Datatilsynet (Denmark) - 2021-442-12980
| Datatilsynet - INC000003185717 | |
|---|---|
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | 12.05.2021 |
| Decided: | 13.06.2022 |
| Published: | 23.01.2023 |
| Fine: | n/a |
| Parties: | Danske Bank |
| National Case Number/Name: | INC000003185717 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
In an Article 60 GDPR procedure, the Danish DPA reprimanded Danske Bank for a violation of Article 32(1) GDPR. A technical error resulted in the unauthorised disclosure of invoices to Finnish business customers of the bank.
English Summary
Facts
A technical error on the side of Danske Bank (the controller) resulted in a data breach concerning 132 electronic invoices, which were disclosed to Finnish business customers. The breach occurred because the invoices in question were uploaded to the controller's database, a system designed specifically for business users, without the account details of the person who was supposed to receive each invoice. Because these records had no recipient, another user could find them by performing a 'blank search', i.e. a search that left the 'recipient' search box empty.
The invoices contained the name, address and invoice number of the controller's customers in Finland. They were searchable and visible to 14,511 Finnish business customers between 5 May 2021 and 10 May 2021.
The controller notified the Danish DPA on 12 May 2021 of this data breach.
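The failure mode described above, an authorisation check derived from a user-supplied search field rather than from the authenticated session, is small enough to show in code. The following Python is an added illustration, not code from the decision or from Danske Bank's District Platform (whose internals the decision does not describe); the data model, invoice records, account identifiers and function names are all constructed for the example. It places the weak search beside a hardened one that scopes every query to the caller's own account and treats a record with no recipient as belonging to nobody, and adds the kind of repeatable check that Article 32(1)(d) GDPR asks a controller to run regularly.

```python
"""Added example: 'blank search' over invoice records with a missing recipient.
Everything here (records, account ids, function names) is constructed for
illustration and is not the platform's own code or data."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    name: str
    address: str
    recipient_account: Optional[str]  # None models an upload with no recipient details


# Constructed sample data: two correctly assigned invoices and two orphaned ones.
INVOICES: List[Invoice] = [
    Invoice("INV-1001", "Company A Oy", "Street 1, Helsinki", "FI-ACC-001"),
    Invoice("INV-1002", "Company B Oy", "Street 2, Espoo", "FI-ACC-002"),
    Invoice("INV-1003", "Company C Oy", "Street 3, Turku", None),
    Invoice("INV-1004", "Company D Oy", "Street 4, Oulu", None),
]


def search_vulnerable(recipient_filter: str) -> List[Invoice]:
    """Weak form: the only scoping is a recipient field the caller fills in.
    An empty field is normalised to None and therefore matches every record
    that was stored without a recipient, so a blank search exposes the orphans."""
    wanted = recipient_filter.strip() or None
    return [inv for inv in INVOICES if inv.recipient_account == wanted]


def search_hardened(session_account: str, invoice_no: str = "") -> List[Invoice]:
    """Hardened form: scope comes from the authenticated account on the session,
    never from a search box, and records with no recipient are never returned
    because an unassigned record belongs to no account. The optional invoice
    number only narrows results inside the caller's own scope."""
    if not session_account:
        return []
    return [
        inv for inv in INVOICES
        if inv.recipient_account is not None
        and inv.recipient_account == session_account
        and (not invoice_no or inv.invoice_no == invoice_no)
    ]


def orphaned_invoices() -> List[Invoice]:
    """Monitoring check: records that reached the store without a recipient
    should be detected and quarantined, not left in the searchable set."""
    return [inv for inv in INVOICES if inv.recipient_account is None]


def regression_check() -> bool:
    """The repeatable test a controller would run regularly (Article 32(1)(d)):
    no invoice lacking a recipient may be reachable through any search path,
    including a blank session. Returns True when the hardened search passes."""
    accounts = {inv.recipient_account for inv in INVOICES if inv.recipient_account}
    reachable = {inv.invoice_no for acc in accounts for inv in search_hardened(acc)}
    reachable |= {inv.invoice_no for inv in search_hardened("")}
    orphan_nos = {inv.invoice_no for inv in orphaned_invoices()}
    return not (reachable & orphan_nos)


if __name__ == "__main__":
    print("blank search, weak form:", [i.invoice_no for i in search_vulnerable("")])
    print("blank session, hardened:", search_hardened(""))
    print("orphans awaiting assignment:", [i.invoice_no for i in orphaned_invoices()])
    print("regression check passes:", regression_check())
```

The point of `regression_check` is that it is cheap to run on every release: the decision faults the bank for not continuously testing its technical measures, and a check that asserts "no recipient-less record is reachable" would have caught the blank search before the records were visible to customers.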
Holding
The DPA stated that Article 32 GDPR normally implies that when a controller uses systems holding a large amount of confidential information concerning a large number of users, the controller is subject to higher requirements to ensure that there is no unauthorised access to personal data. In this case, it meant that the controller should have assessed all likely outcomes in the context of the development of software used to process personal data. The DPA specifically referred to Article 32(1)(d) GDPR, which states that the controller should implement a procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure security of processing.
The DPA considered that the controller had not taken appropriate organisational and technical measures, because it had not continuously tested its own technical measures, resulting in a violation of Article 32(1) GDPR. The DPA reprimanded the controller for this violation.
Comment
It was not specified in the decision itself why this decision was the result of an Article 60 GDPR procedure.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Danske Bank A/S
Holmens Kanal 2-12
1092 København K
Sent via Digital Post to CVR 61126228

13 June 2022
J.No. 2021-442-12980
IMI case no. 483097
Caseworker Betty Husted

The Danish Data Protection Agency
Carl Jacobsens Vej 35
2500 Valby
Denmark
T 3319 3200
dt@datatilsynet.dk
datatilsynet.dk
VAT No. 11883729

Regarding personal data breach, your case no. INC000003185717

The Danish Data Protection Agency hereby returns to the case where Danske Bank A/S has notified a personal data breach to the Danish Data Protection Agency on 12 May 2021.

1. Decision

After examining the case, the Danish Data Protection Agency considers that there are grounds for issuing a reprimand that Danske Bank’s processing of personal data has not been carried out in accordance with the rules laid down in Article 32(1) of the GDPR.

Below is an examination of the case and a statement of reasons for the Danish Data Protection Agency’s decision.

2. Summary of facts

Danske Bank notified a personal data breach to the Danish Data Protection Agency on 12 May 2021.

According to the notification, a technical error in sending 132 electronic invoices containing the name, address and invoice number to Danske Bank’s customers in Finland resulted in the 132 invoices being searchable and visible to 14.511 Finnish business customers in the period between 5 May 2021 and 10 May 2021.

The breach occurred due to a technical error in which 132 invoices were placed in the 'District platform' system without the recipients’ account details. The blank receiver field allowed these invoices to be searched if the user performed a search without entering receiver’s information (a blank search).

Danske Bank’s investigation of the breach shows that 371 Finnish users accessed the electronic invoices between 5 May 2021 and 10 May 2021. However, the number of users who performed a search without entering the receiver’s information (a blank search) would most likely be lower.

District Platform is an application developed by Danske Bank for the bank’s business customers to search for invoices, among other things.

Danske Bank stated that on 10 May 2021, recipient information was added manually to the 132 electronic invoices. On 20 May 2021, a safety mechanism was verified and released ensuring the possibility of performing a search for electronic invoices with no receiver information was disabled.

3. Reasons for the Danish Data Protection Agency’s decision

On the basis of the information provided by Danske Bank, the Danish Data Protection Agency considers that from 5 May 2021 to 10 May 2021 it has been possible for the bank’s business customers in Finland to see unrelated invoices.

According to Article 32(1) of the GDPR the controller must take appropriate technical and organisational measures to ensure a level of security appropriate to the risks posed by the processing of personal data by the controller. There is thus an obligation on the controller to identify the risks that the controller’s processing poses to data subjects and to ensure that appropriate safeguards are put in place to protect data subjects from those risks.

The Data Protection Agency is of the opinion that the requirement under Article 32 on adequate security will normally imply that in systems with a large number of confidential information about a large number of users, higher requirements must be imposed on the controller’s carefulness in ensuring that there is no unauthorised access to personal data, that all likely outcomes should be tested in the context of the development of software where personal data are processed and that a relevant security measure in Article 32(1)(d) specifically mentions that the controller implements a procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure security of processing.

In the light of the above, the Danish Data Protection Agency considers that Danske Bank – by not having continuously tested the Bank’s technical measures – has not taken appropriate organisational and technical measures to ensure a level of security appropriate to the risks associated with the processing of personal data by Danske Bank, cf. Article 32(1) of the GDPR.

After examining the case, the Danish Data Protection Agency considers that there are grounds for issuing a reprimand that Danske Bank’s processing of personal data has not been carried out in accordance with the rules laid down in Article 32(1) of the GDPR.

As a mitigating fact, the Danish Data Protection Agency has taken into account that the breach concerned only information on name, address and invoice number.

Kind regards
Betty Husted