names, surnames and addresses, and AEPD noted that this constituted an infringement of the principle relating to the secure processing of data, cf. Art. 5 (1) lit f of the GDPR.=

AEPD did, however, reduce the fine to EUR 6,000 in consequence of Losada Advocat’s voluntary payment.

Read the whole decision here (in Spanish).

Twitter fined several thousand euros for failing to notify and document personal data breach

The Irish Data Protection Commission (the DPC) imposed a fine of EUR 450,000 on Twitter International Company for failing to notify the DPC of a data breach within the 72-hour deadline and for lacking adequate documentation about the breach   thereby constituting an infringement of Art. 33 (1) and Art. 33 (5) of the GDPR.

The personal data breach regarded privacy settings for users’ tweets on Twitter, where users have the option of deciding whether their tweets should appear as private or public. Private tweets can only be accessed by followers of the user profile in question, while public tweets can be accessed by everyone. A programming error in Twitter’s Android app entailed that some private tweets became accessible to the public.

The DPC had in fact recommended a lower fine, however, such disagreement occurred among the other European data agencies that it resulted in a so-called Article 65 decision. An Article 65 decision means that the European Data Protection Board in some cases can adopt a binding decision. The result of such decision was that the DPC was ordered to raise the fine.

The entire decision is available here:


Swedish University fined for not protecting sensitive personal data

The Swedish data protection authority (Datainspektionen) completed an audit of Umeå University, concluding that the University had violated the GDPR by processing special categories of personal data without applying appropriate technical and organisational measures to protect the data.

A research group at the University had requested preliminary investigation reports from the police concerning cases of male rape and, upon receiving such reports, proceeded to scanning and storing them digitally. The reports contained information on suspicion of crime, name, personal identity number and contact details, as well as sensitive data about sexual life and health. More than a hundred scanned preliminary investigation reports were stored in an American cloud service, despite the University having informed via its intranet that special categories of data should not be stored in the cloud service in question. Afterwards the research group sent an e-mail to the police requesting further information. In the unencrypted e-mail, one of the scanned reports was attached as a reference even though the police had pointed out the inappropriateness in sending sensitive material in unencrypted e-mail.

These events showed that the University had not taken necessary measures to ensure a level of security appropriate in relation to the risk. Finally, the University had failed to report the incident as a personal data breach.

The events led to Datainspektionen imposing a fine of EUR 54,400 (SEK 550,000) on the University.

The whole decision is available here (in Swedish):

Amazon fined EUR 35 million for placing advertising cookies without consent

From 12 December 2019 to 19 May 2020, the French data protection authority (CNIL) conducted several investigations regarding the website The investigations concluded that when a user visited the website, cookies were automatically placed on his or her computer without any action required on his or her part. A vast majority of the cookies were used for advertising purposes.

Cookies for advertising purposes, which – unlike functional cookies – are not essential to the service, may only be placed after the user has provided his or her consent. CNIL expressed that users being exposed to cookies the instant they access a certain website, was terminology incompatible with prior consent.

The website’s information banner displayed a message stating “By using this website, you accept our use of cookies allowing us to offer and improve our services. Read More.” The banner only contained a general and approximate information regarding the purposes of all the cookies placed and the user could not understand that cookies placed on his or her computer were mainly used to display personalised ads. Finally, the banner did not explain to the user that he or she could refuse these cookies nor how to.

As a consequence, Amazon has been fined EUR 35 million, and in addition the company has been ordered to inform the users who had been subject to the breach within three months after the notification of the decision. Failing such, the company must pay a penalty payment of EUR 100,000 for each day of delay.

The whole decision is available here (in French):



Henrik Christian Strand, Associated Partner


M, +45 3010 2186


Pernille Kristensen, Attorney


M, +45 3010 2224

More from Holst, Advokater