IMY (Sweden) - DI-2021-3422
Revision as of 15:25, 28 November 2023
IMY - DI-2021-3422 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 32(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 07.11.2023 |
Fine: | 500,000 SEK |
Parties: | n/a |
National Case Number/Name: | DI-2021-3422 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | DI-2021-3422 (in SV) |
Initial Contributor: | sh |
The Swedish DPA fined a securities company 500,000 SEK (around €43,700) for incorrectly sending an email containing a file with personal data, resulting in a breach of Article 32(1) GDPR.
English Summary
Facts
The Swedish DPA received complaints alleging that on 20 January 2021 Indecap (the controller) had sent an email containing a file with personal data, including information about customers' finances, to other customers.
The controller acknowledged the mistake and explained that the breach was due to human error: an employee had attached the wrong Excel sheet because it was named similarly to the correct file. The wrong file contained customers' names, social security numbers, bank, name of bank advisor, email address, selected risk level, allocation to funds (limited to individual fund selection) and the last loaded value of the customers' holdings in those funds. The erroneous mailing involved the personal data of 52,364 data subjects and was received by at most 2,813 individuals. The exact number of recipients could not be determined, as Indecap's own investigation showed that the email had been stuck in the mail filters of many customers.
Indecap took various steps to mitigate the damage. It initiated a major incident investigation together with external experts to identify internal risks and draw up an internal action plan, informed the data subjects about the incident, implemented additional technical security measures and held extra training sessions for employees. It also contacted the recipients of the email and asked them to delete the message and confirm that they had done so. Finally, Indecap filed a personal data breach notification with the Swedish DPA and also reported the incident to the Swedish Financial Supervisory Authority.
Holding
Indecap stated that the file had been attached to the email as a result of a mistake by an individual employee. However, as the controller, Indecap is responsible for all processing of personal data that takes place under its management or on its behalf. The Swedish DPA therefore fined Indecap and not the employee.
Indecap is a securities company, and the nature of its business imposed high protection standards, since it processed, among other things, financial information and social security numbers. These high standards are also reflected in national law: Chapter 1, Section 11, first paragraph of the Securities Market Act (2007:528) provides that a person who is or has been affiliated with a securities company may not, without authorisation, disclose or use what he or she has learned in the course of employment or an assignment about someone else's business or personal circumstances. It was therefore clear that the processing in question entailed a high risk.
Under Article 32 GDPR, Indecap is obliged to protect the personal data it processes by taking appropriate technical and organisational measures. The processing took place within Indecap's core business, for which the company should have had a good ability to ensure an appropriate level of security. According to Indecap's own account, the reason the wrong file was attached was that it had been given a name similar to that of another file containing general information about the funds' performance. This suggests that Indecap did not have sufficiently clear instructions to prevent documents containing customer data from being mixed up with public documents. The DPA also noted that no technical or organisational barriers, such as warnings when attaching a file to an email, had been implemented, that the existing four-eyes check on every mailing had been dropped during pandemic remote working without an equivalent replacement, and that the file itself was neither encrypted nor read-restricted. Moreover, the breach involved a large number of data subjects (approximately 52,000 persons).
For these reasons, the Swedish DPA held that Indecap had breached Article 32(1) GDPR and fined it 500,000 SEK (around €43,700).
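One of the missing safeguards the decision points to is a technical barrier or warning at the moment a file is attached to an outbound email. The block below is an added example (it is not code from Indecap, IMY or the decision) of such a gate in Python: it scans an attachment for Swedish personal identity numbers (personnummer, rendered "social security numbers" in the summary above) by format, date range and the Luhn check digit, including coordination numbers with 60 added to the day, and refuses the send when hits are found in a bulk mailing or in an unencrypted single-recipient mail. The CSV and report-text samples, the identity numbers in them, the file names, the recipient list and the send policy itself are all constructed assumptions for the example.

```python
"""Outbound-attachment gate for Swedish personal identity numbers.

Added example, not Indecap's or IMY's code. All sample data below is
constructed; the personnummer values are made up but pass the Luhn check
so the detector can be exercised offline.
"""
import re
from dataclasses import dataclass

# Swedish personnummer / samordningsnummer: [YY]YYMMDD[-+]NNNC.
# Lookarounds keep the match from starting or ending inside a longer digit run.
_PNR_RE = re.compile(r"(?<!\d)(\d{2})?(\d{2})(\d{2})(\d{2})[-+]?(\d{4})(?!\d)")


def luhn_ok(ten_digits: str) -> bool:
    """Check digit of a 10-digit YYMMDDNNNC number: Luhn over the first nine,
    weights 2,1,2,... from the left, digit sums for products above 9."""
    total = 0
    for i, ch in enumerate(ten_digits[:9]):
        d = int(ch) * (2 if i % 2 == 0 else 1)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10 == int(ten_digits[9])


def find_personal_numbers(text: str) -> list[str]:
    """Every well-formed, checksum-valid personnummer or samordningsnummer in
    text, normalised to YYMMDD-NNNC (century dropped)."""
    hits = []
    for m in _PNR_RE.finditer(text):
        _century, yy, mm, dd, tail = m.groups()
        month, day = int(mm), int(dd)
        # samordningsnummer (coordination numbers) add 60 to the day of birth
        if not (1 <= month <= 12 and (1 <= day <= 31 or 61 <= day <= 91)):
            continue
        digits = yy + mm + dd + tail
        if luhn_ok(digits):
            hits.append(f"{digits[:6]}-{digits[6:]}")
    return hits


@dataclass
class Decision:
    action: str  # "allow" or "block"
    reason: str


def gate_outbound_attachment(filename: str, content: str, recipients: list[str],
                             encrypted: bool = False) -> Decision:
    """Send-time policy (assumed for the example, not Indecap's own): a file
    carrying personal identity numbers may leave by e-mail only when it is
    encrypted and addressed to exactly one recipient; a bulk mailing such as a
    quarterly fund report must not carry such data at all."""
    hits = find_personal_numbers(content)
    if not hits:
        return Decision("allow", f"{filename}: no personal identity numbers found")
    # Log masked samples only, so the mail log does not become a second copy.
    sample = ", ".join(h[:6] + "-****" for h in hits[:3])
    if len(recipients) > 1:
        return Decision("block", f"{filename}: {len(hits)} personal identity numbers "
                                 f"(e.g. {sample}) in a mailing to {len(recipients)} recipients")
    if not encrypted:
        return Decision("block", f"{filename}: {len(hits)} personal identity numbers "
                                 f"(e.g. {sample}) would leave unencrypted")
    return Decision("allow", f"{filename}: encrypted, single recipient")


# Constructed stand-in for the mis-attached customer export (CSV text here).
# Row 4 carries a wrong check digit and must not count as a hit.
CUSTOMER_EXPORT = """name;personnummer;bank;advisor;email;risk;fund;value
Anna Andersson;811218-9876;Exempelbanken;B. Radgivare;anna@example.com;3;Sverigefond;102400
Bo Berg;19900101-1239;Exempelbanken;B. Radgivare;bo@example.com;5;Globalfond;55210
Cia Cesar;900161-1236;Exempelbanken;C. Radgivare;cia@example.com;2;Rantefond;8900
Dan Dahl;900101-1230;Exempelbanken;C. Radgivare;dan@example.com;4;Sverigefond;1000
"""

# Constructed stand-in for the public fund report that was meant to go out.
FUND_REPORT = """Fund report Q4 2020
Sverigefond +4.2% (NAV 2020-12-31: 1234.56)
Globalfond +3.1% (NAV 2020-12-31: 987.65)
Contact: 08-123 45 67
"""

MASS_RECIPIENTS = [f"customer{i}@example.com" for i in range(2813)]  # constructed

if __name__ == "__main__":
    for name, body in (("fondrapport.xlsx", CUSTOMER_EXPORT),
                       ("fondrapport.pdf", FUND_REPORT)):
        d = gate_outbound_attachment(name, body, MASS_RECIPIENTS)
        print(d.action.upper(), d.reason)
```

The Luhn step is what removes most numeric false positives (phone numbers, NAV figures, amounts), but not all of them, so a production gate would pair it with a per-sender allow-list and run on text extracted from the real spreadsheet rather than on CSV. The reason string deliberately masks the matched numbers: the point of the control is to stop a leak, not to copy the leaked data into the mail log.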
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Indecap AB. Diary number: DI-2021-3422. Date: 2023-11-07. Decision after supervision under the Data Protection Regulation [1].
Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm, www.imy.se, imy@imy.se, telephone 08-657 61 00.
The Swedish Authority for Privacy Protection's decision
The Swedish Authority for Privacy Protection (IMY) finds that Indecap AB (556622-4480) has processed personal data in violation of Article 32(1) of the Data Protection Regulation by, in connection with a mailing on 20 January 2021, not ensuring a level of security appropriate to the risks of the processing.
IMY decides, with the support of Articles 58(2) and 83 of the Data Protection Regulation, that Indecap AB must pay an administrative fine of SEK 500,000 for the violation of Article 32(1) of the Data Protection Regulation.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Account of the supervisory matter
IMY has received complaints that Indecap AB (Indecap) on 20 January 2021 incorrectly sent an email containing a file with personal data about, among other things, customers' finances to other customers. IMY initiated supervision of Indecap in order to investigate what the complaints describe.
Indecap has stated that it considers itself the controller for the processing of personal data in question. In addition, the company has stated, in summary, the following.
All information in Indecap's system was protected and required user login to access the information included in the erroneous mailing. What occurred was that an employee retrieved information containing personal data from the system in order to process it into a report in Excel. During processing, the Excel file was saved and, unfortunately, renamed to a name similar to that of the general PDF report on the development of the funds that was to be sent out to customers. When the employee later went to attach the PDF report to the mailing, the employee happened to attach the Excel file that was being processed and contained personal data, instead of the correct PDF report. Because of this human error, the incorrect file was sent out to a number of customers before the mistake was noticed and the dispatch was stopped.
The erroneously attached file sent by email to the company's customers contained information about customers' names, social security numbers, bank, name of bank adviser, email address, selected risk level, allocation to funds (limited to individual fund selection) and the most recently read value of the customers' holdings in these funds. The file did not contain any information about account numbers, login details, holdings in specific funds, or fund portfolios relating to capital insurance, occupational or private pensions. The incorrect mailing comprised personal data on 52,364 data subjects and was received by a maximum of 2,813 people. The exact number of recipients cannot be determined, as Indecap's own investigations show that the email got stuck in the mail filters of many of the customers.
Indecap has an information security policy and applies documented processes and routines for personal data and information security management. Before the incident, Indecap had restricted access to the relevant systems containing customer data, so that only four employees had access to them. Indecap had also trained all staff in personal data and information security management.
The internal investigation Indecap carried out after the incident has shown that there were difficulties in complying with Indecap's dual-control routine, which is applied to larger-scale handling of personal data. The routine means that two individuals must approve or verify a given action before it can be carried out. The difficulties in complying with this routine are explained by the increased remote working required by the Covid-19 pandemic. The step that was not carried out in the incident was to visually ensure, under the so-called four-eyes principle, that the correct data had been entered into the system and the correct file attached before the data was sent out by email. This could not be done remotely, which made it possible to attach the incorrect file. The file that was incorrectly attached to the email was, for this reason, not encrypted and had no read restrictions. Access to the originating computer was, however, restricted by authorisation and password protected.
Before the incident, Indecap had launched a system-based application with login via BankID in order to reduce the risks that arise when data is sent by email, and had decided to phase out its routine for sending emails. Since the incident, quarterly reports are no longer sent out by email; customers are instead directed to log in with BankID at Indecap to see their portfolio development. Furthermore, reports containing customer data are now encrypted and password protected.
In addition to immediately stopping all planned customer communication by letter and email, Indecap took a number of measures in connection with the incident. The company initiated a major incident investigation together with external experts to map and document the incident and to review Indecap's systematic data protection work. The internal investigation, which has been completed, includes an analysis of the seriousness of the personal data breach according to ENISA's method for assessing personal data breaches, and a plan of measures. In addition, Indecap has, among other things, updated its routines for remote working and the dual-control process, informed data subjects about the incident, taken additional technical security measures and held extra training sessions for employees.
Indecap has submitted a personal data breach notification to IMY and an incident report to the Swedish Financial Supervisory Authority because of the incident investigated in the case. In the notification to IMY, Indecap stated, among other things, that the company had contacted the recipients who received the email with personal data and asked them to delete the message and confirm that it had been deleted.
Justification of the decision
Applicable provisions
According to Article 4(7) of the Data Protection Regulation, the controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of the processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law.
The controller is responsible for, and must be able to demonstrate, compliance with the basic principles in Article 5 of the Data Protection Regulation.
This follows from Article 5(2) of the Data Protection Regulation.
According to Article 5(1)(f) of the Data Protection Regulation, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
It follows from Article 32(1) of the Data Protection Regulation that the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In assessing which technical and organisational measures are appropriate, the controller must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons. According to Article 32(1), appropriate measures include, where appropriate, (a) pseudonymisation and encryption of personal data, (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, and (d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
According to Article 32(2) of the Data Protection Regulation, in assessing the appropriate level of security, particular account is to be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
According to Article 87 of the Data Protection Regulation, Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the Regulation. According to Chapter 3, Section 10 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation, social security numbers and coordination numbers may be processed without consent only when this is clearly justified with regard to the purpose of the processing, the importance of secure identification or some other substantial reason.
The Swedish Authority for Privacy Protection's assessment
The investigation in the matter has shown that Indecap mistakenly sent an unencrypted file containing personal data on approximately 52,000 customers by email to approximately 2,800 recipients who were not authorised to receive the information. The file contained, among other things, information about customers' names, email addresses, social security numbers, bank, risk level, individual fund selection and the most recently read value of the customers' holdings in these funds.
Indecap is the controller
Indecap has stated that the company is the controller for the personal data processing reviewed in the case. The investigation shows that the purpose of sending the message in question was to inform customers about the general development of the funds. IMY notes that Indecap has determined the purposes and means of the processing of the personal data, i.e. how and why the personal data is to be processed. Indecap has thus, under Article 4(7) of the Data Protection Regulation, been the controller for the processing of personal data in question.
The processing involved a high risk
Under Article 32 of the Data Protection Regulation, Indecap is obliged to protect the personal data the company processes by implementing appropriate technical and organisational measures. The measures must ensure an appropriate level of security. In assessing which level of security is appropriate, the controller must take into account the costs, the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons that the processing entails.
From Chapter 1, Section 11, first paragraph of the Securities Market Act (2007:528) it follows that anyone who is or has been affiliated with a securities company may not, without authorisation, disclose or make use of what he or she has learned in the course of employment or an assignment about someone else's business or personal circumstances. Because Indecap is a securities company, these statutory confidentiality requirements apply to the company's operations. This places high demands on the protection of the personal data processed in the business.
In this case, the data handled has, among other things, consisted of personal data warranting special protection, namely social security numbers, which may only be processed under certain conditions. It has also concerned financial information, such as the most recent fund holdings and the most recently read value of the customers' holdings in these funds, for which data subjects have legitimate expectations of a high degree of confidentiality and robust protection against unauthorised access. IMY notes that the context of the processing has thus resulted in an even higher requirement for the level of protection.
The processing of personal data took place within Indecap's core business, for which the company should have had a good ability to ensure security appropriate to the scope and sensitivity of the processing. Compiling a large amount of privacy-sensitive personal data also entails special risks, since loss of control over such a compilation may harm many data subjects. In the present case, the processing concerned data on a large number of data subjects (approximately 52,000 people).
Having regard, among other things, to the fact that the data Indecap processed was of a nature warranting protection and concerned a very large number of people, the processing of the personal data as a whole entailed a high risk to the rights and freedoms of natural persons. The nature, scope and context of the processing thus required strong protection of the data. The measures should, among other things, have ensured that the personal data was protected against unauthorised disclosure and unauthorised access.
Indecap has not taken sufficient measures to protect the data
From the complaints and Indecap's account it appears that the file with personal data was attached to an email message sent out to a large number of people. Indecap's sending of the file has meant that people who have no right to see the data have gained access to it.
Indecap has stated that the file was attached to the email as a result of a mistake by an individual employee. Indecap, as the controller, is responsible for all personal data processing that takes place under the company's management or on its behalf. In this case, the incorrect attachment of the file occurred within the scope of the employee's duties. Indecap is responsible for ensuring that the personal data processing carried out by its employee took place in accordance with the Data Protection Regulation's requirements for an appropriate level of security.
IMY also considers that the mistake in question could have been prevented, or at least made more difficult. In its operations, Indecap handles both public information and information warranting protection. Depending on, among other things, the sensitivity of the information, different requirements apply to the appropriate level of protection and thus to the content of the routines for handling the data. When handling public information there is, for example, no reason to consider the risk of unauthorised access when choosing communication channels. In order not to jeopardise the protection of information warranting protection, Indecap should have had clear procedures ensuring that the handling of such information was not mixed with the handling of public information. From Indecap's own account it appears that one reason the incorrect file was attached was that it had been renamed to a name similar to that of another file containing general information about the funds' development. This suggests that Indecap did not have sufficiently clear instructions to prevent documents containing customer data from being mixed up with public documents. Nor has it emerged that Indecap implemented any technical or organisational barriers or controls that would have impeded the incorrect handling of the file, e.g. technical obstacles or warnings when a file is attached to an email.
Admittedly, Indecap had a routine under which every dispatch must be checked by a colleague in order to prevent the type of mistake in question. It has emerged, however, that this routine was not used, as a result of difficulties in maintaining it during remote work under the then prevailing Covid-19 pandemic. IMY nevertheless considers that Indecap, in the situation that arose, and especially in view of the sensitivity of the data the company processes in its core business, should have taken other measures to ensure a sufficient level of protection for the data when the existing safeguard could not be applied because of the pandemic. The pandemic has thus not constituted a reasonable excuse for deviating from existing security procedures without replacing them with some other equivalent protection.
IMY finds that the lack of measures to prevent the privacy-sensitive customer information from being sent out meant that the risk of employees making incorrect mailings was high.
IMY further notes that the file in question lacked protection in the form of, for example, read restrictions or encryption. After the file was mistakenly attached to the email, unauthorised persons have therefore been able to access privacy-sensitive information about over 50,000 identifiable individuals in plain text. There has also been a risk of the data being spread further, for example by one of the unauthorised recipients forwarding the email.
In IMY's view, there have been shortcomings in the protection of the personal data partly because Indecap has not taken sufficient technical or organisational measures to prevent employees from incorrectly sending customer data by email to unauthorised recipients, and partly because the data was not protected against unauthorised access, e.g. through encryption. Indecap's safeguards should have ensured that personal data about the company's customers was protected against unauthorised disclosure and unauthorised access. Through the email of 20 January 2021, which was sent to a large number of unauthorised recipients, Indecap has, however, disclosed unencrypted personal data about its customers, including information about the customers' finances.
IMY concludes, in summary, that Indecap has not taken sufficient technical and organisational measures to ensure a level of security appropriate to the risk. Indecap has thus processed personal data in violation of Article 32(1) of the Data Protection Regulation.
Choice of intervention
Legal framework
In the event of violations of the Data Protection Regulation, IMY has a number of corrective powers, including reprimands, orders and administrative fines. This follows from Article 58(2)(a) to (j) of the Data Protection Regulation. IMY shall impose administrative fines in addition to, or instead of, the other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case. Each supervisory authority must ensure that the imposition of administrative fines in each individual case is effective, proportionate and dissuasive. This is stated in Article 83(1) of the Data Protection Regulation. Article 83(2) specifies the factors to be taken into account in determining whether an administrative fine should be imposed and, if so, in what amount. According to Article 83(4), violations of, among other things, Article 32 are subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The European Data Protection Board (EDPB) has adopted guidelines on the calculation of administrative fines under the Data Protection Regulation, which aim to create a harmonised method and principles for calculating fines [2]. If the violation is minor, IMY may, according to recital 148, issue a reprimand under Article 58(2)(b) of the Regulation instead of imposing a fine.
[2] EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on 24 May 2023.
IMY's assessment
An administrative fine must be imposed
IMY has found that Indecap has processed personal data in violation of Article 32(1) of the Data Protection Regulation. The violation occurred through Indecap processing personal data with an insufficient level of security, which led, among other things, to financial information about over 50,000 data subjects being sent by email to around 2,800 unauthorised recipients. Indecap was aware of the risks of emailing and had therefore introduced special control routines, but because of the pandemic it deviated from the control routine without taking compensating safeguards. The incorrect dispatch has resulted in a high risk to the rights and freedoms of the data subjects, including loss of confidentiality of data warranting protection. Against this background, IMY considers that this was not a minor violation. Indecap must therefore be charged an administrative fine for the violation.
In determining the size of the fine, IMY must take into account the circumstances stated in Article 83(2) and ensure that the administrative fine is effective, proportionate and dissuasive.
The parent company's annual turnover is to be used as the basis for the calculation
When determining the maximum amount of the fine, the definition of the concept of undertaking that follows from the case law of the Court of Justice of the European Union under Articles 101 and 102 TFEU is used (see recital 150 of the Data Protection Regulation). According to the Court's case law, the concept of undertaking covers every entity engaged in an economic activity, regardless of the entity's legal form and the way in which it is financed, and regardless of whether the entity in the legal sense consists of several natural or legal persons. What constitutes an undertaking must therefore be based on the definitions of competition law.
The rules on group liability in EU competition law revolve around the concept of an economic unit. A parent company and a subsidiary are regarded as part of the same economic unit when the parent company exercises decisive influence over the subsidiary. Decisive influence (i.e. control) can be obtained either through ownership or by agreement. It follows from the case law of the Court of Justice that 100 percent or almost 100 percent ownership gives rise to a presumption that control exists. The presumption can, however, be rebutted if the company provides sufficient evidence that the subsidiary acts independently on the market [3]. To rebut the presumption, the company must therefore provide evidence on the organisational, economic and legal links between the subsidiary and its parent company showing that they do not constitute an economic unit even though the parent company owns 100 percent or almost 100 percent of the shares [4].
[3] Case C-97/08, paras. 59-61.
[4] Cf. EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 125 and the rulings cited there.
The group of which Indecap is part consists of three companies: the parent company Indecap Holding AB and the two sister companies Indecap and Indecap Fonder AB. Indecap Holding AB's commission income consists of Indecap's and Indecap Fonder AB's commission income.
Indecap has stated that the turnover attributable to Indecap Fonder AB should be excluded when calculating a fine. In support of this, Indecap has stated that the violation occurred in only one of the group companies, namely Indecap. Indecap is a securities company that provides individual pension savings and advice on the fund market. Indecap Fonder AB is in turn a fund company that manages nine funds with different equity and fixed-income strategies. Indecap Fonder AB has few direct customers but distributes the funds via various platforms and banks. Indecap Fonder AB's funds are admittedly selectable at Indecap, but Indecap's fund portfolios also consist of many other funds that have no connection to Indecap Fonder AB or Indecap Holding AB. The customer data included in the mailing belonged only to customers of Indecap.
Indecap Holding AB owns 100 percent of the shares in Indecap, and there is therefore a presumption that Indecap and Indecap Holding AB form an economic unit. Indecap has not put forward anything showing that Indecap acts independently in relation to the parent company such that the presumption is rebutted. That subsidiaries in the group have businesses with different orientations, or that an incident occurred in only one subsidiary, are not circumstances that in themselves have any effect on the presumption of the parent company's influence.
IMY assesses with regard to the above that the company's turnover that will be added to the basis for calculating the administrative penalty fee that Indecap can imposed is Indecap's parent company Indecap Holding AB (556971-6987). In the EDPB's guidelines, the starting point is that the annual turnover refers to the company's net sales, i.e. the amount obtained through the sale of goods and provision of services after deduction of sales discounts and value added tax as well as other taxes that are directly related to turnover. To determine which turnover Indecap Holding AB had during the previous financial year has IMY obtained information from the group's annual report for 2022. This information shows that Indecap Holding AB has had commission income amounting to SEK 558,260,000. Indecap has stated that Indecap Holding AB's annual report is prepared in accordance with the law (1995:1559) on annual reports in credit institutions and securities companies and that the post for commission income does not fairly reflect the group's net sales. The current commission income is stated before the Pensions Authority's agreed mandatory discount on management fees has been deducted. The agreement with The pension authority's discount is a requirement for a fund company to be able to offer funds on the premium pension's fund market. Discounts to the Pensions Authority amounted to year 2022 to SEK 394,326,770. Indecap Holding AB's net turnover is thus the sum 5EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 128-130. 
6 The definition corresponds to that stated in Article 5.2 of Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on annual accounts, consolidated accounts and reports in certain types of companies, on amendment of European Parliament and Council Directive 2006/43/EC and repealing Council Directive 78/660/EEC and 83/349/EEC Text of importance for the EEA and which has been implemented in Swedish law through ch. 1, § 3, third point Annual Accounts Act (1995:1554) Data Protection Agency Diary number: DI-2021-3422 9(11) Date: 2023-11-07 which remains after this discount has been deducted. Indecap has submitted documents to verification of the discounts submitted to the Pensions Authority. IMY makes the following assessment. Indecap Holding AB's annual report contains none clear accounting item that can be equated with the company's net sales. For that one sanction fee shall have the corresponding effect regardless of the accounting rules that it the intervention is aimed at applies, according to IMY, however, it is important that the turnover is calculated in such a way that it corresponds to what would have constituted net turnover if the accounting rules of the Annual Accounts Act had been applied. There is a lack of guidance clarifications from the EU Court of Justice or the EDPB that clarify how the annual turnover i credit institutions and securities companies must be calculated. IMY therefore assesses, against background of that net turnover must be determined with deduction of discounts provided, that relevant annual turnover for Indecap Holding AB must be assessed with deductions for discounts on management fees. Indecap has proven through submitted documents that the discounts to The pension authority in the year 2022 amounted to the amount they indicated. IMY assesses with regard to the above that the relevant annual turnover for Indecap Holding AB is approximately SEK 140,199,260. 
Two percent of that annual turnover is approx SEK 2,800,000. The maximum penalty amount that can be determined in the case is therefore 10,000,000 EUR. The seriousness of the violation IMY assesses that the following factors are important for the assessment of the infringement seriousness. IMY has established that Indecap did not take sufficient technical and organizational measures measures to reduce the risk that personal data about the company's customers would be disseminated to unauthorized persons. The current security flaws have led to an incident that has affected one large number of registered and a large number of unauthorized recipients have been able to take part others' personal data in plain text. The information has included financial information and information about social security numbers, i.e. information that requires strong protection. The management of the personal data was also part of Indecap's core business where the data covered by statutory confidentiality. Indecap has also been aware of the risks of emailing and had therefore introduced special control routines, but on grounds of the pandemic, deviated from the control routine without taking compensatory measures protective measures. When assessing the seriousness of the violation, IMY takes into account, in mitigation, that Indecap already started work on replacement before the current incident mailing to a more secure alternative. This process was also accelerated after it current incident. It appears from the EDPB's guidelines that the supervisory authority must assess whether the violation is of low, medium or high severity. IMY assesses against the background of above circumstances that in total it is a violation of Article 32.1 of the Data Protection Regulation of medium severity. As a mitigating circumstance, it is taken into account that Indecap, before IMY started supervision, immediately and in a clear manner informed the data subjects concerned about what occurred. 
IMY also considers that Indecap contacted the recipients of the erroneously sent e- 7 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60. The Data Protection Authority Diary number: DI-2021-3422 10(11) Date: 2023-11-07 the mail message and ask them to delete the message, as well as confirm that this has been done, as a mitigating circumstance. The penalty fee must be effective, proportionate and dissuasive The administrative penalty fee must be effective, proportionate and deterrent. This means that the amount must be determined so that the administrative the penalty fee leads to correction, that it provides a preventive effect and that it in addition, is proportionate in relation to current violations as well as to the supervised entity's ability to pay. IMY assesses that a penalty fee calculated on the parent company's total net turnover would not, in the present case, lead to the imposition of the penalty fee far too high in relation to the violation established in the case. It exists therefore not reason to reduce the penalty fee on the basis that the violation only intended for a company in the group. In light of the seriousness of the violation, aggravating and mitigating circumstances IMY determines the administrative sanction fee for Indecap at SEK 500,000 for the established violation. IMY considers this amount to be effective, proportionate and dissuasive. This decision has been taken by the head of unit Catharina Fernquist after a presentation by the lawyer Evelin Palmér. In the final proceedings, the Chief Justice David also has Törngren, the lawyer Cecilia Agnehall and the IT and information security specialist Katarina Bengtsson participated. Catharina Fernquist, 2023-11-07 (This is an electronic signature) Copy to: 1. 
The complainants The Swedish Privacy Agency Diary number: DI-2021-3422 11(11) Date: 2023-11-07 How to appeal If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in the letter which decision you are appealing and the change you are requesting. The appeal shall have entered IMY no later than three weeks from the day you were informed of the decision. If the appeal has been received in time, IMY forwards it to the Administrative Court i Stockholm for examination. You can e-mail the appeal to IMY if it does not contain any privacy-sensitive information personal data or information that may be subject to confidentiality. The authority's contact details appear on the first page of the decision.