In the year since the GDPR took effect, the Danish data protection authority (DPA) has been very active, receiving and dealing with large numbers of complaints relating to data protection breaches. This article looks back at the first year of enforcement activity.
Even before 25 May 2018, it was clear that the Danish DPA would not impose large-scale GDPR fines from the beginning. Danish constitutional law means the Danish DPA cannot issue GDPR fines until the Danish courts have established an adequate level for fines for the various types of breach of the GDPR.
In its 2018 annual report, the Danish DPA announced it had received 2,780 notifications of data breaches. Approximately 900 of these cases had been closed, approximately 700 cases were pending and approximately 600 cases were being reevaluated due to the number of notifications of data breaches involving certain data controllers. 55 cases had been deemed so serious that they were subject to fast-track processing. The Danish DPA further stated that the remaining cases were being classified to ensure uniform processing. Some of the cases that were closed resulted in orders to the data controller.
There are still a number of cases pending. However, in a few cases on this issue where we have assisted clients, the Danish DPA has confirmed that our client would not be reported to the police even though the case was still pending.
So far, a Danish therapy portal has been reported to the police by the Danish DPA after one user was able to access confidential and private correspondence between other users and their therapists.
Further, the Danish DPA has referred a case to the Danish Prosecution Service with a view to the company in question being prosecuted before the Danish courts. Following an inspection visit at a Danish taxi company, the Danish DPA found that the taxi company had stored personal data (mainly phone numbers) from approximately 9 million taxi rides without a legitimate reason.
The Danish DPA has suggested that a fine of DKK 1.2 million (approximately EUR 161,000) be imposed on the taxi company. So even though no GDPR fines have been issued in Denmark yet, we still believe that we will experience a significant increase in the level of sanctions, as predicted when the GDPR came into force.
We have not yet seen any final decisions in cases concerning processing of employee data or other labour market-related issues. We do, however, see a significant increase in awareness among employees and trade unions of employees’ rights with regard to personal data. By way of example, we have assisted a number of clients in handling requests from (former) employees relating to the right of access to personal data.