GDPR Breach in Gladsaxe Municipality
In 2018, four work computers were stolen from the town hall in Gladsaxe Municipality. One of the computers contained a spreadsheet with personal data on 20,620 citizens. The workstation was secured only with a username and password; no additional security measures had been taken, which contravened the municipality's own security policy and constituted a GDPR violation. Seven citizens subsequently filed a lawsuit against the municipality, which was the data controller, claiming compensation for the breach. The district court found that Gladsaxe Municipality had not complied with the GDPR's rules on security of processing. The question was then whether the citizens were entitled to non-economic compensation under Article 82 of the GDPR.
GDPR Article 82
Article 82 states that anyone who has suffered material or non-material damage due to a GDPR violation is entitled to compensation for the damage caused.
The Court’s Decision on Damages for GDPR Breach
In the case, the district court in Glostrup concluded that Article 82 also covers compensation for non-economic damage. Despite this, no compensation was awarded in the specific case. This was based on an overall assessment of the security breach and of the nature and sensitivity of the information.
What Does the Judgment Show?
The judgment shows that even if a data subject has not suffered financial damage in connection with a violation of the GDPR, it is possible to be awarded compensation after a specific assessment. The decision is a matter of principle, as neither the Danish courts nor the European Court of Justice have previously ruled on whether Article 82 of the GDPR provides access to compensation for non-economic damage.
What Should You as an Employer Be Aware Of to Avoid GDPR Violations?
As an employer, you will often be the data controller for the processing of a range of personal data, which is why you will also be responsible for adequate security measures to protect that data. This means that you may incur liability if the personal data is not processed in accordance with the GDPR. The decision of principle described above means that you as an employer must be even more careful to ensure that sufficient security measures have been taken and that the processing otherwise meets the requirements of the GDPR.
If you need help with a specific case or if you have questions about how your company can become compliant or other GDPR-related matters, please contact Raadgiver.dk for a non-binding conversation.