On the basis of a complaint, the Data Inspectorate has found that the use of opportunistic TLS encryption without further verification was not an adequate safeguard in a specific case.
The Data Inspectorate criticizes Lowell Danmark A/S (hereinafter Lowell) in a case where a citizen complained that Lowell had sent confidential information about the citizen unencrypted over the Internet.
In a previous decision (January 2019-31-1263), the Data Inspectorate decided that the safeguards Lowell had taken in that specific case on the basis of its risk assessment were appropriate. The use of opportunistic TLS was supplemented with a check of whether the recipient domain supported TLS, and the risk assessment showed that in cases where the recipient domain was unable to receive TLS, a communication method other than email was used.
The difference between the present case and the previous decision was that Lowell in this case could not verify whether the recipient domain could receive TLS and, despite this lack of verification, sent the email with TLS 1.2 configured opportunistically. Lowell therefore could not prove whether the email was actually received encrypted.
Therefore, in the present case, the Data Inspectorate finds that Lowell has not been able to demonstrate that the processing has been done in a way that ensures sufficient security for the personal data concerned, including protection against unauthorized access to personal data, using appropriate technical or organizational measures, cf. Article 5 (1) of the Data Protection Regulation. 2, cf. Article 32 (1) (f). 1 and 2.
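The verification step the two decisions turn on, confirming that the recipient server accepts TLS before sending and using another channel otherwise, can be enforced in the sending code. This is an added example, not Lowell's or the Data Inspectorate's code; `send_if_tls_verified`, `TlsNotVerified` and the `FakeConn` stand-in are constructed for illustration, and the connection is assumed to behave like `smtplib.SMTP`.

```python
import smtplib
import ssl

ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}  # assumed policy floor

class TlsNotVerified(Exception):
    """Raised before any message data leaves; use a non-email channel instead."""

def send_if_tls_verified(conn, sender, recipient, message, context=None):
    """Send over an smtplib.SMTP-like connection only once TLS is confirmed.

    Returns a dict recording the negotiated session, for the audit trail.
    """
    conn.ehlo()
    if not conn.has_extn("starttls"):
        # Opportunistic TLS would fall back to plaintext here; fail closed instead.
        raise TlsNotVerified("recipient server does not advertise STARTTLS")
    try:
        conn.starttls(context=context or ssl.create_default_context())
        conn.ehlo()  # capabilities must be re-read over the encrypted channel
    except (smtplib.SMTPException, ssl.SSLError) as exc:
        raise TlsNotVerified(f"TLS negotiation failed: {exc}") from exc
    version = conn.sock.version()
    if version not in ACCEPTED_VERSIONS:
        raise TlsNotVerified(f"negotiated {version!r}, below policy")
    conn.sendmail(sender, recipient, message)
    return {"recipient": recipient, "tls_version": version}

class FakeConn:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    def __init__(self, offers_starttls, version="TLSv1.2"):
        self.offers, self.sent, self.sock = offers_starttls, [], None
        self._version = version
    def ehlo(self):
        return (250, b"ok")
    def has_extn(self, name):
        return self.offers and name == "starttls"
    def starttls(self, context=None):
        fake = self
        class Sock:  # mimics ssl.SSLSocket.version()
            def version(self):
                return fake._version
        self.sock = Sock()
    def sendmail(self, sender, recipient, message):
        self.sent.append((sender, recipient, message))
```

The returned record is what lets the sender later demonstrate that a given message was handed over on an encrypted session.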