In order to comply with the GDPR regulations and provisions pertaining to the security of processing, it has since 1 January 2019 been the practice of the Danish DPA that private companies must use encryption when confidential and sensitive personal data are sent by e-mail. Therefore, during the spring of 2019, the DPA visited four companies and carried out planned inspections.
Subsequently, the DPA criticises two of the four companies.
One company was criticised, first, for sending e-mails through opportunistic TLS without verifying whether the receiving domain could receive TLS and, secondly, for not having prepared any risk assessment addressing the risk associated with an internet transmission of personal data. Last month, Lowell Danmark A/S was also the object of the Danish DPA’s criticism for sending e-mails through opportunistic TLS (read more here).
The second company was criticised for not having notified that, in a number of cases, they had accidentally sent unencrypted e-mails from which sensitive personal data could be inferred. In addition, the DPA criticised the company for using personal ID numbers as passwords for opening the e-mails, as the DPA has instructed that companies must not use passwords that inherently constitute personal data.
Read the decision here (in Danish).
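The following is an added illustration and is not part of the DPA's decision or of any company's mail system: it models the decision a sending mail server makes for one delivery under the three TLS policy levels named after those Postfix uses for `smtp_tls_security_level`, so that the difference between "opportunistic" and "mandatory" TLS is visible. The EHLO replies are constructed strings, nothing is sent on the network, and certificate verification is represented by a flag supplied by the caller rather than by a real handshake.

```python
import re
from dataclasses import dataclass

# Constructed EHLO replies standing in for what a sending mail server sees
# from the receiving domain. Nothing in this example touches the network.
EHLO_WITH_STARTTLS = (
    "250-mx.example.invalid Hello sender.example.invalid\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.example.invalid Hello sender.example.invalid\r\n"
    "250-SIZE 52428800\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


@dataclass(frozen=True)
class DeliveryDecision:
    action: str   # "send-tls", "send-plaintext" or "defer"
    reason: str


def starttls_advertised(ehlo_reply: str) -> bool:
    """Return True if the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    return any(
        re.fullmatch(r"250[ -]STARTTLS", line.strip(), re.IGNORECASE)
        for line in ehlo_reply.splitlines()
    )


def decide_delivery(policy: str, ehlo_reply: str, cert_verified: bool = False) -> DeliveryDecision:
    """Apply a per-destination TLS policy to one delivery attempt.

    Policy names follow the Postfix smtp_tls_security_level levels (assumption
    for illustration; this is not Postfix code):
      "may"     - opportunistic: use TLS if offered, otherwise send in cleartext
      "encrypt" - mandatory: defer (retry later) when STARTTLS is not offered
      "secure"  - mandatory plus verification of the receiving server's certificate
    cert_verified is the outcome of certificate verification, supplied by the
    caller because this example performs no real TLS handshake.
    """
    offered = starttls_advertised(ehlo_reply)
    if policy == "may":
        if offered:
            return DeliveryDecision("send-tls", "STARTTLS offered, session will be encrypted")
        # This silent fallback is the weakness of opportunistic TLS: a receiver
        # that does not support TLS (or a path that strips the STARTTLS line)
        # results in personal data crossing the internet in cleartext.
        return DeliveryDecision("send-plaintext", "STARTTLS not offered, falling back to cleartext")
    if policy == "encrypt":
        if offered:
            return DeliveryDecision("send-tls", "STARTTLS offered, session will be encrypted")
        return DeliveryDecision("defer", "TLS required for this destination but STARTTLS not offered")
    if policy == "secure":
        if offered and cert_verified:
            return DeliveryDecision("send-tls", "STARTTLS offered and server certificate verified")
        if offered:
            return DeliveryDecision("defer", "STARTTLS offered but server certificate could not be verified")
        return DeliveryDecision("defer", "TLS required for this destination but STARTTLS not offered")
    raise ValueError(f"unknown TLS policy: {policy!r}")


if __name__ == "__main__":
    for policy in ("may", "encrypt", "secure"):
        for name, reply in (("tls-capable", EHLO_WITH_STARTTLS), ("no-starttls", EHLO_WITHOUT_STARTTLS)):
            d = decide_delivery(policy, reply, cert_verified=True)
            print(f"{policy:8s} {name:12s} -> {d.action:15s} {d.reason}")
```

Under "may" the no-STARTTLS case yields a cleartext delivery without any error, which is why a sender that has not checked the receiving domain's TLS capability cannot know whether a given message was protected; under "encrypt" or "secure" the same case is deferred instead, and the operator learns about the problem from the mail queue.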
According to article 32 of the GDPR, the data controller must take appropriate technical and organisational measures to ensure that personal data processed by the company is protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
In November last year, the Spanish TV and radio station, RTVE, lost 6 unencrypted USB memory sticks containing a wide range of personal data on 11,000 persons, including identification data, personal circumstances, employment information and in some cases information on criminal offences and health.
The Spanish DPA therefore found that RTVE had not taken appropriate measures to protect the data and the company was therefore fined EUR 60,000.
Read the decision here (in Spanish).
In connection with an inspection in June 2017, the Berlin Commissioner for Data Protection and Freedom of Information (“the Berlin Commissioner”) found that the real estate company, Deutsche Wohnen SE, used an archiving system which did not allow for the erasure of information, and therefore, among other things, former tenants' salary statements, excerpts from employment contracts and tax information were retained.
According to the GDPR regulations, only data that are necessary may be processed (and thereby retained), and the Berlin Commissioner therefore requested that the system be modified in order for data on former tenants to be deleted. However, when the Berlin Commissioner about two years later inspected the company again, the system still contained personal data from former tenants and, for that reason, the Commissioner found grounds for issuing a fine.
When assessing the penalty, it was taken into account that the fine should not exceed EUR 28 million (2% of the company's turnover last year) and, on the basis of a number of aggravating and mitigating circumstances, the Berlin Commissioner decided that the fine should be set at EUR 14.5 million.
According to the GDPR and as a rule, a citizen (data subject) is entitled to a right of access without undue delay to all the data subject’s data processed by a company.
Hence, the DPA criticised the Danish State Railways ("DSB") for only describing the data they processed to a citizen and not the contents of the data. For example, DSB mentioned that they were processing the citizen’s place of study but not which place of study.
In addition, the DPA criticised DSB for not providing access to video recordings on the grounds that they had not been asked to do so. The GDPR does not stipulate that data subjects shall specify which data they require access to; hence, as a general rule, DSB should have provided access to the video recordings too. It should be noted, however, that the right of access can be limited under Danish law, among other things, where the data subject’s interest in the data is deemed less significant than decisive private or public interests (see our GDPR news from June 2019, in which Metro Service could legitimately refuse to provide access). DSB was therefore not necessarily obliged to provide access to the video recordings, but a refusal should have been justified on other grounds than that access had not been requested.
Furthermore, the same citizen had complained that access had not been granted in relation to cookies. In this respect, however, the DPA did not find any grounds for criticising DSB, since it was not possible for DSB to link data collected through cookies to the citizen without the citizen providing additional information to DSB.
In another case, the DPA seriously criticised a Danish pension fund for lawyers and economists ("JØP") for not having complied with the GDPR regulations when a citizen requested access to data processed. JØP refused to grant the citizen access to an assessment drawn up by a medical consultant which had been prepared in connection with handling a case pertaining to the citizen. JØP was of the opinion that the said data was exempted on the grounds of its nature as an in-house assessment, a business secret and in the interests of said citizen.
However, the DPA did not find that any of the exemption clauses should apply, and consequently JØP was ordered to hand over the assessment made by the medical consultant to said citizen.
The Romanian DPA has decided in a case where a citizen had complained about BNP Paribas Personal Finance Bucharest’s (the bank) handling of said citizen’s request for erasure.
In this case the DPA found that the bank had failed to act “without undue delay” as provided for in article 12 (3) of the GDPR and therefore imposed a fine on the bank in the amount of RON 9,508 (about EUR 2,000).
The DPA also ordered the bank to implement measures in order for future requests to be processed in compliance with the provision of the GDPR that action on requests shall be taken without undue delay and in any event within one month of receipt of the request.