IMY (Sweden) - DI-2021-1905
IMY - DI-2021-1905 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR Article 58(2) GDPR Article 83 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 28.08.2023 |
Published: | 28.08.2023 |
Fine: | 35,000,000 SEK |
Parties: | n/a |
National Case Number/Name: | DI-2021-1905 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Swedish |
Original Source: | IMY (in SV) |
Initial Contributor: | Maximilien Hjortland |
The Swedish DPA issued a penalty fee of SEK 35 million (around 3 million euros) against Trygg-Hansa. The insurance company had serious security flaws via faulty URLs resulting in a data breach of 650,000 customers' data over a period of two years.
English Summary
Facts
On the 30th of November 2020, an external phone call notified the controller about a data breach. This was initially not recognised as a security flaw, and therefore was not immediately reported further within the controller organisation.
The controller,the insurance company Moderna Försäkringar (since April 2022 Trygg-Hansa A/S), notified Swedish DPA in December 2020, that a data breach had occurred. As a result, unauthorised access to the personal data of 650,000 customers, including special categories listed in Article 9(1) GDPR, was made possible.
In March 2021, the Swedish DPA initiated an investigation to uncover whether the controller had implemented appropriate safeguards and mitigated risks to the data subject resulting from the data processing, in line with Articles 5(1)(f) and 32 of the GDPR.
The data breach notification pertained to16 different document types, that the Swedish DPA subsequently reviewed. The documents contained multiple categories of personal data: names, contact information, health accounts, ID numbers, economic data, etc. The controller had not conducted a data protection impact assessment prior to the processing in question, which would have identified the high risk associated with it.
The investigation revealed that data breach occurred in 4 steps:
1) An existing or potential customer called customer service enquiring about an insurance offer. The customer service representative sent an SMS or email to the customer after the phone call ended.
2) This SMS or email contained a URL to an insurance offer on Trygg-Hansa’s website.
3) Trygg-Hansa's website contained additional links to documents with insurance information.
4) These documents contained URLs that were (able to be changed) on the website browser allowing access to other customers' documents.
Holding
IMY found the data breach to compromise (Article 5(1)(f) GDPR). The processing operation carried a high risk and would have required equivalent security levels. Appropriate technical and organizational measures (TOMs), as prescribed in Article 32 GDPR, were not implemented.
The long duration of the data breach combined with the very detailed records (including largely descriptive health data) underscores the severity of the incident. Analyses of behavioural patterns in the controller's logs indicated that 202 customers probably were directly affected. This means that their personal data were leaked and made accessible to non-authorised third parties.
IMY stated that data subjects expectations of high degrees of confidentiality are justified, especially in this case, where personal data was collected to make decisions about the insurance of registered individuals. Nevertheless, the controller failed to implement adequate authorisation control, encryption, logging, and access control, to remedy these technical shortcomings. The breach was of such an elementary character, that Trygg-Hansa should have identified and remedied the compromised system before it was implemented.
The investigation established that no routine was in place to verify the identity of persons making data access requests. Lack of pseudonymisation meant that individual accounts were accessible in plain text to a broad audience simply by rendering a few digits of a numeric URL sub-string. Once obtained, these individual records could have easily been distributed.
TOMs were implemented only after IMY contacted the controller about the data breach, and were found not to exceed minimum expectations. As such, they did not positively impact the calculation of the administrative fine.
Because the violation only concerned the Swedish branch of the company, the administrative fine was calculated based on the reported annual turnover of Moderna Försäkringar and not the parent company. The Swedish DPA fined Trygg-Hansa SEK 35 million (around €3 million) for breaching Article 5(1) GDPR and Article 32 GDPR.
