Datatilsynet (Denmark) - 2021-442-12980: Difference between revisions
m (Kv moved page Datatilsynet (Denmark) - INC000003185717 to Datatilsynet (Denmark) - 2021-442-12980) |
m (typo) |
||
| Line 61: | Line 61: | ||
}} | }} | ||
In an [[Article 60 GDPR]] procedure, the Danish DPA reprimanded | In an [[Article 60 GDPR]] procedure, the Danish DPA reprimanded Danske bank for a violation of [[Article 32 GDPR|Article 32(1) GDPR]]. A technical error resulted in the unauthorised disclosure of invoices to business customers of the bank. | ||
== English Summary == | == English Summary == | ||
Latest revision as of 11:39, 22 March 2024
| Datatilsynet - INC000003185717 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | 12.05.2021 |
| Decided: | 13.06.2022 |
| Published: | 23.01.2023 |
| Fine: | n/a |
| Parties: | Danske Bank |
| National Case Number/Name: | INC000003185717 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
In an Article 60 GDPR procedure, the Danish DPA reprimanded Danske bank for a violation of Article 32(1) GDPR. A technical error resulted in the unauthorised disclosure of invoices to business customers of the bank.
English Summary
Facts
Danske Bank (controller) had developed an electronic registry database for invoices, which was connected to the controller's 'District platform' application. This application was developed by the controller to, among other things, allow its business customers to search for their own invoices.
On 5 May 2021, 132 electronic invoices were uploaded to the database but no information about the "receiver" of such invoices was included. Due to a technical error, this lack of information on the invoices allowed other users of the application to search for these 132 invoices by performing a search in the application without typing anything in the 'receiver' field (performing a blank search).
These invoices without receiver information were searchable and visible between 5 May 2021 and 10 May 2021. The controller's own investigation into the matter showed that 371 Finish users had accessed these electronic invoices in this period. On 10 May 2021, the information regarding the recipients was added manually to these 132 invoices.
The controller notified the Danish DPA of this personal data breach on 12 May 2021.
On 20 May 2021, the controller implemented a safety mechanism to ensure it was no longer possible to perform a blank search when searching for invoices.
Holding
The DPA stated that Article 32 GDPR normally implies that when a controller is using systems with a large amount of confidential information concerning a large number of users, the controller has to comply with higher diligence to ensure that there is no unauthorised access to or disclosure of personal data.
In this case, it meant that the controller should have assessed all likely out-comes in the context of the development of software used to process personal data. The DPA specifically referred to Article 32(1)(d) GDPR, which states that the controller should implement a procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure security of processing.
The DPA considered that the controller had not taken appropriate organisational and technical measures by not continuously testing its own technical measures, resulting in a violation of Article 32(1) GDPR. The DPA reprimanded the controller for this violation.
Comment
It was not specified in the decision itself why this decision was the result of an Article 60 GDPR procedure.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Danske Bank A/S
13 June 2022
Holmens Kanal 2-12
1092 København K J.No. 2021-442-12980
IMI case no. 483097
Caseworker
Betty Husted
Sendt via Digital Post til CVR 61126228
Regarding personal data breach, your case no. INC000003185717 The Danish Data
Protection Agency
The Danish Data Protection Agency hereby returns to the case where Danske Bank A/S has Carl Jacobsens Vej 35
notified a personal data breach to the Danish Data Protection Agency on 12 May 2021. 2500 Valby
Denmark
T 3319 3200
1. Decision
dt@datatilsynet.dk
After examining the case, the Danish Data Protection Agency considers that there are grounds datatilsynet.dk
for issuing a reprimand that Danske Bank’s processing of personal data has not been carried
VAT No. 11883729
out in accordance with the rules laid down in Article 32(1) of the GDPR.
Below is an examination of the case and a statement of reasons for the Danish Data Protection
Agency’s decision.
2. Summary of facts
Danske Bank notified a personal data breach to the Danish Data Protection Agency on 12 May
2021.
According to the notification, a technical error in sending 132 electronic invoices containing the
name, address and invoice number to Danske Bank’s customers in Finland resulted in the 132
invoices being searchable and visible to 14.511 Finnish business customers in the period be-
tween 5 May 2021 and 10 May 2021.
The breach occurred due to a technical error in which 132 invoices were placed in the 'District
platform' system without the recipients’ account details. The blank receiver field allowed these
invoices to be searched if the user performed a search without entering receiver’s information
(a blank search).
Danske Bank’s investigation of the breach shows that 371 Finnish users accessed the elec-
tronic invoices between 5 May 2021 and 10 May 2021. However, the number of users who
performed a search without entering the receiver’s information (a blank search) would most
likely be lower.
District Platform is an application developed by Danske Bank for the bank’s business custom-
ers to search for invoices, among other things.Danske Bank stated that on 10 May 2021, recipient information was added manually to the Page 2 of 2
132 electronic invoices. On 20 May 2021, a safety mechanism was verified and released en-
suring the possibility of performing a search for electronic invoices with no receiver information
was disabled.
3. Reasons for the Danish Data Protection Agency’s decision
On the basis of the information provided by Danske Bank, the Danish Data Protection Agency
considers that from 5 May 2021 to 10 May 2021 it has been possible for the bank’s business
customers in Finland to see unrelated invoices.
According to Article 32(1) of the GDPR the controller must take appropriate technical and or-
ganisational measures to ensure a level of security appropriate to the risks posed by the pro-
cessing of personal data by the controller.
There is thus an obligation on the controller to identify the risks that the controller’s processing
poses to data subjects and to ensure that appropriate safeguards are put in place to protect
data subjects from those risks.
The Data Protection Agency is of the opinion that the requirement under Article 32 on adequate
security will normally imply that in systems with a large number of confidential information
about a large number of users, higher requirements must be imposed on the controller’s care-
fulness in ensuring that there is no unauthorised access to personal data, that all likely out-
comes should be tested in the context of the development of software where personal data
are processed and that a relevant security measure in Article 32(1)(d) specifically mentions
that the controller implements a procedure for the regular testing, assessment and evaluation
of the effectiveness of the technical and organisational measures to ensure security of pro-
cessing.
In the light of the above, the Danish Data Protection Agency considers that Danske Bank – by
not having continuously tested the Bank’s technical measures – has not taken appropriate
organisational and technical measures to ensure a level of security appropriate to the risks
associated with the processing of personal data by Danske Bank, cf. Article 32(1) of the GDPR.
After examining the case, the Danish Data Protection Agency considers that there are grounds
for issuing a reprimand that Danske Bank’s processing of personal data has not been carried
out in accordance with the rules laid down in Article 32(1) of the GDPR.
As a mitigating fact, the Danish Data Protection Agency has taken into account that the breach
concerned only information on name, address and invoice number.
Kind regards
Betty Husted
