Danish Data Protection Authority (Datatilsynet)-Midtjylland Region (9/8/2021)

On June 12, 2020, the DPA received a notification from the region regarding a personal data security breach pursuant to Art. 33 GDPR. According to the notification, all patients and staff at a lifestyle center were able to access a building where up to 100,000 physical patient records were stored, including health information and personal identity number details. The reason for this was that both staff and patients had been given key cards that allowed them to access all three buildings of the lifestyle center, regardless of whether the user was required to access them.
In addition, passersby were able to take a look at the covers of some of the records -which showed personal data such as identity numbers and names – through a window in the building.
In this context, the DPA found that the Midtjylland Region had not taken adequate security measures for the storage of personal data.

In addition, the region had not established sufficient guidelines for access restrictions when creating key cards, and had not conducted adequate periodic testing, assessment, and evaluation of the security measures taken.

In evaluating the question of whether a fine should be imposed, the Danish DPA took into account, as an aggravating factor, that the region processed large amounts of sensitive data, such as health data.