Denmark: Datatilsynet issues decision criticising Municipality of Herning for inadequate data security measures
View 11.3K
words 354 read in 1 minute, 46 Seconds
The Danish data protection authority ('Datatilsynet') issued, on 10 February 2022, its decision in Case No. 2021-432-0077, as issued on 11 January 2022, in which it expressed criticism against the Municipality of Herning for its violation of Article 32(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following its failure to adopt appropriate technical and organisational measures in connection with its processing of personal data via the IT system, 'Affaldsweb'.
Background to the case
In particular, the Datatilsynet stated that, following a citizen's compliant, it had initiated an investigation against the Municipality for its personal data processing activities via the IT system, Affaldsweb. In this regard, the Datatilsynet stated that users of the IT system (citizens), who could login to the system using a unique 5-digit code, were able to access the information of those who they share a waster container with, about who had last edited/ordered waste containers, as well as contact information entered by such users. Additionally, the Datatilsynet noted that the system was prone to URL manipulation that allowed the retrieval of information about addresses and container conditions, both of which could amount to personally identifiable information.
Findings of the Datatilsynet
Notably, the Datatilsynet found that access controls based on 5-digit code had not provided appropriate security against attempts to adjust URLs to access the personal information of other users. Furthermore, the Datatilsynet noted that, in response to the Municipality's claim that the processing's less sensitive nature meant that the service to users/citizens exceeded potential risks to their data subject rights, such a balancing act does not challenge the fact that all personal data is worthy of protection. In this regard, the Datatilsynet further emphasised that URL manipulation is a security risk that is generally known and should have been addressed by the Municipality. As such, the Datatilsynet found the Municipality had failed to implement appropriate technical and organisational measures for personal data security in breach of Article 32(1) of the GDPR.
Outcomes
Ultimately, the Datatilsynet expressed criticism against the Municipality for failing to adhere to the requirements of Article 32(1) of the GDPR.
