Datatilsynet (Norway) - 20/02144: Difference between revisions

From GDPRhub
mNo edit summary
m (changed online app to mobile app and rephrased one sentence with regards to entering incorrect phone numbers)
 
(3 intermediate revisions by 3 users not shown)
Line 69: Line 69:
}}
}}


The Norwegian DPA held a courier and logistics company violated [[Article 32 GDPR|Article 32]] for insufficient risk assessment of and security in the app ''MyPostNord,'' allowing several people to access others' personal data when using their new phone number in the app, where the number used to belong to a former app user.
The Norwegian DPA held that a courier and logistics company violated [[Article 32 GDPR]] for insufficient risk assessment and the lack of security measures in the app ''MyPostNord,'' which used phone numbers as the only means of authentication to access a customer profile.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The courier and logistics company PostNord (the controller) offers their customers the service "MyPostNord", where they can schedule and track parcels and obtain advantages such as faster bookings. MyPostNord can also be accessed through an online app.  
The courier and logistics company PostNord (the controller) offers their customers a service ''MyPostNord'', where they can schedule and track parcels as well as obtain advantages such as faster bookings. ''MyPostNord'' can also be accessed through an mobile app.  


In February and March 2020, the controller submitted two data breach notifications to the Norwegian DPA Datatilsynet, relating to cases where unauthorized people could access the customer profile of others. This was possible because the controller used phone numbers as the only means of authentication and entering someone else's number (for example an incorrect one) could give them access to their personal data in the profile, including name, gender, postal address, email address, phone number, order- and payment history, shipments underway and sender name. The same happened in cases where someone got a new phone number which was already used for the MyPostNord service.
In February and March 2020, the controller submitted two data breach notifications to the Norwegian DPA, relating to cases where unauthorised persons were able to access customer profiles of others. The unauthorised persons were able to access the profiles because the controller used phone numbers as the only means of authentication. Entering someone else's number (for example an incorrect one) could give them access to other persons' personal data, including name, gender, postal address, email address, phone number, order- and payment history, shipments underway and sender name. The same happened in cases where there was a new owner of the phone number previously used in the ''MyPostNord'' service and where the pervious owner of the same phone number did not update their profile information.


In addition to the controller's breach notifications, the DPA received tips from the public about similar incidents.
In addition to the controller's breach notifications, the DPA received information from the public about similar incidents. The DPA initiated an investigation and requested information from the controller. Specifically, the DPA asked for the risk assessment of the service ''MyPostNord'' and related processing systems. The controller submitted the risk assessment, but could not state ''when'' the risk assessment was conducted.


For the DPA's request for information to the controller, they specifically asked for the risk assessment for the service MyPostNord and related processing systems. The controller submitted one, but could not state ''when'' the risk assessment was conducted. The DPA stresses in the decision that controllers must be able to report this to sufficiently demonstrate compliance with [[Article 5 GDPR#2|Article 5(2) GDPR]] and [[Article 24 GDPR#1|Article 24(1) GDPR]]. In addition, the DPA notes that the risk assessment lacked a systematic overview of relevant risks related to the controller's processing of personal data in the service, and the assessment was further insufficient. The DPA recommends that the controller implements an established methodology, for example based on ISO 27001.
=== Holding ===
The DPA assessed whether the controller took measures to ensure an appropriate level of security in accordance with [[Article 32 GDPR]]. One of the requirements under [[Article 32 GDPR|Article 32(1) GDPR]] is to identify risks associated with the processing of personal data. Controllers must perform and be able to report a risk assessment in order to sufficiently demonstrate compliance with [[Article 5 GDPR#2|Article 5(2)]] and [[Article 24 GDPR#1|Article 24(1) GDPR]]. The DPA noted that the risk assessment of the controller was not conducted before the processing began, and it lacked a systematic overview of relevant risks related to the processing of personal data, including the lack of an assessment of the risk of confidentiality breaches. The DPA recommended the controller to implement an established methodology, for example based on ISO 27001.


In August 2022 the DPA informed the controller of their intent to impose an order to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk as per [[Article 32 GDPR|Article 32 GDPR]]. The controller accepted the notification and informed the DPA that they were planning to implement two-factor authentication to ensure confidentiality in the service MyPostNord.
Further, the DPA noted that using telephone numbers as an identifier to access the ''MyPostNord'' service could pose problems with regard to the principle of confidentiality ([[Article 5 GDPR|Article 5(1)(f) GDPR]]), especially when phone numbers are assigned to new owners but the service profiles are not updated. The DPA held that the controller violated [[Article 32 GDPR#1|Articles 32(1)]] and [[Article 32 GDPR#2|32(2) GDPR]] for insufficient risk assessment of security measures in the ''MyPostNord'' service, and ordered the controller, pursuant to [[Article 58 GDPR|Article 58(2)(d) GDPR]], to implement sufficient technical and organisational measures as per [[Article 32 GDPR]]. The controller accepted the notification and informed the DPA of plans to implement two-factor authentication in order to ensure confidentiality in the service.
 
=== Holding ===
The DPA held that PostNord, the controller, had violated [[Article 32 GDPR#1|Article 32(1)]] and [[Article 32 GDPR#2|32(2) GDPR]] for insufficient risk assessment of and security in the service MyPostNord, and ordered them to implement sufficient technical and organisational measures.


== Comment ==
== Comment ==

Latest revision as of 14:08, 18 January 2023

Datatilsynet - 20/02144
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 32(1) GDPR, Article 32(2) GDPR, Article 58(2)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started: 24.02.2020
Decided: 09.01.2023
Published: 11.01.2023
Fine: n/a
Parties: PostNord AS
National Case Number/Name: 20/02144
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Norwegian
Original Source: Norwegian DPA Datatilsynet (in NO); Norwegian DPA Datatilsynet (press release) (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA held that a courier and logistics company violated Article 32 GDPR for insufficient risk assessment and the lack of security measures in the app MyPostNord, which used phone numbers as the only means of authentication to access a customer profile.

English Summary

Facts

The courier and logistics company PostNord (the controller) offers their customers a service MyPostNord, where they can schedule and track parcels as well as obtain advantages such as faster bookings. MyPostNord can also be accessed through a mobile app.

In February and March 2020, the controller submitted two data breach notifications to the Norwegian DPA, relating to cases where unauthorised persons were able to access customer profiles of others. The unauthorised persons were able to access the profiles because the controller used phone numbers as the only means of authentication. Entering someone else's number (for example an incorrect one) could give them access to other persons' personal data, including name, gender, postal address, email address, phone number, order- and payment history, shipments underway and sender name. The same happened in cases where there was a new owner of the phone number previously used in the MyPostNord service and where the previous owner of the same phone number did not update their profile information.

In addition to the controller's breach notifications, the DPA received information from the public about similar incidents. The DPA initiated an investigation and requested information from the controller. Specifically, the DPA asked for the risk assessment of the service MyPostNord and related processing systems. The controller submitted the risk assessment, but could not state when the risk assessment was conducted.

Holding

The DPA assessed whether the controller took measures to ensure an appropriate level of security in accordance with Article 32 GDPR. One of the requirements under Article 32(1) GDPR is to identify risks associated with the processing of personal data. Controllers must perform and be able to report a risk assessment in order to sufficiently demonstrate compliance with Article 5(2) and Article 24(1) GDPR. The DPA noted that the controller's risk assessment was not conducted before the processing began, and that it lacked a systematic overview of relevant risks related to the processing of personal data, including an assessment of the risk of confidentiality breaches. The DPA recommended that the controller implement an established methodology, for example based on ISO 27001.

Further, the DPA noted that using telephone numbers as an identifier to access the MyPostNord service could pose problems with regard to the principle of confidentiality (Article 5(1)(f) GDPR), especially when phone numbers are assigned to new owners but the service profiles are not updated. The DPA held that the controller violated Articles 32(1) and 32(2) GDPR for insufficient risk assessment of security measures in the MyPostNord service, and ordered the controller, pursuant to Article 58(2)(d) GDPR, to implement sufficient technical and organisational measures as per Article 32 GDPR. The controller accepted the notification and informed the DPA of plans to implement two-factor authentication in order to ensure confidentiality in the service.


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

POSTNORD AS
PO Box 6441 Etterstad
0605 OSLO

Our reference: 20/02144-16
Date: 09.01.2023



Decision on order - PostNord AS

1 Introduction

We refer to the notice of order of 25 May 2022 and your comments of 25 August 2022.

We understand the comments to mean that PostNord AS accepts the notified order, and that the company plans to introduce two-factor authentication using a personal password and a one-time code sent by SMS to ensure confidentiality in "mypostnord".

Based on your comments, we issue a decision in line with the notice.

2 Resolution

         Pursuant to Article 58(2)(d) of the Personal Data Protection Regulation, POSTNORD AS, reg. no. 984 054 564, is ordered to implement suitable technical measures to achieve a level of security that ensures the confidentiality of the service "mypostnord", cf. Article 32(1) and (2) of the Personal Data Protection Regulation.


The deadline for carrying out the orders appears in section 7 of the decision.

3 More about the facts of the case

The background to the case is two notifications of breaches of personal data security from POSTNORD AS ("PostNord").

The notification of 24 February 2020 (doc. no. 20/00643-1) concerns a person who took over a mobile phone number and thereby gained access to the customer profile of the number's previous owner at PostNord ("Message 1").

The notification of 6 March 2020 (doc. no. 20/00799-1) concerns a PostNord customer who entered the wrong mobile number at registration. All subsequent information was then sent to this mobile number, and the owner of the mistyped mobile number gained access to the whole customer profile ("Message 2").

Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3, 0191 OSLO. Telephone: 22 39 69 00. Org. no: 974 761 467. Website: www.datatilsynet.no

As both messages concern unauthorized access to customer profiles, we process the messages together.

You explain in the messages that access to a customer profile means access to the customer's name, gender, date of birth, postal address, e-mail address, telephone number, order and payment history, as well as an overview of consignments en route and sender name. In addition, access to a customer profile gives the possibility to change notification settings.

In the report of 24 February, it appears that the breach took place between 31 March 2017 and 21 February 2020. In the report of 6 March, it appears that the breach took place between 8 August 2019 and 6 March 2020.

The Norwegian Data Protection Authority has on two occasions asked PostNord to explain the facts of the case, including with regard to the risk assessment of and security in the mypostnord service, as well as the location of controller responsibility in the PostNord group.

In addition to the messages from PostNord and the company's explanations, the Norwegian Data Protection Authority has received tips from users who have experienced gaining access to other users' personal data.

In the comments to the notice, PostNord writes that the company takes note of the notice of order, and that the company has now carried out a risk assessment and identified suitable measures to ensure the confidentiality of the mypostnord service.


4 The requirements of the regulations

4.1 Data controller

The "controller" is the person who determines the purposes of the processing and the means to be used, cf. Article 4(7) of the Personal Data Protection Regulation.

4.2 Basic principles for processing personal data

The basic principles for processing personal data follow from Article 5(1) of the Personal Data Protection Regulation. We refer to Article 5(1)(a), (b), (c) and (f):

      1. Personal data must

         a) be processed in a lawful, fair and transparent manner with regard to the data subject ("lawfulness, fairness and transparency"),

         b) be collected for specified, explicit and legitimate purposes and not be further processed in a way that is incompatible with these purposes (...) ("purpose limitation"),

         c) be adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization"), (...)

         f) be processed in a way that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing (...) using appropriate technical or organizational measures ("integrity and confidentiality")".

      2. The controller is responsible for, and must be able to demonstrate, that the privacy principles are complied with, cf. Article 5(2).

4.3 Safety of processing

Article 32 of the Personal Data Protection Regulation sets out requirements for security of the processing of personal data:

      1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things, as appropriate,

         a) pseudonymisation and encryption of personal data,

         b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (…)

         d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational security measures for the processing.

      2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from (...) unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".


5 The Norwegian Data Protection Authority's assessment

5.1 Data controller

Based on the information PostNord has sent us, we assume that the company PostNord AS is the controller for the processing of personal data through the mypostnord service, cf. Article 4(7) of the Personal Data Protection Regulation.

5.2 Security of processing
According to PostNord, "mypostnord" is a service created for private customers who use the company's forwarding services. The purpose of the service is to give the customer an overview of consignments on their way to or from them:

      The purpose of MyPostNord for private recipients is to give consumers their own, private space towards PostNord, where they can get information about their consignments and adapt their delivery by making changes to shipments that are on their way to them.

The background to this case is two notifications of a breach of personal data security from PostNord, where new users have gained access to previous users' personal data. This happened because the new users had been assigned phone numbers that previously belonged to other users at PostNord. The Norwegian Data Protection Authority has also received tips from people who have experienced gaining access to other users' personal data in mypostnord.

PostNord explains the incidents the company has reported as follows:

        Access to the "previous owner's" profile will be possible if the mobile number changes ownership with the telecom operator, and the "previous owner" of the telephone number has not deleted their profile at PostNord before changing telephone number, or it has not been at least 2 years from when the "previous owner" cancels their number with the telecom operator until the "new owner" is assigned the number by the telecom operator. The "new owner" will then be able to log in to the profile linked to the telephone number (since this is verified through an SMS that the "new owner" can receive), and will not be asked to create a new profile at PostNord.

        For the telecommunications operators, it is also common practice that telephone numbers that become available, e.g. because subscriptions are terminated, are not transferred to a new owner until three months have passed, precisely to ensure that new owners do not receive inquiries concerning the previous owner, which is the situation here. The exception is in the case of direct sales of telephone numbers between two persons, i.e. "previous owner" and "new owner", where one goes outside the telecommunications operators' system, see case 2 below. The "previous owner" in this case has not updated the services within this period. Previous shipments are also not available in the profile under this procedure of not transferring phone numbers for a minimum of three months, since shipments are deleted from the profile after 14 days.

        The reason why the "new owner" will gain access to the profile is that the "previous owner" e.g. has not updated their profile with their new phone number in the online store that makes shipments through PostNord and/or in the profile at PostNord, or that the "previous owner", through an oversight, enters their previous telephone number when ordering in the online store. The online store will then use the "previous owner's" former number for the shipment to the "new owner", and the "new owner" will then receive a notification about the shipment from PostNord with a link to the profile at PostNord. If, on the other hand, the "previous owner" enters their new phone number when ordering or has updated their profile, the situation will not arise, and that may be part of the reason why such events happen very rarely.

        The "new owner" does not have to access the profile to get information about shipments (the SMS provides the name of the recipient, sender (company) and collection point) or to receive packages. But the "new owner" can then choose to access the profile themselves. This despite the fact that the person concerned is aware that the SMS is not for them, since that appears from the SMS by who the recipient is. The "new owner" has thus accessed a profile this person knows they do not have the right to access.
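The access path PostNord describes above, modelled as an added example that is not part of the decision and not PostNord's own code: an in-memory login service in which possession of the phone number (proved by an SMS one-time code) is the only factor, beside the password-plus-SMS variant the company told the DPA it planned (section 1). The profile fields, the phone number, the password hashing scheme and the SMS gateway are constructed assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class Profile:
    """Constructed customer profile; fields follow those the decision lists."""
    name: str
    phone: str
    shipments: list[str]
    salt: bytes = b""
    password_hash: bytes = b""


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumed stand-in; the decision names no password scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SmsGateway:
    """Constructed stand-in for the operator: whoever holds a number reads its SMS."""

    def __init__(self) -> None:
        self.inbox: dict[str, str] = {}

    def send(self, phone: str, text: str) -> None:
        self.inbox[phone] = text

    def read(self, phone: str) -> str:
        return self.inbox.get(phone, "")


class PhoneOnlyLogin:
    """Design the DPA found insufficient: the phone number is identifier and sole factor."""

    def __init__(self, sms: SmsGateway) -> None:
        self.sms = sms
        self.profiles: dict[str, Profile] = {}
        self.pending: dict[str, str] = {}

    def register(self, name: str, phone: str, shipments: list[str], password: str = "") -> None:
        self.profiles[phone] = Profile(name, phone, shipments)

    def start_login(self, phone: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code  # single use: consumed by finish_login
        self.sms.send(phone, f"MyPostNord code {code}")

    def finish_login(self, phone: str, code: str, password: str = "") -> Profile | None:
        expected = self.pending.pop(phone, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        # Only possession of the number is checked, so a recycled or mistyped
        # number hands the current holder the previous owner's profile.
        return self.profiles.get(phone)


class TwoFactorLogin(PhoneOnlyLogin):
    """Design PostNord announced to the DPA: personal password plus SMS one-time code."""

    def register(self, name: str, phone: str, shipments: list[str], password: str = "") -> None:
        salt = os.urandom(16)
        self.profiles[phone] = Profile(name, phone, shipments, salt, hash_password(password, salt))

    def finish_login(self, phone: str, code: str, password: str = "") -> Profile | None:
        profile = super().finish_login(phone, code)
        if profile is None:
            return None
        # Second factor: something the profile owner knows and a new number holder does not.
        if not hmac.compare_digest(hash_password(password, profile.salt), profile.password_hash):
            return None
        return profile


def _code_from_sms(text: str) -> str:
    return text.rsplit(" ", 1)[-1]


def profile_seen_by_number_holder(two_factor: bool, password_entered: str) -> str | None:
    """Both notified events reduce to this: the SMS for +4790000001 (constructed number)
    now reaches someone other than the profile owner, who never updated the profile."""
    sms = SmsGateway()
    svc = TwoFactorLogin(sms) if two_factor else PhoneOnlyLogin(sms)
    svc.register("Previous Owner", "+4790000001", ["parcel from a pharmacy"], "owner-secret")
    svc.start_login("+4790000001")                  # triggered via the link in the SMS
    code = _code_from_sms(sms.read("+4790000001"))  # the current number holder reads the SMS
    profile = svc.finish_login("+4790000001", code, password_entered)
    return profile.name if profile else None


if __name__ == "__main__":
    print(profile_seen_by_number_holder(False, ""))             # Previous Owner
    print(profile_seen_by_number_holder(True, "wrong-guess"))   # None
    print(profile_seen_by_number_holder(True, "owner-secret"))  # Previous Owner
```

The third call shows the hardened variant still admits the legitimate owner, so the added factor blocks only the case the two notifications describe.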


Article 32 of the Personal Data Protection Regulation requires the controller to implement technical and organizational measures to achieve a level of security appropriate to the risk.

The question in our case is whether the level of protection in mypostnord is appropriate with regard to the risks involved in processing personal data in the system, including whether the current level of protection sufficiently ensures the ongoing confidentiality of the personal data in the system, cf. Article 32(1)(b).

The risks to the rights and freedoms of natural persons

Before we assess whether the current level of protection is appropriate, we want to say something about the risks to data subjects' rights and freedoms related to the processing of personal data in mypostnord.

According to Article 32(1) and (2), the controller must implement suitable technical measures in its processing systems based on the risks associated with the processing. The measures must, among other things, safeguard the "ability to ensure the ongoing confidentiality" of the controller's systems and services, cf. Article 32(1)(b).

When assessing which measures are suitable, the controller must take into account the state of the art, the costs of implementation and the nature, scope, purpose and context of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of the data subjects.

As a first step in ensuring an appropriate level of security, Article 32(1) requires controllers to identify the risks associated with the processing of personal data.

This objective assessment, often called a "risk assessment", must identify the risks to the rights and freedoms of natural persons. The risks the controller identifies through the assessment govern which technical and organizational measures the controller must implement to ensure a suitable level of protection, cf. Article 32(1) and (2).

Recital 76 of the Personal Data Protection Regulation states the following about the assessment:

        The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

(our emphasis).

In our request for an explanation, we asked PostNord to send us the company's risk assessment of mypostnord and related processing systems. In its statement, PostNord refers to the document "Security assessment MyPostNord".

In the submission, PostNord has not documented when the assessment was carried out.

In order to be able to demonstrate that the principles are adhered to, cf. Article 5(2), and to be able to "ensure and be able to demonstrate that processing is performed in accordance with this Regulation", cf. Article 24(1), a systematic approach to the work on regulatory compliance is necessary. PostNord must be able to demonstrate the time of the assessment, including so that the Norwegian Data Protection Authority can check that it was carried out before the processing of personal data started. This is not possible from the documentation PostNord has sent.

Furthermore, the submitted risk assessment lacks a systematic overview and assessment of relevant risks related to the company's processing of personal data in the service.

The Personal Data Protection Regulation does not specify a methodology for carrying out risk assessments, but the controller must, in light of the accountability principle, have a systematic approach to regulatory compliance, which means that it has documented and can demonstrate compliance, cf. Article 5(2).

The controller must at least be able to demonstrate that it has an overview of relevant risks, that it has assessed them to a sufficient extent and that it has implemented suitable measures to reduce the risk of a breach of personal data security. We cannot see that the risk that a user's personal data goes astray via mypostnord is assessed to a sufficient extent in the documentation the company has sent us. Nor has PostNord assessed the particular risk of breach of confidentiality that the service entails for new holders of a telephone number obtained via direct sale, where confidential information can be disclosed to unauthorized persons.

The most widespread way of carrying out risk assessments is to list relevant risk scenarios and assess the probability and consequence of each. On the basis of that assessment, it is determined whether the risks are acceptable or whether measures must be implemented. If the risks are not acceptable, various risk-reducing measures are assessed and a decision is made on which are suitable. One then specifies who will carry out the various measures and the deadline for implementation. We recommend that PostNord adopts a recognized methodology for carrying out risk assessments, for example based on ISO 27001.

Our preliminary assessment is that the risk assessment PostNord has sent us does not sufficiently identify the risks associated with the company's processing of personal data in mypostnord. The assessment has key shortcomings that make it unsuitable for identifying the risks in the processing as required by Article 32(1) and (2).






In what follows, we will say something overall about the risk to the rights and freedoms of the data subjects when using mypostnord, as the risks govern which technical measures PostNord, as the controller, must implement in the service.

According to PostNord, the following information is stored in a customer profile in mypostnord:

  • First name, last name, mobile number, e-mail, photo, date of birth and gender (where the last three are not required to be filled in, and are rarely filled in by users).
  • Address.
  • Packages on the way, with the name of the sender (company name). This information is kept for only 14 days in the archive in the profile.
  • Notification settings, i.e. which notifications the person concerned wants to receive from PostNord, by e-mail or SMS.
  • Business recipients or contract customers the user is associated with (and administration of these if the role dictates it).
  • What types of notification (i.e. notification of receipt of a shipment) were sent, when, through which channel and with what status (but not content).
  • Payment history (date, type, shipment number, amount, status, payment method, reference and transaction identifier). This only covers payments to PostNord where additional services have been purchased from PostNord, such as Flex, i.e. changed delivery location (then only "Flex" is shown in the profile), own shipment (then only "Mypack GO") or cash on delivery (then only "CashOnDelivery"). Payment history may be deleted by the user.
  • PostNord Plus level, if the user is a member of PostNord, which only indicates how many packages have been sent from PostNord and which user level the user is at ("Gold", "Silver" or "Basic"), but no information about packages etc.

This information is not, in principle, special categories of personal data according to Article 9 of the Personal Data Protection Regulation.


However, the information may still be of a sensitive nature for the data subjects, and this applies in particular to the dispatch history with information on the name of the sender. PostNord has a large market share in the Nordics, and is used by many different types of online shops, including pharmacies.[1]

PostNord is not only covered by the provisions of the Personal Data Protection Regulation, but also by the Postal Act. Section 30 of the Postal Act states that providers of postal services have a duty of confidentiality regarding:

      [...] information about the sender's and recipient's use of the postal service, [...] the sender's and recipient's business or personal circumstances and [...] the content of postal items'.

According to the Postal Act, the provider is obliged to "implement measures to prevent unauthorized parties from becoming aware of the information". The Norwegian Data Protection Authority is not the supervisory authority for the Postal Act, but the provision on confidentiality is nevertheless suitable to say something about the sensitivity of the information to which this case applies.

[1] See, for example, the online stores of Apotek 1, Boots Apotek, Vitusapotek and Farmasiet.no: https://www.apotek1.no/kundesenter/frakt-og-levering, https://www.boots.no/frakt-og-levering, https://www.vitusapotek.no/kundeservice/levering-og-betaling/a/A1361, https://www.farmasiet.no/kundesenter/frakt-og-levering (last visited 25.05.22).

We also note that the correspondence of natural persons is at the core of the right to privacy under Article 8 of the European Convention on Human Rights.

The integrity and confidentiality principle is a fundamental principle for the processing of personal data, cf. Article 5(1)(f).

Measures to achieve a suitable level of security with respect to the risk

The next question is whether PostNord has implemented suitable technical measures that ensure a
suitable level of protection in mypostnord in light of the risks involved in processing personal data,
cf. the personal protection regulation article 32 no. 1.


PostNord states that the technical measures which as of today have been introduced in mypostnord fulfil
the requirement for technical measures and ensure a suitable level of security according to Article 32:

        Confidentiality is ensured by requiring authentication from a telephone number, see
        above, and the risk of access when changing the telephone number is very small. In addition,
        there are no alternative measures that would increase security with regard to the personal data
        which is available in the solution and accessibility for users, see below. Use of
        telephone number is also an industry standard, and this is also the solution that, among others,
        The mail uses.

        The duty of confidentiality under the Postal Act is respected by the solution that has been chosen, and there are
        no solutions or measures that provide more security. Previously, a notification about a package was sent
        out by post in the mailbox, and such a solution provides less security (because most people do not have
        locked mailboxes) than the solution currently used.

        It should also be specified that, given the level of security as mentioned, the incident is due to the
        data subject's own circumstances, as well as that the recipient of the SMS notification ("new owner") has acted
        against their better judgment, if the person concerned has accessed the previous owner's profile.


As of today, PostNord uses the telephone number as an identifier for access to services and profiles
at the company:

        Mobile number is used as identifier for access to services and profiles at
        PostNord which, according to PostNord's assessment, see the attached risk assessment, provides an
        adequate security level and risk level considering the information that is processed and
        which is available on the recipient's (the registered person's) profile as well as in the SMS notification, that this is
        limited information and not of a sensitive nature or special categories, and that there is a
        need to receive notifications about packages quickly and easily, and correspondingly for access to
        one's own profile and the services therein (type, scope, purpose and the context in which they are performed), see
        also below, the availability of the services (usability), the level of security
        which is available and practices for such information and services (the technical
        development), the implementation costs (such that this is a more expensive solution than
        e-mail (a cost of approx. NOK 2.6 million per year), but BankID is a very expensive
        solution, with approx. NOK 10.8 million per year).

(Our emphasis)

We disagree with this assessment.


Our view is that authenticating users in mypostnord solely by means of a telephone number does not
ensure a suitable level of protection that safeguards the confidentiality of the service, cf.
the Personal Data Protection Regulation article 32 no. 1 letter b.

Firstly, the current arrangement with a telephone number as the only authentication means that
people who buy phone numbers via direct sales, and who visit mypostnord, will get
access to the previous owner's personal data, including shipment information.

PostNord states that the shipment information is only stored for 14 days, and that confidentiality for
this information can only be broken if a telephone number changes owner through a
direct transaction, where the telephone number is not covered by the telecom operators' quarantine period.

PostNord is aware that direct sales of telephone numbers take place in Norway, and that this is not
illegal, even if it takes place to a lesser extent than the allocation of telephone numbers from
the telecom operators. As telephone numbers are a limited resource, and the population of Norway keeps growing,
it follows logically that there will be an increasing probability of similar cases of
breach of confidentiality in the future. If PostNord's market share in Norway increases, the
probability will increase further.


Secondly, the current arrangement means that people who are allocated a new telephone number from
a telecom operator will gain access to the personal data of the former owner of
the phone number when the new owner uses mypostnord.

According to the Personal Data Protection Regulation, PostNord is further obliged to ensure the confidentiality of all
personal data it processes as data controller.


Once shipment information has been deleted after 14 days, mypostnord stores the remaining
personal data for one year before it is deleted. As the quarantine period for reuse of
telephone numbers distributed via the telecom operators is less than a year, there is a much higher
likelihood that the confidentiality of this information will be breached. The arguments about
telephone numbers as a limited resource and a potential increase in PostNord's market share are even
more relevant here.


PostNord itself states that "The information [...] is basic information that is
necessary for recipients from PostNord, and not to be regarded as sensitive or intrusive for
the receiver". This is hardly a valid argument for all users, and in any case not a free pass
to allow breaches of confidentiality, even if this applies to a small number of users.





Our assessment is that with the current level of protection, unauthorized persons will regularly gain
access to users' personal data in mypostnord.

We note that the responsibility for ensuring the security of personal data according to
the data protection regulation lies with the data controller, and that PostNord cannot push
this responsibility onto the end user with the argument that a user with a new telephone number
should have understood that they were in the process of gaining access to other people's personal data and thus
"acted against better judgment".

Based on this, our assessment is that PostNord has not carried out suitable technical
measures to achieve a suitable level of protection in the mypostnord service. The company has not
implemented suitable measures that ensure continued confidentiality in the service.

Our conclusion is therefore that PostNord has breached Article 32 of the Personal Data Protection Regulation.



6 Assessment of corrective measures

Our assessment is that PostNord has not implemented suitable technical measures to ensure a suitable
level of protection and confidentiality in mypostnord, cf. the personal data protection regulation article 32 and
article 5 no. 1 letter f, as the service is designed today.

We therefore consider it necessary to order PostNord to carry out technical measures to ensure an
adequate level of protection and safeguard confidentiality in mypostnord.


The order means, firstly, that PostNord must identify the risks associated with
the processing of personal data in mypostnord in line with article 32 no. 1 and no. 2, cf.
recital 76.

Furthermore, the order implies that PostNord must implement suitable technical measures to ensure a
suitable level of protection and confidentiality in mypostnord. The company must take measures that
prevent people who obtain a new telephone number through direct sale or allocation from a
telecom operator from gaining unauthorized access to other users' personal data at PostNord.

In the notes to the notice, PostNord writes the following:

        On the basis of this case, PostNord has carried out a risk assessment (see
        attached appendix). In the risk assessment, we have mapped the risks we perceive to be relevant,
        in addition to identifying suitable technical and organizational risk-reducing measures.
        PostNord has assessed that the risk will be reduced considerably by the introduction of suitable
        measures.

        In order to satisfy PostNord's own target requirements for adequate security, PostNord has
        decided to introduce additional requirements for logging into the MyPostNord application.
        PostNord has assessed that the introduction of two-factor identification will raise
        the security level in MyPostNord. This will mean introducing a personal
        password in addition to the current solution with a code via SMS. Furthermore,
        the probability of an unauthorized person gaining access to the system is considered negligible
        (provided that one does not have access to the personal password or SMS code).

As mentioned in the notice, we do not require PostNord to carry out specific technical measures in order to
achieve a suitable level of security and confidentiality. This is because it is the company's own task to
identify suitable technical measures in light of the identified risk to natural persons'
rights and freedoms arising from the processing of personal data in the service.

We nevertheless mention that we agree that the described measures will be an appropriate way to
ensure the confidentiality of mypostnord on
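The following added example is not PostNord's code and is not part of the decision; it is a constructed model of the two designs discussed above: the phone-number-only login the DPA found inadequate, and the personal-password-plus-SMS-code measure PostNord announced. The 14-day retention of shipment information and the one-year retention of the remaining profile data are taken from the decision; the phone number, names, sender, reassignment days and the `NumberRegistry`, `ParcelService` and `reassignment_scenario` helpers are assumptions made for illustration. The model shows why the quarantine period matters: once the shipment data is gone, the profile remains reachable for the rest of the year to whoever holds the number, and only a factor that does not travel with the number closes that gap.

```python
"""Model of phone-number-only login versus the password-plus-SMS design
proposed in the decision. Constructed illustration, not PostNord's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SHIPMENT_RETENTION_DAYS = 14   # shipment information is deleted after 14 days (from the decision)
PROFILE_RETENTION_DAYS = 365   # remaining profile data is kept for one year (from the decision)
PBKDF2_ROUNDS = 100_000


@dataclass
class Profile:
    name: str
    address: str
    last_active_day: int
    shipments: List[Tuple[str, int]] = field(default_factory=list)  # (sender, day registered)
    salt: bytes = b""
    password_hash: Optional[bytes] = None  # only set in the hardened design


class NumberRegistry:
    """Tracks who currently holds a phone number (hypothetical helper). A
    reassignment, whether by direct sale or by telecom reallocation after the
    quarantine period, simply overwrites the holder; the service is never told."""

    def __init__(self) -> None:
        self.holder: Dict[str, str] = {}

    def assign(self, phone: str, person: str) -> None:
        self.holder[phone] = person

    def can_receive_sms(self, phone: str, person: str) -> bool:
        return self.holder.get(phone) == person


def set_password(profile: Profile, password: str) -> None:
    profile.salt = os.urandom(16)
    profile.password_hash = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), profile.salt, PBKDF2_ROUNDS)


def verify_password(profile: Profile, password: str) -> bool:
    if profile.password_hash is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), profile.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, profile.password_hash)


class ParcelService:
    """Hypothetical service whose profiles are keyed by phone number, as in the decision."""

    def __init__(self, registry: NumberRegistry) -> None:
        self.registry = registry
        self.profiles: Dict[str, Profile] = {}

    def purge_expired(self, today: int) -> None:
        # Retention counted from the day a shipment was registered / the profile was last active
        # (the counting start is a modelling assumption).
        for phone in list(self.profiles):
            p = self.profiles[phone]
            p.shipments = [s for s in p.shipments if today - s[1] < SHIPMENT_RETENTION_DAYS]
            if today - p.last_active_day >= PROFILE_RETENTION_DAYS:
                del self.profiles[phone]

    def login_phone_only(self, phone: str, requester: str) -> Optional[Profile]:
        """Vulnerable design: the SMS code proves only that the requester holds
        the number today, so a new holder inherits the previous owner's profile."""
        if not self.registry.can_receive_sms(phone, requester):
            return None
        return self.profiles.get(phone)

    def login_with_password(self, phone: str, requester: str, password: str) -> Optional[Profile]:
        """Hardened design announced in the decision: SMS code plus a personal
        password, i.e. something the new holder of the number does not possess."""
        profile = self.login_phone_only(phone, requester)
        if profile is None or not verify_password(profile, password):
            return None
        return profile


def reassignment_scenario(reassign_day: int, with_password: bool) -> dict:
    """What the new holder of a reassigned number can see of the old owner's profile."""
    registry = NumberRegistry()
    service = ParcelService(registry)
    phone = "+47 000 00 000"  # constructed sample number
    registry.assign(phone, "old owner")
    profile = Profile("Kari Nordmann", "Constructed Street 1", last_active_day=0,
                      shipments=[("Apotek 1", 0)])  # constructed sample data
    if with_password:
        set_password(profile, "old-owner-secret")
    service.profiles[phone] = profile
    registry.assign(phone, "new owner")  # number changes hands on reassign_day
    service.purge_expired(reassign_day)
    seen = (service.login_with_password(phone, "new owner", "guess") if with_password
            else service.login_phone_only(phone, "new owner"))
    if seen is None:
        return {"profile_exposed": False, "shipments_exposed": 0}
    return {"profile_exposed": True, "shipments_exposed": len(seen.shipments)}


if __name__ == "__main__":
    for label, day in (("direct sale, day 5", 5), ("telecom reallocation, day 90", 90), ("day 400", 400)):
        print(label, "| phone only:", reassignment_scenario(day, False),
              "| with password:", reassignment_scenario(day, True))
```

Run as a script, the scenario table reproduces the DPA's two findings: a number sold directly a few days after the old owner's last shipment exposes both the profile and the shipment, a number reallocated by a telecom operator after a quarantine shorter than a year still exposes the profile for the remainder of the year, and in neither case does the added password factor let the new holder in.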

Our authority to order the company to implement suitable technical measures to achieve a
suitable level of protection and confidentiality is the Personal Data Protection Regulation article 58 no. 2 letter d.

7 Right of appeal and further proceedings

You can appeal the decision. Any appeal must be sent to us within three weeks of receipt of this
letter, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will
forward the case to the Privacy Board for complaint processing.

The deadline for carrying out the order is 4 weeks after the expiry of the appeal period. If you don't
appeal the order, you must send us a written confirmation within this deadline, as well as
documentation that the order has been carried out.


8 Publicity, transparency and confidentiality

We would like to inform you that all documents are in principle public, cf.
the Freedom of Information Act § 3. If you believe there are grounds for exempting all or part of
the document from public inspection, we ask you to give reasons for this.

The Norwegian Data Protection Authority has a duty of confidentiality regarding who has notified us of a breach of
the Personal Data Act and the Personal Data Protection Regulation, and about their personal circumstances.
The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and the Public Administration Act § 13.
As a party to the case, you may nevertheless be made aware of such information by the Norwegian Data Protection Authority, cf.
the Public Administration Act § 13 b first paragraph no. 1. You also have the right to inspect the case's documents,
cf. Section 18 of the Public Administration Act.

We draw your attention to the fact that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority
about the identity of persons who report breaches of the Personal Data Act and
the Personal Data Protection Regulation, their personal circumstances and other identifying information, and that you
may only use this information to the extent necessary to safeguard
your interests in this matter, cf. the Public Administration Act § 13 b second paragraph. We also
note that breach of this duty of confidentiality can be punished according to Section 209 of the Criminal Code.







If you have any questions about the case, you can contact us by e-mail omm@datatilsynet.no or
telephone 22 39 69 59.




With best regards


Ylva Marrable
section manager

                                                                 Ole Martin Moe
                                                                 senior legal advisor

The document is electronically approved and therefore has no handwritten signatures
