Who is responsible when personal data is sent via unencrypted connections?

By Michael Gorm Madsen, Laura Katarina Dollerup

11-2020

According to the Danish Data Protection Agency, no data controller should request data subjects to send sensitive or confidential personal data via an unencrypted internet connection.

All data controllers are subject to the principle of accountability in art. 5 of the GDPR, which requires them to ensure that personal data is processed in a manner that warrants appropriate security.

In practice, this means that a data controller must, prior to processing personal data, carry out a risk assessment and implement appropriate security measures corresponding to the identified risk(s).

In 2018, the Danish Data Protection Agency, Datatilsynet, issued a statement on encryption requirements (in Danish only), as Datatilsynet was of the opinion that email correspondence including sensitive or confidential information had to be encrypted in order to ensure appropriate security. In its guideline, Datatilsynet listed different appropriate encryption methods and stated that when an email is sent from the data controller, the data controller is responsible for the secure transmission to the recipient's mail server.

Datatilsynet has now published a new statement (in Danish only), in which Datatilsynet makes it clear that the obligation (as a data controller under Danish jurisdiction) to ensure appropriate security is brought forward in time if the data controller has requested a data subject to send information to the data controller, i.e. the obligation to ensure security applies not only from the point in time the data controller receives the data, but from the point in time the data subject sends the requested information to the controller.

There are only two exceptions to this earlier onset of the security obligation: unrequested personal data provided by data subjects, or cases in which a data subject actively chooses not to make use of a secure transmission solution.

The requirement applies to public authorities as well as private businesses acting as data controllers who, as part of a task or a service, request data subjects (e.g. customers, clients or patients) to send certain types of personal data. Further, Datatilsynet has not, at least publicly, granted data controllers a transition period.

In conclusion, this new requirement means that data controllers who request data subjects to send sensitive or confidential personal data now have an obligation to provide the data subject with the opportunity to use an encrypted channel, e.g. a sufficiently secure two-way transmission solution enabling the data controller and the data subject to exchange sensitive and confidential personal data relating to the data subject.