Tietosuojavaltuutetun toimisto (Finland) - TSV/132/2022

From GDPRhub
Revision as of 16:20, 13 January 2025 by Ao
Tietosuojavaltuutetun toimisto - TSV/12501/2024
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(f) GDPR; Article 25(1) GDPR; Article 25(2) GDPR; Article 32(1) GDPR; Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 23.12.2022
Decided: 17.12.2024
Published: 20.12.2024
Fine: 950,000 EUR
Parties: Sambla Group
National Case Number/Name: TSV/12501/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: ao

The DPA fined a loan comparison service provider €950,000 for making fully filled-in loan applications accessible through publicly reachable links.

English Summary

Facts

On 23 December 2022, the data subject filed a complaint against Sambla Group, a loan comparison service provider. The data subject alleged that their loan application was accessible through a URL that had been sent to them, and that any third party who learned the URL would be able to see the entire loan application.

The complaint initiated a broader investigation by the Finnish DPA into Sambla Group. The DPA examined the access logs of the URLs from 25 May 2018 (when the GDPR came into force) until 24 March 2024. The URLs had been published on two different public websites and led to fully filled-in loan applications. The submitted loan applications included: the applicant's personal identification number, e-mail address, account number, home address, nationality, telephone number, monthly income, sources of income, possible applicant, marital status, monthly income of a potential spouse, possible children, occupation, training, possible military service performance, housing, housing expenditure and ownership of a holiday home.

The controller argued that the information on a loan application had been visible only to the person who, at their own request, had been sent a link to it by SMS. Other IP addresses would not have been able to view the personal data. Further, it posited that excessive access requests from the same IP address would have been blocked by the firewall.

However, the investigation found countless instances of access by third parties. In tens of thousands of cases, a single IP address visited more than ten URLs containing a loan application within the same day. At the maximum, 22,193 visits were made by a single IP address in a single day, and the firewall did not block these access requests.

Further, the URLs, and therefore the personal data, were fetched by automated clients, for example requests identified by the Python Requests user agent. In addition, search engine bots such as Googlebot indexed the controller's short URLs. The logs include a total of 3,330,563 access requests made by Googlebot.
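The log analysis the DPA describes, as an added example that is not part of the decision or of the controller's own systems: it parses constructed combined-format access-log lines, counts the distinct application URLs fetched per IP address and day, flags addresses above a threshold (the decision cites more than ten in one day), and tallies requests from automated user agents. The log format, the /a/ short-URL pattern, the IP addresses and the user-agent strings are all assumptions.

```python
import re
from collections import defaultdict

# Assumed combined-format line: ip - - [day:time zone] "METHOD path proto" status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
APP_PATH_RE = re.compile(r'^/a/[A-Za-z0-9]+$')  # assumed short-URL pattern for applications
BOT_UA_RE = re.compile(r'googlebot|python-requests|curl', re.I)  # automated clients to tally


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, threshold=10):
    """Return (flagged, bot_hits).

    flagged maps (ip, day) -> number of distinct application URLs served with
    200 to that address on that day, for counts above threshold.
    bot_hits maps a matched automated user-agent name -> number of successful
    application fetches it made.
    """
    per_ip_day = defaultdict(set)
    bot_hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200" or not APP_PATH_RE.match(rec["path"]):
            continue  # only successful fetches of application URLs count
        per_ip_day[(rec["ip"], rec["day"])].add(rec["path"])
        bot = BOT_UA_RE.search(rec["ua"])
        if bot:
            bot_hits[bot.group(0).lower()] += 1
    flagged = {k: len(v) for k, v in per_ip_day.items() if len(v) > threshold}
    return flagged, dict(bot_hits)


def make_sample():
    """Constructed sample log: one applicant, one enumerating client, one crawler."""
    ua_bot = "Mozilla/5.0 (compatible; Googlebot/2.1)"
    lines = [f'198.51.100.7 - - [10/Mar/2024:09:0{i}:00 +0200] "GET /a/Q7xK2m HTTP/1.1" 200 "Mozilla/5.0"'
             for i in range(2)]  # a user opening their own link twice: benign
    lines += [f'203.0.113.5 - - [10/Mar/2024:10:{i:02d}:00 +0200] "GET /a/App{i:03d} HTTP/1.1" 200 "python-requests/2.31"'
              for i in range(12)]  # twelve distinct applications from one address in a day
    lines += [f'192.0.2.9 - - [11/Mar/2024:03:0{i}:00 +0200] "GET /a/Crawl{i} HTTP/1.1" 200 "{ua_bot}"'
              for i in range(3)]
    lines.append(f'192.0.2.9 - - [11/Mar/2024:03:10:00 +0200] "GET /a/Gone HTTP/1.1" 404 "{ua_bot}"')
    return lines


SAMPLE_LOG = make_sample()
```

Running `analyse(SAMPLE_LOG)` on the constructed sample flags only the enumerating address and shows the crawler's fetches as successful automated reads, which is the kind of evidence the decision draws from the real logs.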

Holding

The DPA found that the controller had infringed Article 5(1)(f) GDPR, Article 25(1) and (2) GDPR and Article 32(1) and (2) GDPR. When the seriousness of the security flaws became apparent, the controller was ordered to stop processing personal data of loan applicants. The company was further ordered to inform its customers of the data breach.

The DPA found that the controller had not implemented the measures required under Article 32 GDPR, nor a process for regularly testing, examining and evaluating the security measures. These shortcomings had been present since the controller took the system into use on 24 February 2017, which the DPA listed as an aggravating factor. Further, the DPA highlighted that the controller's entire business model relied on the processing of personal data and that the inadequate security measures demonstrated its negligence.

The sanctioning panel of the Finnish DPA decided that a fine of €950,000 was appropriate for the infringement.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.