Datatilsynet (Denmark) - Unknown

From GDPRhub
Datatilsynet - Unknown
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: n/a
Parties: Netcompany
National Case Number/Name: Unknown
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Press Release (in DA)
Initial Contributor: sh

The Danish DPA recommended the relevant judicial authority to fine Netcompany15 million DKK (around €2 million) in its highest fine to date and reported them to the police for failing to implement appropriate and technical organisational measures.

English Summary

Facts

Netcompany (the controller) operates and owns mit.dk. Mit.dk is a way for Danish citizens and businesses to access, among others, digital mail from public authorities. The mailbox, which opened in March 2022, can be used to receive mail from governments, book doctor’s or dentist’s appointments, pay electricity bills, share documents with hospitals or general practitioners, manage finances and more.

Even though the controller carried out tests such as code review, static code analysis and performance tests before launching the mailbox, it failed to discover an ‘inappropriate coding’ in the component that authenticated the users. When users logged in an error occurred that meant they were able to access other users’ digital mail and gain access to confidential and sensitive information. Which, led to an unnecessarily high risk for all users of mit.dk.

The controller became aware of the inappropriate coding shortly after the launch of mit.dk when several users contacted the company about being able to access other users' information. The solution was to shut down until the inappropriate coding was corrected, and the breach was reported to the Danish DPA.[1]

Holding

The Danish DPA decided that data controller had not implemented appropriate security measures in connection with the development of mit.dk., including not ensuring that appropriate security measures were built into the design of the solution itself (privacy by design) and for not having prepared an impact assessment in connection with the development of mit.dk.

First, because mit.dk contained inappropriate coding, it was clear to the DPA that the principle of privacy by design under Article 25(1) GDPR had not been considered. Better testing of the platform before launching should have uncovered the error.

Second, considering the purpose of mit.dk, one of the most critical and obvious risks was that other users could gain access to digital mail that they were not authorised to access. The Danish DPA stated that preparing an impact analysis is not a formality. The analysis is an important guarantee of legal certainty for citizens’ rights when the processing of their information has an inherent high risk. These impact assesments must be done before the controller starts processing data.

The Danish DPA referred the controller to the police and recommended that the responsible judicial authority fine the controller around €2 million.

Comment

This is not the first time that the Danish DPA has held Netcompany to have breached the GDPR. See https://gdprhub.eu/index.php?title=Datatilsynet_(Denmark)_-_2019-431-0037 and https://gdprhub.eu/index.php?title=Datatilsynet_(Denmark)_-_2021-431-0126.

In their press release the Danish DPA stated that: "Danish society is highly digitized, and therefore it is crucial that citizens can trust that the security of the national critical infrastructure is in order. A case like this can jeopardize that trust, and for this reason, too, the Danish Data Protection Agency needs to crack down hard. Solutions like mit.dk need to manage citizens' data responsibly, securely and with respect for individual privacy."

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Skip the main navigation

Search

Police report

Netcompany is fined

Date: 12-01-2024

Decision Private companies Police report Reported breach of personal data security Processing security Sensitive information Risk assessment and impact analysis CPR number Unauthorized access

The Danish Data Protection Authority reports Netcompany to the police and recommends a fine of at least DKK 15 million. DKK. During the development of mit.dk, the company did not ensure an appropriate level of security, and a consequence analysis should have been prepared, the inspection assesses.

Netcompany has been fined no less than DKK 15 million. DKK for having violated the data protection regulation in several cases, as the company as data controller had not implemented appropriate security measures in connection with the development of mit.dk, including not ensuring that appropriate security measures were built into the design of the solution itself - so-called privacy by design - and for not having prepared an impact analysis in connection with the development of mit.dk.

Improper coding allowed access to other users' information

The IT solution mit.dk is operated and owned by Netcompany, and citizens and businesses can choose to use the solution to access digital mail from, among other things. public authorities.

In connection with the development of mit.dk, Netcompany used inappropriate coding in the component that must authenticate the users of mit.dk. When the solution was put into operation on 22 March 2022, an error therefore occurred almost immediately when several users logged into the solution at the same time - and the error meant that users gained unauthorized access to other users' digital mail and thus to personal data of both confidential and sensitive nature. This led to an unnecessarily high risk for all users of mit.dk.

Netcompany became aware of the inappropriate coding shortly after the launch of mit.dk, when several users approached the company about being able to access other users' information. The solution was then shut down until the inappropriate coding was corrected, and the breach was reported to the Danish Data Protection Authority.

