Datatilsynet (Denmark) - 2021-441-9224

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(d) GDPR
Article 32(1) GDPR
Directive 2016/679
Type: Other
Outcome: n/a
Started:
Decided: 11.05.2022
Published: 11.05.2022
Fine: n/a
Parties: 3F Østfyn
National Case Number/Name: 2021-441-9224
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet udtaler alvorlig kritik af 3F Østfyn (in DA)
Initial Contributor: lou_schda

The Danish DPA issued a reprimand against the Danish Trade Union and Unemployment Fund for breaching Articles 5(1)(d) and 32 GDPR by accidentally disclosing a data subject's new name to her violent former partner.

English Summary

Facts

The data subject was a member of the Danish Trade Union and Unemployment Fund (3F Østfyn). The data subject had changed their name and address due to a violent partner and had been granted address protection by the Danish authorities.

3F Østfyn updates the members' names and addresses on the basis of address information from the Central Person Register. In cases where a member is granted address protection in the Central Person Register, 3F Østfyn no longer receives information about, among other things, the member's address, and the address field is unlocked in its system, so that the member's information can be changed manually.

In this case, the data subject informed 3F Østfyn about the changes regarding their name and address. However, only the name was changed in the system due to a human error. Consequently, when 3F Østfyn sent a magazine to the data subject, their new name was on the package but it was sent to the old address where the former partner still lived. The former partner was therefore informed about the data subject’s new name.

Holding

The Danish DPA held that 3F Østfyn violated Article 32 GDPR due to its lack of implementation of technical and organisational measures to ensure a level of security appropriate to the risk. No procedures or system support had been set up to ensure that the information in the system was updated. For instance, a warning system could have been set up to prevent the information being sent if not checked for accuracy and other factors, such as whether name and address protection was granted to the member. Such a warning should be present in an IT system and not only described in a procedure. The DPA also emphasized that the controller should identify the risks that the specific processing poses to the data subjects. It is not sufficient to simply focus on generic risk scenarios and put in place safeguards to protect data subjects from those risks.

The Danish DPA also held that 3F Østfyn violated the data accuracy principle under Article 5(1)(d) GDPR as it had not implemented procedures to ensure that the data were correct.

In considering aggravating factors, the Danish DPA emphasized the fact that the data subject specifically informed 3F Østfyn about the changes and the need for protection of the data.
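
The blocking control described in the holding, sketched as an added example (it is not 3F's CRM and not code from the decision): once the register feed stops, the retained address is held out of every mailing run until an employee confirms it, and a name-only edit produces a warning instead of a printable label. All class, function and field names and the sample member are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class AddressState(Enum):
    CPR_SYNCED = "cpr_synced"  # maintained by the daily register feed
    UNVERIFIED = "unverified"  # feed stopped; stored value is only the last known address
    VERIFIED = "verified"      # an employee confirmed the address after the feed stopped


@dataclass
class Member:
    member_id: str
    name: str
    address: str
    state: AddressState = AddressState.CPR_SYNCED
    audit: list = field(default_factory=list)


def apply_register_feed(member, record):
    """Daily sync; record is None once the register stops returning data for the member."""
    if record is not None:
        member.name, member.address = record["name"], record["address"]
        member.state = AddressState.CPR_SYNCED
    elif member.state is AddressState.CPR_SYNCED:
        # Fail closed: the retained address is treated as stale, not as a usable default.
        member.state = AddressState.UNVERIFIED
        member.audit.append("feed stopped: address held pending verification")


def manual_update(member, employee, name=None, address=None, address_confirmed=False):
    """Manual edit of an unlocked record; returns the warnings the employee must see."""
    if member.state is AddressState.CPR_SYNCED:
        raise PermissionError("fields are locked while the register feed maintains them")
    warnings = []
    if name is not None:
        member.name = name
    if address is not None:
        member.address = address
    if address_confirmed:
        # Positive action: the employee states the address was checked with the member.
        member.state = AddressState.VERIFIED
    else:
        # Any registered change without confirmation blocks automatic processing again.
        member.state = AddressState.UNVERIFIED
        warnings.append("name/address protection: confirm the address before any mailing")
    member.audit.append(f"{employee}: manual update, state={member.state.value}")
    return warnings


def build_mailing_list(members):
    """Split members into printable labels and held records; held ones are never exported."""
    labels, held = [], []
    for m in members:
        if m.state is AddressState.UNVERIFIED:
            held.append(m.member_id)
        else:
            labels.append((m.name, m.address))
    return labels, held


def replay_case():
    """Constructed replay of the sequence in the decision, using placeholder values."""
    m = Member("M-001", "Old Name", "Old Street 1")
    apply_register_feed(m, None)                           # protection granted, feed stops
    warnings = manual_update(m, "emp-7", name="New Name")  # the name-only edit
    first_run = build_mailing_list([m])
    manual_update(m, "emp-7", address="New Street 9", address_confirmed=True)
    return warnings, first_run, build_mailing_list([m])
```
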

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Danish Data Protection Agency expresses serious criticism of 3F Østfyn

Date: 11-05-2022

Decision

The Danish Data Protection Agency has expressed serious criticism of 3F Østfyn for not having complied with the principle of correctness and the requirement for adequate security by unintentionally passing on information about a member to the member's former and violent cohabitant.

Journal number: 2021-441-9224

Summary

The Danish Data Protection Agency has made a decision in a case where 3F Østfyn has reported a breach of personal data security.

The case concerns a member of 3F who changed name and address and received address protection in the CPR register upon moving away from a violent cohabitant.

3F Østfyn updates the members' names and addresses on the basis of address information from the CPR register. In cases where a member chooses address protection in the CPR register, 3F no longer receives information about e.g. the member's address, and the address field is unlocked in 3F's CRM system so that the member's information can be maintained manually.

In this case, the member contacted 3F Østfyn to have the name and address information updated, but due to a human error, only the name was updated. In connection with the distribution of Fagbladet from 3F, the member's new name was stated on the magazine, but it was sent to the member's original address, where the former cohabitant was still resident. Thereby the former cohabitant became aware of the member's new name.

Treatment of incorrect information and lack of technical and organizational measures

The Danish Data Protection Agency found grounds for expressing serious criticism when the Authority concluded that 3F Østfyn's system was generally set up in such a way that it - in given usage scenarios - would process potentially incorrect information and that 3F Østfyn had not taken any reasonable step to ensure that the information was deleted or corrected. 3F Østfyn therefore processed personal data in violation of the principle of accuracy.

The Danish Data Protection Agency further found that 3F Østfyn had not taken appropriate organizational and technical measures to ensure a level of security that matched the specific risk to the data subjects' rights, especially as no procedures or system support had been set up to ensure that the information was updated.

The Danish Data Protection Agency emphasizes that the principle of correctness obliges that systems must not be set up in a way that contributes to the creation and processing of incorrect or incomplete data. In addition, it is important that the data controller identifies the risks that the specific processing poses to the data subjects. It is not enough just to focus on generic risk scenarios, and introduce security measures that protect the data subjects from these risks.

Possible solutions for technical and organizational measures

In the decision, the Danish Data Protection Agency has stated possible proposals for technical and organizational measures that could be considered relevant in the specific case.

The CRM system could e.g. be set up with an automatic response (warning), which makes the employee aware that there is now name / address protection after the address field is unlocked in the CRM system, and that the specific employee must check whether the information is correct before the information can be used - e.g. to send material out (blocking of all automatic processing of the data in which a change has been registered). This technical measure should be supported by specific processes and guidelines for the maintenance and management of the field values in the case of a manually maintained field.

Decision

After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that 3F Østfyn's processing of personal data has not taken place in accordance with the rules in Article 32(1) and Article 5(1)(d) of the Data Protection Regulation [1].

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Case presentation

On 28 May 2021, 3F Østfyn reported a breach of personal data security to the Danish Data Protection Agency.

It appears from the notification that a member of 3F, upon moving away from his or her violent cohabitant, changed name and address and received address protection in the CPR register. In connection with the distribution of Fagbladet from 3F, the member's new name was stated on the magazine, but it was sent to the address where the former cohabitant was still resident, with the consequence that he became aware of the member's new name.

It appears from the case that 3F registers name and address information in a CRM system. The purpose of the processing of this information is to handle the membership of 3F, including in the specific case for the distribution of Fagbladet, which is sent to members of 3F.

In relation to 3F Østfyn's procedures for updating the members' names and addresses in the CRM system, 3F Østfyn states that the members' names and addresses are updated daily on the basis of address information from the CPR register. The updates are made in 3F's CRM system, which functions as a central source system for use by 3F's departments locally. 3F Østfyn further states that if a member chooses to receive address protection in the CPR register, 3F will no longer receive name and address information about this member from the CPR register. In cases where 3F no longer receives address information on a member from the CPR register, the address field in 3F's CRM is unlocked, so that the member's current CPR address can be maintained and manually updated locally by 3F's departments.

3F Østfyn has stated that when the address field is unlocked for the purpose of local updating, the address field will contain the last known address, i.e. the address before the address protection came into force, until an update of the address field is carried out manually and locally.

3F Østfyn has stated that the member - outside the CPR register - has by e-mail contacted 3F Østfyn and provided information about the person's new name and address. In the event of a human error in connection with the updating of the member's information, only the member's new name is updated, but not the member's new address and thus the member's new name is linked to the previous address where the member resided. The trade magazine has thus been forwarded using a previous address that has not been corrected, despite the fact that the member has made an inquiry and drawn attention to the changes in her contact information.

The Danish Data Protection Agency has noted that 3F Østfyn states that an information campaign and information and teaching activities will be carried out in 3F Østfyn in order to sharpen attention in relation to ensuring that similar breaches do not occur again. In addition, 3F Østfyn states in their statement that an update of 3F Østfyn's internal procedures will be carried out in relation to handling updates of names and addresses and their protection.

Justification for the Danish Data Protection Agency's decision

On the basis of the information provided by 3F Østfyn, the Danish Data Protection Agency assumes that the CRM system uses the last known address as the default value when the member chooses address protection in the CPR register. In addition, in accordance with 3F Østfyn's explanation in this regard, it is assumed that the department, in error, did not correct the address to the member's new residence, but only the name of the member.

By sending the trade magazine to the original address, with the member's new name, an unauthorized transfer of personal information to the former cohabitant took place.

Against this background, the Authority finds that there has been a breach of personal data security, in accordance with Article 4 (12) of the Data Protection Regulation.

3.1. Article 5(1)(d) of the Data Protection Regulation

It follows from Article 5(1)(d) of the Data Protection Regulation that personal data must be accurate and, if necessary, up-to-date and that every reasonable step must be taken to ensure that personal data which are incorrect in relation to the purposes for which they are processed are immediately deleted or corrected.

The Danish Data Protection Agency is of the opinion that this principle entails an obligation that the technical support of the business processes must not generally be implemented in a way that creates incorrect data. The principle of data protection in the design of solutions, cf. Article 25 of the Data Protection Regulation, also dictates that the system effectively implements the data protection principles.

It is the opinion of the Danish Data Protection Agency that the original address should not, in situations where the member chooses to have a protected address in the CPR register, be retained in the CRM system without a secure verification of its correctness. A situation such as the present one, where the value of the address is retained by default, creates several possible risk scenarios for the data subjects' rights.

A possible solution scenario would be if the field was either left without value, or the value was blocked for use, e.g. for sending out the trade magazine, and a positive action was required to activate the address. This should be supported by specific processes and guidelines for maintaining the field value, as in this usage scenario it is a manually maintained field.

By not having such procedures and by using the original address as the system's default value, which the Danish Data Protection Agency is of the opinion will systematically lead to processing of incorrect information, 3F Østfyn has not complied with Article 5(1)(d).

3.2. Article 32 of the Data Protection Regulation

It follows from Article 32(1) of the Data Protection Regulation that the data controller must take and implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risks involved in the data controller's processing of personal data, including i.a. to ensure lasting integrity (e.g. that information is accurate and reliable), in accordance with Article 32(1)(b).

Thus, the data controller has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are put in place to protect the data subjects against these risks.

The Danish Data Protection Agency is of the opinion that the requirement pursuant to Article 32 for appropriate security will normally mean that in systems with a large amount of confidential information about a large number of users, higher requirements must be placed on the data controller's care in ensuring that no unauthorized disclosure of personal data takes place, and that the data controller ensures that information about data subjects does not come to the knowledge of unauthorized persons. Furthermore, the Danish Data Protection Agency finds that appropriate control and handling of information on name and address protection should be carried out and that this places greater demands on the employees' care in connection with the transmission of personal data, including ensuring that these are sent to the right recipient.

Furthermore, the Data Inspectorate is of the opinion that the requirement in Article 32, paragraph 1, letter b, for the processing of correct information will normally mean that the data controller must have established procedures to ensure that information is updated in the necessary places and correctly when the data controller becomes aware of the inaccuracy of the information. Furthermore, the Danish Data Protection Agency is of the opinion that data controllers have an obligation to instruct relevant employees about these procedures and, to the extent necessary, to check whether the employees update the information correctly.

It is the Data Inspectorate's opinion that organizational measures must be secured against the normally occurring error scenarios. In particular, a breach of personal data security must give rise to reflection on the measures that have been implemented.

Therefore, there may be a need to implement additional measures to compensate for human error.

The CRM system could e.g. be set up with an automatic response (warning), which makes the employee aware that there is name / address protection after the address field is unlocked in the CRM system, and that the specific employee, before taking further action, must perform a human check of the member's circumstances (e.g. whether there is name and address protection and whether the information provided is correct).

In order to prevent human error, such a warning should be present in an IT system and not only described in a procedure, especially in a situation like the present one, where the situation arises from a technical integration. It is the Danish Data Protection Agency's general opinion that a data controller, in addition to establishing organizational security measures such as guidelines, procedures, awareness, etc., shall establish appropriate technical security measures, if necessary to achieve an appropriate level of security.

A possible technical and organizational measure could be to automatically stop sending material to the member after ceasing to receive address information from the CPR register until an employee has the opportunity to verify the correct address of the member when the address can no longer be updated via CPR.

In addition, 3F Østfyn should make an assessment of whether a specific procedure for handling the situation, where members receive both name and address protection as well as a change of name and address, gives rise to a change in the risk assessment of the use scenario, which requires a mitigating measure to be prepared and implemented in the future.

By not having taken measures that were appropriate to the specific risk of processing the member's information in connection with both address and name change, at the same time as registering a secret address in the CPR register, 3F Østfyn has not complied with Article 32(1) of the Data Protection Regulation.

3.3. Measure

After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that 3F Østfyn's system support was set up to process potentially incorrect information and has not sufficiently ensured that the processed information was correct, and that 3F Østfyn has not taken appropriate organizational and technical measures to ensure the updating and accuracy of the information processed, cf. Article 5(1)(d) and Article 32(1) of the Data Protection Regulation.

When choosing a response, the Danish Data Protection Agency has emphasized that 3F Østfyn's procedures were not set up to handle situations concerning name and address protection and where members move in connection with address protection. In the specific situation, it is a member who has made a name change, moved to a new address and received name and address protection. Based on what is stated in 3F Østfyn's statement, handling such an update of the members' information is not described in procedures or by a technical setup of systems able to give an employee a notice to this effect.

The Danish Data Protection Agency emphasized that when the data subject receives address protection in the CPR register, 3F no longer receives information about the address, and the address field in 3F Østfyn's CRM system is unlocked with the latest known address until it is manually updated by an employee in the local departments. In this context, the Danish Data Protection Agency considers it contrary to the principles of data protection law that the address before the address protection came into force is used as a basis without further ado and without control and verification.

In addition, the Danish Data Protection Agency has emphasized that there is no technical or organizational control in the CRM system that stops all sending of letters / magazines / etc. until the address can be verified, in addition to the described workflow.

The Danish Data Protection Agency has further emphasized that the lack of technical and organizational measures deals with the situations where there is information about name and address protection. In relation to the technical setup of the CRM system, 3F Østfyn is not considered to have taken into account the risks and consequences that unintentional disclosure will and may entail when processing information about persons with name and address protection.

In addition, the Danish Data Protection Agency has emphasized that the consequences for the data subject in the specific case are considered to be serious, as with this breach of personal data security, personal data has been passed on to the person who is the reason why the member has been forced to change name and address and get name and address protection in the CPR register. In the assessment, the Danish Data Protection Agency has thus emphasized the nature of the information and the consequences that a loss of confidentiality may have for the data subjects in these situations, taking into account the consideration behind persons being given a protected name and address.

As an aggravating circumstance, the Danish Data Protection Agency has emphasized that the member has made an extra effort by informing 3F Østfyn and has drawn special and specific attention to address protection and the risks for the data subject associated with loss of confidentiality of personal data. In conclusion, it is emphasized that the lacking and inadequate procedures for updating the protected name and address are considered to be the direct cause of the breach.

3.4. Summary

On the basis of the above, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that 3F Østfyn's processing of personal data has not taken place in accordance with the rules in Article 32(1) and Article 5(1)(d) of the Data Protection Regulation [2].



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).