The Danish data protection authority ('Datatilsynet') published, on 15 November 2021, its decision in Case no. 2021-31-4596, in which it had found the company, T.Hansen Gruppen A/S, in violation of Articles 32(1) and 33(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Background to the decision In particular, the Datatilsynet stated that the decision arises following a customer's complaint that his personal information had been given unauthorised access by another customer due to the way in which customer profiles were set up. In this regard, the Datatilsynet noted that this had led both customers' information to be combined under the same profile, allowing u
News
Denmark: Datatilsynet issues decision criticising T.Hansen for inadequate data security measures
November 16, 2021
Summary
The Danish Data Protection Authority, Datatilsynet, issued a decision on 15 November 2021, criticizing T.Hansen Gruppen A/S for violating GDPR Articles 32(1) and 33(1) by failing to secure customer data and properly notify a breach. The case stemmed from a complaint about unauthorized access to personal information due to poorly set up customer profiles, which included storing passwords in clear text. Datatilsynet ordered T.Hansen to encrypt all customer passwords with a recognized algorithm.