Home

Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
Auditor
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:

News

Home / News
/
DANISH SUPERVISORY AUTHORITY: new decision – serious criticisms to the tax administration in case of notification

DANISH SUPERVISORY AUTHORITY: new decision – serious criticisms to the tax administration in case of notification

The Danish Data Protection Authority has expressed serious criticisms about the fiscal administration that has not promptly notified the personal data breach to a data subject.

The Danish Data Protection Authority has pronounced itself on a case in which the tax administration has not notified to the supervisory authority a personal data breach. The notification was showing that the tax administration had informed the data subject two days before the notification to the same Authority.

Anyway, after a month, the Danish Data Protection Authority has received an update in which was informed that the data subject has not being notified as it was described into the first notification – but only 40 days after. The tax administration has justified the late notification with “exceptional conditions during holidays”.

In this context, the Danish Authority considers that the fundamental purpose of the obligation to notify to data subject a breach is to permit them to protect their own interest if they have been affected by a security breach. This is realized in order to avoid that their rights or freedoms are breached.

In this regard, the Authority affirms that the supervisory authority shall be able to protect rights of data subject if it has not been provided an (adequate) notification to data subjects – for example, by ordering to the data controller the notification to the data subject(s).

For this reason, the Danish Data Protection Authority – while it was processing the case – has paid particularly attention to the fact that neither the data subject nor the data controller was able to exercise the data subject’s rights because he/she has not been informed of the personal data breach. Due to wrong information provided into the notification, the Authority has considered that the data subject has been informed on the accident.

In addition, the Authority has undermined, among other things, that we usually expect that public authorities have adequate procedures, guidelines and emergency plans in order to permit the notification to data subject in compliance with the legislation – regardless of whether employees are on holidays or not.

The Authority has criticized the lack of Communication of a personal data breach to the data subject by the tax administration in compliance with the article 34, paragraph 1 of the General Data Protection Regulation.

SOURCE: DANISH DATA PROTECTION AUTHORITY

Recommended to you

Advanced Research