The 4^th of March 2021, the Danish Data Protection Agency has expressed serious criticism for the personal data processing by the Court of the family, which in different cases has not adequate measures. In addition, there was a lack of compliance with the requirements for a written agreement of the data processor with two data processors.

After an exam of cases about notifications of personal data security breaches, the Danish Data Protection Agency has detected that the family Court had, until the 27^th of September 2020, reported 158 personal data security breaches to the Authority. 130 of those breaches were concerned the unintentional share of personal data, including information about people like name and the address of protection.

Since the 16^th of June to the 8^th of September 2020, the Danish Data Protection Authority has received seven specific complaints on personal data processes by the family Court. Based on notifications and received complaints, the Danish Data Protection Agency has carried out an inspection on personal data processing by the family Court. In particular, the Danish Data Protection Agency wanted to investigate on the security of personal data processing manually carried out of the family Court and of the management of human errors sources.

In addition, the Agency wanted to investigate on the security of self-service solutions of the family Court, as well as on guidelines of the Court for the anonymization of the material shared with other people and authorities.

During the exam of personal data security breaches, the Danish Agency has detected that the self-service solutions of the Court had accidentally shared personal information of 3.400 persons. This happened due to a technical failure of a component which was working since many years.

Even few personal data processes carried out by the family Court bring to personal data security breaches, the Danish Data Protection Agency has revealed different cases in which errors could be easily avoided.

This applies both in relation to a tightening of the organizational measures that have been implemented, but also in relation to the risk assessment for those concerned. The Danish Data Protection Agency also found some points where the way IT support was designed and used should be optimized.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA DANIMARCA