Datatilsynet (Denmark) - 2021-442-12425

From GDPRhub
Datatilsynet (Denmark) - 2021-442-12425
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.03.2022
Published: 22.03.2022
Fine: None
Parties: Danish Agency for Digitisation
National Case Number/Name: 2021-442-12425
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Giel Ritzen

The Danish DPA held that a controller had not adopted appropriate technical and organisational measures pursuant to Article 32(1) GDPR, which led to a personal data breach caused by an employee's error.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller is the Danish Agency for Digitisation. As the responsible authority, it grants curators reading access to companies’ (digital) mailboxes in cases of bankruptcy, cessation, etc. The controller receives this access from the company e-Boks, a digital platform that, inter alia, manages access to mailboxes. The procedure is as follows: the controller compiles a list of which person/legal entity requests reading access to which mailbox, and provides this list to e-Boks, so that the latter can grant technical access to the mailbox.

On 29 March 2021, a law firm contacted the controller because, as trustee, they had received access to a companies’ mailbox. However, the law firm had received access to the mailbox of the wrong company. Hence, the controller had e-Boks, which is the digital platform that provides the controller with access to mailboxes, close access to the mailboxes. On 31 March 2021, the controller notified a personal data breach to the Danish DPA. From the controller’s investigation, it became clear that 26 curators had gotten access to the wrong companies’ digital mailbox. Moreover, the controller found that the data breach was caused because the controller had sent an incorrect list to e-Boks, and claimed that a technical error was the reason for this mistake. However, the controller also claimed there was no procedure in place to check the list for mistakes since, until then, mistakes had never occurred.

Holding[edit | edit source]

First, the DPA considered that the controller provides curators/trustees access to a large number of confidential information, and thus, higher requirements are placed on the controller’s diligence to ensure that there is no unauthorised access to the personal data. Moreover, the DPA considered that the controller had a procedure in place where a single human error could lead to major personal data breaches, and that the controller found this procedure sufficient since no errors had previously occurred. The DPA concluded that the controller did not have appropriate organisational and technical measures in place to ensure a level of security appropriate to the risks, and therefore violated Article 32(1) GDPR.

The DPA criticised the controller for this violation, but also noted that the controller had implemented a procedure where the lists were checked by multiple people to check for human errors.

Comment[edit | edit source]

In March 2021, the DPA also investigated another case that involved e-Boks. However, in that case, e-Boks was the controller.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Danish Digitization Agency is criticized for not having had adequate security

Date: 04-03-2022

Decision Public authorities

By mistake, the Danish Digitization Agency gave 26 curators access to the wrong companies' digital mailboxes. The Danish Data Protection Agency criticizes this decision, which emphasizes that it is not enough to base its certainty on the fact that no human error has occurred in the past.

Journal number: 2021-442-12425

Summary

The Danish Data Protection Agency has expressed criticism in a case where the Danish Digitization Agency had reported a breach of personal data security to the Authority.

The Danish Digitization Agency mistakenly gave 26 trustees access to the digital companies' digital mailboxes. The error was probably due to the fact that the lines with cvr numbers had been shifted on the list that the board had sent to their supplier e-Boks.

During the processing of the case, the Danish Digitization Agency claimed that the agency had not previously experienced that errors had occurred in the preparation of the list in question. Following the incident, the agency introduced a procedure whereby an additional employee reviews the lists of errors before sending them to the supplier, to minimize the risk of errors.

The Danish Data Protection Agency found that the Danish Digitization Agency - by not having introduced measures to ensure that the lists were correct and - according to the information - only based the assurance that no human errors had occurred before - had not complied with the rules with treatment safety.

The decision is interesting because it shows that it is not enough to base one's security on the fact that no human error has occurred in the past, as it is common knowledge that human error occurs, which is why security cannot - alone - be based on a belief to ensure that people do not make mistakes.

Decision

After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing criticism that the Danish Digitization Agency's processing of personal data has not taken place in accordance with the rules in the Data Protection Regulation [1], Article 32 (1). 1.

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Case presentation

On 31 March 2021, the Danish Digitization Agency reported a breach of personal data security to the Danish Data Protection Agency.

It appears from the notification that the Danish Digitization Agency was contacted on 29 and 30 March 2021 by a law firm regarding an unauthorized access to a company's digital mailbox. As a trustee, the law firm had asked the Danish Digitization Agency to gain access to another company's digital mailbox. However, the law firm discovered that they had been given access to the wrong corporate mailbox, and they then contacted the Danish Digitization Agency.

It further appears from the notification that the Danish Digitization Agency, following the inquiry from the law firm, contacted the agency's supplier, e-Boks, and asked them to close the unauthorized access on 30 March 2021. e-Boks confirmed that the access was closed on 30 March 2021 On the basis of the specific inquiry, the Danish Digitization Agency carried out a further investigation on 31 March 2021, which showed that a further 25 incorrect accesses had been granted.

The Danish Digitization Agency has stated that the agency is data responsible for the allocation of curator access to corporate mailboxes in Digital Post. As the responsible authority for the joint public digital port solution "Digital Post", the Danish Digitization Agency handles the work of granting read access to companies' digital mailboxes in the event of bankruptcy, termination, etc. By contacting the Danish Digitization Agency, the liquidator or liquidator can request access to the company's digital mailbox, provided that legal access to the mailbox in question can be documented.

