Datatilsynet (Denmark) - 2021-441-9356

From GDPRhub
Datatilsynet - 2021-441-9356
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(12) GDPR
Article 32(1) GDPR
Article 33(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.11.2021
Published: 04.11.2021
Fine: n/a
Parties: Coop Danmark A/S
National Case Number/Name: 2021-441-9356
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Vadym Kublik

The Danish DPA reprimanded a large consumer goods retailer for failing to implement adequate access control to the personal information of its employees stored on the company's shared drive.

English Summary[edit | edit source]

Facts[edit | edit source]

When testing a new scanning tool, Coop Danmark A/S had become aware that it was storing personal information on the company's shared drive without sufficient access control. The information concerned 477 employees and external consultants. It included, among other things, health information, financial information, and social security numbers.

Some information was placed in the folders by the data subjects themselves, and the controller saved other information as part of the employment processes. The personal data related to the time period from 2013 until 2017, when there was not the same policy for user management as the company has today.

On 12 June 2021, the controller reported the data breach to the supervisory authority. After three months, it initiated the notification of affected data subjects. At the same time, it also started moving the information to a more secure solution with better user management and logging.

Holding[edit | edit source]

The DPA held that in systems with a large amount of sensitive information about many users, controllers must have more stringent measures in place to ensure that only authorized people have access to it.

The DPA emphasized that a controller the size of Coop Danmark A/S should have previously been aware that employees may have erroneously placed personal information on the company's joint drive. Therefore, it should have checked and cleaned up that data and introduced relevant security measures earlier.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Serious criticism of Coop Danmark A / S 'processing of information on the company's joint drive
Date: 04-11-2021
Decision
The Danish Data Protection Agency has expressed serious criticism that Coop Danmark A / S has not complied with the requirement for necessary security measures in Article 32 of the Data Protection Ordinance.

Journal number: 2021-441-9356.

The Danish Data Protection Agency hereby returns to the case where Coop Danmark A / S on 12 June 2021 reported a breach of personal data security to the Danish Data Protection Agency. The review has the following reference number:

bf3548a01674bfdb09e5472d3c1cbf776494b2fd.

Coop Danmark A / S then submitted a follow-up notification on 3 September 2021 and, at the request of the Danish Data Protection Agency, appeared on 8 October 2021 with a statement in the case.

Summary
The Danish Data Protection Agency has made a decision in a case where Coop has reported a breach of personal data security to the Authority.

Coop had become aware that personal information was located on the company's shared drive without adequate access control. The information concerned a total of 477 employees and external consultants. Coop discovered the breach in connection with the company testing a new scanning tool.

The Danish Data Protection Agency found that Coop had not complied with the requirement for necessary security measures because the company should have previously been aware that employees could have incorrectly placed personal data on the company's shared drive. Therefore, in the opinion of the Danish Data Protection Agency, the company should have checked and cleaned up the company's common drive and introduced relevant security measures at an earlier stage.

The Danish Data Protection Agency also found that Coop reported the security breach to the Authority in a timely manner, as the notification took place within the time limit of 72 hours.

Decision
After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that Coop Danmark A / S 'processing of personal data has not taken place in accordance with the rules in the Data Protection Ordinance [1] Article 32 (1). 1.

The Danish Data Protection Agency also finds that Coop Danmark A / S has acted in accordance with Article 33 (1) of the Data Protection Ordinance. 1.

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Case presentation
It appears from Coop Danmark A / S 'submitted material that the company became aware on 9 June 2019 that files with personal information had been placed in folders on the company's shared drive without sufficient access control. Some of the information had been placed in the folders by the registered persons themselves, where other information had been placed by Coop Danmark A / S as part of the employment. The oldest documents were placed on the common drive in 2013.

The information concerned a total of 477 employees and external consultants. For 20 of these persons the information concerned the health of the persons, for 10 persons the information concerned the professional affiliation of the persons, for 46 persons the information concerned the financial situation of the persons in connection with remuneration, allowance, subsidy and payment for benefits, and for 474 persons the information concerned the personal numbers.

Coop Danmark A / S discovered the breach in connection with the company testing a new scanning tool. The tool was set to search for social security numbers and credit card numbers. The scan identified 35 files, which were quarantined on 11 June 2021. This meant that the files were moved to a folder where only employees who work daily with the treatment of security breaches in Coop Danmark A / S could access them. However, the run of the scan tool turned out not to be completed correctly as the number of files found was not complete. Therefore, work was subsequently in progress on a reconfiguration. After the technical challenges were resolved, the scanning tool was run again on August 24, 2021 using the same criteria. In this connection, an additional 266 files that met the criteria for the scan were identified. These new files were quarantined on 28 August 2021. After both the first and second scans, it has been necessary for Coop Danmark A / S to manually review each individual file identified by the scanning tool, as the company is aware that the scanning tool false positives may appear and the same information may appear several times.

