3. Apr 2017

Regional data protection breaches

After an inspection of the five administrative regions of Denmark, the Danish Data Protection Agency ‎has concluded that the regions are in non-compliance with the Danish Data Protection Act in a number ‎of areas.

Each year, the Danish Data Protection Agency carries out a number of scheduled inspections. In 2016, the ‎Agency scheduled and carried out inspections at several municipalities and all five regions in order to ‎verify compliance with the Danish Data Protection Act. In this connection, the Agency collected various ‎written information through questionnaires and carried out inspection visits. The inspection reports ‎issued by the Agency have now been released.‎

In the inspections that were carried out, the Agency's focus was on the regions' security procedures, the ‎authorities' own supervision, data processor agreements and monitoring of data processors, etc.‎

The inspections carried out showed that all regions are having difficulties complying with all of the ‎requirements of the Data Protection Act. As a result, the Agency found reason to criticise all five ‎regions. The most severe criticism concerned the absence of or inadequate data processor agreements ‎as well as failure to monitor the processing carried out by data processors.‎

In addition, the Agency requested all five regions to submit a statement of the measures that will be ‎implemented to ensure compliance in future.‎

The full-length inspection reports are now available on the Agency's website (in Danish only).‎

Norrbom Vinding notes

  • that under the Data Protection Act, a data controller must conclude a written agreement with each of its ‎data processors and the agreement must specify that the data processor will act on the controller's ‎instructions alone;‎
  • that the Data Protection Agency has centred its focus particularly on public authorities and their ‎compliance with the requirements of the Data Protection Act and the Executive Order on data security ‎and especially the requirement that data processor agreements must be concluded with processors; but‎
  • that the requirement of conclusion of data processor agreements with processors applies to the private ‎sector as well as the public sector, and this is relevant among other things for outsourcing of IT services ‎or in other situations where personal data are made available to third parties for processing on behalf of ‎the data controller; and
  • that the requirements to data processor agreements etc. will not become less strict when the new EU ‎General Data Protection Regulation enters into force next year.‎

The above article is intended for general information only and does not constitute legal advice.


Data protection