The Danish data protection authority ('Datatilsynet') published, on 15 November 2021, its decision in Case no. 2021-31-4596, in which it had found the company, T.Hansen Gruppen A/S, in violation of Articles 32(1) and 33(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Background to the decision In particular, the Datatilsynet stated that the decision arises following a customer's complaint that his personal information had been given unauthorised access by another customer due to the way in which customer profiles were set up. In this regard, the Datatilsynet noted that this had led both customers' information to be combined under the same profile, allowing u