Danish DPA refers municipality to police for GDPR violation


Denmark’s data protection authority Datatilsynet is reporting the municipality of Lejre to the police for failing to provide an appropriate level of computer security.

After the council reported a breach of personal data, Datatilsynet says it became aware the municipality’s children and young people department included information of a particularly sensitive and protective nature of those under 18 in the minutes of meetings. Those minutes could be uploaded on to the staff portal which meant employees who worked in other areas of the council potentially had access to the data.

The DPA also criticised Lejre municipality, population around 28,000 and about 40km west of Copenhagen, for not notifying those affected of the breach of personal data.

“It is our general opinion that municipalities’ processing of confidential information should at least be protected with access control,” said Frederik Viksoe Siegumfeldt, head of Datatilsynet’s supervisory unit. “In principle, only employees with a work-related need should have access to the information.”

In addition to referring the matter to the police for further investigation, the DPA recommends the municipality be fined DKK50,000 ($6,700, €7,600). The final decision on a financial penalty rests with a court under the Danish system.


Catch the replays and discover the best talks from Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.