Gladsaxe Municipality: Court ruling in the Gladsaxe case

Summary

The case concerned a personal data breach in Gladsaxe Municipality, where four computers were stolen from the municipality’s town hall. One of these computers contained a spreadsheet with information on approximately 20,000 citizens. This information was not encrypted and the spreadsheet contained information such as civil registration number, age, and gender.

Seven individuals subsequently sued Gladsaxe Municipality, claiming compensation for non-material damage under GDPR, Article 82. The individual claimants had made claims in the range of DKK 7,500 to DKK 30,000.

The Danish Data Protection Agency’s decision

The Court concluded that Gladsaxe Municipality had not acted in breach of the principles for processing personal data in GDPR, Article 5(1)(a), (b), or (c) (processing principles). The processing had also been carried out in accordance with GDPR, Article 6(1)(f) (legitimate interest) and Article 9(2)(f) (processing is necessary for the establishment of legal claims), and Section 5(1) of the Danish Data Protection Act (processing in accordance with purpose).

The Court concluded that the municipality, as data controller, had not complied with the GDPR’s requirements for the security of processing within the meaning of GDPR, Article 32(1) and (2) (security of the processing), cf. Article 5(1)(f).

After an overall assessment of the data security breach and in comparison with the nature of the information on each of the applicants to which the breach related, there was no basis to conclude that the applicants had suffered damage that could justify compensation.

Consequently, the Court held that there was no basis for awarding the applicants compensation under GDPR, Article 82 for non-material damage. Gladsaxe Municipality was therefore dismissed from the plaintiffs’ claim for compensation.

Published: 11-05-2021
Journal number: BS-19120/2019-GLO
Tags: 05 Data security
Complycloud EU GDPR Report