Datatilsynet (Norway) - 20/02376
Revision as of 08:01, 21 June 2021
| Datatilsynet (Norway) - 20/02376 | |
|---|---|
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 24(1) GDPR, Article 32(1) GDPR, Article 32(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 28.05.2021 |
| Published: | 11.06.2021 |
| Fine: | 400,000 NOK |
| Parties: | BRABANK ASA (former Easybank ASA) |
| National Case Number/Name: | 20/02376 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA (Datatilsynet) fined a bank NOK 400,000 (€ 39,700) for failing to assess risks, conduct sufficient testing and implement sufficient technical measures when launching a new customer portal, thus breaching Articles 24 and 32 GDPR.
English Summary
Facts
A bank launched a new online portal for a selection of customers (about 500) where they would be able to see their loans. However, as a result of "frequent navigation" and, consequently, a problem with verifying sessions per user, some customers were able to see other customers' data, including contact information, while others only saw incorrect loan details. After a customer notified the bank that her loan details were incorrect, the bank immediately shut the portal down. By then, 91 customers had logged on and had potentially viewed incorrect data or the data of other data subjects. The bank was not able to recreate the error.
The bank claimed they tested the portal between May and August 2019. After this incident, they conducted thorough testing and added an extra verification measure to the system, before testing once again and doing another launch for a selection of customers. After 14 days without errors, they launched the portal to all customers, and after six months of operation no new errors had been discovered.
When asked by the DPA, the bank said that they had assessed the risks for the rights and freedoms of the customers as "low" because they could not change the information themselves and the personal data presented were not of a sensitive nature. However, they were not able to document that they had made this assessment.
The DPA noted in its decision that it does not agree and assesses, on the contrary, that the personal data in question are indeed sensitive in nature and require stronger measures. Further, the DPA commented that it was not reassured by the bank's responses to its investigation, and that it had not received sufficient documentation of the bank's claimed risk assessments and testing.
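The facts above describe a session-verification problem under frequent navigation that let one customer's request return another customer's data, and the DPA's finding that adequate pre-launch testing would have revealed it. As an added illustration (not code from the decision, the bank or GDPRhub), the following Python models one common way such cross-customer leaks arise, an authenticated identity held in state shared between in-flight requests instead of being bound to the request, next to the request-scoped form, and shows the kind of overlapping-request check that detects the defect before launch. The portal classes, customer names and loan records are constructed for the example; the decision does not say what the bank's actual defect was, so the shared-state mechanism is an assumption about the class of bug, not a description of the bank's system.

```python
# Constructed sample data for the example (not real customers or loans).
LOANS = {
    "alice": {"loan_no": "L-1001", "balance": 12000},
    "bob": {"loan_no": "L-2002", "balance": 8500},
}


class SharedStatePortal:
    """Hypothetical vulnerable design (assumed, not the bank's code).

    The identity established when the session is verified is stored on the
    service object, which every in-flight request shares.  Each request is a
    generator with two steps so that overlapping requests can be interleaved
    deterministically, a stand-in for 'frequent navigation' on a real server.
    """

    def __init__(self):
        self.verified_user = None  # shared across requests: the defect

    def request(self, session_user):
        self.verified_user = session_user  # step 1: session verification
        yield None                         # server switches to another request
        # step 2: fetch "the verified user's" loan, which may now be someone else's
        yield (session_user, self.verified_user, LOANS[self.verified_user])


class RequestScopedPortal:
    """Hardened design: identity is a request-local value, never shared state."""

    def request(self, session_user):
        user = session_user        # bound to this request only
        yield None
        yield (session_user, user, LOANS[user])


def run_overlapping(portal, session_users):
    """Drive one request per session user so that all of them pass session
    verification before any of them fetches data (the worst-case interleaving).
    Returns a list of (requesting_user, served_as_user, record) tuples."""
    in_flight = [portal.request(u) for u in session_users]
    for req in in_flight:
        next(req)                                # everyone completes step 1
    return [next(req) for req in in_flight]      # then everyone completes step 2


def find_cross_user_leaks(responses):
    """Pre-launch check: any response served as a different user than the one
    whose session made the request is a confidentiality breach."""
    return [(requester, served_as) for requester, served_as, _ in responses
            if requester != served_as]


def session_isolation_holds(portal_factory, session_users=("alice", "bob")):
    """True when overlapping requests never return another user's data."""
    leaks = find_cross_user_leaks(run_overlapping(portal_factory(), session_users))
    return not leaks


if __name__ == "__main__":
    for cls in (SharedStatePortal, RequestScopedPortal):
        print(cls.__name__, "isolates sessions:", session_isolation_holds(cls))
```

The check is deliberately deterministic: a real concurrency test against a running portal would fire overlapping authenticated requests from several sessions and assert that every response carries only the requesting session's data, which is the same property `find_cross_user_leaks` verifies here. The fix direction is also the same in real frameworks: keep the verified identity in the request context and look up data by it, never in a service-wide or thread-shared field.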
Dispute
Did the bank comply with the requirements of Articles 24 and 32 GDPR when introducing the new online customer portal?
Holding
The Norwegian DPA held that the bank did not comply with the GDPR requirements for conducting risk assessments and taking appropriate technical measures (testing) when launching the new online portal. The DPA considered that the breach could have been avoided if the bank had conducted these steps.
Consequently, the DPA fined them NOK 400,000 (€ 39,700) for failing to assess risks and conduct testing when launching a new customer portal, in breach of Articles 24 and 32 GDPR.
Comment
The DPA commented that the personal data in question is of a particularly private nature, and thus an aggravating circumstance that weighed in on their decision.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
BRABANK ASA
PO Box 4126 Sjølyst
0217 OSLO

Excluded from the public: Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt.
Our reference: 20/02376-5
Date: 28.05.2021

Decision on infringement fee - Notification of non-conformance - BRABANK ASA (formerly Easybank ASA)

1. Introduction

We refer to our notification of decision on infringement fee of 7 April 2021 to BRABANK ASA («BRABANK»). The privacy representative in BRABANK confirmed in a telephone conversation with the Data Inspectorate's caseworker on 19 May 2021 that the company has no comments on the notice, and that the company accepts the notified fee. The Authority therefore makes a decision on the infringement fine in accordance with the notification, and our justification follows below.

2. Decision on the imposition of infringement fines

1. Pursuant to Article 58 (2) (2) of the Privacy Ordinance, BRABANK ASA, org.nr. 986 144 706, is imposed an infringement fee of NOK 400,000 for:

• Violation of Article 24 (1) of the Privacy Regulation, in that it has not implemented appropriate technical and organizational measures to ensure and demonstrate that the processing is carried out in accordance with the Regulation, and
• Infringement of Article 32 (1) and (2) of the Privacy Regulation, in that it has not implemented appropriate technical and organizational measures to achieve a suitable security level.

Our legal basis for imposing infringement fines is Article 58 (2) letter i of the Privacy Ordinance. The deadline for fulfillment follows from section 6 of the decision.

Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org.nr: 974 761 467. Homepage: www.datatilsynet.no

3. Description of the deviation

The Data Inspectorate received a deviation report from Easybank ASA (now: BRABANK ASA) on 6 September 2019. According to the deviation report, some customers could see other customers' loan conditions when the bank launched "My Page" on September 3, 2019.

"My Page" is a solution where customers get an overview of their loan commitment. The discrepancy occurred with frequent navigation on the page, due to a problem with «verification of sessions per user». When asked about the more detailed reason why the deviation occurred, BRABANK ASA states in the statement dated 29 May 2020 that they have not managed to recreate the error in testing.

According to the deviation report, some customers could see other customers' social security numbers, names, telephone numbers, e-mail, loan numbers, outstanding loans, loan status, payment accounts, information about invoices, and information on any insurance conditions. The insurance products are associated with the loan. In the statement dated 29 May 2020, BRABANK ASA writes that social security numbers were nevertheless not available to other customers. Customers also could not see who the financial information belonged to. If the customer followed a link to verify contact information, they could bring up the contact details of other customers. This information would not necessarily be associated with the loan they had been given access to. BRABANK ASA has found that one customer obtained another customer's address information and at least two customers received incorrect loan information.

When asked by the Norwegian Data Protection Authority, BRABANK ASA states that the risk to the data subjects' rights and freedoms was considered low, as customers could not make changes in the solution, and the information presented was not of a sensitive nature. BRABANK ASA does not have documentation of this assessment.

When asked by the Norwegian Data Protection Authority, the bank writes that the solution was tested in the period May 2019 to August 2019 in their test environment. It was then verified / tested in an internal environment that points towards the production database. At launch, the bank sent out login information to a smaller selection of customers (approx. 500). Of these, 91 customers logged in before the rollout was reversed. BRABANK ASA discovered the discrepancy when a customer made contact shortly after launch and stated that the balance and payment plans did not match her loan. BRABANK ASA closed "My Page" immediately after this, ten minutes after launch. The 91 customers who were logged in in the period 11:35 to 11:45 were potentially affected by the discrepancy.

As a remedial measure, the non-conformance report states that rectification of the problem is underway and extensive testing will be done before the website is put back into production. Further, the bank will enter an additional verification in the system, and then review all actions that have been performed on "My Page" by the affected customers to ensure the validity of the changes. The report states that BRABANK ASA has replaced the data connector. If there was a deviation, the customer would receive an error message and it would be logged in their database. The solution was then tested, and then relaunched for a smaller sample of customers. After 14 days without error, the solution was launched for all customers. After 6 months of operation, no new bugs have been logged. The bank has informed the 91 customers about the discrepancy by SMS and e-mail, and informed them about remedial measures.

4. More about the requirements of the Personal Data Act

4.1. The responsibility of the "controller"

The "treatment manager" is the one who decides the purpose of the treatment and which means are to be used, cf. Article 4 (7). The data controller is responsible for ensuring that the processing of personal data takes place in line with the basic principles of the Privacy Ordinance and must be able to demonstrate this, cf. Article 5 (2) of the Privacy Regulation. The data controller has a duty to carry out appropriate technical and organizational measures to ensure and demonstrate that the processing takes place in accordance with the Privacy Ordinance, cf.
Article 24. According to Article 24, in assessing appropriate measures, the nature of the treatment shall be taken into account, as well as the scope, purpose and context in which it is carried out, and the risks of varying probability and severity for the data subjects' rights and freedoms. The measures shall be reviewed and updated as needed.

4.2. The basic principles for the processing of personal data

The basic principles for the processing of personal data follow from Article 5 (1) of the Privacy Regulation. We refer to Article 5 (1) (a), (b), (c) and (f):

"1. Personal data shall
a) be processed in a lawful, fair and open manner with regard to the data subject ("legality, justice and transparency"),
b) be collected for specific, expressly stated and justified purposes and not further processed in a manner incompatible with these purposes (…) ("purpose limitation"),
c) be adequate, relevant and limited to what is necessary for the purposes they are processed for ("data minimization"),
(…)
f) be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal treatment (…) by the use of suitable technical or organizational measures ("integrity and confidentiality")."

The data controller is responsible for and must be able to demonstrate that the privacy principles are complied with, in accordance with Article 5 (2).

4.3. Safety of treatment

The requirements for personal data security are further regulated in Article 32. It follows:

"1. Taking into account technical developments, implementation costs and the nature, scope, purpose and context of the treatment, as well as the risks of varying degrees of probability and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organizational measures to achieve a level of security that is appropriate with consideration of the risk, including, inter alia, as appropriate,
a) pseudonymisation and encryption of personal data,
b) the ability to ensure lasting confidentiality, integrity, availability and robustness in treatment systems and services,
(…)
d) a process for regular testing, analysis and assessment of how effective the treatment's technical and organizational security measures are.
2. In assessing the appropriate level of safety, special consideration shall be given to the risks associated with the processing, in particular as a result of (…) unauthorized disclosure of or access to personal information that has been transferred, stored or otherwise treated."

4.4. The Data Inspectorate's corrective authority

The Data Inspectorate's corrective authority follows from the Privacy Ordinance, Article 58 (2). Datatilsynet has, among other things, competence to impose infringement fines and issue reprimands for violations. According to Proposition 148 of the Privacy Ordinance, in case of violations of the Ordinance «sanctions, including infringement fines, are imposed in addition to or instead of appropriate measures as imposed by the supervisory authority» in accordance with the Regulation. In case of minor violations, a reprimand can be given instead of an infringement fee. In assessing whether an infringement fee is to be imposed, the Norwegian Data Protection Authority shall emphasize the points in Article 83, paragraph 2, letters a to k.

5. The Data Inspectorate's assessment

5.1. Responsible for processing

The bank itself has submitted the deviation report pursuant to Article 33, which requires controllers to report deviations to the Norwegian Data Protection Authority. The case concerns the treatment of personal information through the launch of "My Page", a login service that, according to what is stated, belongs to Easybank ASA (now: BRABANK ASA). Based on this, we assume that BRABANK ASA determined the purpose and means of the processing, so that the bank is «responsible for processing» according to Article 4 no. 7.

5.2. Responsibility of the controller, in accordance with Article 24

The question is whether BRABANK ASA, at the launch of "My Page", carried out suitable technical and organizational measures to ensure and demonstrate that the treatment is carried out in accordance with the Regulation. As mentioned in point 4, integrity and confidentiality are a basic principle according to the Privacy Regulation. Article 5 (1) (f) stipulates that personal data must be processed in a manner that ensures adequate security of personal data, including protection against accidental loss, destruction or damage. In assessing which measures are suitable, the person responsible for treatment shall take into account the nature, scope, purpose and context in which the treatment is performed, as well as the risks of varying degrees of probability and severity for the data subjects' rights and freedoms.

"My Page" is a solution that offers customers an overview of their loan commitment. Based on the statements from BRABANK ASA, we assume that the solution would show the customer's loan details, including loan balance and payment plan(s). The launch of "My Page" thus involved processing the customers' financial information. This information is not a special category of personal information under Article 9 of the Privacy Regulation; however, the information may still be of a sensitive character for the data subjects. Unlike, for example, income, financial information is not publicly available information. The Data Inspectorate's privacy surveys have also shown that information about personal finances is perceived as particularly worthy of protection. [1] As many as 89% thought this according to the Data Inspectorate's privacy survey for 2019/2020. [2] According to the website, the bank offers general banking services, but also consumer loans and refinancing. In our opinion, information about this type of debt in particular can feel painful for many, something a report from SIFO also supports. [3] We therefore do not agree with BRABANK ASA that the nature of the information posed too low a risk to the data subjects' rights and freedoms. On the contrary, we believe the nature of the information speaks for a higher severity, so the measures must be considered accordingly.

Furthermore, "My Page" initially involved a treatment of 500 customers' personal information, before the solution was to be rolled out to the rest of the customer base. Through the solution, BRABANK ASA would thus process the personal data of a large number of data subjects.

Both Article 24 and Article 32 impose an obligation to carry out a risk assessment. This must, among other things, take into account the risk that a planned processing of personal data poses to the rights and freedoms of natural persons. The risk assessment forms the basis for which measures pursuant to Articles 24 and 32 are suitable, and it forms the basis for the assessment of whether the person responsible for treatment must carry out an impact assessment (DPIA) in accordance with Article 35. The risk assessment thus governs the data controller's internal control and information security.

In our assessment, the nature, scope and context in which the treatment was to be performed spoke in favor of a thorough assessment of measures to ensure and demonstrate that the treatment would be carried out in accordance with the Regulation. In our opinion, BRABANK ASA cannot present documentation or in any other way demonstrate that they have made the necessary assessments in accordance with Articles 24 and 32. Based on this, our preliminary conclusion is that the bank has not complied with its responsibility under Article 24 (1).

[1] See Datatilsynet, Privacy Survey 2013/2014, https://www.datatilsynet.no/regelverk-og- tools / reports-and-studies / privacy surveys / privacy survey-2013 sub-reports / (visited 14.1.2021) and the Norwegian Data Protection Authority, Privacy Survey 2019/2020, https://www.datatilsynet.no/regelverk-og- tools / reports-and-studies / privacy surveys / privacy survey-20192020 / (visited 14.1.2021)
[2] Datatilsynet, Privacy Survey 2019/2020, https://www.datatilsynet.no/regelverk-og-verktoy/rapporter- and-investigations / privacy surveys / privacy survey-20192020 / (visited 14.1.2021)
[3] Cf. https://www.oslomet.no/forskning/forskningsnyheter/stor-forbrukslan-skam-i-norge (visited 14.1.2021)

5.3. Safety of treatment pursuant to Article 32

The next question is whether BRABANK ASA, at the launch of "My Page", implemented appropriate technical and organizational measures to achieve an appropriate level of security in accordance with Article 32.

Risk assessment

In assessing which measures are suitable, the person responsible for treatment shall take into account the technical development, the implementation costs and the nature, scope and purpose of the treatment, and the context in which it is performed, as well as the risks of varying probability and severity for the data subjects' rights and freedoms. The principle of integrity and confidentiality is a basic principle according to the Privacy Ordinance, cf. Article 5 (1) (f). The risk to the rights and freedoms of natural persons governs the security measures that treatment managers must carry out before they start a new treatment activity. This follows from Article 32 (1) and (2).

However, BRABANK ASA cannot document the risk assessment, and states that they rated the risk as low. The bank points out that the information that customers should have access to through the solution was not of a sensitive nature. As mentioned, we do not agree with the bank's assessment that the nature of the information posed too low a risk. As financial information would be processed in the solution, the nature of the processing counted for a higher severity, so that the measures had to be assessed accordingly. Furthermore, the roll-out of a new solution such as "My Page" will always be associated with a risk of technical faults and security breaches, including the risk of breaches of confidentiality, integrity and availability. We therefore believe that the probability of deviations spoke in favor of a real risk to the data subjects' rights and freedoms.

The scope of treatment is another factor in the assessment of how extensive the security measures must be, cf. Article 32 (1). As mentioned, the solution initially involved processing the personal data of 500 of the bank's customers. We also believe that the high number of data subjects spoke in favor of a high degree of personal data security.

Article 32 sets out an obligation to carry out a risk assessment, regardless of the type of personal information in question, and regardless of whether it is possible to make changes in the solution or not. The obligation to carry out a risk assessment is regulated in several places in the Regulation. This shows how basic such assessments are for safeguarding personal data security. However, we do not find BRABANK ASA's answers to questions about risk assessment reassuring, and believe there is reason to question whether the risk was assessed, and whether in that case there was a sound assessment.
Appropriate safety measures

According to Article 32, the data controller shall implement appropriate security measures based on the risks that have been identified in the risk assessment. BRABANK ASA tested the solution in the period May 2019 to August 2019 in its own test environment. Then they verified / tested the solution in an internal environment that points to the production database. At launch, they sent out login information to a small sample of customers (about 500).

In our assessment, the bank is not very specific in the description of how the testing was carried out, and it has not attached documentation, such as test protocols, to prove what measures were implemented before the launch. We believe this may indicate deficient testing. That the discrepancy occurred on the same day as the solution was launched for a selection of customers can also substantiate that the testing was inadequate. It appears from the deviation message that the deviation occurred during frequent navigation on the page. We inform about the importance of testing and different test methods in our guide to built-in privacy. [4] We also mention session management, which the bank states has been one of the reasons for the discrepancy.

We note that the financial information that was made available to other customers in the case was not linked to names or other contact information. Our assessment is that it was coincidence that the breach of personal data security did not also lead to contact information being made available to unauthorized persons, as the solution had not been tested well enough. Adequate technical measures in the form of testing are a basic prerequisite for uncovering vulnerabilities that may lead to breaches of confidentiality as in this case. In our preliminary assessment, sufficient testing would have revealed the errors in the solution. Adequate testing and detection of errors before launch could have put the bank in a position to implement appropriate safety measures, thus avoiding the deviation. We can therefore not see that BRABANK ASA can have implemented sufficient security measures before launch, set against the factors as described above.

Conclusion

Based on the above, we conclude that the risk assessment was deficient, that BRABANK ASA did not make a sound assessment of appropriate technical and organizational measures, and that they thus did not achieve a suitable level of safety in relation to the risk factors. According to our preliminary conclusion, there is therefore a breach of Article 32 (1) and (2).

[4] https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/innebygd- privacy / software-development-with-built-in-privacy / test /

5.4. Assessment of corrective measures

The Data Inspectorate's corrective authority follows from the Privacy Ordinance, Article 58 (2). Depending on the circumstances in each individual case, an infringement fine shall be imposed in addition to or in place of the other sanctions referred to in Article 58 (2) (a) to (h) and (j), cf. Article 83 No. 2 first sentence. According to Proposition 148 of the Privacy Ordinance, for minor violations it is possible for a reprimand to be given instead of an infringement fee. In the case of serious violations, the infringement fine is thus the primary form of sanction.

In accordance with the Supreme Court's practice (cf. Rt. 2012 page 1556), we assume that infringement fines are to be regarded as penalties under Article 6 of the European Convention on Human Rights. Therefore, a clear preponderance of probabilities for the offense is required in order to be able to impose a fee.

In assessing whether an infringement fee is to be imposed, the Norwegian Data Protection Authority shall emphasize the factors in Article 83 no. 2 letters a to k. We will assess the factors here in turn.

a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the processing concerned and the number of data subjects affected, and the extent of the damage they have suffered

The breach of personal data security is a result of a lack of technical and organizational measures that ensure satisfactory information security with regard to confidentiality and integrity, cf. Article 32 of the Regulation. The principle of confidentiality and integrity is fundamental under the Privacy Ordinance, cf. Article 5 No. 1 letter f. In our opinion, it appears as if the bank violated fundamental safety principles through deficient studies and measures before launching the solution. We cannot see that BRABANK ASA made a sound risk assessment and assessment of security measures, if it made such assessments at all. This pulls in the direction of the infringement being serious.

Furthermore, the solution involved the processing of information that we believe it is natural to perceive as information worthy of protection. Information on personal finances, especially information on consumer loans, is perceived by many as information of a very private nature. Treatment managers must therefore be particularly careful when treating such information, even if it does not concern special categories of personal information. However, the bank seems to have underestimated this, which we also believe pulls in an aggravating direction. The nature and severity of the infringement thus suggest the imposition of an infringement fine.

We also look at the duration of the violation. BRABANK ASA stopped access to «My Page» immediately after they were made aware of the discrepancy. The security breach lasted from 11:35 to 11:45. The fact that the bank acted immediately means that the duration does not constitute an aggravating factor in the case.

The extent of the damage the data subjects have suffered does not pull in a particularly aggravating direction, based on the information the bank has provided. Customers reportedly did not have access to identifiable information about other customers' financial situation. However, customers could access other customers' contact information, which is identifiable. According to the non-conformance report, 91 people were affected by the non-conformance, as this was the number of people logged in during the security breach. However, the solution was rolled out to 500 of the customers, and all of these were thus exposed to the risk of breaches of confidentiality. In our opinion it is therefore 500 who were affected by the infringement.

b) whether the infringement was committed intentionally or negligently

In our opinion, BRABANK ASA should have carried out a more thorough and documentable risk assessment and assessment of appropriate safety measures. Based on the case information, it appears as if the bank downplayed what assessments they had to carry out before data subjects could access the solution. The bank exposed the data subjects to a risk by launching the solution without adequate risk assessment and measures. The probability of deviation must therefore have been visible to the bank, and we consider it negligent of the bank not to implement better appropriate technical measures to mitigate this risk, as Article 32 of the Privacy Regulation requires. This suggests that infringement fines should be imposed.

c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects

BRABANK ASA stopped access to "My Page" immediately after a customer contacted them and informed them of the discrepancy. According to the bank, they implemented stronger security measures before launching the solution again. After six months of operation, they have not received any inquiries about deviations. The Norwegian Data Protection Authority has no basis for assessing whether the remedial measures were sufficient. We see, however, that the bank acted quickly when they were made aware of the discrepancy, which may have limited the extent of damage. This pulls in a mitigating direction.

d) the degree of responsibility of the data controller or data processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32

We have concluded that the bank did not carry out sufficient technical and organizational measures in accordance with Article 32. Furthermore, we find that there is a violation of Article 24, which precisely regulates the responsibility of the data controller. As mentioned, the bank fundamentally disregarded safety principles and underestimated the risk of the treatment. It should be common knowledge that risk assessment is a basic starting point for work with safety measures in new solutions. As the bank has not done what must be expected based on the nature and scope of the treatment, we believe the degree of liability speaks for the imposition of infringement fines.

e) any relevant previous violations committed by the data controller or the data processor

The Data Inspectorate is not aware of any previous violations.

f) the degree of cooperation with the supervisory authority to remedy the infringement and reduce its possible negative effects

We do not see that this factor is relevant.

g) the categories of personal data affected by the infringement

Special categories of personal data were not affected by the discrepancy. The bank would, however, process financial information about the data subjects, which we believe is a type of personal data that must be treated with particular care. As mentioned, information about personal finances is something that data subjects find particularly worthy of protection, and information about consumer loans is perceived as very private. However, based on the bank's statements, it is not certain that this information was directly identifiable when it was made available to unauthorized persons. On the other hand, this seems to be due to coincidence, and in our opinion the bank did not take sufficient account of the risk that financial information in their processing systems could be exposed to breaches of confidentiality. The categories of personal data that are affected by the infringement therefore speak in favor of the imposition of an infringement fine.

h) the manner in which the supervisory authority became aware of the infringement, in particular whether and possibly to what extent the data controller or data processor has notified of the infringement

We gained knowledge of the infringement through a deviation report from BRABANK ASA. According to guidelines from the Article 29 Working Party, adopted by the Privacy Council ("EDPB"), it is not a mitigating circumstance that the data controller complies with its duty to notify. [5]

i) if the measures referred to in Article 58 (2) have previously been taken against the data controller or data processor concerned with respect to the same subject matter, whether the mentioned measures are complied with

We do not know that measures have been taken in the past with regard to the same subject matter.

j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42

We do not find this aspect relevant to the case.

k) any other aggravating or mitigating factor in the case, e.g. economic benefits which have been obtained, or losses which have been avoided, directly or indirectly, as a result of the infringement

We have not established whether BRABANK ASA has obtained any financial benefits, or avoided losses directly or indirectly as a result of the infringement.
Based on the assessment above, the Data Inspectorate concludes that an infringement fee should be imposed. The The next question is the size of the fee. 5.5. The amount of the infringement fee In determining the fee, the points in section 5.4 above shall be given weight, cf. Article 83 no. 2. The fee shall in each individual case be effective, be in a reasonable proportion to the infringement and have a deterrent effect, cf. Article 83 (1). The statement above shows the grade and severity, degree of responsibility and type personal data that was affected pulls in an aggravating direction. In a mitigating direction, it suggests that the bank acted immediately when they were made aware on the deviation, and thus may have limited the extent of the damage. We also ensure that customers do not have access to directly identifying information about other people's personal finances in the event of the deviation, and emphasizes this in a mitigating direction. On the other hand, deficient routines often have the consequence that the risk of errors increases. IN in this case, there was a lack or lack of risk assessment and assessment of appropriate measures before launching a new solution that would involve the processing of personal data in greater 5 See Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP 253, page 15. 12 scope. The case raises fundamental security issues, and the signal effects must be considered to be present. Since the fee in each individual case must be effective and have a deterrent effect, we will also look at the business finances. BRABANK ASA is registered in 2019 with revenues of NOK 271,380,000 and annual profit of kr 86 180 000. After an overall assessment of the case, we have come to a violation fee of NOK 400,000 considered correct. 6. Right of appeal You can appeal the decision. Any complaint must be sent to us within three weeks after this the letter has been received (cf. 
the Public Administration Act §§ 28 and 29). If we maintain our decision will we forward the case to the Privacy Board for complaint processing. If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after the expiry of the time limit for appeal, cf. the Personal Data Act § 27. 7. Transparency and publicity You have the right to access the case documents (cf. the Public Administration Act § 18). We will also inform that all documents are in principle public (cf. the Public Access to Information Act § 3.) If you believe there is a basis for exempting all or part of the document from public insight, we ask you to justify this. If you have questions about the case, you can contact legal adviser Ole Martin Moe at telephone 22 39 69 59. With best regards Jørgen Skorstad department director Ole Martin Moe legal adviser The document is electronically approved and therefore has no handwritten signatures 13