Critical risk scenarios must be in focus

Before the launch of mit.dk, a number of tests were carried out, including code review, static code analysis and performance tests, but the inappropriate coding was not discovered.

It is the Danish Data Protection Authority's opinion that, considering the purpose of mit.dk, one of the most critical and obvious risks of the solution was that other users gained access to digital mail that they were not authorized to access, including mail with confidential and sensitive information.

"When developing IT solutions, you must – before starting to process personal data – identify the specific risks and especially the most critical risk scenarios that the individual IT solution may involve, so that you can take them into account with appropriate security measures. And when you subsequently test your solution, it is crucial that there is an extra focus on the particularly critical risk scenarios. In this way, you can select and carry out just the tests that are relevant and necessary in order to catch critical errors in time ," says Vibeke Dyssemark Thomsen, chief consultant at the Norwegian Data Protection Authority.

Bearing in mind the purpose of mit.dk, the personal data that is given access to, and the large number of users who would use the solution, the Danish Data Protection Authority further assesses that the administration and use of mit.dk entailed a high risk for the users. However, an impact analysis had not been prepared.

"Preparing an impact analysis is not a formality. The analysis is an important guarantee of legal certainty for citizens' rights when the processing of their information has an inherent high risk. The work with such an analysis involves a thorough and structured process, which provides a better and more detailed overview of the risks associated with a certain solution, just as in the process the necessary measures must be found and implemented to address and reduce the risk . The impact analysis must be done before the treatment starts, so that you are sure that all key risks have been handled and all high risks reduced," explains Vibeke Dyssemark Thomsen.

Why report to the police?

The Danish Data Protection Authority always makes a concrete assessment of the seriousness of the case pursuant to Article 83, paragraph 1 of the Data Protection Regulation. 2, when assessing which sanction is the correct one in the opinion of the supervisory authority.

In this case, in the opinion of the Danish Data Protection Authority, it was partly a question of a flawed process in relation to impact analysis, an inappropriate coding which should not have been used for this type of solution, just as better testing of the solution before commissioning should have uncovered the error, so that the solution did not fail immediately at commissioning.

"Danish society is highly digitized, and therefore it is crucial that citizens can trust that the security of the national critical infrastructure is in order. A case like this can go beyond that trust, and for this reason, the Danish Data Protection Authority is also have to crack down hard. Solutions like mit.dk have to manage citizens' data responsibly, securely and with respect for the individual's privacy," says Vibeke Dyssemark Thomsen.

It is the largest fine that the Danish Data Protection Authority has proposed so far. In addition to the seriousness of the matter, the amount also reflects the fact that this is a very large company. It thus follows from the data protection regulation that fines in each individual case must be effective, proportionate to the infringement and have a deterrent effect.

Do you want to know more?

You can read more about impact assessments here.

Press inquiries can be directed to communications consultant Anders Due on tel. 29 49 32 83.

Facts

Fines according to the GDPR

In most European countries, the national data supervisory authorities themselves can issue administrative fines for violations of the common European rules in the General Data Protection Regulation (GDPR). In Denmark, fines according to the regulation must so far be decided by the courts.

The Danish Data Protection Authority can recommend both private actors and public authorities to fines. In connection with the notification of the case to the police, the Data Protection Authority assesses the amount of the fine, and it is then up to the police and the prosecution to bring charges and conduct the criminal case in the courts.

According to the rules, a fine must be effective, proportionate to the infringement and have a deterrent effect. The Danish Data Protection Authority therefore takes into account a number of considerations and considerations in both aggravating and mitigating directions when the supervisory authority makes a statement on the size of the fine. You can read more about what the Norwegian Data Protection Authority attaches importance to in the guidelines on setting fines that the authority has prepared in collaboration with the Norwegian Police and the Attorney General, as well as in the European Data Protection Board's guidelines on setting fines.

Fine guidance - assessment of fines for natural persons Fine guidance - assessment of fines for companies EDPB's guidance on calculating fines according to the GDPR

It is stipulated in the rules that the level of fines for public authorities is generally lower than for private actors.

