Datatilsynet (Denmark) - 2021-442-12980: Difference between revisions
No edit summary |
No edit summary |
||
| Line 61: | Line 61: | ||
}} | }} | ||
In an [[Article 60 GDPR]] procedure, the Danish DPA reprimanded Dankse bank for a violation of [[Article 32 GDPR|Article 32(1) GDPR]] caused by a technical error, which | In an [[Article 60 GDPR]] procedure, the Danish DPA reprimanded Dankse bank for a violation of [[Article 32 GDPR|Article 32(1) GDPR]] caused by a technical error, which resulted in the unauthorised disclosure of invoices to Finnish business customers of the bank. | ||
== English Summary == | == English Summary == | ||
Revision as of 15:55, 30 January 2023
| Datatilsynet - INC000003185717 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | 12.05.2021 |
| Decided: | 13.06.2022 |
| Published: | 23.01.2023 |
| Fine: | n/a |
| Parties: | Danske Bank |
| National Case Number/Name: | INC000003185717 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
In an Article 60 GDPR procedure, the Danish DPA reprimanded Dankse bank for a violation of Article 32(1) GDPR caused by a technical error, which resulted in the unauthorised disclosure of invoices to Finnish business customers of the bank.
English Summary
Facts
A technical error at the side of Danske Bank (Controller) resulted in a data breach which concerned 132 electronic invoices, which were disclosed to Finish business customers. The breach occurred because the invoices in question were uploaded in the controller's database, which was specifically designed for business users. However, these invoices were uploaded without the account details of the person who was supposed to receive the specific invoice. This lack of a receiver in the controller's system allowed another user to search these invoices by performing a 'blank search', a search without using the search box for 'recipient'
The invoices contained the name, address an invoice number of the controller's customers in Finland. These invoices were searchable and visible for 14.511 Finish business customers between 5 May 2021 and 10 May 2021.
The controller notified the Danish DPA on 12 May 2021 of this data breach.
Holding
The DPA stated that Article 32 GDPR normally implies that when a controller is using systems with a large number of confidential information concerning a large number of users, the controller has to comply with higher requirements to ensure that there is no unauthorised access to personal data. In this case, it meant that the controller should have assessed all likely out-comes in the context of the development of software used to process personal data. The DPA specifically referred to Article 32(1)(d) GDPR, which states that the controller should implement a procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure security of processing.
The DPA considered considers that the controller had not taken appropriate organisational and technical measures by not continuously testing its own technical measures, resulting in a violation of Article 32(1) GDPR. The DPA reprimanded the controller for this violation.
Comment
It was not specified in the decision itself why this decision was the result of an Article 60 GDPR procedure.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Danske Bank A/S
13 June 2022
Holmens Kanal 2-12
1092 København K J.No. 2021-442-12980
IMI case no. 483097
Caseworker
Betty Husted
Sendt via Digital Post til CVR 61126228
Regarding personal data breach, your case no. INC000003185717 The Danish Data
Protection Agency
The Danish Data Protection Agency hereby returns to the case where Danske Bank A/S has Carl Jacobsens Vej 35
notified a personal data breach to the Danish Data Protection Agency on 12 May 2021. 2500 Valby
Denmark
T 3319 3200
1. Decision
dt@datatilsynet.dk
After examining the case, the Danish Data Protection Agency considers that there are grounds datatilsynet.dk
for issuing a reprimand that Danske Bank’s processing of personal data has not been carried
VAT No. 11883729
out in accordance with the rules laid down in Article 32(1) of the GDPR.
Below is an examination of the case and a statement of reasons for the Danish Data Protection
Agency’s decision.
2. Summary of facts
Danske Bank notified a personal data breach to the Danish Data Protection Agency on 12 May
2021.
According to the notification, a technical error in sending 132 electronic invoices containing the
name, address and invoice number to Danske Bank’s customers in Finland resulted in the 132
invoices being searchable and visible to 14.511 Finnish business customers in the period be-
tween 5 May 2021 and 10 May 2021.
The breach occurred due to a technical error in which 132 invoices were placed in the 'District
platform' system without the recipients’ account details. The blank receiver field allowed these
invoices to be searched if the user performed a search without entering receiver’s information
(a blank search).
Danske Bank’s investigation of the breach shows that 371 Finnish users accessed the elec-
tronic invoices between 5 May 2021 and 10 May 2021. However, the number of users who
performed a search without entering the receiver’s information (a blank search) would most
likely be lower.
District Platform is an application developed by Danske Bank for the bank’s business custom-
ers to search for invoices, among other things.Danske Bank stated that on 10 May 2021, recipient information was added manually to the Page 2 of 2
132 electronic invoices. On 20 May 2021, a safety mechanism was verified and released en-
suring the possibility of performing a search for electronic invoices with no receiver information
was disabled.
3. Reasons for the Danish Data Protection Agency’s decision
On the basis of the information provided by Danske Bank, the Danish Data Protection Agency
considers that from 5 May 2021 to 10 May 2021 it has been possible for the bank’s business
customers in Finland to see unrelated invoices.
According to Article 32(1) of the GDPR the controller must take appropriate technical and or-
ganisational measures to ensure a level of security appropriate to the risks posed by the pro-
cessing of personal data by the controller.
There is thus an obligation on the controller to identify the risks that the controller’s processing
poses to data subjects and to ensure that appropriate safeguards are put in place to protect
data subjects from those risks.
The Data Protection Agency is of the opinion that the requirement under Article 32 on adequate
security will normally imply that in systems with a large number of confidential information
about a large number of users, higher requirements must be imposed on the controller’s care-
fulness in ensuring that there is no unauthorised access to personal data, that all likely out-
comes should be tested in the context of the development of software where personal data
are processed and that a relevant security measure in Article 32(1)(d) specifically mentions
that the controller implements a procedure for the regular testing, assessment and evaluation
of the effectiveness of the technical and organisational measures to ensure security of pro-
cessing.
In the light of the above, the Danish Data Protection Agency considers that Danske Bank – by
not having continuously tested the Bank’s technical measures – has not taken appropriate
organisational and technical measures to ensure a level of security appropriate to the risks
associated with the processing of personal data by Danske Bank, cf. Article 32(1) of the GDPR.
After examining the case, the Danish Data Protection Agency considers that there are grounds
for issuing a reprimand that Danske Bank’s processing of personal data has not been carried
out in accordance with the rules laid down in Article 32(1) of the GDPR.
As a mitigating fact, the Danish Data Protection Agency has taken into account that the breach
concerned only information on name, address and invoice number.
Kind regards
Betty Husted
