Persónuvernd (Iceland) - Case no. 2021122409
Persónuvernd - Case no. 2021122409 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 5(1)(f) GDPR Article 6 GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 09.11.2022 |
Published: | |
Fine: | n/a |
Parties: | Nova hf. |
National Case Number/Name: | Case no. 2021122409 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Icelandic |
Original Source: | Icelandic DPA (in IS) |
Initial Contributor: | n/a |
The Icelandic DPA ordered a phone company to introduce appropriate security measures against the accidental reassigning of its costumers phone numbers as required by Article 32 GDPR.
English Summary
Facts
The data subject has a phone contract with the controller. The incident in question concerned the controller's accidental assigning of the data subject's phone number to a third party. As a result, the phone number on the data subject's phone became inactive and active on the phone of the third party. The dispute concerned the question whether the incident involved a security breach which should be notified. Moreover, the parties have differing opinions about whether personal data of the data subject was made available to a third party and whether the security measures of the controller were insufficient.
The data subject argued that the third party had access to, among other things, text messages that could have been received at the phone number during the period they had access to it. Additionally, the third-party would be capable of accessing websites and smart apps that use the phone number as an identifier.
The controller argued to the contrary that no security breach occurred. The incident was caused by a human error on the part of the relevant employee who handed over the phone number to an unauthorized party. No information about previous calls, text messages or other information was made available when the phone number was transferred. The controller also does not see itself responsible for other personal data that may be connected to the data subject's phone number, such as the use of authentication methods in services unrelated to the controller. The controller believed that its current processes minimize the risk of mistakes like this occurring, and pointed out that incidents like this have only occurred three times since 2015. The controller therefore assessment that the technical and organizational measures are in accordance with the security standards required by Article 32 GDPR.
Holding
The DPA made two assessments. First, it held that the controller did not ensure the security of the data subject's personal information pursuant to Article 32 GDPR. Second, it also held that the controller did not appropriately notify the security breach as required by Article 33(1) and Article 34(1) GDPR.
Regarding its first holding, the DPA pointed out that a phone number in itself constituted personal data according to Article 4(1) GDPR. Moreover, it noted that all processing of personal data has to comply with Article 6 GDPR and the principles of Article 5(1) GDPR, which also includes the requirement of appropriate security standards (Article 5(1)(f) GDPR). Article 32 GDPR requires that controllers shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data.
The DPA considered it given that a weakness in the controller's security system led to an unauthorized party gaining access to the data subject's phone number and was therefore able to access additional personal information about the complainant, i.e. accessing websites and smart applications that use a phone number as an identifier. Although it is not clear that the third party has in practice used the phone number to access personal information about the data subject, it is indisputable that it was made possible for them due to the incident. It is likely that the nature of the information that can be accessed in such smart applications and websites may be extensive and may even contain sensitive personal information within the meaning of Article 9 GDPR, including information on sexuality. The risk that may arise from such access is therefore significant. The controller therefore had a special duty to take appropriate technical and organizational measures to prevent the accidental reassignment of phone numbers already in use. Consequently, the DPA held that the controller breached Article 32 GDPR.
Concerning its second holding, the DPA pointed out that incident involved a lack of security within the meaning of Article 4(12) GDPR. In such cases, Article 33(1) GDPR and Article 34(1) GDPR respectively require controllers to notify the competent supervisory authority as well as the affected data subject. The DPA elaborated that in establishing whether there is a notification obligation, it must be considered, among other things, that the security breach notifications are intended to give the affected data subjects the opportunity to take the necessary precautions in order to reduce the risk of damage that may result from a security breach.
However, as was clear from the facts of the case, the controller did not report the security breach as it did not believe it was obligated to do so. With reference to what has already been discussed, the DPA considered it clear that it and the data subject should have been notified of the security breach in accordance with the GDPR provisions. It was clear to the DPA that such notifications should have taken place.