Comment
In April 2022, Moderna Försäkringar was acquired by Trygg-Hansa, which is the company IMY addresses as the controller in its decision. Trygg-Hansa A/S is a branch of Tryg Forsikring A/S, which is the largest non-life insurer in Scandinavia.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(12) Trygg-Hansa Insurance branch Diary number: DI-2021-1905 Decision after supervision according to Date: data protection regulation - Trygg- 2023-08-28 Hansa Insurance branch The Privacy Protection Authority's decision The Swedish Privacy Protection Authority states that Trygg-Hansa Försäkring branch (organization number 516403-8662) has processed personal data in violation of articles 5.1 f and 32.1 of the data protection regulation by during the period October 2018 – February 2021 not having taken appropriate technical measures and thereby enabled unauthorized access to privacy-sensitive personal data about its customers. The Privacy Protection Authority decides with the support of articles 58.2 and 83 i data protection regulation that Trygg-Hansa Försäkring filial must pay an administrative penalty fee of SEK 35,000,000 (thirty-five million) for the violation of articles 5.1 f and 32.1. Account of the supervisory matter Background In December 2020, the Swedish Privacy Agency (IMY) received tips that Moderna Försäkringar, branch of Tryg Forsikring A/S (Moderna Försäkringar) had made it possible access by unauthorized persons to personal data that concerned data of sensitive character of Moderna Försäkringar's customers. In March 2021, IMY began supervision of Moderna Försäkringar in order to review whether Moderna Försäkringar had taken appropriate measures to ensure a level of security that was appropriate in relation to the risk of personal data processing, in accordance with articles 5.1 f and 32 i data protection regulation. As part of its review, IMY has taken note of the 16 documents that the tip refers to. The is a question of several different types of insurance documents, including claims, Postal address: invoices, insurance letters, insurance decisions, response cards regarding insurance compensation, Box 8114 scope change and request for additional information for insurance investigation. 104 20 Stockholm The documents contain a large number of categories of personal data, such as e.g. name, Website: contact details, health details, social security number, financial details, www.imy.se insurance holdings, sequence of events (for example time, place, actions and others E-mail: imy@imy.se 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with Telephone: regarding the processing of personal data and on the free flow of such data and on the cancellation of 08-657 61 00 directive 95/46/EC (general data protection regulation). Data Protection Agency Diary number: DI-2021-1905 2(12) Date: 2023-08-28 information provided by the data subject in free text fields) and information regarding ownership and property damage. In April 2022, Moderna Försäkringar merged with Trygg-Hansa. Modern Försäkringar subsequently changed its name to Trygg-Hansa branch (Trygg-Hansa) but continued to operate under the same organization number as before (516403-8662). In the decision, IMY will consistently use the supervised object's new name, Trygg- Hansa, when explaining what happened. Statement from the subject of supervision Trygg-Hansa has essentially stated the following. On November 30, 2020, Trygg-Hansa was contacted by a person by phone who informed of the deficiency. The recipient of the tip at Trygg-Hansa did not understand that it was a possible incident, and the deficiency was therefore not reported further within Trygg-Hansa's organization. The security breach has occurred in the following way: 1. An existing or new potential customer has contacted customer service by phone and wanted to get a quote for insurance. The customer service manager has after ended phone call sent an SMS or e-mail to the customer. 2. The SMS or email has contained a unique web address to a quote page on Trygg-Hansa's website. 3. On the quote page there have been clickable links with URLs leading to documents with insurance information. The person who contacted Trygg- Hansa as above has been able to open the documents by clicking on the links. 4. These documents have had web addresses which at the time could be modified by the person in their browser by replacing numbers with other numbers. On in this way, the person has been able to retrieve other customers' documents. There has been internet access to data on approximately 650,000 customers during the period October 2018 up to and including when IMY contacted the company at the end of February 2021. The information covered is name, social security number, contact information (address, e-mail address, phone number), insurance number, claims number, financial information, health information, insurance holdings, ownership information (such as animal ownership, vehicle details, property details), property damage (such as details about workshop, notice of compensation), sequence of events (for example time, place, actions and other information that the data subject provided in free text fields) and other free text fields. It can it cannot be ruled out that there was also information about violations of the law (such as in connection with claims) or information about membership of a trade union (such as when insurance has been taken out with a trade union). Analysis of behavioral patterns in logs indicates that 202 customers are likely