Missing security measures triggered GDPR fine
On March 23, 2026, the Western High Court delivered its judgment in a criminal case against the Region of Southern Denmark, which had been charged with two counts of violating the GDPR requirement to ensure an appropriate level of security.
The High Court found the Region of Southern Denmark guilty on one count and imposed a fine of DKK 500,000. At the same time, the region was acquitted on the second count.
The case had previously been heard by the District Court in Kolding, where the Region of Southern Denmark was found guilty on both counts and fined a total of DKK 1 million. The court held that data security breaches had occurred in both instances and that the region, as the data controller, bore responsibility.
Failure to secure database
The first count concerned a database used by the region for research and clinical purposes. For a period of more than 1.5 years, it was possible for individuals registered in the database to access other individuals’ data by modifying the URL.
As a result, users with login access to the database could view personal data relating to approximately 23,000 other individuals, including sensitive health information about children receiving psychiatric care.
The High Court emphasized that the region should have been aware of the vulnerability associated with the use of URLs, particularly in light of a previously reported breach in 2018 involving the same type of vulnerability. On that basis, the court found that the region had violated Article 32 of the GDPR regarding appropriate security measures.
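The failure described in this count is the classic object-level authorization gap: a login is checked, but the record identifier in the URL is trusted as-is. The following is an added illustration, not code from the judgment or the region's system, showing that pattern next to the check that closes it and a simple log-based detection; the record store, user names and log rows are constructed sample data.

```python
# Added example (not from the judgment or the region's system): an authenticated user
# reaching another person's record by changing an id in the URL, the authorization
# check that prevents it, and a detection aid over constructed access-log rows.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str        # user the record belongs to
    health_note: str  # placeholder for the sensitive content


# Constructed sample data: two registered users, one record each.
RECORDS = {
    101: Record(101, "alice", "sample note A"),
    102: Record(102, "bob", "sample note B"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_record_vulnerable(session_user: str, record_id: int) -> Record:
    """Vulnerable pattern: only the login is checked; the id taken from the URL is
    trusted, so any authenticated user can read any record."""
    if not session_user:
        raise Forbidden("login required")
    return RECORDS[record_id]


def get_record_hardened(session_user: str, record_id: int) -> Record:
    """Hardened pattern: the lookup is scoped to the caller, so a foreign id is
    refused no matter how it was obtained."""
    if not session_user:
        raise Forbidden("login required")
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        # Same response for "not found" and "not yours", so the check does not
        # reveal which ids exist.
        raise Forbidden("no such record")
    return record


def foreign_id_attempts(access_log: list[tuple[str, int]]) -> dict[str, int]:
    """Detection aid: per user, count requested ids that belong to someone else.
    access_log rows are (session_user, requested_record_id)."""
    counts: dict[str, int] = {}
    for user, rid in access_log:
        rec = RECORDS.get(rid)
        if rec is None or rec.owner != user:
            counts[user] = counts.get(user, 0) + 1
    return counts
```

A user whose count climbs well above zero is walking the id space, which is the kind of signal that would have exposed the behaviour on the page well before 1.5 years had passed.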
Acquittal regarding accessible PowerPoint
The second count concerned a PowerPoint presentation from 2011 that the region had uploaded to its website. Through a chart in the presentation, it was possible to access a number of underlying personal identification numbers. The presentation was later removed from the website and placed in a document archive, where it could still be found via Google.
The High Court emphasized that the region had implemented organizational measures and that, at the relevant time, no technical tools were available to effectively identify the embedded data. The region was therefore acquitted on this count.
Littler comments
The judgment clarifies that data controllers have a duty to respond to known risks in their IT systems, especially if similar security breaches have occurred previously.
At the same time, the acquittal shows that liability is not automatic if the authority has taken the measures that could reasonably be expected based on the technical possibilities available at the time.
Questions regarding this article and the applicable legal framework may be directed to Attorney Christian Bonne Rasmussen at