As a consequence of its two holding, the DPA ordered the controller pursuant to the powers awarded to it by Article 58(2)(d) GDPR to introduce measures concerning its distribution of phone numbers which would create an appropriate level of security.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Solutions Processing of personal information by Nova hf. Case no. 2021122409 23.11.2022 Whoever processes your personal data must always ensure their appropriate security. In this case, a person's phone number was assigned to someone else, and therefore appropriate security was not observed when processing personal information. ---- The Norwegian Data Protection Authority ruled in a case where there was a complaint about the processing of personal data by Nova.hf. More specifically, there was a complaint that the complainant's phone number was assigned to an unauthorized person who had applied for a phone number with Nova. The complainant's phone number was then deactivated and activated on the relevant party's phone. The conclusion of the Personal Protection Agency was that Nova's processing of the complainant's personal information did not comply with the Act on Personal Protection and the Processing and Security of Personal Information. Directs Personal Protection to Nova to take measures that ensure appropriate security of personal information. Ruling about a complaint about the allocation of a telephone number to an external party by Nova hf. in case no. 2021122409: i Procedure On December 17, 2021, Personal Protection received a complaint from [A], (hereinafter the complainant) about the allocation of Nova hf. (hereinafter Nova) on his phone number to external parties. More specifically, the incident was such that the person in question applied for a phone number from Nova and was assigned the number of the complainant. As a result, the phone number on the complainant's phone became inactive and therefore active on the phone of the person concerned. Personal protection invited Nova to comment on the complaint by letter dated June 27, 2022, and the company's answers were received on July 29, 2022. When resolving the case, all of the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling. ___________________ There is a dispute as to whether the incident in question involved a security breach, which was also notifiable. In this regard, it is disputed whether the complainant's personal information was made available to external parties as a result of the incident, and Nova thus did not ensure sufficient security when processing personal information. The complainant believes that there was a security breach, which included the fact that an outside party had access to, among other things, text messages that could have been received at the phone number during the period he had access to it. Also, the person in question was able to access websites and smart apps that use a phone number as an identifier. Complainant points out that Nova is supposed to have such a system. Nova believes that there was no security breach according to Act no. 90/2018, given that personal information under Nova's responsibility, which was connected to the complainant's phone number, was not at risk due to the incident. It was a human error on the part of the relevant employee who handed over the phone number to an unauthorized party. No information about previous calls, text messages or other information was available when the phone number was transferred. Usage information that is available in Nova's service solutions is only available from the time the SIM card was last changed, so the person who was assigned the number of the complainant would not have been able to obtain information about previous usage. Then it will not be seen that Nova can be responsible for anything else that may be connected to the complainant's phone number, e.g. use of authentication methods in services unrelated to the company. Nova believes that it was a security incident, which was recorded in accordance with the information security management system and the incident was treated as such. The reasons for the incident were analyzed and what organizational and technical measures could be taken to reduce the possibility of a similar incident occurring again. Nova believes that the current processes minimize the risk of mistakes like this occurring, and points out that incidents like this have only occurred three times since 2015, including this incident. It is therefore Nova's assessment that the technical and organizational measures are in accordance with the nature, scope, context and purpose of the processing and risks, unlikely and varying in severity, for the rights and freedoms of individuals, as stipulated in Article 27. Act no. 90/2018. II. Assumptions and conclusion 1. Lawfulness of processing This case concerns the fact that Nova has assigned the complainant's phone number to an unauthorized party. Nova has claimed that there was no security breach as no personal information under the company's responsibility, which was connected to the complainant's phone number, was at risk due to the incident. Regarding the above, it is pointed out that the telephone number of the complainant alone falls under the concept of personal information, according to Number 2. Article 3 Act no. 90/2018, and this case concerns the processing of personal data by Nova, which falls under the authority of the Personal Protection Authority. Nova is considered to be the party responsible for said processing according to Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679. All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 regulation (EU) 2016/679, and are compatible with all the principles of paragraph 1. Article 8 of the