European Data Protection Board

Fines proposed for two municipalities

Tuesday, 10 March, 2020

The Danish Data Protection Agency has reported the municipality of Gladsaxe and the Municipality of Hørsholm to the police, as it finds that the municipalities have not met the requirements of an adequate level of security under the General Data Protection Regulation (GDPR).

For the municipalities of Gladsaxe and Hørsholm Municipality fines of DKK 100.000 and DKK 50.000 have been proposed respectively.

The Data Protection Agency became aware of the cases when both municipalities notified the agency of personal data breaches relating to the theft of computers containing personal data.

Neither computers were protected by encryption, and the loss of personal data by the municipalities therefore posed an undue risk to its citizens.

In one of the cases, the lack of security resulted in a serious personal data breach, as a computer containing personal data of 20.620 citizens, including information of a sensitive nature and personal data, was stolen from Gladsaxe City Hall.

The second security breach took place when the computer of an employee from the municipality of Hørsholm was stolen from his car. On the computer, there was information on about 1.600 employees in the municipality of Hørsholm, including information of a sensitive nature and personal data.

The specific security breaches express some of the possible consequences of the insufficient level of security which poses a high risk to all citizens of whom the municipality processes data.

Municipalities have a great deal of responsibility
“A municipality processes very large amounts of personal data concerning the municipality’s citizens, including information of a sensitive nature. As a citizen, it is not possible to opt out of the municipality’s processing of information about oneself, and the municipality therefore has a high responsibility to avoid the information being disclosed, "said Frederik Viksøe Siegumfeldt, Head of Unit of the Supervisory Unit in the Danish Data Protection Agency. He explains:

“It is simple to access the files stored on the computer when a computer’s hard drive is not encrypted, for example by moving the hard drive to another computer. Therefore, when personal data are stored locally on the computer, it is very imprudent that the municipalities' computers were not encrypted.”

Proposal of fines
The Danish Data Protection Agency has decided to report the Municipality of Gladsaxe and the Municipality of Hørsholm to the police and proposes that the two municipalities be fined DKK 100.000 and DKK 50.000 respectively.

To read the press release in Danish, click here

For further information, please contact the Danish DPA: