IMY (Sweden) - DI-2021-1905

From GDPRhub
Revision as of 12:37, 13 September 2023

IMY - DI-2021-1905
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 58(2) GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 28.08.2023
Published: 28.08.2023
Fine: 35,000,000 SEK
Parties: n/a
National Case Number/Name: DI-2021-1905
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: Maximilien Hjortland

The Swedish DPA issued an administrative penalty fee of SEK 35 million (around €3 million) against Trygg-Hansa. The insurance company had served customer insurance documents at guessable URLs without any authentication, exposing the data of approximately 650,000 customers, including health data, for more than two years.

English Summary

Facts

On 30 November 2020, an external caller informed the controller by phone of the flaw. The employee who took the call did not recognise it as a possible security incident, so it was not escalated within the controller's organisation.

In December 2020, the Swedish DPA received a tip that the controller, the insurance company Moderna Försäkringar (since April 2022 Trygg-Hansa), had made personal data of its customers accessible to unauthorised persons. The exposed data of approximately 650,000 customers included special categories of data listed in Article 9(1) GDPR.

In March 2021, the Swedish DPA initiated an investigation to uncover whether the controller had implemented appropriate safeguards and mitigated risks to the data subject resulting from the data processing, in line with Articles 5(1)(f) and 32 of the GDPR.

The tip referred to 16 documents of different types (claims, invoices, insurance letters, insurance decisions, response cards, requests for additional information), which the Swedish DPA subsequently reviewed. The documents contained many categories of personal data: names, contact details, health data, social security numbers, financial data, insurance holdings, free-text descriptions of events, etc. The controller had not conducted a data protection impact assessment prior to the processing in question, which would have identified the high risk associated with it.

The investigation revealed that the data breach occurred in four steps:

1) An existing or potential customer called customer service to ask for an insurance quote. After the call ended, the customer service representative sent the customer an SMS or e-mail.

2) The SMS or e-mail contained a unique URL to a quote page on Trygg-Hansa's website.

3) The quote page contained clickable links to documents with insurance information, which the customer could open.

4) The URLs of these documents contained a numeric document ID that could be modified directly in the browser's address bar. By replacing digits in the ID, the person could retrieve other customers' documents. No login or other check of authorisation was required at any step, and a forwarded link gave the same access without changing anything.
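The access pattern in the four steps above is an insecure direct object reference: the sequential numeric document ID in the URL was the only thing standing between a visitor and another customer's file. The following Python is an added illustration, not code from this page or from Trygg-Hansa's systems; the URL scheme /documents/<8 digits>, the in-memory document store, the customer identifiers and the document contents are invented for the example. It contrasts the flawed handler with a hardened one that requires an authenticated session, checks ownership, and issues unguessable opaque handles instead of sequential IDs.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample data (not from the decision): 8-digit sequential document
# IDs that share their first six digits, as the decision describes for some of
# the leaked URLs. Owners and contents are invented for this example.
DOCS = {
    "20181001": ("cust-A", "Claim decision with health details of customer A"),
    "20181002": ("cust-B", "Insurance letter with vehicle details of customer B"),
    "20181003": ("cust-C", "Invoice with financial details of customer C"),
}

NUMERIC_DOC_URL = re.compile(r"^/documents/(\d{8})$")


def fetch_document_vulnerable(path):
    """The flawed pattern: the numeric ID in the URL is the only 'credential'.

    There is no session and no ownership check, so adding one to the ID in the
    address bar returns another customer's document. Returns (status, body).
    """
    m = NUMERIC_DOC_URL.match(path)
    if not m:
        return 404, None
    doc = DOCS.get(m.group(1))
    if doc is None:
        return 404, None
    return 200, doc[1]


# Hardened variant: opaque, random handles plus an authenticated ownership check.
HANDLES = {}  # opaque handle -> document ID; filled by issue_handle()
OPAQUE_DOC_URL = re.compile(r"^/documents/([A-Za-z0-9_-]+)$")


def issue_handle(doc_id):
    """Create a random 128-bit handle for a document, for use in links sent to its owner."""
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = doc_id
    return handle


@dataclass
class Session:
    """Result of a completed login; customer_id is assumed to have been verified."""
    customer_id: str


def fetch_document_hardened(path, session):
    """Serve a document only to an authenticated session that owns it.

    Unknown handles and documents owned by someone else both yield 404 so the
    endpoint does not act as an oracle for which handles exist.
    """
    if session is None:
        return 401, None
    m = OPAQUE_DOC_URL.match(path)
    if not m:
        return 404, None
    doc_id = HANDLES.get(m.group(1))
    if doc_id is None:
        return 404, None
    owner, body = DOCS[doc_id]
    if owner != session.customer_id:
        return 404, None
    return 200, body


if __name__ == "__main__":
    # Walking the ID on the vulnerable endpoint hands over a neighbour's document.
    print(fetch_document_vulnerable("/documents/20181002"))
    handle = issue_handle("20181001")
    print(fetch_document_hardened(f"/documents/{handle}", Session("cust-A")))
    print(fetch_document_hardened(f"/documents/{handle}", Session("cust-B")))
```

The random handle removes the guessability IMY describes (few digits to change), but on its own it would still let a forwarded link be opened by anyone; the session and ownership check are what close that second path.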

Holding

IMY found that the breach compromised the integrity and confidentiality of the personal data (Article 5(1)(f) GDPR). The processing carried a high risk and therefore required a correspondingly high level of security. Appropriate technical and organisational measures (TOMs), as required by Article 32 GDPR, were not implemented.

The long duration of the exposure (October 2018 to February 2021), combined with the very detailed records (including free-text descriptions of health conditions), underscores the severity of the incident. Analysis of behavioural patterns in the controller's logs indicated that 202 customers were probably directly affected, i.e. their documents were likely displayed to an unauthorised person. According to the controller's own review of the logs, only the tipster and IMY had actually accessed the documents.
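The decision relies on the controller's analysis of behavioural patterns in its access logs to estimate how many customers were actually exposed. As an added example, not part of this page or of the controller's tooling, the Python below shows one way such an analysis can be done: it parses a constructed access log, flags clients whose requested document IDs form a numeric walk, and reports the documents that were actually served to them. The log format, the IP addresses, the timestamps and the document IDs are invented for the example.

```python
import re
from collections import defaultdict

# Assumed log line shape (invented for this example):
# <ISO timestamp> <client IP> GET /documents/<8-digit ID> <HTTP status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GET /documents/(?P<doc>\d{8}) (?P<status>\d{3})$"
)

# Constructed sample access log (not from the decision): one customer who opens
# the two documents linked from their own quote page, and one client that walks
# neighbouring document IDs, hitting one ID that does not exist.
SAMPLE_LOG = """\
2020-11-30T10:15:02 198.51.100.10 GET /documents/20181001 200
2020-11-30T10:15:09 198.51.100.10 GET /documents/20181002 200
2020-11-30T11:02:41 203.0.113.7 GET /documents/20181050 200
2020-11-30T11:02:55 203.0.113.7 GET /documents/20181051 200
2020-11-30T11:03:03 203.0.113.7 GET /documents/20181052 404
2020-11-30T11:03:10 203.0.113.7 GET /documents/20181053 200
2020-11-30T11:03:21 203.0.113.7 GET /documents/20181054 200
2020-11-30T11:03:30 203.0.113.7 GET /documents/20181055 200
2020-11-30T11:04:02 203.0.113.7 GET /documents/20181099 200
"""


def parse_log(text):
    """Yield (client_ip, doc_id, status) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], int(m["doc"]), int(m["status"])


def enumeration_score(ids):
    """Fraction of gaps between sorted distinct IDs that are exactly 1.

    Close to 1.0 for a client stepping through consecutive IDs, 0.0 for a
    client touching unrelated documents, 0.0 for fewer than two IDs.
    """
    ids = sorted(set(ids))
    if len(ids) < 2:
        return 0.0
    steps = [b - a for a, b in zip(ids, ids[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def find_enumerating_clients(text, min_docs=4, min_score=0.5):
    """Return {client_ip: sorted IDs served with 200} for clients that look like ID walkers.

    Failed probes (non-200) count towards the walk signal but not towards the
    set of documents actually disclosed.
    """
    requested = defaultdict(set)
    served = defaultdict(set)
    for ip, doc, status in parse_log(text):
        requested[ip].add(doc)
        if status == 200:
            served[ip].add(doc)
    flagged = {}
    for ip, ids in requested.items():
        if len(ids) >= min_docs and enumeration_score(ids) >= min_score:
            flagged[ip] = sorted(served[ip])
    return flagged


def affected_documents(text, **thresholds):
    """Union of documents served to flagged clients: the records whose data subjects need notifying."""
    out = set()
    for ids in find_enumerating_clients(text, **thresholds).values():
        out.update(ids)
    return sorted(out)


if __name__ == "__main__":
    for ip, ids in find_enumerating_clients(SAMPLE_LOG).items():
        print(f"{ip}: walked IDs, {len(ids)} documents disclosed")
    print("affected documents:", affected_documents(SAMPLE_LOG))
```

The walk heuristic catches the digit-changing access path but not the other one the decision describes, a forwarded link opened without changing any digits, which looks identical to the legitimate recipient's own click. That is one reason log analysis can size an incident but cannot substitute for the authentication and authorisation controls IMY found missing.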

IMY stated that data subjects' expectations of a high degree of confidentiality are justified, especially in this case, where the personal data was collected to make assessments and decisions about the insurance of the individuals concerned. Nevertheless, the controller failed to implement adequate authorisation control, encryption, logging and access control. The flaw was so elementary that Trygg-Hansa should have identified and remedied it before the system was put into use.

The investigation established that nothing required the person requesting a document to authenticate or otherwise prove their authorisation. The documents were neither encrypted nor pseudonymised: directly identifying records were served in plain text to anyone who changed a few digits of the numeric document ID in the URL (in some cases the first six of eight digits were identical across URLs), or who simply received a forwarded link. Once obtained, these individual records could easily have been distributed further.

TOMs were implemented only after IMY contacted the controller about the data breach, and were found not to exceed minimum expectations. As such, they did not positively impact the calculation of the administrative fine.

Because the violation only concerned the Swedish branch of the company, the administrative fine was calculated based on the reported annual turnover of Moderna Försäkringar and not the parent company. The Swedish DPA fined Trygg-Hansa SEK 35 million (around €3 million) for breaching Article 5(1) GDPR and Article 32 GDPR.

Comment

In April 2022, Moderna Försäkringar merged with Trygg-Hansa, which is the name IMY uses for the controller throughout its decision. Trygg-Hansa is a branch of Tryg Forsikring A/S, which is the largest non-life insurer in Scandinavia.

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Diary number: DI-2021-1905
Date: 2023-08-28

Decision after supervision under the Data Protection Regulation - Trygg-Hansa Försäkring branch

The Swedish Authority for Privacy Protection's decision

The Swedish Authority for Privacy Protection (IMY) finds that Trygg-Hansa Försäkring branch (organisation number 516403-8662) has processed personal data in violation of Articles 5(1)(f) and 32(1) of the Data Protection Regulation by, during the period October 2018 to February 2021, not having taken appropriate technical measures and thereby having enabled unauthorised access to privacy-sensitive personal data about its customers.

IMY decides, with the support of Articles 58(2) and 83 of the Data Protection Regulation, that Trygg-Hansa Försäkring branch must pay an administrative penalty fee of SEK 35,000,000 (thirty-five million) for the violation of Articles 5(1)(f) and 32(1).

Account of the supervisory matter

Background

In December 2020, the Swedish Authority for Privacy Protection (IMY) received tips that Moderna Försäkringar, branch of Tryg Forsikring A/S (Moderna Försäkringar), had made it possible for unauthorised persons to access personal data of a sensitive nature concerning Moderna Försäkringar's customers. In March 2021, IMY began supervision of Moderna Försäkringar in order to review whether Moderna Försäkringar had taken appropriate measures to ensure a level of security appropriate to the risk of the personal data processing, in accordance with Articles 5(1)(f) and 32 of the Data Protection Regulation.[1]

As part of its review, IMY has taken note of the 16 documents that the tip refers to. These are several different types of insurance documents, including claims, invoices, insurance letters, insurance decisions, response cards regarding insurance compensation, changes of scope and requests for additional information for insurance investigations. The documents contain a large number of categories of personal data, such as name, contact details, health details, social security number, financial details, insurance holdings, sequence of events (for example time, place, actions and other information provided by the data subject in free text fields) and information regarding ownership and property damage.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Telephone: 08-657 61 00.

In April 2022, Moderna Försäkringar merged with Trygg-Hansa. Moderna Försäkringar subsequently changed its name to Trygg-Hansa branch (Trygg-Hansa) but continued to operate under the same organisation number as before (516403-8662).

In the decision, IMY will consistently use the supervised entity's new name, Trygg-Hansa, when describing what happened.

Statement from the subject of supervision

Trygg-Hansa has essentially stated the following.

On 30 November 2020, Trygg-Hansa was contacted by phone by a person who informed it of the deficiency. The recipient of the tip at Trygg-Hansa did not understand that it was a possible incident, and the deficiency was therefore not reported further within Trygg-Hansa's organisation.

The security breach has occurred in the following way:

1. An existing or new potential customer has contacted customer service by phone and wanted to get a quote for insurance. After the phone call ended, the customer service representative sent an SMS or e-mail to the customer.
2. The SMS or e-mail has contained a unique web address to a quote page on Trygg-Hansa's website.
3. On the quote page there have been clickable links with URLs leading to documents with insurance information. The person who contacted Trygg-Hansa as above has been able to open the documents by clicking on the links.
4. These documents have had web addresses which at the time could be modified by the person in their browser by replacing numbers with other numbers. In this way, the person has been able to retrieve other customers' documents.

There has been internet access to data on approximately 650,000 customers during the period October 2018 up to and including when IMY contacted the company at the end of February 2021. The information covered is name, social security number, contact information (address, e-mail address, phone number), insurance number, claims number, financial information, health information, insurance holdings, ownership information (such as animal ownership, vehicle details, property details), property damage (such as details about workshop, notice of compensation), sequence of events (for example time, place, actions and other information that the data subject provided in free text fields) and other free text fields. It cannot be ruled out that there was also information about violations of the law (such as in connection with claims) or information about membership of a trade union (such as when insurance has been taken out through a trade union).

Analysis of behavioural patterns in logs indicates that 202 customers are likely directly concerned in such a way that information about them (documents) may have been shown to someone unauthorised. As far as Trygg-Hansa has been able to ascertain after examining the logs, only the tipster and IMY gained access to the documents. In order that similar security flaws would not arise, Trygg-Hansa had, before the event in question, taken measures by drawing up an IT security policy, implementing regular penetration tests and logging on nodes, transactions and customer management systems, as well as by holding annual training in data protection and security and ongoing training for employees with special responsibility for data protection issues. Trygg-Hansa follows the ISO 27001 standard, which inter alia involves continuous penetration testing and segmentation of networks. Trygg-Hansa did not carry out an impact assessment concerning the processing in question before the processing began. This would, however, have been carried out if the personal data processing started today, because Trygg-Hansa nowadays has routines for this. Since approximately the middle of 2019, Trygg-Hansa has been implementing a compliance system in which Trygg-Hansa describes in a structured way processes, data, storage, contracts, suppliers, etc., along with impact assessments.

In order to access documents with information about other customers, according to Trygg-Hansa, knowledge of the structure of internet addresses and of how to access the underlying content with, for example, a browser was required. Furthermore, it has been necessary to change part of the digits in the URL's document ID.

Since the incident in question was identified, Trygg-Hansa has taken further security measures, such as addressing the flaw in question by encrypting and ensuring that access can only take place by someone who is authorised. After the event was identified, Trygg-Hansa has also carried out two penetration tests, independent of each other, by two different external security companies, updated the IT security policy, taken measures to improve the procedures for testing activities, decided to establish an architecture council with security control and code review during development, reviewed the internal customer complaint process and decided to implement additional training for employees in customer service as well as for developers and testers.

Trygg-Hansa has also contacted data subjects by letter, and in some cases by telephone, to inform them about what happened, and has provided information on its website.

Justification of the decision

Has Trygg-Hansa ensured an appropriate level of security for the personal data?

Applicable regulations

According to Article 5(1)(f) of the Data Protection Regulation, the controller must process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

According to Article 9(1) of the Data Protection Regulation, it is as a starting point prohibited to process special categories of personal data (so-called sensitive personal data), including data concerning health. Article 9(2) specifies certain exceptions from the prohibition.

It follows from Article 32(1) of the Data Protection Regulation that the controller shall take appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. According to the same provision, account shall be taken of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons. When assessing the appropriate level of security, particular account shall, according to Article 32(2), be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The Swedish Authority for Privacy Protection's assessment

Trygg-Hansa is the controller

Trygg-Hansa has stated that Trygg-Hansa is the controller for the personal data processing that the tip concerned, which is supported by the investigation in the case. IMY assesses that Trygg-Hansa is the controller for the processing which the supervision covers.

The processing involved major privacy risks and required a high level of protection

The controller must provide security that is appropriate in relation to the risks of the processing. The assessment of the appropriate level of protection must be made taking into account, among other things, the nature, scope, context and purpose of the processing, as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons. In the assessment, particular account must be taken of the risks that the processing entails, among other things from unauthorised disclosure of or unauthorised access to the personal data.

IMY notes that the processing of personal data has included a large number of data subjects within Trygg-Hansa's core business. According to Trygg-Hansa's own information, it has been a question of data on approximately 650,000 customers.

IMY further notes that the processing concerned a large number of personal data about each data subject, which enabled mapping of individuals' personal circumstances. The 16 documents that IMY has seen within the framework of the supervisory case contain a large number of categories of personal data, such as names, contact details, health details, social security numbers, financial information, insurance holdings, sequence of events (e.g. time, place, actions and other information provided by the data subject in free text fields) and information regarding ownership and property damage. Trygg-Hansa has also stated that it cannot be ruled out that there was information about violations of the law or information about membership in a trade union.

Through access to a document, it has been possible to directly read out a large amount of information about an individual person. Thus, in some cases it has been possible to get a detailed picture of the personal circumstances of the data subject from the documents. The extensive processing of personal data has been particularly sensitive from a privacy perspective through the use of social security numbers and other identification data that enabled a clear and direct connection to individuals.

IMY further assesses that the nature of the personal data in itself entails a high risk. The documents have contained sensitive personal data, inter alia information about health, which according to the main rule in Article 9(1) of the Data Protection Regulation may not be processed. Such data have been given extended protection, as processing them may constitute an extremely serious interference with the fundamental rights to respect for private life and protection of personal data.[2] The data on health has also had a high level of detail, so that, for example, it was possible to determine how a health problem arose or exactly what health condition it is, which meant an even higher risk.

The material has also contained other types of information that are particularly worthy of protection. This applies, among other things, to social security numbers, which are covered by special protection according to Article 87 of the Data Protection Regulation and Chapter 3, Section 10 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation. According to Trygg-Hansa, it also cannot be excluded that there was information about criminal offences, which is covered by strong protection according to Article 10 of the Data Protection Regulation, because processing of such data can have serious effects on individuals. There has also been information about individuals' financial circumstances.

[2] The judgment of the Court of Justice of the European Union in case C‑184/20, Vyriausioji tarnybinės etikos komisija, EU:C:2019:773, paragraph 126.


The documents in the case also show that it has been possible for data subjects to provide information in forms themselves. In some claims, the data subjects have provided detailed information in running text regarding health problems and how injuries occurred. By giving the opportunity to provide information in running text, it has been difficult for Trygg-Hansa to fully control the content and the types of information that appear. This has resulted in special requirements for handling the documents in a safe way.

Overall, the large number of data subjects, the extensive amount of data about each person and the sensitive nature of the data entailed a high risk to the rights and freedoms of natural persons. Unauthorised disclosure of or unauthorised access to the personal data has been able to lead to serious consequences for the persons concerned. This has led to demands for a high level of protection for the processing.

IMY further notes that the context of the processing of personal data entailed even higher requirements on the level of protection. The personal data processing has taken place within the framework of Trygg-Hansa's core business. In addition, data subjects are entitled to expect a high degree of confidentiality and robust protection against unauthorised access to personal data processed in insurance operations.[3] The data have further been collected in order to be able to make assessments and decisions regarding data subjects, which is a type of processing of personal data that may involve higher risks and require higher protection.

In summary, the processing has been of such a nature that high demands have been placed on the security of the data, for example through authorisation control, encryption, logging, access control and management of technical vulnerabilities.

The data has not been adequately protected

IMY must then assess whether Trygg-Hansa has ensured the high level of protection that was required.


                                IMY states that it has not been required that the person who prepared access to the data

                                verified their identity for Trygg-Hansa or otherwise verified their authorization to receive
                                access to these. Anyone who has had access to the web addresses has thus been able to
                                visit the websites and thereby gain access to the documents with personal data

                                without ensuring that it was an authorized person. The data in


                                3 The Council of Europe has stated in a recommendation that member states must ensure that employees of insurance companies
                                who receive access to personal data must be subject to rules on confidentiality (Recommendation rec[2002]9 on the
                                protection of personal data collected and processed for insurance purposes). See also prop. 2009/10:241 p. 43 and
                                Ds 2011:7. The Swedish Privacy Agency Diary number: DI-2021-1905 6(12)
                                Date: 2023-08-28






                                nor have the documents been protected by encryption, but have been available in plain text.
                                Furthermore, there has been a question of data that directly identified individuals, i.e.
                                the data has not been protected by pseudonymisation. Trygg-Hansa has thus done

                                a large amount of direct personal data of a privacy-sensitive nature available on
                                internet without taking protective measures in the form of authorization control or encryption.


                                Trygg-Hansa has stated that special knowledge is required to access documents
                                with personal data via the web addresses. However, IMY has observed through
                                the documents and web addresses in the case that it has been possible to access

                                documents by changing the last digits of the URLs. In some cases they have
                                first six digits out of eight have been the same in the different URLs, which means that
                                few numbers in these cases have had to be changed for unauthorized access

                                document.

It has also been possible to forward the URLs, which lead to unprotected information about policyholders, to other unauthorized persons. These persons have in turn been able to access the information in the documents simply by clicking on the URL, without having to change any digits. That it was in some cases necessary for an individual to change digits in the address bar to access documents does not mean that Trygg-Hansa has taken appropriate measures, for example authentication and authorization control, to prevent unauthorized persons from accessing the information in question.


IMY has itself been able to access information in the documents without hindrance, simply by visiting the URLs and without having to change anything in the browser's address bar.


Against this background, IMY notes that Trygg-Hansa made a large amount of privacy-sensitive personal data accessible in plain text on the internet. No authentication was required to ensure that only the right persons could access the data. Persons who obtained or gained unauthorized access to the sent URLs – or manipulated versions of the sent URLs – have thus been able to access the privacy-sensitive personal data.
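As an added illustration (not part of the decision or of Trygg-Hansa's system), the access pattern IMY describes, a document served from a numeric identifier in the URL with no authentication, shown beside a hardened handler that requires a session, checks that the document belongs to that customer and issues unguessable references instead of sequential numbers. The document store, customer ids and session type are constructed for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory store: document id -> (owner, content). The eight-digit
# ids mirror the decision's description of URLs that differed only in their
# last digits; the values themselves are made up for this example.
DOCUMENTS = {
    "10000123": ("cust-A", "policy letter for customer A"),
    "10000124": ("cust-B", "claim decision for customer B"),
}


@dataclass
class Session:
    """Authenticated session, as established by a login step not shown here."""
    customer_id: str


def serve_document_insecure(doc_id: str) -> Optional[str]:
    """The pattern described in the decision: whoever knows, guesses or is
    forwarded the number in the URL gets the document. No session is
    required and the owner of the document is never checked."""
    entry = DOCUMENTS.get(doc_id)
    return entry[1] if entry else None


# --- Hardened variant ------------------------------------------------------

# Opaque reference -> document id. Tokens come from secrets.token_urlsafe,
# so one customer's link cannot be derived from a neighbouring one.
REFERENCES: dict[str, str] = {}


def issue_document_link(doc_id: str) -> str:
    """Create the unguessable reference that goes into a customer's link."""
    if doc_id not in DOCUMENTS:
        raise KeyError(doc_id)
    token = secrets.token_urlsafe(32)
    REFERENCES[token] = doc_id
    return token


def serve_document_secure(session: Optional[Session],
                          token: str) -> tuple[int, Optional[str]]:
    """Return (http_status, content).

    A forwarded or guessed link is useless without a session for the owning
    customer (401). A reference that is unknown, or that belongs to another
    customer, answers 404 in both cases so that the response does not reveal
    whether a document exists."""
    if session is None:
        return 401, None                 # authentication required
    doc_id = REFERENCES.get(token)
    if doc_id is None:
        return 404, None
    owner, content = DOCUMENTS[doc_id]
    if owner != session.customer_id:     # object-level authorization check
        return 404, None
    return 200, content
```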


Based on these circumstances, IMY assesses that there were major deficiencies in the protection of the data. The investigation also shows that the deficiencies have led to unauthorized access to the data. IMY notes that Trygg-Hansa's own logs indicate that 202 customers were likely directly affected in such a way that their data may have been shown to someone unauthorized. However, it should be emphasized that the fact that it has been easy for unauthorized persons to gain access to a large amount of personal data of the kind in question is in itself a serious flaw, regardless of how many instances of unauthorized access it has been possible to ascertain.


The shortcomings have been of such a fundamental nature that Trygg-Hansa should have detected and fixed them before the system was put into use. Trygg-Hansa has, however, introduced the system with the flaws, and was unable to identify and remedy them during the long period in which the system was used. This is despite the fact that Trygg-Hansa received information about the shortcomings through an external tip. IMY further notes that the processing of personal data is part of the insurance company's core business and that Trygg-Hansa should therefore have been well able to ensure a level of security suitable in view of the scope and sensitivity of the processing.


Overall, IMY assesses that Trygg-Hansa has not taken appropriate technical measures to ensure a level of security appropriate in relation to the risk. Trygg-Hansa has thus processed personal data in violation of Article 32(1) of the data protection regulation. That a large amount of personal data, including sensitive data, has for a longer period of time been processed in a way that entailed a risk of unauthorized access means, according to IMY, that the lack of security was of such a serious nature that it also involves a violation of Article 5(1)(f) of the data protection regulation.


Choice of intervention

Legal regulation

If there has been a breach of the data protection regulation, IMY has a number of corrective powers available under Article 58(2) of the data protection regulation.

It follows from Article 58(2) of the data protection regulation that IMY, in accordance with Article 83, shall impose administrative fines in addition to or instead of the other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case.

Each supervisory authority shall ensure that the imposition of administrative fines in each individual case is effective, proportionate and dissuasive. This is stated in Article 83(1) of the data protection regulation.


Article 83(2) sets out the factors to be taken into account when deciding whether an administrative fine is to be imposed and, in addition, what is to affect the size of the fine. Important for the assessment of the seriousness of the violation is, among other things, its nature, gravity and duration.


According to Article 83(4), violations of, among other provisions, Article 32 are subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

According to Article 83(5), violations of, among other provisions, Article 5 are subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.


If it is a question of a minor violation, IMY may, according to what is stated in recital 148, issue a reprimand in accordance with Article 58(2)(b) of the regulation instead of imposing an administrative fine.

IMY's assessment

An administrative fine must be imposed

IMY has assessed that Trygg-Hansa has processed personal data in violation of Article 32(1) and that the violation is of such a serious nature that it also constitutes a violation of the principle of integrity and confidentiality in Article 5(1)(f).


The violation has occurred through Trygg-Hansa processing personal data with an insufficient level of security, which has entailed the risk that unauthorized persons could gain access to approximately 650,000 customers' data during the period October 2018 up to and including February 2021. The personal data has, among other things, consisted of sensitive personal data and social security numbers, and unauthorized access to these data entails a high risk to the freedoms and rights of the data subjects.

IMY does not consider this to be a question of minor violations. Trygg-Hansa shall therefore be ordered to pay an administrative fine for the violations. When deciding the amount of the fine, IMY must take into account the circumstances stated in Article 83(2) and ensure that the administrative fine is effective, proportionate and dissuasive.


The parent company's annual turnover must be used as the basis for the calculation

When determining the maximum amount of an administrative fine to be imposed on an undertaking, the definition of the concept of undertaking used by the Court of Justice of the EU in the application of Articles 101 and 102 TFEU shall be applied (see recital 150 of the data protection regulation). It follows from the Court's case law that this includes every entity engaged in an economic activity, regardless of the legal form of the entity and the way in which it is financed, and even if the entity in a legal sense consists of several natural or legal persons.


What constitutes an undertaking must therefore be based on the definitions of competition law. The rules on group liability in EU competition law revolve around the concept of an economic unit. A parent company and a subsidiary are considered part of the same economic unit when the parent company exercises decisive influence over the subsidiary. Decisive influence (i.e. control) can be achieved either through ownership or by agreement. Case law shows that one hundred percent or almost 100% ownership gives rise to a presumption that control exists. However, the presumption can be rebutted if the company provides sufficient evidence that the subsidiary acts independently on the market. To rebut the presumption, the company must therefore provide evidence relating to the organizational, economic and legal links between the subsidiary and its parent company which shows that they do not constitute an economic unit even though the parent company owns 100 percent or almost 100 percent of the shares.[5]

Trygg-Hansa is a branch of the Danish company Tryg Forsikring A/S. Tryg Forsikring A/S is in turn a wholly owned subsidiary of Tryg A/S ("Tryg"). According to the presumption described above, it is therefore Tryg's turnover that must be used as the basis for calculating the maximum amount of the administrative fine. To depart from the presumption, Trygg-Hansa must provide sufficient evidence that another turnover is to be used as the basis for the calculation.


Trygg-Hansa has stated that it is the part of Tryg's turnover that corresponds to the turnover of Moderna Försäkringar which should be used as the basis for calculating the maximum fine. Trygg-Hansa has estimated this turnover at 2,406,294,859 Danish kroner. In the alternative, Trygg-Hansa considers that the maximum fine should be based on the turnover of Moderna Försäkringar and Tryg, whereby the turnover of the companies acquired by Tryg after the period under review should be excluded from the calculation of the fine. Trygg-Hansa has estimated this turnover at 23,622,304,333 Danish kroner.


IMY has understood Trygg-Hansa's position to mean that the maximum fine should primarily be calculated on the hypothetical turnover that the branch Moderna Försäkringar would have had during 2022 if Trygg-Hansa and Moderna Försäkringar had not merged in April 2022. Furthermore, IMY has understood that Trygg-Hansa in the alternative considers that it is Tryg, in the organization that applied when the deficiency existed and in which Moderna Försäkringar was included, that constitutes the economic unit on which a maximum fine is to be calculated. In determining the relevant annual turnover for Tryg, the estimated turnover of the companies acquired after the time of the infringement is thus to be excluded.

[4] Case C-97/08, paras. 59-61
[5] Cf. EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 125 and the rulings cited there.


In support of its position, Trygg-Hansa has stated in summary that Moderna Försäkringar at the time under review was regarded as a business independent from Tryg in technical and organizational terms. Trygg-Hansa has in this regard highlighted mainly the following. Moderna Försäkringar was a branch only for tax reasons. Moderna Försäkringar decided independently on its actions and had its own management team. The server environment where the personal data processing in question took place was operated and developed by Moderna Försäkringar, which also had its own IT manager and IT organization. Only customers of Moderna Försäkringar are affected in this matter. The personal data processing reviewed in the case was also not sanctioned by Tryg, and the insurance systems of the two businesses were different and separate from each other, without any logical, organizational or technical connection.


According to Trygg-Hansa, the turnover of the acquired companies should in any event be excluded from Tryg's turnover when determining the maximum amount of the fine, since under competition law practice responsibility for an infringement must be attributed to the entity that had controlling influence over the business at the time of the incident.

IMY makes the following assessment. Trygg-Hansa is a branch of Tryg Forsikring A/S, and is thus not an independent legal person. Trygg-Hansa's turnover is included as an integral part of Tryg's total turnover, and is fully integrated with the turnover of Tryg Forsikring A/S. These circumstances strongly suggest that Trygg-Hansa, Tryg Forsikring A/S and Tryg must be regarded as one and the same economic entity. The circumstances highlighted by Trygg-Hansa, that the branch, when it operated under the name Moderna Försäkringar, had its own management team, IT system and IT organization, are not in themselves something that contradicts the fact that it is a question of one and the same economic unit. Overall, IMY assesses that there is no reason to deviate from the presumption that it is Tryg's turnover that must be used as the basis for calculating the maximum fine.


As regards Trygg-Hansa's position that the turnover of the acquired companies should be excluded from the calculation of the maximum amount of the fine, IMY makes the following assessment. At the time of the infringement, Trygg-Hansa was, as it is today, a branch of Tryg. There have therefore been no organizational changes that in themselves affect the liability relationship between the branch and the company. It may further be noted that the fact that the relevant annual turnover for calculating the fine is the annual turnover of the year immediately preceding the supervisory authority's decision can mean that major changes in annual turnover, both decreases and increases, have taken place since the time of the violation. Such changes may be due to business events, such as increasing or decreasing market share and profitability, or to changes in the company's organization, such as sales or acquisitions of companies. There is, to a certain extent, the possibility of taking such changes into account within the framework of the proportionality assessment that must always be made when imposing administrative fines under the data protection regulation, to ensure that the fine imposed is proportionate in the individual case. IMY assesses, on the other hand, that the maximum amount of the fine should be based on the determined annual turnover, without deduction of hypothetical amounts for the companies acquired during this period.

However, IMY takes into account both the fact that the violation occurred in a limited part of Tryg's activities and the organizational changes Trygg-Hansa has highlighted, within the framework of the proportionality assessment, which is set out below under the heading "The administrative fine must be effective, proportionate and dissuasive".

IMY assesses overall that the turnover of the undertaking to be used as the basis for calculating the administrative fine that can be imposed on Trygg-Hansa is Tryg's turnover. From Tryg's annual report for 2022, it appears that the annual turnover in 2022 was approximately 33,938,000,000 Danish kroner, which corresponds to approximately 54,000,000,000 Swedish kronor.[6] The maximum fine that can be determined in the case is four percent of this amount, i.e. approximately SEK 2,160,000,000.


The seriousness of the violation

IMY makes the following considerations regarding the seriousness of the violation. That there was possible unauthorized access to approximately 650,000 customers' data means that there was a risk to a high number of people. The data has included sensitive personal data, such as health data, and other data of a privacy-sensitive nature, such as social security numbers and financial information. It cannot be ruled out that information about violations of the law has been revealed. The personal data processing has entailed significant risks. Individuals were directly identifiable, which meant that information of a sensitive nature could be linked to identified persons. The data has been processed in a context where the data subjects have legitimate expectations of a high level of confidentiality and robust protection against unauthorized access.


The data has been collected in order to make assessments and take decisions regarding the data subjects, which is a type of personal data processing that may involve higher risks and require higher protection. Information about, for example, ownership, which could entail a risk of theft, could in the event of unauthorized access easily be linked to names and addresses. Due to the nature of the information, and since the documents contained numerous collected data, any unauthorized access has meant a high risk of damaged reputation and loss of confidentiality. Trygg-Hansa's analysis of behavior patterns in logs indicates that 202 customers are likely to have been directly affected in such a way that information about them in documents may actually have been shown to unauthorized persons, and IMY states that unauthorized access occurred on at least one occasion, in connection with the tip about the deficiency being given to IMY.
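The decision refers to an analysis of behaviour patterns in access logs to estimate which customers' documents were actually shown to unauthorized persons. As an added example (not Trygg-Hansa's analysis, whose log format and method the decision does not describe), the following flags clients that requested a series of neighbouring document numbers within a short window and collects the documents they were actually served; the log layout, timestamps, addresses and document numbers are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp client_ip path status"
# layout. Requests that answered 404 are kept on purpose: probing a number
# that does not exist is part of the enumeration pattern.
SAMPLE_LOG = """\
2021-02-10T09:00:01 203.0.113.7 /documents/10000123.pdf 200
2021-02-10T09:00:04 203.0.113.7 /documents/10000124.pdf 200
2021-02-10T09:00:06 203.0.113.7 /documents/10000125.pdf 404
2021-02-10T09:00:09 203.0.113.7 /documents/10000126.pdf 200
2021-02-10T09:00:12 203.0.113.7 /documents/10000127.pdf 200
2021-02-10T11:30:00 198.51.100.20 /documents/10000900.pdf 200
2021-02-11T08:15:00 198.51.100.21 /documents/10000123.pdf 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) /documents/(\d+)\.pdf (\d{3})$")


def parse_log(text):
    """Return (timestamp, client, document_id, status) tuples; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, doc_id, status = m.groups()
            events.append((datetime.fromisoformat(ts), client, int(doc_id), int(status)))
    return events


def longest_adjacent_run(ids):
    """Length of the longest run of document ids that differ by exactly 1."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b - a == 1 else 1
        best = max(best, run)
    return best


def find_enumeration(events, window=timedelta(minutes=10), min_docs=3, min_run=3):
    """Flag clients that touched at least min_docs distinct documents inside one
    window with a run of at least min_run neighbouring ids. Returns a mapping
    client -> sorted ids that were actually served (status 200), i.e. the
    documents whose data may have been shown to that client."""
    by_client = defaultdict(list)
    for ts, client, doc_id, status in events:
        by_client[client].append((ts, doc_id, status))

    findings = {}
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (start, _, _) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            ids = [d for _, d, _ in in_window]
            if len(set(ids)) >= min_docs and longest_adjacent_run(ids) >= min_run:
                served = {d for _, d, s in in_window if s == 200}
                findings.setdefault(client, set()).update(served)
    return {client: sorted(ids) for client, ids in findings.items()}


def affected_documents(findings):
    """Union of served documents over all flagged clients, for breach scoping."""
    affected = set()
    for ids in findings.values():
        affected.update(ids)
    return sorted(affected)
```

A single request from an address, as with the two 198.51.100.x clients above, is not flagged; the thresholds are parameters because an appropriate window and run length depend on how the real system is used.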


The violation has also continued for a longer period of time, between October 2018 and the time when IMY contacted Trygg-Hansa and pointed out the deficiency in February 2021. Trygg-Hansa received information about the security shortcomings in November 2020 through an external tip, which could have been used to remedy the deficiencies and thereby reduce privacy risks for individuals. However, Trygg-Hansa was unable to use the information to remedy the deficiencies. The violation has concerned Trygg-Hansa's core business, where Trygg-Hansa can be assumed to have knowledge of the risks and of the requirements for the protection of personal data.


It appears from the EDPB's guidelines that the supervisory authority must assess whether the violation is of low, medium or high severity.[7]

IMY has established that the violation is so serious that it also constitutes a violation of the fundamental principle of integrity and confidentiality under Article 5(1)(f) of the data protection regulation, which means that the maximum fine is 4 percent of the annual turnover instead of the 2 percent that applies in the case of a violation of Article 32. Overall, IMY assesses that the violation in question has a medium degree of seriousness within the range of violations of Article 5(1)(f) of the data protection regulation.

[6] Based on the exchange rate on 23 August 2023, published on riksbanken.se
[7] EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60.


Trygg-Hansa has taken a number of measures before and after the deficiencies were identified. Trygg-Hansa has, among other things, had two penetration tests carried out independently of each other by two different external security companies and initiated measures to improve routines for testing activities. Trygg-Hansa has also decided to establish an architecture board with security control and code review during development, and decided to implement additional training for employees in customer service as well as for developers and testers. Trygg-Hansa has also provided certain information to the data subjects about what occurred. These and other measures described by Trygg-Hansa were, however, carried out after IMY contacted the company to inform it about the deficiency, and do not go beyond what can be expected. The measures are not of such a nature that they affect IMY's assessment in the case in a mitigating direction.


The administrative fine must be effective, proportionate and dissuasive

The administrative fine must be effective, proportionate and dissuasive. This means that the amount must be determined so that the administrative fine leads to correction, that it has a deterrent effect and that it is, in addition, proportionate in relation to the violations in question as well as to the supervised entity's ability to pay.

In the proportionality assessment, IMY takes into account that Tryg's annual turnover has increased significantly due to the acquisition of companies that were not included in the company's total turnover at the time of the infringement.

In addition, IMY attaches great importance to the fact that the violation, as revealed in the case, only occurred in the Swedish branch. Basing the fine solely on the group's turnover in this case, where the violation affected a limited part of the business, would result in the fine being set far too high in relation to what occurred. IMY therefore sees reason, in a proportionality assessment taking into account the turnover of Moderna Försäkringar as reported by Trygg-Hansa, to set the fine at a significantly lower amount than an assessment based solely on Tryg's turnover would have resulted in.

IMY decides, based on an overall assessment, that Trygg-Hansa must pay an administrative fine of SEK 35 million.

This decision has been taken by Director General Lena Lindgren Schelin after a presentation by lawyer Evelin Palmér. Chief legal counsel David Törngren, unit manager Catharina Fernquist and IT and information security specialist Magnus Bergström also participated in the final proceedings.

Lena Lindgren Schelin, 2023-08-28 (This is an electronic signature)






How to appeal

If you want to appeal the decision, you must write to the Swedish Privacy Agency (IMY). State in the letter which decision you are appealing and what change you are requesting. The appeal must have been received by IMY no later than three weeks from the day you were notified of the decision. If the appeal has been received in time, IMY forwards it to the Administrative Court in Stockholm for examination.

You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be covered by secrecy. The authority's contact details appear on the first page of the decision.