direct concerned in such a way that information about them (documents) may have been shown to someone unauthorized. As far as Trygg-Hansa has been able to ascertain, after examining the logs, it is only the tipster and IMY who gained access to the documents. In order to similar security flaws would not arise, Trygg-Hansa had taken before the event in question measures by drawing up an IT security policy, implementing regular penetration tests and logging on nodes, transactions and customer management systems as well as by holding an annual training in data protection and security and ongoing Date: 2023-08-28 training for employees with special responsibility for data protection issues. Trygg Hansa follows the ISO 27001 standard, which i.a. involves continuous penetration testing and segmentation of networks. Trygg-Hansa did not carry out an impact assessment concerning the treatment in question before the treatment began. This had, however carried out if the personal data processing started today because Trygg-Hansa nowadays have routines for this. Since approximately the middle of 2019, Trygg implements Hansa a compliance system that Trygg-Hansa describes in a structured way processes, data, storage, contracts, suppliers, etc. along with impact assessments. In order to access documents with information about other customers, according to Trygg- Hansa required knowledge of the structure of Internet addresses and how to take part in it the underlying content with, for example, a browser. Furthermore, it has been required changing part of the URL digits in the Document ID. Since the incident in question has been identified, Trygg-Hansa has taken further steps security measures, such as addressing the current flaw by encrypting and ensure that access can only take place by someone who is authorized. After the event identified, Trygg-Hansa has also carried out two independently of each other penetration tests by two different external security companies, updated IT the security policy, took measures to improve the procedures for testing activities, decided to establish an architecture council with security control and code review at development, reviewed the internal customer complaint process and decided to implement additional training for employees in customer service as well as for developers and testers. Trygg-Hansa has also contacted registered persons by letter, and in some cases by telephone, for to inform about what happened and informed on its website. Justification of the decision Has Trygg-Hansa ensured an appropriate security level for the personal data? Applicable regulations According to article 5.1 f of the data protection regulation, the personal data controller must process the personal data in a way that ensures appropriate security, including protection against unauthorized or unauthorized processing and against loss, destruction or damage by accident, using appropriate technical or organizational measures measures (integrity and confidentiality). According to article 9.1 of the data protection regulation, it is prohibited as a starting point to process special categories of personal data (so-called sensitive personal data), including information about health. In Article 9.2 certain exceptions are specified from the ban. It follows from Article 32.1 of the Data Protection Regulation that the person in charge of personal data shall take appropriate technical and organizational measures to ensure a safety level that is appropriate in relation to the risk of the treatment. It shall, according to the same provision, take into account the latest developments, the implementation costs and the nature, extent, context and purpose and the risks, of varying degree of probability and seriousness, for physical rights and freedoms of persons. When assessing the appropriate level of security, the Privacy Protection Agency Diary number: DI-2021-1905 4(12) Date: 2023-08-28 according to article 32.2, special consideration is given to the risks that the processing entails, i in particular from accidental or unlawful destruction, loss or alteration or to unauthorized disclosure of or unauthorized access to the personal data transmitted, stored or on otherwise treated. The Swedish Privacy Protection Authority's assessment Trygg-Hansa is responsible for personal data Trygg-Hansa has stated that Trygg-Hansa is responsible for personal data for them personal data processing that the tip intended, which is supported by the investigation i the case. IMY assesses that Trygg-Hansa is the personal data controller for that processing which the supervision covers. The treatment involved major privacy risks and required a high level of protection The person in charge of personal data must provide security that is suitable from the outside the risks of the treatment. The assessment of the appropriate level of protection must be done with taking into account, among other things, the nature, scope, context and purpose of the processing as well as the risks, of varying degrees of probability and seriousness, for natural persons rights and freedoms. During the assessment, special consideration must be given to the risks that the processing entails, among other things, unauthorized disclosure of or unauthorized access to the personal data. IMY notes that the processing of personal data has included a large number registered within Trygg-Hansa's core business. According to Trygg-Hansa's own information has been a question of data on approximately 650,000 customers. IMY further