law, cf. Paragraph 1 Article 5 of the regulation, which prescribe, among other things, that personal data must be processed in such a way that their appropriate security is guaranteed. It includes, among other things, cf. Article 27 of the law, that the responsible party shall take appropriate technical and organizational measures to ensure adequate security of personal data, taking into account the latest technology, the cost of implementation, the nature, scope, context and purpose of the processing and risks, unlikely and of varying severity, to the rights and freedoms of individuals according to further instructions Article 32 of the regulation. In Article 32 of the regulation, it is stated that when assessing acceptable security, the risk that the processing entails must be taken into account, especially with regard to the unintentional or illegal processing of personal data or that it is lost, changed, published or accessed without permission . It is clear that a weakness in Nova's security system led to an unauthorized party gaining access to the complainant's phone number and was able to access additional personal information about the complainant, i.e. with the possibility of accessing websites and smart applications that use a phone number as an identifier. As mentioned above, human error led to the incident. Twice before, since 2015, however, similar incidents had occurred, and Nova did not become aware of the mistakes discussed here until after the incident had occurred. Although it is not clear that the relevant party has in practice used the aforementioned means to access personal information about the complainant, it is indisputable that it was made possible for him due to the incident. It is likely that the nature of the information that can be accessed in such smart applications and websites may be extensive and may even contain sensitive personal information within the meaning of paragraph 3. Article 3 Act no. 90/2018, s.s. including information about sexuality. The risk that may arise from such access, for the rights and freedoms of registered persons, i.e. on m. complainant in this case, is therefore significant in the opinion of the Data Protection Authority. Nova therefore has a special duty to take appropriate technical and organizational measures to ensure the appropriate security of personal information by means of a measure that prevents the allocation of a phone number that is already in use to unauthorized parties. In the opinion of the Data Protection Authority, Nova therefore did not ensure the security of the complainant's personal information in the manner required by the provisions of Article 27. Act no. 90/2018 and Article 32 of regulation (EU) 2016/679. 2. Security breach notification Taking into account the above, in the opinion of the Data Protection Authority, it is also clear that the incident in question involved a lack of security within the meaning of section 11. Article 3 Act no. 90/2018 and No. 12 Article 4 of regulation (EU) 2016/679. According to paragraph 2 Article 27 Act no. 90/2018, the responsible party must notify Personal Data Protection of a security breach in the processing of personal data without undue delay and, if possible, no later than 72 hours after the breach occurs, unless it is considered unlikely that it will lead to a risk to the rights and freedoms of individuals, cf. also paragraph 1 Article 33 of regulation (EU) 2016/679. The responsible party must also notify the registered person of a security breach, if it results in a high risk for the rights and freedoms of the registered person, cf. Paragraph 3 Article 27 of the Act and paragraph 1 Article 34 of the regulation. When assessing whether there is a notification obligation, it must be considered, among other things, that such notifications are mainly intended to give the registered person the opportunity to take the necessary precautions in order to reduce the risk of damage that may result from a security breach. Refer to the comments on Article 27. in the bill that became law no. 90/2018, cf. also sections 84 and 86 of the preamble of Regulation (EU) 2016/679. It is clear that Nova did not report the security breach as the company did not believe it was obligated to do so. With reference to what has already been discussed about risk, the Personal Protection Authority considers it clear that the organization and the complainant should have been notified of the security breach in accordance with the above provisions. In accordance with this conclusion, and with reference to item 4 of Article 42. Act no. 90/2018, cf. point d, paragraph 2 Article 58 of Regulation (EU) 2016/679, Nova is hereby proposed to take measures to work with information about telephone numbers at the company in such a way that their appropriate security is guaranteed. Such measures shall include, among other things, that unauthorized parties cannot be assigned a telephone number by the company that is already in use by another party. Confirmation that these instructions have been complied with, together with a description of the measures taken for this purpose, must be received by Personal Protection no later than 21 December 2022. Ruling: Processing Nova hf. on personal information about [A] did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679, on the security of personal information. Personal protection directs those instructions to Nova hf. to take measures to work with personal information about telephone numbers at the company in such a way that their appropriate security is guaranteed. Confirmation that these instructions have been complied with must be received by Personal Protection no later than 21 December 2022. Privacy, November 23, 2022 Bjarni Freyr Rúnarsson Inga Amal Hasan