The Danish Data Protection Authority has expressed serious criticism of the tax administration for not promptly notifying a data subject of a personal data breach.
The Danish Data Protection Authority has ruled on a case in which the tax administration did not notify the supervisory authority of a personal data breach. The notification stated that the tax administration had informed the data subject two days before notifying the Authority.
However, a month later, the Danish Data Protection Authority received an update informing it that the data subject had not been notified as described in the first notification, but only 40 days later. The tax administration justified the late notification by citing “exceptional conditions during holidays”.
In this context, the Danish Authority considers that the fundamental purpose of the obligation to notify data subjects of a breach is to allow them to protect their own interests if they have been affected by a security breach. The aim is to prevent their rights or freedoms from being infringed.
In this regard, the Authority affirms that the supervisory authority must be able to protect the rights of data subjects where no (adequate) notification has been provided to them, for example by ordering the data controller to notify the data subject(s).
For this reason, the Danish Data Protection Authority, while processing the case, paid particular attention to the fact that neither the data subject nor the data controller was able to exercise the data subject’s rights, because he/she had not been informed of the personal data breach. Because of incorrect information provided in the notification, the Authority had considered that the data subject had been informed of the incident.
In addition, the Authority underlined, among other things, that public authorities are usually expected to have adequate procedures, guidelines and emergency plans that allow data subjects to be notified in compliance with the legislation, regardless of whether employees are on holiday or not.
The Authority criticized the tax administration's failure to communicate the personal data breach to the data subject in compliance with Article 34, paragraph 1 of the General Data Protection Regulation.
SOURCE: DANISH DATA PROTECTION AUTHORITY