states that the processing intended a large number of personal data about each registered, which enabled mapping of individuals' personal circumstances. The 16 documents that IMY has seen within the framework of the supervisory case contain a large number categories of personal data, such as names, contact details, health details, social security number, financial information, insurance holdings, sequence of events (e.g. time, place, actions and other information provided by the data subject free text field) and information regarding ownership and property damage. Trygg-Hansa also has presented that it cannot be ruled out that information about violations of the law or information about membership in a trade union. Through access to a document, it has been possible to directly read out a large number information about an individual person. Thus, in some cases it has been possible to get a detailed picture of the personal circumstances of the registered person using the documents. The comprehensive the processing of personal data has been particularly sensitive to privacy through use of social security numbers and other identification data that enabled a clear and direct connection to individuals. IMY further assesses that the nature of the personal data in itself entails a high risk. The documents have contained sensitive personal data, i.a. information about health, such as according to the main rule in Article 9.1 of the data protection regulation may not be processed. Such data have been given extended protection, as processing them may constitute a extremely serious interference with the fundamental rights regarding respect for 2 privacy and protection of personal data. The data on health has also had a 2 The judgment of the Court of Justice of the European Union in case C‑184/20, Vyriausioji tarnybinės etikos komisija, EU:C:2019:773, paragraph 126. The Swedish Data Protection Authority Diary number: DI-2021-1905 5(12) Date: 2023-08-28 high level of detail, so that, for example, it was possible to determine how a health problem arose or exactly what health condition it is, which meant an even higher risk. The material has also contained other types of information that are particularly worthy of protection. This applies, among other things, to information about social security numbers that are covered by a special protection according to article 87 of the data protection regulation and ch. 3 Section 10 of the Act (2018:218) with supplementary regulations to the EU data protection regulation. According to Trygg-Hansa can it is also not excluded that there was information about legal offenses that are covered of a strong protection according to Article 10 of the Data Protection Regulation, because processing of they can have serious effects on individuals. There have also been reports of individuals' financial conditions. The documents in the case also show that it has been possible for registered users to provide information in forms themselves. In some claims, the registrants have provided detailed information in running text regarding health problems and how injuries occurred. By giving Trygg-Hansa the opportunity to provide information in running text has it has been difficult for Trygg-Hansa to fully control the content and the types of information that appears. This has resulted in special requirements for handling the documents on a safe way. Overall, the large number of registrants has the extensive amount of data if each person and the sensitive nature of the data entailed a high risk of rights and freedoms of natural persons. Unauthorized disclosure of or unauthorized access to the personal data has been able to lead to serious consequences for those concerned the persons. This has led to demands for a high level of protection for the treatment. IMY further states that the context for the processing of personal data entailed a even higher requirements on the level of protection. Personal data processing has taken place within the framework for Trygg-Hansa's core business. In addition, the registrants are entitled expectations of a high degree of confidentiality and robust protection against unauthorized access access to personal data processed in insurance operations. The data have further collected in order to be able to make assessments and make decisions regarding registered, which is a type of processing of personal data that may involve higher risks and require higher protection. In summary, the treatment has been of such a nature that high demands have been placed on it the security of the data, for example through authorization control, encryption, logging, access control and management of technical vulnerabilities. The data has not been adequately protected IMY must then assess whether Trygg-Hansa has ensured the high level of protection that required. IMY states that it has not been required that the person who prepared access to the data verified their identity for Trygg-Hansa or otherwise verified their authorization to receive access to these. Anyone who has had access to the web addresses has thus been able to visit the websites and thereby gain access to the documents with personal data without ensuring that it was an authorized person. The data in 3 The Council of Europe has stated in a recommendation that member states must ensure that employees of insurance companies who receive access to personal data must be subject to rules on confidentiality (Recommendation rec[2002]9 on the protection of personal data collected and