05. december 2017
KL's høringssvar vedr. Artikel 29-gruppens Guidelines om anmeldelse af brud på persondatasikkerheden
Artikel 29-gruppen har den 3. oktober 2017 vedtaget en ny vejledning (guideline) om databeskyttelsesforordningens artikel 33 og 34 om brud på persondatasikkerheden.
KL har den 28. november 2017 afgivet følgende høringssvar til Artikel 29-gruppen:
Comments on Guidelines on Personal data breach notification under Regulation 2016/679
Local Government Denmark welcomes the opportunity to comment on "Guidelines on Personal data breach notification under Regulation 2016/679" from The Article 29 Data Protection Working Party.
The notificating of the supervisory authority in cases of breaches is a new administrative task imposed on the Danish municipalities under Regulation 2016/679. In order to support an effective administration it is therefore in the interest of the municipalities that the guidelines elaborate on conditions where notifications are not required, where breaches are unlikely to result in a risk to the rights and freedoms of natural persons. The flowchart and the examples listed in the Annex are very helpful but more examples are demanded, especially situations concerning confidentiality breaches:
- A municipal caseworker looks into a case file on a citizen. Some of the personal data in the case file are not relevant for the caseworker´s tasks, e.g. information about social problems or health matters.
- By mistake a municipal caseworker sends an Email containing confidential information about a citizen to the wrong recipient employed at the same municipality. The Email could contain health data e.g.
In these and similar cases caseworkers have access to unnecessary personal data. The municipalities do not consider the breaches likely to result in a risk to individuals´ rights and freedoms that leads to the obligation to notify the supervisory authority. The staff have no use for these data and will delete the Email, refrain from reading the unnecessary parts of the case file, e.g. Communication to the data subjects in these situations are also considered unnecessary.
Addressing these examples in the guidelines would help the municipalities of Denmark comply with the obligations pursuant to the GDPR.