Datatilsynet (Norway) - 20/02376

From GDPRhub

Latest revision as of 07:40, 4 October 2021

Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 24(1) GDPR; Article 32(1) GDPR; Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 28.05.2021
Published: 11.06.2021
Fine: 400,000 NOK
Parties: BRABANK ASA (former Easybank ASA)
National Case Number/Name: 20/02376
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) fined a bank NOK 400,000 (€ 39,700) for failing to assess risks, conduct sufficient testing and implement appropriate technical measures when launching a new customer portal, thus breaching Articles 24 and 32 GDPR.

English Summary

Facts

A bank launched a new online portal for a selection of customers (about 500) where they would be able to see their loans. However, as a result of "frequent navigation" and, consequently, a problem with verifying sessions per user, some customers were able to see other customers' data, including contact information, while others only saw incorrect loan details. After a customer notified the bank that her loan details were incorrect, the bank immediately shut the portal down. By then, 91 customers had logged on and had potentially viewed incorrect data or data belonging to other data subjects. When asked about the exact reason why the discrepancy occurred, the bank said it had not been able to recreate the error.

The bank claimed they had tested the portal between May and August 2019. After this incident, they conducted thorough testing and added an extra verification measure to the system, before testing once again and relaunching for a selection of customers. After 14 days without errors, they launched the portal to all customers, and after six months of operation no new errors had been discovered.

When asked by the DPA, the bank said that they had assessed the risks for the rights and freedoms of the customers as "low" because customers could not change the information themselves and the personal data presented were not of a sensitive nature. However, they were not able to document that they had made this assessment.
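The session-verification failure described above, and the extra verification measure the bank later reported adding (the decision below says a detected deviation would produce an error message to the customer and a log entry), as an added Python example that is not part of the GDPRhub page or of the DPA decision. The cause is modelled as an assumption, since the bank could not reproduce it: a portal that keeps "which customer is navigating" in shared state rather than resolving it from the session token on every request. All names, tokens, loan records and the backend fault injected in the second demo are constructed for illustration.

```python
# Added example, not code from GDPRhub or the Norwegian DPA decision.
# Models the failure in the decision (loan data shown to the wrong customer
# during "frequent navigation") and the control the bank reported adding:
# an ownership check that errors and logs instead of serving mismatched data.
# Assumed (hypothetical) cause: "which customer is navigating" is kept in
# shared state instead of being resolved from the session token per request.
from __future__ import annotations

import logging
import secrets
from dataclasses import dataclass
from typing import Callable

log = logging.getLogger("portal")


@dataclass(frozen=True)
class Loan:
    loan_id: str
    owner_id: str
    balance_nok: int


# Constructed sample data: two customers with one loan each.
LOANS = {"L-1": Loan("L-1", "cust-A", 120_000), "L-2": Loan("L-2", "cust-B", 45_000)}


def loans_for(customer_id: str | None) -> list[Loan]:
    """Backend lookup: every loan owned by the given customer."""
    return [loan for loan in LOANS.values() if loan.owner_id == customer_id]


class SessionStore:
    """Server-side session table: opaque token -> customer id."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def login(self, customer_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_token[token] = customer_id
        return token

    def customer_for(self, token: str) -> str | None:
        return self._by_token.get(token)


class VulnerablePortal:
    """navigate() records the caller in shared state; view_loans() then trusts whoever navigated last."""

    def __init__(self, sessions: SessionStore) -> None:
        self.sessions = sessions
        self.active_customer: str | None = None  # shared across requests

    def navigate(self, token: str) -> None:
        self.active_customer = self.sessions.customer_for(token)

    def view_loans(self, token: str) -> list[Loan]:
        return loans_for(self.active_customer)  # defect: the caller's token is ignored


class HardenedPortal:
    """Resolves the customer from the token on every request and re-verifies ownership of each record."""

    def __init__(self, sessions: SessionStore,
                 fetch: Callable[[str], list[Loan]] = loans_for) -> None:
        self.sessions = sessions
        self.fetch = fetch
        self.deviations: list[dict] = []  # stands in for a persistent audit log

    def view_loans(self, token: str) -> list[Loan]:
        customer = self.sessions.customer_for(token)
        if customer is None:
            raise PermissionError("no valid session")
        records = self.fetch(customer)
        # Independent check: refuse and log if any record is not the caller's.
        foreign = [r.loan_id for r in records if r.owner_id != customer]
        if foreign:
            event = {"customer": customer, "foreign_loans": foreign}
            self.deviations.append(event)
            log.error("ownership mismatch, response refused: %s", event)
            raise PermissionError("data integrity check failed")
        return records


def demo_interleaving() -> tuple[list[str], list[str]]:
    """Two customers navigate at once; returns loan ids served to A by the vulnerable and hardened portals."""
    sessions = SessionStore()
    tok_a, tok_b = sessions.login("cust-A"), sessions.login("cust-B")
    vuln = VulnerablePortal(sessions)
    vuln.navigate(tok_a)  # A opens the loan page
    vuln.navigate(tok_b)  # B's navigation lands before A's data is fetched
    vuln_a = [loan.loan_id for loan in vuln.view_loans(tok_a)]  # A is served B's loan
    hard_a = [loan.loan_id for loan in HardenedPortal(sessions).view_loans(tok_a)]
    return vuln_a, hard_a


def demo_faulty_backend() -> dict:
    """Constructed backend fault (returns every loan); the hardened portal refuses and logs it."""
    sessions = SessionStore()
    hard = HardenedPortal(sessions, fetch=lambda _cid: list(LOANS.values()))
    try:
        hard.view_loans(sessions.login("cust-A"))
    except PermissionError:
        pass
    return hard.deviations[0]
```

The first demo reproduces the cross-customer exposure deterministically by interleaving two customers' requests, which is what a pre-launch test of "frequent navigation" needs to do; the second shows why the post-incident ownership check is worth keeping even after the root cause is fixed, since it turns a silent disclosure into an error plus an audit record.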

Dispute

Did the bank comply with the requirements of Articles 24 and 32 GDPR when introducing the new online customer portal?

Holding

First, the DPA held that the bank did not comply with the GDPR requirements for conducting risk assessments. Both Article 24 and Article 32 GDPR impose such an obligation.

Considering the individual case, a thorough assessment would have been necessary. This is due to the following facts: although financial data do not constitute special categories of personal data within the meaning of Article 9 GDPR, they are nevertheless to be considered sensitive data, and the personal data of a large number of data subjects were processed.

However, the controller could not present documentation or in any other way demonstrate that they had made the necessary assessments.

Second, the DPA found that the controller failed to take appropriate technical measures (testing) when launching the new online portal.

The DPA repeated that the controller did not assess the risk correctly.

With regard to measures under Article 32 GDPR, the DPA ruled as follows. Despite the fact that the controller tested the portal in its own test environment and only launched it for a selection of customers, those measures were not sufficient. The testing was not specifically described and documented. Further, the error occurred during frequent navigation of the page. The DPA considered that the breach could have been avoided if the bank had tested sufficiently.

Consequently, the DPA fined the controller NOK 400,000 (€ 39,700) for failing to assess risks and conduct testing when launching a new customer portal.

Comment

The DPA commented that the personal data in question is of a particularly private nature, and thus an aggravating circumstance that weighed in on their decision.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

BRABANK ASA
PO Box 4126 Sjølyst
0217 OSLO

Excluded from the public: Offl. § 13 cf. Popplyl. § 24 (1) 2. pkt.

Their reference:
Our reference: 20 / 02376-5
Date: 28.05.2021

Decision on infringement fee - Notification of non-conformance - BRABANK ASA (formerly Easybank ASA)

1 Introduction


We refer to our notification of decision on infringement fee of 7 April 2021 to BRABANK ASA
(«BRABANK»).


The privacy representative in BRABANK has confirmed in a telephone conversation with the Data Inspectorate
caseworker 19 May 2021 that the company has no comments on the notice, and that the company accepts
it notified the fee.


The Authority therefore makes a decision on infringement fines in accordance with the notification, and our justification follows below.


2. Decision on the imposition of infringement fines


        1. Pursuant to Article 58 (2) (2) of the Privacy Ordinance, BRABANK ASA, org.nr. 986 144 706, an infringement fee of NOK 400,000 for:

                • Violation of Article 24 (1) of the Privacy Regulation in that it has not implemented appropriate technical and organizational measures to secure and demonstrate that the processing is carried out in accordance with the Regulation, and

                • Infringement of Article 32 (1) and (2) of the Privacy Regulation in that it has not implemented appropriate technical and organizational measures to achieve a suitable security level.

Our legal basis for imposing infringement fines is Article 58 (2) of the Privacy Ordinance letter i.

The deadline for fulfillment follows from section 6 of the decision.



Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org.nr: 974 761 467. Homepage: www.datatilsynet.no

3. Description of the deviation

The Data Inspectorate received a deviation report from Easybank ASA (now: BRABANK ASA) on 6 September 2019. According to the deviation report, some customers could see other customers' loan conditions when the bank launched "My Page" on September 3, 2019. "My Page" is a solution where customers get an overview over their loan commitment.

The discrepancy occurred with frequent navigation on the page, due to a problem with «verification of sessions per user».

When asked about the more detailed reason why the deviation occurred, BRABANK ASA states in the statement dated 29 May 2020 that they have not managed to recreate the error in the test.




According to the deviation report, some customers could see other customers' social security numbers, names,
telephone number, e-mail, loan number, outstanding loan, status of loan, payment account, information about
invoices, and information on any insurance conditions. The insurance products are
associated with the loan.


In the statement dated 29 May 2020, BRABANK ASA writes that social security numbers were nevertheless not available to other customers. Customers also could not see who the financial information belonged to.

If the customer followed a link to verify contact information, they could get up the contact details of other customers. This information would not necessarily be associated with the loan they had been given access to.

BRABANK ASA has found that one customer obtained another customer's address information and at least two customers received incorrect loan information.

When asked by the Norwegian Data Protection Authority, BRABANK ASA states that the risk for the data subjects' rights and freedoms was considered low, as customers could not make changes in the solution, and the information presented was not of a sensitive nature. BRABANK ASA does not have documentation on this assessment.

When asked by the Norwegian Data Protection Authority, the bank writes that the solution was tested in the period May 2019 to August 2019 in their test environment. It was then verified / tested in an internal environment that points towards the production database. At launch, the bank sent out login information to a smaller selection of customers (approx. 500). Of these, 91 customers logged in before the rollout was reversed.

BRABANK ASA discovered the discrepancy by a customer contacting them shortly after launch, stating that the balance and payment plans did not match her loan. BRABANK ASA closed "My Page" immediately after this, ten minutes after launch. The 91 customers who were logged in in the period 11:35-11:45 were potentially affected by the discrepancy.

As a remedial measure, the non-conformance report states that rectification of the problem is underway and extensive testing will be done before the website is put back into production. Further, that the bank will enter an additional verification in the system, and then review all actions that have been performed on "My Page" by the affected customers to ensure the validity of the changes.

The report states that BRABANK ASA has replaced the data connector

If there was a deviation, the customer would receive an error message and it would be logged in their database.

The solution was then tested, and then relaunched for a smaller sample of customers. After 14 days without error, the solution was launched for all customers. After 6 months of operation, no new bugs have been logged.

The bank has informed the 91 customers about the discrepancy by SMS and e-mail, and informed about remedial measures.



4. More about the requirements of the Personal Data Act

    4.1. The responsibility of the "controller"

The "treatment manager" is the one who decides the purpose of the treatment and which ones
funds to be used, cf. Article 4 (7).


The data controller is responsible for ensuring that the processing of personal data takes place in line
with the basic principles of the Privacy Ordinance and must be able to demonstrate this, cf.
Article 5 (2) of the Privacy Regulation.

The data controller has a duty to carry out appropriate technical and organizational measures
measures to ensure and demonstrate that the processing takes place in accordance with the Privacy Ordinance, cf.

Article 24.

According to Article 24, in assessing appropriate measures, the nature of the treatment shall be taken into account;
the scope, purpose and context in which it is carried out, as well as the risks of varying probabilities
and the severity of the data subjects' rights and freedoms. The measures will be reviewed
new and updated as needed.


    4.2. The basic principles for the processing of personal data

The basic principles for the processing of personal data follow from
Article 5 (1) of the Privacy Regulation. We refer to Article 5 (1) (a), (b), (c) and (f):





1. Personal data shall

        a) be processed in a lawful, fair and open manner with regard to the data subject ("Legality, justice and transparency"),

        b) be collected for specific, expressly stated and justified purposes and not further processed in a manner incompatible with these purposes (…) ("Purpose limitation"),

        c) be adequate, relevant and limited to what is necessary for the purposes they are processed for ("data minimization"), (…)

        f) be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal treatment (…) by the use of suitable technical or organizational measures ("integrity and confidentiality")".

The data controller is responsible for and must be able to demonstrate that the privacy principles
complied with, in accordance with Article 5 (2).

    4.3. Safety of treatment


The requirements for personal data security are further regulated in Article 32. It follows:

        1. Taking into account technical developments, implementation costs and
        the nature, scope, purpose and context of the treatment, as well as the risks of
        varying degrees of probability and severity for the rights of natural persons and
        freedoms, the data controller and the data processor shall implement appropriate

        technical and organizational measures to achieve a level of security that is appropriate with
        consideration of the risk, including, inter alia, as appropriate,

        a) pseudonymisation and encryption of personal data,

        b) ability to ensure lasting confidentiality, integrity, availability and robustness in
        treatment systems and services, (…)


        d) a process for regular testing, analysis and assessment of how effective
        the treatment's technical and organizational security measures are.

        2. In assessing the appropriate level of safety, special consideration shall be given to the risks
        associated with the processing, in particular as a result of (…) unauthorized disclosure of
        or access to personal information that has been transferred, stored or otherwise

        treated".

    4.4. The Data Inspectorate's corrective authority

The Data Inspectorate's corrective authority follows from the Privacy Ordinance, Article 58 (2).




Datatilsynet has, among other things, competence to impose infringement fines and issue reprimands for violations.

According to Proposition 148 of the Privacy Ordinance, in case of violations of the Ordinance
«Sanctions, including infringement fines, are imposed in addition to or instead of appropriate measures
as imposed by the supervisory authority »in accordance with the Regulation. In case of minor violations can
a reprimand is given instead of an infringement fee.


In assessing whether an infringement fee is to be imposed, the Norwegian Data Protection Authority shall emphasize
the points in Article 83, paragraph 2, letters a to k.


5. The Data Inspectorate's assessment


    5.1. Responsible for processing

The bank itself has submitted the deviation report pursuant to Article 33, which imposes it
processing managers to report deviations to the Norwegian Data Protection Authority. The case concerns the treatment of
personal information through the launch of "My Page", a login service that after that
stated belongs to Easybank ASA (now: BRABANK ASA).


Based on this, we assume that BRABANK ASA determined the purpose and means of
the processing, so that the bank is «responsible for processing» according to Article 4 no. 7.

    5.2. Responsibility of the controller, in accordance with Article 24

The question is whether BRABANK ASA at the launch of "My Page" carried out suitable

technical and organizational measures to ensure and demonstrate that the treatment is carried out in accordance with
Regulation.

As mentioned in point 4, integrity and confidentiality are a basic principle according to
the Privacy Regulation. Article 5 (1) (f) stipulates that personal data must
processed in a manner that ensures adequate security of personal data, including
protection against accidental loss, destruction or damage.


In assessing which measures are suitable, the person responsible for treatment shall take into account
the nature, scope, purpose, and context in which the treatment is performed, as well as the risks of
varying degrees of probability and severity for the data subjects' rights and freedoms.

"My Page" is a solution that offers customers an overview of their loan commitment. Based on
the statements from BRABANK ASA, we assume that the solution would show the customer's

loan details, including loan balance and payment plan (s).

The launch of "My Page" thus involved processing the customers' financial information.






This information is not special categories of personal information after Article 9 of the Privacy Regulation; however, the information may still be of a sensitive degree for the data subjects. Unlike, for example, income, financial information is not publicly available information. The Data Inspectorate's privacy surveys have also shown that information about personal finances is perceived as particularly worthy of protection.[1] As many as 89% thought this according to the Data Inspectorate's privacy survey for 2019/2020.[2]


According to the website, the bank offers general banking services, but also consumer loans and refinancing. In our opinion, information about this type of debt in particular can feel painful to many, something a report from SIFO also supports.[3]


We therefore do not agree with BRABANK ASA that the nature of the information was too low a risk
for the data subjects' rights and freedoms. On the contrary, we believe the nature of the information speaks for itself
for a higher severity, so the measures must be considered accordingly.


Furthermore, "My Page" initially involved a treatment of 500 customers
personal information, before the solution was to be rolled out to the rest of the customer base. Through
the solution, BRABANK ASA would thus process the personal data in a large number
registered.


Both Article 24 and Article 32 impose an obligation to carry out a risk assessment. This one must
among other things, take into account the risk that a planned processing of personal data poses
the rights and freedoms of natural persons.


The risk assessment forms the basis for the measures pursuant to Articles 24 and 32
suitable, and it forms the basis for the assessment of whether the person responsible for treatment must

carry out an impact assessment (DPIA) in accordance with Article 35. The risk assessment is thus
governing the data controller's internal control and information security.

In our assessment, the nature, scope and context in which the treatment was to be performed spoke in favor

a thorough assessment of measures to ensure and demonstrate that the treatment would be carried out in accordance
with the Regulation.

In our opinion, BRABANK ASA cannot present documentation or in any other way

demonstrate that they have made the necessary assessments in accordance with Articles 24 and 32.

Based on this, our preliminary conclusion is that the bank has not complied with its responsibility
Article 24 (1).



[1] See Datatilsynet, Privacy Survey 2013/2014, https://www.datatilsynet.no/regelverk-og-tools / reports-and-studies / privacy surveys / privacy survey-2013 sub-reports / (visited 14.1.2021) and the Norwegian Data Protection Authority, the Privacy Survey 2019/2020, https://www.datatilsynet.no/regelverk-og-tools / reports-and-studies / privacy surveys / privacy survey-20192020 / (visited 14.1.2021)
[2] Datatilsynet, Privacy Survey 2019/2020, https://www.datatilsynet.no/regelverk-og-verktoy/rapporter-and-investigations / privacy surveys / privacy survey-20192020 / (visited 14.1.2021)
[3] Cf. https://www.oslomet.no/forskning/forskningsnyheter/stor-forbrukslan-skam-i-norge (visited 14.1.2021)




    5.3. Safety of treatment pursuant to Article 32

The next question is whether BRABANK ASA, at the launch of "My Page", implemented appropriate technical and organizational measures to achieve an appropriate level of security in accordance with Article 32.


Risk assessment

In assessing which measures are suitable, the person responsible for treatment shall take into account
the technical development, the implementation costs and the nature, scope, purpose of the treatment,
and the context in which it is performed, as well as the risks of varying probabilities and
severity of the data subjects' rights and freedoms. Integrity and
the principle of confidentiality is a basic principle according to the Privacy Ordinance, cf.

Article 5 (1) (f).

The risk to the rights and freedoms of natural persons governs the security measures they take
treatment managers must carry out before they start a new treatment activity. This
Article 32 (1) and (2).

However, BRABANK ASA cannot document the risk assessment, and states that they

rated the risk as low. The bank points out that the information that customers should have access to
through the solution was not of a sensitive nature.

As mentioned, we do not agree with the bank's assessment that the nature of the information was too low
risk. As financial information would be processed in the solution, the processing counted
nature for a higher severity, so that the measures had to be assessed accordingly.


Furthermore, the roll-out of a new solution for which "My Page" will always be associated with risk
technical faults and security breaches, including the risk of breaches of confidentiality, integrity and
availability.

We therefore believe that the probability of deviations spoke in favor of a real risk for the data subjects
rights and freedoms.


The scope of treatment is other factors in the assessment of how extensive
the security measures must be, cf. Article 32 (1).

As mentioned, the solution initially involved a processing of the personal data to 500
of the bank's customers. We also believe that the high number of registered people spoke in favor of a high degree of
personal data security.


Article 32 sets out an obligation to carry out a risk assessment, regardless of the type
personal information in question, and regardless of whether it is possible to make changes to the solution
or not. The obligation to carry out a risk assessment is regulated in several places in the regulation.
This shows how basic such assessments are for safeguarding personal security. However, we do not find BRABANK ASA's answers to questions about risk assessment reassuring, and believe there is reason to ask whether the risk was assessed at all, and whether in that case there was a sound assessment.

Appropriate safety measures


According to Article 32, the data controller shall implement appropriate security measures with
based on the risks that have been identified in the risk assessment.

BRABANK ASA tested the solution in the period May 2019 to August 2019 in its own test environment.
Then they verified / tested the solution in an internal environment that points to the production database.

At launch, they sent out login information to a small sample of customers (about 500).

In our assessment, the bank is not very specific in the description of how the testing turned out
completed, and it has not attached documentation, such as test protocols, to prove
what measures were implemented before the launch. We believe this may indicate a deficiency

testing. That the discrepancy occurred on the same day as the solution was launched for a selection of customers,
can also substantiate that the testing was inadequate.

It appears from the deviation message that the deviation occurred during frequent navigation on the page. We inform about the importance of testing and different test methods in our guide to built-in privacy.[4] We also mention session management, which the bank states has been one of the reasons for the discrepancy.

We note that the financial information that was made available to other customers in the case was not linked to names or other contact information. Our assessment is that it was coincidence that meant that the breach of personal data security did not also lead to contact information being made available to unauthorized persons, as the solution had not been tested well enough. Adequate technical measures in the form of testing are a basic prerequisite for uncovering vulnerabilities that may lead to breaches of confidentiality as in this case.

In our preliminary assessment, sufficient testing would have revealed the errors in the solution.

Adequate testing and detection of errors before launch could lead to the bank being put in place
able to implement appropriate safety measures, thus avoiding the deviation.

We can therefore not see that BRABANK ASA may have implemented sufficient security measures
before launch, set up against the moments as described above.


Conclusion

Based on the above, we conclude that the risk assessment was deficient, that BRABANK
ASA did not make a sound assessment of appropriate technical and organizational measures, and that
they thus did not achieve a suitable level of safety in relation to the risk factors.


[4] https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/innebygd-privacy / software-development-with-built-in-privacy / test /



After our preliminary conclusion, there is therefore a breach of Article 32 (1) and (2).

    5.4. Assessment of corrective measures

The Data Protection Authority's corrective powers follow from Article 58(2) GDPR.

Depending on the circumstances of each individual case, an administrative fine shall be imposed in addition to, or instead of, the other measures referred to in Article 58(2)(a) to (h) and (j), cf. Article 83(2) first sentence.

According to Recital 148 GDPR, a reprimand may be issued instead of a fine in the case of a minor infringement. In the case of serious infringements, an administrative fine is thus the primary form of sanction.


In accordance with Supreme Court practice (cf. Rt. 2012 p. 1556), we assume that administrative fines are to be regarded as penalties under Article 6 of the European Convention on Human Rights. A clear preponderance of probability that the infringement occurred is therefore required in order to impose a fine.

In assessing whether to impose an administrative fine, the Data Protection Authority shall give weight to the factors in Article 83(2)(a) to (k). We assess these factors in turn below.

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them


The personal data breach is the result of a lack of technical and organizational measures ensuring satisfactory information security with regard to confidentiality and integrity, cf. Article 32 GDPR. The principle of confidentiality and integrity is fundamental under the GDPR, cf. Article 5(1)(f).

In our opinion, it appears that the bank violated fundamental security principles through deficient assessments and measures before launching the solution. We cannot see that BRABANK ASA made a sound risk assessment and assessment of security measures, if it made such assessments at all. This points towards the infringement being serious.

Furthermore, the solution involved the processing of information that we consider should naturally be regarded as worthy of protection. Information on personal finances, and in particular on consumer loans, is perceived by many as information of a very private nature.

Data controllers must therefore be particularly careful when processing such information, even though it does not concern special categories of personal data. The bank, however, seems to have underestimated this, which we also consider an aggravating factor.





The nature and gravity of the infringement thus point towards the imposition of an administrative fine.

We also consider the duration of the infringement. BRABANK ASA stopped access to «My Page» immediately after being made aware of the incident. The security breach lasted from 11:35 to 11:45. Since the bank acted immediately, the duration is not an aggravating factor in the case.

Based on the information the bank has provided, the extent of the damage suffered by the data subjects is not a particularly aggravating factor. Customers are reported not to have had access to identifiable information about other customers' financial situation. However, customers could access other customers' contact information, which is identifiable.

According to the breach notification, 91 persons were affected by the incident, as this was the number of persons logged in during the security breach. However, the solution was rolled out to 500 customers, and all of these were thus exposed to the risk of a breach of confidentiality. In our opinion, 500 persons were therefore affected by the infringement.

b) the intentional or negligent character of the infringement

In our opinion, BRABANK ASA should have carried out a more thorough and documented risk assessment and assessment of appropriate security measures. Based on the information in the case, it appears that the bank downplayed the assessments it had to carry out before data subjects could access the solution. The bank exposed the data subjects to a risk by launching the solution without an adequate risk assessment and measures. The likelihood of an incident must therefore have been apparent to the bank, and we consider it negligent of the bank not to have implemented better technical measures to mitigate this risk, as Article 32 GDPR requires.

This points towards the imposition of an administrative fine.

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects


BRABANK ASA stopped access to "My Page" immediately after a customer contacted them and informed them of the incident. According to the bank, it implemented stronger security measures before launching the solution again. After six months of operation, it has not received any reports of incidents.

The Data Protection Authority has no basis for assessing whether the remedial measures were sufficient. We note, however, that the bank acted quickly when made aware of the incident, which may have limited the extent of the damage. This is a mitigating factor.

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32






We have concluded that the bank did not implement sufficient technical and organizational measures in accordance with Article 32. Furthermore, we find that there is a violation of Article 24, which specifically regulates the responsibility of the data controller. As mentioned, the bank fundamentally disregarded security principles and underestimated the risk of the processing. It should be common knowledge that a risk assessment is the basic starting point for work on security measures in new solutions.

As the bank has not done what must be expected given the nature and scope of the processing, we believe the degree of responsibility speaks in favour of imposing an administrative fine.

e) any relevant previous infringements by the controller or processor

The Data Protection Authority is not aware of any previous infringements.

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects

We do not consider this factor relevant.

g) the categories of personal data affected by the infringement

No special categories of personal data appear to have been affected by the incident. The bank would, however, process financial information about the data subjects, which we believe is a type of personal data that must be processed with particular care. As mentioned, information on personal finances is something data subjects find particularly worthy of protection, and information on consumer loans is perceived as very private.

Based on the bank's statements, however, it is not certain that this information was directly identifiable when it was made available to unauthorized persons. On the other hand, this appears to have been a matter of chance, and in our opinion the bank did not take sufficient account of the risk that financial information in its processing systems could be exposed to a breach of confidentiality.

The categories of personal data affected by the infringement therefore speak in favour of imposing an administrative fine.

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement











We became aware of the infringement through a breach notification from BRABANK ASA. According to the guidelines of the Article 29 Working Party, endorsed by the European Data Protection Board ("EDPB"), it is not a mitigating circumstance that the data controller complies with its duty to notify.5

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures

We are not aware of any measures having previously been taken with regard to the same subject matter.

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42

We do not find this factor relevant to the case.

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement

We have not established whether BRABANK ASA has obtained any financial benefits or avoided losses, directly or indirectly, as a result of the infringement.

Based on the assessment above, the Data Protection Authority concludes that an administrative fine should be imposed. The next question is the amount of the fine.


5.5. The amount of the administrative fine

In determining the amount of the fine, the factors in section 5.4 above shall be given weight, cf. Article 83(2). In each individual case the fine shall be effective, proportionate to the infringement and dissuasive, cf. Article 83(1).

The assessment above shows that the nature and gravity of the infringement, the degree of responsibility and the type of personal data affected point in an aggravating direction.

In a mitigating direction, it counts that the bank acted immediately when made aware of the incident and thus may have limited the extent of the damage.


We also note that customers did not have access to directly identifying information about other persons' personal finances during the incident, and we give weight to this in a mitigating direction.

On the other hand, deficient routines often have the consequence that the risk of errors increases. In this case, the risk assessment and the assessment of appropriate measures before launching a new solution that would involve the processing of personal data on a larger scale were deficient or absent. The case raises fundamental security issues, and a signal effect must be considered to be present.

Since the fine must in each individual case be effective and dissuasive, we also consider the financial situation of the undertaking.

BRABANK ASA is registered with revenues of NOK 271,380,000 and an annual profit of NOK 86,180,000 for 2019.

After an overall assessment of the case, we have concluded that an administrative fine of NOK 400,000 is appropriate.

5 See Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP 253, page 15.


6. Right of appeal

You may appeal the decision. Any appeal must be sent to us within three weeks of receipt of this letter (cf. the Public Administration Act §§ 28 and 29). If we uphold our decision, we will forward the case to the Privacy Appeals Board (Personvernnemnda) for processing.

If you do not appeal the administrative fine, the deadline for payment is 4 weeks after the expiry of the appeal period, cf. the Personal Data Act § 27.

7. Transparency and publicity

You have the right to access the case documents (cf. the Public Administration Act § 18). We also inform you that all documents are in principle public (cf. the Freedom of Information Act § 3).

If you believe there are grounds for exempting all or part of the document from public access, we ask you to provide a justification.

If you have questions about the case, you can contact legal adviser Ole Martin Moe by telephone on 22 39 69 59.




With best regards

Jørgen Skorstad
department director

Ole Martin Moe
legal adviser

The document is electronically approved and therefore has no handwritten signatures.