processed for insurance purposes). See also prop. 2009/10:241 p. 43 and Ds 2011:7. The Swedish Privacy Agency Diary number: DI-2021-1905 6(12) Date: 2023-08-28 nor have the documents been protected by encryption, but have been available in plain text. Furthermore, there has been a question of data that directly identified individuals, i.e. the data has not been protected by pseudonymisation. Trygg-Hansa has thus done a large amount of direct personal data of a privacy-sensitive nature available on internet without taking protective measures in the form of authorization control or encryption. Trygg-Hansa has stated that special knowledge is required to access documents with personal data via the web addresses. However, IMY has observed through the documents and web addresses in the case that it has been possible to access documents by changing the last digits of the URLs. In some cases they have first six digits out of eight have been the same in the different URLs, which means that few numbers in these cases have had to be changed for unauthorized access document. It has also been possible to forward the URLs, which lead to unprotected information about policyholders, to other unauthorized persons. These people have in their luckily, without having to change any numbers, was able to access the information in the documents only by clicking on the URL. That in some cases it was required that an individual changed numbers in the web address field to access documents does not mean that Trygg- Hansa has taken appropriate measures, for example authentication and authorization control, for to prevent unauthorized persons from accessing the relevant information. IMY has been able to access information in the documents without hindrance, simply by visiting the URLs and without having to change the address bar of the browser. Against this background, IMY notes that Trygg-Hansa made a large amount privacy-sensitive personal data accessible in plain text on the internet. It has not been required some authentication to ensure that only the right people could access the data. Persons who obtained or prepared unauthorized access to the dispatches the URLs – or manipulated versions of the sent URLs – has thus been able to gain access to the privacy-sensitive personal data. Based on these circumstances, IMY makes the assessment that there were major deficiencies in the protection of the data. The investigation also shows that the deficiencies have led to unauthorized access access to the data. IMY notes that Trygg-Hansa's own logs indicate that 202 customers likely to have been directly affected in such a way that their data may have been shown to someone unauthorized. However, it should be emphasized that the fact that it has been easy for unauthorized to prepare access to a large amount of personal data of the subject the battle itself is a serious flaw, regardless of how many instances of unauthorized use occurred access that has been possible to ascertain. The shortcomings have been of such a fundamental nature that Trygg-Hansa should have detected and fixed them before the system was implemented. Trygg-Hansa has, however, introduced the system with the flaws, nor during the long period in which the system was used able to identify and remedy them. This despite the fact that Trygg-Hansa received information about the shortcomings through a tip from the outside. IMY further states that the processing of personal data is part of the insurance company's core business and that Trygg-Hansa should therefore have had a good ability to ensure a security that was suitable from the outside the scope and sensitivity of the treatment. Overall, IMY assesses that Trygg-Hansa has not taken appropriate technical measures measures to ensure a level of security that is appropriate in relation to the risk. Trygg-Hansa has thus processed personal data in violation of article 32.1 of the Swedish Privacy Protection Agency Diary number: DI-2021-1905 7(12) Date: 2023-08-28 data protection regulation. That a large amount of personal data, including sensitive data, for a longer period of time has been processed in a way that entailed a risk of unauthorized access access means, according to IMY, that the lack of security was of such a serious nature that it also involves a violation of Article 5.1 f of the data protection regulation. Choice of intervention Legal regulation If there has been a breach of the data protection regulation, IMY has a number corrective powers to be available according to Article 58.2 of the Data Protection Regulation. It follows from Article 58.2 of the data protection regulation that IMY in accordance with Article 83 shall impose penalty charges in addition to or in lieu of other corrective measures which referred to in Article 58(2), depending on the circumstances of each individual case. Each supervisory authority must ensure that the imposition of administrative penalty charges in each individual case are effective, proportionate and dissuasive. The stated in Article 83.1 of the Data Protection Regulation. In Article 83.2, the factors to be taken into account in deciding whether an administrative penalty fee must be imposed, but also what will affect the penalty fee size. Important for the assessment of the seriousness of the violation is, among other things, its nature, severity and duration. According to Article 83.4, in the event of violations of, among other things, Article 32, it must be imposed administrative penalty fees of up to EUR 10,000,000 or, if one