GDPR decisions – February 2021

Holst, Advokater | View firm profile

Phone conversations recorded by on-call GPs

A Danish citizen had filed a complaint about her phone conversation with an on-call GP in the Region of Southern Denmark being recorded and the fact that the on-call GP subsequently denied to erase the recordings. The Danish Data Protection Agency found that it was alright for the on-call GP to record phone conversations, but on the other hand found that the GP generally saved the recordings for too long. During the case it was revealed that the on-call GP in question had recorded and saved approx 7.5 million conversations since January 2013.

The GP was of the opinion that recordings of phone conversations with citizens were to be considered a part of a patient’s medical record and should therefore be saved in accordance with the rules applicable for saving information contained in medical records, i.e. basically 10 years after the last contact to the patient.

The DPA found that recordings of phone conversations with the GP could not be regarded part of a patient’s medical record. Hence, the issue on how long the GP could save the recordings was then to be settled pursuant to the general rules on data protection.

The DPA found that a period of up to 5 years saving time would be in accordance with the GDPR. The DPA took into account that the purpose of the recordings was to ensure documentation to be used in the event of any complaints about healthcare treatment, and the fact that it is possible within the Danish healthcare system and according to the Danish Act on the Right to Complain and Receive Compensation for patients to submit complaints up to five years after the day where incident took place.

On those grounds the DPA criticized the GP for having saved recordings of phone conversations which were more than 5 years old and ordered the GP to erase all recordings of phone conversations that were more than 5 years old.

Read the whole decision here (in Danish):

Cyberbook A/S fined for automatic forwarding of emails

The Norwegian DPA has issued a fine of approx. EUR 19,500 (NOK 200,000) to Cyberbook AS for illegal automatic forwarding of a former employee’s emails.

The background for this case was a complaint filed by the former employee of Cyberbook, who discovered that the company had activated automatic forwarding of the former employee’s personal email address at the company. This forwarding remained active for several months without the former employee being informed of it.

The DPA concluded that the company had i.a. violated the requirements for privacy protection and for providing information to the data subject as well as the provisions concerning erasure of personal data.

In addition to the fine of EUR 19,500, the DPA decided that the company must implement written routines for access to employees’ emails.

Read the whole decision here (in Norwegian).

Hospital in the Netherlands fined for insufficient security on medical records

The Dutch data protection authority (AP) has imposed a fine of EUR 440,000 on the OLVG Hospital in Amsterdam because the hospital between 2018 and 2020 had failed to implement sufficient measures for preventing unauthorised employees’ access to medical records.

Upon the combination of a tip from a worried citizen, signals from medias, and two reports on data breaches from the hospital on students employed at the hospital and other employees having access to medical files without such being necessary for their work, AP began its investigation in the matter. Apart from medical data, the files contained information on personal ID numbers, addresses and phone numbers.

Following the investigation, AP concluded that the hospital’s way of structuring the access to medical files was incorrect.

AP stated that the hospital must keep track of and control on a regular basis who uses which file. For instance, the hospital can at an early stage state if/when someone uses a file which is not permitted and then decide on the necessary measures. OLVG automatically kept track of which employee accessed which medical file and when (logging), but did not control such logging often enough in respect of unauthorised access.

AP also stated that a good level of security at least requires a two-factor authentication. In such case, the identity of a user to access a patient file could for instance be created with a code or an access code combined with a staff ID card. OLVG did not use two-factor authentication. However, logging onto the system outside the hospital did require a two-factor authentication.

Although the hospital did implement the necessary improvements after AP’s investigation, the insufficient control of who accessed which file and the insufficient security in the hospital computer systems entailed a fine.

Read the whole decision here (in Dutch).

DPA’s recommendation for a EUR 200,000 fine for furniture retailer ILVA reduced to EUR 13,500

In the monthly GDPR news of June 2019, we wrote about the Danish DPA recommending a fine of approx. EUR 200,000 (DKK 1.5 million) being imposed on IDdesign (ILVA).

The case emanated from an inspection visit during the autumn of 2018, at which the DPA established that ILVA saved data on approx. 350,000 customers’ names, addresses, phone numbers, emails and purchase history. The data had not been used, hence, the case only concerned the GDPR provisions on data minimisation.

The case was brought before the District Court of Aarhus which was the first Danish court to decide about standard of proof, question of guilt and a fine under the provisions of the GDPR.

The court decided that ILVA did not have any valid basis for processing data of approx. 350,000 customers, and that such customers’ personal data should hence have been erased according to the provisions on data minimisation, which therefore constituted a violation of the GDPR.

During the proceedings, the DPA informed that it should be a mitigating factor that it was only an issue of general personal data and not sensitive personal data, like for instance health information.

The court found it mitigating that ILVA had not previously violated the GDPR, that no one had suffered any damage, that the violation was of a formal nature, that ILVA had not intentionally violated the regulations, and that ILVA had made great efforts otherwise to comply with the GDPR.

When calculating the recommendation of the fine, the DPA had based its calculations on the turnover of the JYSK group, which ILVA is part of. However, in addition to the mitigating factors, the court also found that the fine should be calculated on the basis of ILVA’s own turnover; hence, the fine became significantly lower than recommended by the DPA.

It was the opinion of the DPA that there is not always an identity between the legal entity being the data controller and the business whose aggregate annual turnover should form the basis of the fine calculation.

In relation to fixing of the fine, the DPA has interpreted the term “business” as a financial unit constituting the parent company and all the subsidiaries (group calculation) according to EU law and case law. The District Court of Aarhus did not agree to this.

The case has been appealed to the High Court.

The judgment can be obtained in an anonymised version by approaching Pernille Kristensen at


Henrik Christian Strand, Associated Partner


M, +45 3010 2186

Pernille Kristensen, Attorney


M, +45 3010 2224

More from Holst, Advokater