GDPR News – November 2021
Selected GDPR decisions from the month of November
Sensitive data submitted in unencrypted emails draws severe criticism
On 3 February 2021, the Danish Municipality of Silkeborg reported a personal data breach: on that day the municipality had sent an email to Danmarks Statistik Consulting containing a list of personal ID numbers, school name and school code of 12,915 pupils. The report stated that, due to human error, the email had been sent unencrypted.
The municipality stated that TLS version 1.1 was implemented at the time the email was sent, and that it therefore assumed the email at issue had been encrypted in the transport layer. However, the municipality could not verify this.
The Danish DPA stated that encryption in the transport layer by means of TLS is not always sufficiently secure when large amounts of confidential and/or sensitive personal data are sent, or when large amounts of personal data are sent frequently. The DPA also stated that TLS version 1.1, which was implemented at the Municipality of Silkeborg at the time, cannot be regarded as adequate security for encryption in the transport layer because of known security vulnerabilities.
The DPA took into consideration that a municipality processing large quantities of confidential and/or sensitive data on citizens must ensure that data is sent in such a way that it is not readable. This also applies if a third party should receive the email by mistake; hence, the municipality must have routines ensuring that the contents of such emails are encrypted, and not only by TLS in the transport layer. This obligation particularly applies when the personal data concerns children, who benefit from special protection under the GDPR. The DPA also stated that the municipality had not been able to explain whether the email had been encrypted at all.
Hence, the DPA severely criticised the Municipality of Silkeborg for not having implemented adequate security measures.
Read the whole decision here (in Danish).
Church criticised and ordered to process a subject access request
In February 2021, the Danish DPA received a complaint from a citizen who was dissatisfied with The Catholic Church in Denmark, which had refused to disclose information in the form of testimonies and questions in a matter where the complainant’s former spouse wanted to get married again in The Catholic Church.
For the complainant’s former spouse to remarry in The Catholic Church, the marriage between the complainant and the former spouse had to be annulled. Witnesses were therefore summoned to explain various aspects of the marriage, including the reason for the divorce. The complainant had requested access to the questions that the witnesses were asked.
The DPA found that The Catholic Church had not shown it to be probable that consideration for the religious freedom of the complainant’s ex-husband and for the witnesses’ rights could justify refusing to disclose a copy of the questions that the witnesses were asked and the answers they gave.
The DPA took into consideration that any exemption from granting a right of access only applies in cases where there would be an obvious danger of significantly damaging private interests. The DPA stated that The Catholic Church had not shown it to be probable that the complainant’s ex-husband’s religious freedom, the priests’ confidentiality or the witnesses’ rights were in any danger of being significantly damaged by disclosing the information at issue about the complainant.
The DPA also took into consideration that The Catholic Church did not appear to have made a proper assessment of the information, but had simply refused outright to disclose a copy of it. The DPA found that the processing of personal data by The Catholic Church had not been carried out in compliance with article 15 of the GDPR, which gave the DPA cause to express criticism.
The DPA also found cause to exercise its enforcement powers and ordered The Catholic Church to reprocess the complainant’s access request.
Read the whole decision here (in Danish).
IKEA ROMÂNIA fined after a drawing competition for children
The Romanian DPA (ANSPDCP) initiated an investigation of IKEA ROMÂNIA SA after IKEA ROMÂNIA SA had notified ANSPDCP of a personal data breach.
IKEA ROMÂNIA SA had arranged a drawing competition in which children of IKEA Family members could participate. The participants uploaded their own drawings to an online platform together with registration forms containing personal data on the children and their parents, including the parents’ consents. For the selection of the best drawing, the drawings were posted on an online platform, and by accident all personal data included in the registration forms was posted on that platform as well.
ANSPDCP’s investigation ascertained that the security incident had entailed an unauthorised disclosure of personal data about IKEA Family members (surname, given name and age of minors, and surname, given name, town, country, email, IKEA Family member number and parents’ signatures) on the online platform, which was only accessible to IKEA Family members in Romania. The incident involved 114 persons, of whom half were minors.
ANSPDCP found that IKEA ROMÂNIA SA had thereby disregarded its obligation under article 32 of the GDPR to implement technical and organisational measures ensuring a level of security matching the risk to the data subjects. Hence, ANSPDCP imposed a fine of EUR 1,000 on IKEA ROMÂNIA SA.