applies company, of up to 2% of the total global annual turnover in the previous year budget year, depending on which value is the highest. According to Article 83.5, in the event of violations of, among other things, Article 5, it must be imposed administrative penalty fees of up to EUR 20,000,000 or, if one applies company, of up to 4% of the total global annual turnover in the previous year budget year, depending on which value is the highest. If it is a question of a minor violation, IMY receives according to what is stated in reason 148 i instead of imposing a penalty charge, issue a reprimand in accordance with Article 58.2 b i the regulation. IMY's assessment A penalty fee must be imposed IMY has made the assessment that Trygg-Hansa has processed personal data in violation of article article 32.1 and that the violation is of such a serious nature that it is also question of a violation of the principle of integrity and confidentiality in Article 5.1 f. The violation has occurred through Trygg-Hansa processing personal data with a insufficient level of security, which has entailed the risk that unauthorized persons could obtain access to approximately 650,000 customer data during the period October 2018 to and including with February 2021. The personal data has, among other things, made up of sensitive personal data and social security number, and unauthorized access to these data entails a high risk of the freedoms and rights of the data subjects. The Swedish Privacy Agency Diary number: DI-2021-1905 8(12) Date: 2023-08-28 IMY does not consider it to be a question of less serious violations. Trygg-Hansa will therefore, an administrative penalty fee is imposed for the violations. When deciding of the amount of the sanction fee, IMY must take into account the circumstances stated in article 83.2 and ensure that the administrative penalty fee is effective, proportionate and discouraging. The parent company's annual turnover must be used as the basis for the calculation When determining the maximum amount of a penalty charge to be imposed on a company shall the definition of the concept of company be used as used by the EU Court of Justice application of Articles 101 and 102 of the TFEU (see recital 150 i data protection regulation). It appears from the court's practice that this includes every entity that carries out economic activities, regardless of the legal form of the entity and the way of doing so financing as well as even if the unit in the legal sense consists of several physical or legal entities. What constitutes a company must therefore be based on the definitions of competition law. The rules for group liability in EU competition law revolve around the concept economic unit. A parent company and a subsidiary company are considered part of the same economic unit when the parent company exercises decisive influence over the subsidiary. The decisive influence (ie control) can be achieved either through ownership or by agreement. Jurisprudence shows that one hundred percent or almost 100% ownership implies a presumption that control is deemed to exist. However, the presumption can be rebutted if the company provides sufficient evidence that proof that the subsidiary acts independently on the market. To refute the presumption, the company must therefore provide evidence relating to the organizational, the financial and legal links between the subsidiary and its parent company which shows that they do not constitute an economic unit even though the parent company owns 100 percent 5 or almost 100 percent of the shares. Trygg-Hansa is a branch of the Danish company Tryg Forsikring A/S. Tryg Forsikring A/S is in turn a wholly owned subsidiary of Tryg A/S ("Tryg"). According to the one described above the presumption is therefore Tryg's turnover that must be used as a basis for calculation of the maximum penalty fee amount. To depart from the presumption it is required that Trygg-Hansa provides sufficient evidence that another turnover must be added basis for the calculation. Trygg-Hansa has stated that it is the part of Tryg's turnover that corresponds the turnover of Moderna Försäkringar which should be used as a basis for the calculation of the maximum penalty fee. Trygg-Hansa has estimated this turnover to 2,406,294,859 Danish kroner. Secondly, Trygg-Hansa believes that the maximum the penalty fee should be based on Modern Insurance and Tryg's turnover, whereby the turnover of the companies that have been acquired by Tryg after the time period which the review should be excluded from the calculation of the penalty fee. Trygg Hansa has estimated this turnover at 23,622,304,333 Danish kroner. IMY has understood Trygg-Hansa's approach so that the maximum sanction fee i primarily should be calculated on the hypothetical turnover as the branch Moderna Insurance would have had during 2022 if not for Trygg-Hansa and Moderna Insurances had merged in April 2022. Furthermore, IMY has understood that Trygg-Hansa 4 Case C-97/08, para. 59-61 5 Cf. EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 125 and where reported rulings. Privacy Protection Agency Diary number: DI-2021-1905 9(12) Date: 2023-08-28 secondarily believes that it is Tryg in the organization that applied when the deficiency existed, i which Moderna Försäkringar is included, which constitutes the financial unit on which a maximum penalty fee must be calculated. In determining the relevant the annual turnover for Tryg must thus be the estimated turnover for the companies that acquired