Datatilsynet (Denmark) - 2021-442-12980

From GDPRhub
Revision as of 10:22, 1 February 2023 by SR
Datatilsynet - INC000003185717
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Type: Other
Outcome: n/a
Started: 12.05.2021
Decided: 13.06.2022
Published: 23.01.2023
Fine: n/a
Parties: Danske Bank
National Case Number/Name: INC000003185717
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 GDPR procedure, the Danish DPA reprimanded Danske Bank for a violation of Article 32(1) GDPR. A technical error resulted in the unauthorised disclosure of invoices to business customers of the bank.

English Summary

Facts

Danske Bank (controller) had developed an electronic registry database for invoices, which was connected to the controller's 'District platform' application. This application was developed by the controller to, among other things, allow its business customers to search for their own invoices.

On 5 May 2021, 132 electronic invoices were uploaded to the database without any information about the "receiver" of the invoices. Due to a technical error, the missing receiver information allowed other users of the application to retrieve these 132 invoices by searching without typing anything in the 'receiver' field (a blank search).

These invoices without receiver information were searchable and visible between 5 May 2021 and 10 May 2021. The controller's own investigation into the matter showed that 371 Finnish users had accessed these electronic invoices in this period. On 10 May 2021, the information regarding the recipients was added manually to these 132 invoices.

The controller notified the Danish DPA of this personal data breach on 12 May 2021.

On 20 May 2021, the controller implemented a safety mechanism to ensure it was no longer possible to perform a blank search when searching for invoices.

Holding

The DPA stated that Article 32 GDPR normally implies that when a controller operates systems holding a large amount of confidential information about a large number of users, the controller must exercise greater diligence to ensure that there is no unauthorised access to or disclosure of personal data.

In this case, it meant that the controller should have assessed all likely outcomes in the context of the development of software used to process personal data. The DPA specifically referred to Article 32(1)(d) GDPR, which states that the controller should implement a procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure security of processing.

The DPA considered that the controller had not taken appropriate organisational and technical measures by not continuously testing its own technical measures, resulting in a violation of Article 32(1) GDPR. The DPA reprimanded the controller for this violation.
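The facts above describe an access-control defect (an empty search value matching the records whose receiver field was also empty), the bank's documented fix (refusing blank searches), and the DPA's point that such outcomes should be caught by regular testing under Article 32(1)(d). The following is an added illustration written for this page; it is not code from the decision, from Danske Bank or from the District platform, and every name, customer id and invoice in it is constructed. It models the defect, a hardened lookup, and a regression check of the kind a controller could run continuously. The hardened version goes beyond the fix the decision records by also scoping results to the authenticated customer and by quarantining invoices that arrive without a receiver; both are assumptions about good practice, not something the decision states the bank did.

```python
"""Added example (not from the decision or the bank): blank-search leak,
hardened lookup, and a regression check. All data below is constructed."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    receiver: str   # customer id of the recipient; "" models an invoice uploaded without one
    name: str
    address: str


# Constructed store: two invoices with a receiver, two "orphaned" ones without.
INVOICES: List[Invoice] = [
    Invoice("INV-1001", "CUST-A", "A. Example", "Street 1, Helsinki"),
    Invoice("INV-1002", "CUST-B", "B. Example", "Street 2, Espoo"),
    Invoice("INV-1003", "", "C. Example", "Street 3, Turku"),
    Invoice("INV-1004", "", "D. Example", "Street 4, Oulu"),
]


def search_vulnerable(session_customer: str, receiver_field: str) -> List[Invoice]:
    """Models the defect described in the decision: the only filter is the
    user-typed receiver value, and the authenticated identity is not used at
    all. Typing nothing compares "" against stored receivers, so every invoice
    whose receiver field is blank matches, whoever is asking."""
    typed = receiver_field.strip()
    return [inv for inv in INVOICES if inv.receiver == typed]


class BlankSearchError(ValueError):
    """Raised when a search arrives without a receiver value (the check the
    decision says was released on 20 May 2021, modelled here as an assumption)."""


def search_hardened(session_customer: str, receiver_field: str) -> List[Invoice]:
    """Hardened lookup. Step 1 is the fix the decision records: blank searches
    are refused. Step 2 is an added assumption about good practice: results are
    scoped server-side to the authenticated customer, so the typed value can
    never widen the result set beyond the caller's own invoices."""
    typed = receiver_field.strip()
    if not typed:
        raise BlankSearchError("receiver is required")
    if typed != session_customer:
        # Asking for someone else's receiver id yields nothing rather than data.
        return []
    return [inv for inv in INVOICES if inv.receiver and inv.receiver == session_customer]


def orphaned_invoices(invoices: List[Invoice]) -> List[Invoice]:
    """Ingestion gate (assumption): invoices missing the receiver field should be
    quarantined before they become searchable, instead of being added to the
    store and repaired by hand days later."""
    return [inv for inv in invoices if not inv.receiver]


def blank_search_regression_ok(search: Callable[[str, str], List[Invoice]]) -> bool:
    """The kind of regular test Article 32(1)(d) calls for: a blank search by any
    customer must either be refused or return nothing. Returns True when the
    given search function passes."""
    try:
        return search("CUST-A", "") == []
    except BlankSearchError:
        return True


if __name__ == "__main__":
    print("vulnerable, blank search:", [i.invoice_no for i in search_vulnerable("CUST-A", "")])
    print("hardened, own id:", [i.invoice_no for i in search_hardened("CUST-A", "CUST-A")])
    print("orphans at ingestion:", [i.invoice_no for i in orphaned_invoices(INVOICES)])
    print("regression check passes (vulnerable):", blank_search_regression_ok(search_vulnerable))
    print("regression check passes (hardened):", blank_search_regression_ok(search_hardened))
```

Run against the constructed store, the vulnerable search with an empty field returns both orphaned invoices, which is the disclosure the decision describes; the hardened search refuses the blank request, and the regression check fails on the vulnerable function and passes on the hardened one, which is the point of testing continuously rather than once.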

Comment

It was not specified in the decision itself why this decision was the result of an Article 60 GDPR procedure.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Danske Bank A/S
Holmens Kanal 2-12
1092 København K
Sent via Digital Post to CVR 61126228

13 June 2022
J.No. 2021-442-12980
IMI case no. 483097

Caseworker
Betty Husted

The Danish Data Protection Agency
Carl Jacobsens Vej 35
2500 Valby
Denmark
T 3319 3200
dt@datatilsynet.dk
datatilsynet.dk
VAT No. 11883729

Regarding personal data breach, your case no. INC000003185717

The Danish Data Protection Agency hereby returns to the case where Danske Bank A/S has notified a personal data breach to the Danish Data Protection Agency on 12 May 2021.

1. Decision

After examining the case, the Danish Data Protection Agency considers that there are grounds for issuing a reprimand that Danske Bank’s processing of personal data has not been carried out in accordance with the rules laid down in Article 32(1) of the GDPR.


Below is an examination of the case and a statement of reasons for the Danish Data Protection Agency’s decision.


2. Summary of facts

Danske Bank notified a personal data breach to the Danish Data Protection Agency on 12 May 2021.

According to the notification, a technical error in sending 132 electronic invoices containing the name, address and invoice number to Danske Bank’s customers in Finland resulted in the 132 invoices being searchable and visible to 14.511 Finnish business customers in the period between 5 May 2021 and 10 May 2021.

The breach occurred due to a technical error in which 132 invoices were placed in the 'District platform' system without the recipients’ account details. The blank receiver field allowed these invoices to be searched if the user performed a search without entering receiver’s information (a blank search).

Danske Bank’s investigation of the breach shows that 371 Finnish users accessed the electronic invoices between 5 May 2021 and 10 May 2021. However, the number of users who performed a search without entering the receiver’s information (a blank search) would most likely be lower.

District Platform is an application developed by Danske Bank for the bank’s business customers to search for invoices, among other things.

Danske Bank stated that on 10 May 2021, recipient information was added manually to the 132 electronic invoices. On 20 May 2021, a safety mechanism was verified and released ensuring the possibility of performing a search for electronic invoices with no receiver information was disabled.

3. Reasons for the Danish Data Protection Agency’s decision

On the basis of the information provided by Danske Bank, the Danish Data Protection Agency considers that from 5 May 2021 to 10 May 2021 it has been possible for the bank’s business customers in Finland to see unrelated invoices.

According to Article 32(1) of the GDPR the controller must take appropriate technical and organisational measures to ensure a level of security appropriate to the risks posed by the processing of personal data by the controller.

There is thus an obligation on the controller to identify the risks that the controller’s processing poses to data subjects and to ensure that appropriate safeguards are put in place to protect data subjects from those risks.

The Data Protection Agency is of the opinion that the requirement under Article 32 on adequate security will normally imply that in systems with a large amount of confidential information about a large number of users, higher requirements must be imposed on the controller’s carefulness in ensuring that there is no unauthorised access to personal data, that all likely outcomes should be tested in the context of the development of software where personal data are processed and that a relevant security measure in Article 32(1)(d) specifically mentions that the controller implements a procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure security of processing.

In the light of the above, the Danish Data Protection Agency considers that Danske Bank – by not having continuously tested the Bank’s technical measures – has not taken appropriate organisational and technical measures to ensure a level of security appropriate to the risks associated with the processing of personal data by Danske Bank, cf. Article 32(1) of the GDPR.

After examining the case, the Danish Data Protection Agency considers that there are grounds for issuing a reprimand that Danske Bank’s processing of personal data has not been carried out in accordance with the rules laid down in Article 32(1) of the GDPR.

As a mitigating fact, the Danish Data Protection Agency has taken into account that the breach concerned only information on name, address and invoice number.

Kind regards

Betty Husted