It appears from the Danish Digitization Agency's statement to the Danish Data Protection Agency that in the specific incident, the Agency's further investigations have revealed that the error occurred when the access holder (the person / legal entity requesting read access to a company mailbox) and the access provider (the person / s given mailbox read access to) had been compiled incorrectly on the basis of a list of 25 March 2021, which the Agency had prepared and subsequently sent to the supplier e-Boks.

The Danish Digitization Agency has argued that the erroneous allocation was probably due to the lines with cvr numbers being shifted, so that the cvr numbers of the access holder and the access provider have been composed incorrectly in the submitted list. On the basis of this list, the Agency's supplier e-Boks set up the technical access, as neither the Agency nor e-Boks were aware at the time that there were errors in the list in question.

In addition, the Danish Digitization Agency has stated that the agency prepares three lists a week, depending on the type of company that is granted access to, as well as the company's status in the CVR register. This is a manual process, which consists of several different steps, and it is the Board's presumption that the error occurred in one of the last stages in the preparation of this list. The Board's investigation has also indicated that the error occurred in connection with the manual part of the process.

The Danish Digitization Agency has also stated that the agency has not previously experienced that errors have occurred in the preparation of the list in question. The list where the security incident occurred and where the cvr numbers were put together incorrectly was not part of the multi-eye principle at the time.

In this connection, the Danish Digitization Agency has stated that this multi-eye principle is currently implemented on all three lists, so that the risk of errors is minimized.

In continuation of this, the Danish Digitization Agency has stated that the agency has implemented a number of measures to minimize the risk of this type of security incident. The Danish Digitization Agency has i.a. introduced a procedure whereby an additional employee reviews the lists of errors before sending them to the supplier. In addition, the Agency has noted that the list where the security incident in question occurred was not covered by this procedure at that time, as the Agency had not previously experienced problems with this specific list. Which was the reason why the error was not detected by the other employee.

In addition, the Danish Digitization Agency has stated that when the agency became aware of the security incident, they ordered log files from the supplier e-Boks. The logs showed that none of the 26 incorrectly assigned accesses had been used. The law firm, which drew the Agency's attention to the security incident, also confirmed in writing to the Agency on 31 March 2021 that the law firm had not accessed the contents of the corporate mailbox to which they had been incorrectly given access.

The Danish Digitization Agency has stated that it is the Agency's assessment that the other 25 incorrectly allocated company accesses and the registered ones (both the personal information that appears in the post and the relevant law firms that have been appointed as trustees) should not be notified of the breach of personal data security. In this connection, the Danish Digitization Agency has stated that it is because the log files document that the accesses have not been used, which is why it is the Agency's assessment that this is not a security breach that probably involves a high risk to natural persons' rights and freedoms.

Justification for the Danish Data Protection Agency's decision

On the basis of what the Danish Digitization Agency has stated, the Danish Data Protection Agency assumes that the Danish Digitization Agency, due to a human error, granted 26 trustees access to the digital mailboxes of incorrect companies.

It follows from Article 32 (1) of the Data Protection Regulation 1, that the data controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in the data controller's processing of personal data.

Thus, the data controller has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are put in place to protect the data subjects against these risks.

The Danish Data Protection Agency is of the opinion that the requirement pursuant to Article 32 for appropriate security will normally mean that in systems with a large number of confidential information about a large number of users, higher requirements must be placed on the data controller's care in ensuring that no unauthorized access to personal data, and that greater access to data in such systems places greater demands on security against the fact that a single human error may result in a greater breach of personal data security.

The Danish Data Protection Agency is of the opinion that the allocation of access to mailboxes belonging to third parties, even where a trustee is given access to the estate's assets and digital mail, must be verified before access is effected. It will therefore usually be an expression of appropriate security that before the access is opened, a check is made that it is the curator - who has been appointed - who actually also gets the access.

On the basis of the above, the Danish Data Protection Agency finds that the Danish Digitization Agency - by not having introduced measures to ensure that the lists were correct and - according to the information - has only based the assurance that no human errors had occurred before - has not taken appropriate organizational and technical measures to ensure a level of security appropriate to the risks involved in the Agency's processing of personal data, in accordance with Article 32 (1) of the Data Protection Regulation; 1.

After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing criticism that the Danish Digitization Agency's processing of personal data has not taken place in accordance with the rules in Article 32 (1) of the Data Protection Ordinance. 1.

When choosing a reaction in an aggravating direction, the Danish Data Protection Agency has emphasized that the Danish Digitization Agency has experienced similar errors before in the notifications of the Danish Data Protection Agency's cases with j.nr. 2020-442-10578 and 2020-442-9811, and that it is common knowledge that human error occurs, which is why security cannot - alone - be based on a belief that people do not make mistakes.

The Danish Data Protection Agency has noted that the Danish Digitization Agency has subsequently implemented a multi-eye principle on the lists of corporate mailboxes to which the Agency provides access.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).