Coop Danmark A / S has submitted a copy of the company's policy from December 2019 regarding access control and user management and the company's process for managing user rights. It appears from this that in the company it is not possible for the individual employee to create a folder on a shared drive. This can only be done through a request for a service function in Coop Danmark A / S 'IT department. Access is granted on the basis of the principle of work-related needs.

In Coop Danmark A / S 'opinion, this process has worked to a large extent. The company justifies this with the fact that the personal information in question was found on a file drive containing over 17 terabytes of data. Coop Danmark A / S has also referred to the fact that the personal data relates to 2013-2017, where there was not the same policy for user management as today.

Notification of all affected data subjects was initiated on September 3, 2021.

In conclusion, Coop Danmark A / s has assessed that the previous approach to handling shared files can be improved, which is why the company has for some time been in the process of preparing for the transition to a different and better way of handling such data. Coop Danmark A / S is in a process which aims to close down joint drives in the traditional sense in order to move to a more secure solution, where e.g. will be better user management as well as logging. It is therefore also the company's expectation that the risk of similar breaches will be reduced in the future.

Justification for the Danish Data Protection Agency's decision
On the basis of information provided by Coop Danmark A / S, the Danish Data Protection Agency assumes that information on 477 natural persons has been available on the company's joint drive, and that the oldest information has been available from 2013. The Danish Data Protection Agency also assumes that Coop Danmark A / S has cleaned up the files from 11 June 2021 until 28 August 2021, and that these were moved to a folder where only employees with a work-related need had access to the information.

On this basis, the Danish Data Protection Agency assumes that there has been unauthorized access to personal data, which is why the Authority finds that there has been a breach of personal data security, cf. Article 4, no. 12 of the Data Protection Regulation.

3.1. Article 32 of the Data Protection Regulation
It follows from Article 32 (1) of the Data Protection Regulation 1, that the data controller must take appropriate technical and organizational measures to ensure a level of security that is appropriate to the risks involved in the data controller's processing of personal data.

Thus, the data controller has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are put in place to protect the data subjects against these risks.

The Danish Data Protection Agency is of the opinion that the requirement pursuant to Article 32 for appropriate security will normally mean that in systems with a large number of information about a large number of users, higher requirements must be placed on the data controller's care in ensuring that unauthorized access to personal data, and that you as the data controller ensure that information about data subjects, including particularly sensitive information, does not come to the knowledge of unauthorized persons.

On this basis, the Danish Data Protection Agency finds that Coop Danmark A / S has not complied with the requirement for necessary security measures in Article 32 (1) of the Data Protection Ordinance. 1.

The Danish Data Protection Agency has emphasized that the information was available in the period 2013 to 2021, and that a company the size of Coop Danmark A / S should have previously been aware that employees may have erroneously placed personal information on the company's joint drive. It is the Data Inspectorate's opinion that Coop Danmark A / S should have checked and cleaned up the company's common drive and introduced relevant security measures at an earlier stage. In addition, the Danish Data Protection Agency has emphasized that the information, among other things, relates to health information, financial information and social security number information.

After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that Coop Danmark A / S 'processing of personal data has not taken place in accordance with the rules in Article 32 (1) of the Data Protection Ordinance. 1.

The Danish Data Protection Agency has noted that Coop Danmark A / S is in the process of moving to a more secure solution, where e.g. will be a better user management and logging.

3.2. Article 33 of the Data Protection Regulation
It follows from Article 33 (1) of the Regulation 1, that the data controller in the event of a breach of personal data security without undue delay, and if possible within 72 hours, must report the breach to the Danish Data Protection Agency, unless it is unlikely that the breach of personal data security entails a risk to natural persons' rights or freedoms.

The Danish Data Protection Agency finds that Coop Danmark A / S has acted in accordance with Article 33 (1) of the Data Protection Ordinance. 1.

In this connection, the Danish Data Protection Agency has emphasized that Coop Danmark A / S became aware of the incident on 9 June 2021, and reported the breach of personal data security to the Danish Data Protection Agency on 12 June 2021. The Danish Data Protection Agency finds that the company has reported the incident to The Danish Data Protection Agency without undue delay and, if possible, no later than 72 hours after the company became aware of this.

Concluding remarks
The Danish Data Protection Agency notes that the Danish Data Protection Agency's decision cannot be appealed to another administrative authority, cf. section 30 of the Data Protection Act.

The Danish Data Protection Agency's decision may, however, be brought before the courts, cf. section 63 of the Constitution.

The Danish Data Protection Agency expects to publish this decision on the Authority's website.

The Danish Data Protection Agency hereby considers the case closed and does not take any further action in the case.

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).