after the time of infringement is exempted. In support of his view, Trygg-Hansa has stated in summary that Moderna Insurance at the time of the review was seen as an independent business from Tryg in technical and organizational terms. Trygg-Hansa has thereby highlighted i mainly the following. Moderna Försäkringar was a branch only for tax reasons. Moderna Försäkringar decided independently on its actions and had its own management team. The server environment where the current personal data processing took place was run and developed by Moderna Försäkringar which also had its own IT manager and IT organization. Only customers of Moderna Försäkringar are affected in this matter. The personal data processing reviewed in the case was also not sanctioned by Tryg and the insurance systems for the two businesses were different and separate from each other without any logical, organizational or technical connection. According to Trygg Hansa, the turnover of the acquired companies should under all circumstances are excluded from Tryg's turnover when determining the maximum sanction amount then the responsibility for an infringement according to competition law practice must be attributed to the one who had controlling influence over the business at the time of the incident. IMY makes the following assessment. Trygg-Hansa is a branch of Tryg Forsikring A/S, and is thus not an independent legal person. Trygg-Hansa's turnover is included as one integral part of Tryg's total turnover, and is fully integrated with the turnover for Tryg Forsikring A/S. These circumstances strongly suggest that Trygg-Hansa, Tryg Forsikring A/S and Tryg must be regarded as one and the same financial entity. The circumstances that Trygg-Hansa highlighted that the branch, when it went under the name Moderna Försäkringar, had its own management team, IT system and IT organization not something which in itself contradicts the fact that it is a question of one and the same economic unit. Overall, IMY assesses that there is no reason to deviate from the presumption that is Tryg's turnover that must be added to the calculation of the maximum the penalty fee. What does Trygg-Hansa's attitude mean that the turnover of the acquired companies should is excluded from the calculation of the maximum amount of the sanction fee, IMY does the following assessment. At the time of the infringement, Trygg-Hansa was, as it is today, another branch Safe. There have therefore been no organizational changes that in themselves have an impact the liability relationship between the branch and the company. It may further be noted that the fact that the relevant annual turnover for the calculation of the penalty fee is that annual turnover determined in the year immediately preceding that of the supervisory authority decision can mean that major changes in the annual turnover have taken place since then the time of the violation, both decreases and increases. Such changes may be due to business events, such as increasing or decreasing market share and profitability, or changes to the company's organization, such as sales or acquisition of companies. There is, to a certain extent, the possibility of taking such into account changes within the framework of the proportionality assessment that must always be made at imposition of penalty charges under the Data Protection Regulation to ensure that the sanction fee imposed is proportional in the individual case. IMY assesses on the other hand, that the maximum penalty fee amount should be based on the determined amount the annual turnover, without deduction for hypothetical amounts for the companies that have been acquired during this time period. The Swedish Data Protection Agency Diary number: DI-2021-1905 10(12) Date: 2023-08-28 However, IMY takes into account both the fact that the violation occurred in a limited part of Trygs activities that the organizational changes Trygg-Hansa has highlighted, within the framework for the proportionality assessment, which is reported below under the heading "The penalty fee must be effective, proportionate and dissuasive". IMY assesses overall that the turnover of the company to be used as a basis for calculation of the administrative penalty fees that Trygg-Hansa can impose is Guaranteed turnover. From Tryg's annual report for the year 2022, it appears that the annual turnover in 2022 was approx. 33,938,000,000 Danish kroner, which corresponds to approx. 54,000,000,000 6 Swedish crowns. The maximum penalty amount that can be determined in the case is four percent of this amount, i.e. approximately SEK 2,160,000,000. The seriousness of the violation IMY makes the following considerations regarding the seriousness of the violation. That there was one possible unauthorized access to approximately 650,000 customers' data implies that there was a risk to a high number of people. The data has included sensitive personal data, such as health data, and other data of a privacy-sensitive nature, such as social security number and financial information. It cannot be ruled out that information about violations of the law have been revealed. The personal data processing has meant significant risks. Individuals were directly identifiable, which meant that information of a sensitive nature could be linked to identified persons. The data have processed in a context where the data subjects have legitimate expectations of a high level of confidentiality and robust protection against unauthorized access. The data has been collected in order to