See an overview of fine settings according to GDPR

The Norwegian Data Protection Authority

Carl Jacobsens Vej 35
2500 Valby
Tel. 33 19 32 00
dt@datatilsynet.dk

About us

About the Norwegian Data Protection AuthorityPresseHome pagePrivacy policyAvailability statement

Shortcuts

Guidance on GDPRCall usNewsletterThe National Whistleblower Scheme

follow us

The Norwegian Data Protection Authority on LinkedIn

Police report

Netcompany is fined

Date: 12-01-2024

Decision Private companies Police report Reported breach of personal data security Processing security Sensitive information Risk assessment and impact analysis CPR number Unauthorized access

The Danish Data Protection Authority reports Netcompany to the police and recommends a fine of at least DKK 15 million. DKK. During the development of mit.dk, the company did not ensure an appropriate level of security, and a consequence analysis should have been prepared, the inspection assesses.

Netcompany has been fined no less than DKK 15 million. DKK for having violated the data protection regulation in several cases, as the company as data controller had not implemented appropriate security measures in connection with the development of mit.dk, including not ensuring that appropriate security measures were built into the design of the solution itself - so-called privacy by design - and for not having prepared an impact analysis in connection with the development of mit.dk.

Improper coding allowed access to other users' information

The IT solution mit.dk is operated and owned by Netcompany, and citizens and businesses can choose to use the solution to access digital mail from, among other things. public authorities.

In connection with the development of mit.dk, Netcompany used inappropriate coding in the component that must authenticate the users of mit.dk. When the solution was put into operation on 22 March 2022, an error therefore occurred almost immediately when several users logged into the solution at the same time - and the error meant that users gained unauthorized access to other users' digital mail and thus to personal data of both confidential and sensitive nature. This led to an unnecessarily high risk for all users of mit.dk.

Netcompany became aware of the inappropriate coding shortly after the launch of mit.dk, when several users approached the company that they could access other users' information. The solution was then shut down until the inappropriate coding was corrected, and the breach was reported to the Danish Data Protection Authority.

Critical risk scenarios must be in focus

Before the launch of mit.dk, a number of tests were carried out, including code review, static code analysis and performance tests, but the inappropriate coding was not discovered.

It is the Danish Data Protection Authority's opinion that, considering the purpose of mit.dk, one of the most critical and obvious risks of the solution was that other users gained access to digital mail that they were not authorized to access, including mail with confidential and sensitive information.

"When developing IT solutions, you must – before starting to process personal data – identify the specific risks and especially the most critical risk scenarios that the individual IT solution may involve, so that you can take them into account with appropriate security measures. And when you subsequently test your solution, it is crucial that there is an extra focus on the particularly critical risk scenarios. In this way, you can select and carry out just the tests that are relevant and necessary in order to catch critical errors in time ," says Vibeke Dyssemark Thomsen, chief consultant at the Norwegian Data Protection Authority.

Bearing in mind the purpose of mit.dk, the personal data that is given access to, and the large number of users who would use the solution, the Danish Data Protection Authority further assesses that the administration and use of mit.dk entailed a high risk for the users. However, an impact analysis had not been prepared.

"Preparing an impact analysis is not a formality. The analysis is an important guarantee of legal certainty for citizens' rights when the processing of their information has an inherent high risk. The work with such an analysis involves a thorough and structured process, which provides a better and more detailed overview of the risks associated with a certain solution, just as in the process the necessary measures must be found and implemented to address and reduce the risk . The impact analysis must be done before the treatment starts, so that you are sure that all key risks have been handled and all high risks reduced," explains Vibeke Dyssemark Thomsen.

Why report to the police?

The Danish Data Protection Authority always makes a concrete assessment of the seriousness of the case pursuant to Article 83, paragraph 1 of the Data Protection Regulation. 2, when assessing which sanction is the correct one in the opinion of the supervisory authority.

In this case, in the opinion of the Danish Data Protection Authority, it was partly a question of a flawed process in relation to impact analysis, an inappropriate coding which should not have been used for this type of solution, just as better testing of the solution before commissioning should have uncovered the error, so that the solution did not fail immediately at commissioning.

"Danish society is highly digitized, and therefore it is crucial that citizens can trust that the security of the national critical infrastructure is in order. A case like this can go beyond that trust, and for this reason, the Danish Data Protection Authority is also have to crack down hard. Solutions like mit.dk have to manage citizens' data responsibly, securely and with respect for the individual's privacy," says Vibeke Dyssemark Thomsen.

It is the largest fine that the Danish Data Protection Authority has proposed so far. In addition to the seriousness of the matter, the amount also reflects the fact that this is a very large company. It thus follows from the data protection regulation that fines in each individual case must be effective, proportionate to the infringement and have a deterrent effect.

Do you want to know more?

You can read more about impact assessments here.

Press inquiries can be directed to communications consultant Anders Due on tel. 29 49 32 83.