Unauthorized access to video surveillance

Summary

An employee in Salling (a Danish supermarket chain) allowed a former employee to enter the store through the staff entrance. The former employee was shown video surveillance footage from the store, which included images of the former employee's ex-girlfriend shopping with a friend.

The Danish DPA concluded that Salling's processing of personal data had been carried out in accordance with GDPR, Article 32(1) on security, and Article 34(1) on notification of breaches to data subjects.

In addition to the many measures taken by Salling, the Danish DPA emphasized that the employee had deliberately violated company guidelines in several ways, such as by giving a former employee access to the building. The Danish DPA also concluded that the employee took several actions that went beyond what Salling could reasonably have been expected to prepare for or to have taken measures to avoid.

The Danish DPA therefore only criticized the fact that Salling did not report the breach until 10 days after the company became aware of the incident.

The Danish Data Protection Agency's decision

The Danish DPA criticized Salling for not complying with GDPR, Article 33(1), as Salling did not report the security breach to the Agency until 10 days after the company became aware of the incident.

Despite the incident, the Danish DPA concluded that Salling had taken appropriate organizational and technical measures to ensure a level of security appropriate to the risks inherent in the processing of the personal data in question, and that the company could not be held responsible for the incident.

Our remarks

A controller is not held liable for exceptional or unforeseeable actions of employees that lead to a personal data breach if the controller itself has taken appropriate organizational and technical measures. The division of liability between employer and employee is thus similar to principal liability in tort law.

• It must be possible to document to the Data Protection Authority what measures have been taken. This documentation must be easily accessible and must be produced within a reasonable time.

• The ISO/IEC 27001 standard can be a useful tool for ensuring and documenting proper information security. The standard is not in itself a requirement under the GDPR. However, it can be useful for many reasons and can also be a prerequisite for compliance with ISO/IEC 27701, which is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy protection and can be used to ensure compliance with the GDPR.

Published: 18-06-2020, Journal number: 2020-441-4652
Tags: 05 Data security
Complycloud EU GDPR Report