be able to make assessments and make decisions regarding registered, which is a type of processing of personal data that may involve higher risks and require higher protection. Information about, for example, ownership, which would could entail a risk of theft, could easily be linked to names in case of unauthorized access and address. Due to the nature of the information, and since the documents contained a numerous collected data, any unauthorized access has meant a high risk of damaged reputation and loss of confidentiality. Trygg-Hansa's analysis of behavior patterns in logs indicate that 202 customers are likely to be directly affected by so way that information about them in documents may actually have been shown to unauthorized persons, and IMY states that unauthorized access occurred on at least one occasion, in connection with the tip about shortage was given to IMY. The violation has also continued for a longer period of time, between October 2018 and time when IMY contacted Trygg-Hansa and pointed out the deficiency in February 2021. Trygg- Hansa received information about the shortcomings in November 2020 through an external tip the security that could have been used to remedy the deficiencies and thereby reduce privacy risks for individuals. However, Trygg-Hansa was unable to use it the information to remedy the deficiencies. The violation has concerned Trygg-Hansa core business, where Trygg-Hansa can be assumed to have knowledge of risks and requirements for the protection of personal data. It appears from the EDPB's guidelines that the supervisory authority must assess whether the violation is of low, medium, or high severity.7 IMY has established that the violation is so serious that it also constitutes a violation of the fundamental principle of integrity and confidentiality according to Article 5.1 f i 6 Based on the exchange rate on 23 August 2023, published on riksbanken.se 7 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60. Data Protection Authority Diary number: DI-2021-1905 11(12) Date: 2023-08-28 data protection regulation, which means that the maximum sanction fee is 4 percent of the annual turnover instead of the 2 percent that applies in case of violation of article 32. Overall, IMY assesses that the violation in question has a medium level degree of seriousness within the range of violations of Article 5.1 f data protection regulation. Trygg-Hansa has taken a number of measures before and after the deficiencies were identified. Trygg-Hansa has, among other things, had two carried out independently of each other penetration tests by two different external security companies and initiated measures in order to improve routines for testing activities. Trygg-Hansa has also decided to establish one architecture board with security control and code review during development, decided to implement additional training for employees in customer service as well as for developers and tester. Trygg-Hansa has also provided certain information to registered users about it occurred. This and other measures described by Trygg-Hansa were carried out however, after IMY contacted the company to inform about the deficiency, and does not go beyond what can be expected. The measures are not of such a nature that they affect IMY's assessment in the case in a mitigating direction. The penalty fee must be effective, proportionate and dissuasive The administrative penalty fee must be effective, proportionate and deterrent. This means that the amount must be determined so that the administrative the penalty fee leads to correction, that it provides a preventive effect and that it in addition, is proportionate in relation to current violations as well as to the supervised entity's ability to pay. In the proportionality assessment, IMY considers that Tryg's annual turnover has increased significant due to the acquisition of companies that were not included in the company's total turnover at the time of the infringement. In addition, IMY attaches great importance to the fact that the violation, as revealed in the matter, only happened in the Swedish branch. To be based solely on the group's turnover in this case, where the violation affected a limited part of the business, would result in the penalty fee being set far too high in relation to what has occurred. IMY therefore sees reason that in a proportionality assessment, taking it into account turnover for Moderna Försäkringar as reported by Trygg-Hansa, determine the penalty fee to a significantly lower amount than an assessment solely based on Tryg's turnover had resulted in IMY decides based on an overall assessment that Trygg-Hansa must pay a administrative sanction fee of SEK 35 million. This decision has been taken by the general manager Lena Lindgren Schelin after a presentation by lawyer Evelin Palmér. In the final proceedings, the Chief Justice David also has Törngren and unit manager Catharina Fernquist as well as IT and information security specialist Magnus Bergström participated. Lena Lindgren Schelin, 2023-08-28 (This is an electronic signature) Privacy Protection Agency Diary number: DI-2021-1905 12(12) Date: 2023-08-28 How to appeal If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the day you received it part of the decision. If the appeal has been received in time, send The Privacy Protection Authority forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or information that may be covered by secrecy. The authority's contact details appear on the first page of the decision.