Datatilsynet criticises the Health and Medicines Authority for inadequate security measures

The Danish supervisory authority found that the data breach, reported by the Authority on 13 August 2021, occurred after an update to the health platform for which the Capital Region (Hovedstaden) is responsible. The update caused the deletion of information on patients' end-of-treatment and dosage dates in the Common Medical Record, for which the Authority is responsible.
As data controller, the Authority must implement appropriate technical and organisational measures to ensure a level of security that matches the risks of processing sensitive health data. Datatilsynet determined that the Authority should have tested likely error scenarios for platform updates (such as an update to an upstream system corrupting or deleting the data it feeds into the Common Medical Record), even though a third party was directly responsible for carrying out the update. The supervisory authority therefore concluded that the Authority had not complied with Article 32(1) of the GDPR. Where several actors are involved in the processing, each controller must, for its own systems, define guidelines and procedures for how changes to the source systems may affect its organisation.

In addition, Datatilsynet found that the Authority did not report the data breach within the 72 hours required by Article 33(1) of the GDPR and had previously made similar data security mistakes. Datatilsynet considered both to be aggravating circumstances.
