Datatilsynet - 2019-431-0044

Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(f) GDPR, Article 32(1) GDPR

Type: Investigation
Outcome: Violation found
Decided: 26. 2. 2020
Published: 26. 2. 2020
Fine: None
Parties: Bankernes EDB Central (BEC)
National Case Number: 2019-431-0044
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Danish
Original Source: Datatilsynet (in DK)

The Danish software supplier BEC received serious criticism from the Danish Data Protection Authority (Datatilsynet) for the accidental disclosure of personal data caused by a system error.

English Summary

Facts

The Danish Data Protection Authority received a number of data breach notifications under Article 33 GDPR from more than twenty Danish banks. The reported breaches concern the accidental disclosure of personal addresses in connection with automated payment transfers between banks. Automated payment transfers between 25 May 2018 and 22 August 2019 were affected. It is estimated that more than 20,000 customers were affected by the error.

The Danish company Bankernes EDB Central (BEC) supplies software to banks and financial institutions. Payment transfers processed by BEC are usually accompanied by address information so that the payee can identify the payer. BEC has access to personal addresses in the Danish Central Person Register (CPR). The CPR allows a person's address to be registered as protected from disclosure. An error in the system operated by BEC led to the disclosure of personal addresses regardless of an address-protection registration in the CPR.

Dispute

The question for the Danish DPA to decide was whether BEC, as data processor, had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR.

Holding

The Danish DPA decided that BEC did not implement appropriate technical and organisational measures to protect personal data from unauthorized disclosure.

The criticism concerns the fact that BEC initially used an older IT solution in which address protection had not been implemented. After the migration to a new system, errors occurred in the marking of address protection, resulting in unauthorized disclosure.

The Danish DPA noted in mitigation that BEC, after discovering the unauthorized disclosures, quickly and effectively patched the IT system and thereby ended the breach. Adequate deletion measures were also taken.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Danish original for more details.

The Data Inspectorate expresses serious criticism of BEC's processing of personal data in connection with automatic transfers between banks.

Journal number: 2019-431-0044

Summary

The Data Protection Authority has dealt with a case in which a number of banks and savings banks have reported that personal data - including address information - for persons registered with a protected or omitted address in the CPR were transmitted in connection with automatic money transfers between banks.

Due to the many reports, the Danish Data Protection Agency decided to open an investigation on its own initiative.

Bankernes EDB Central (BEC) has stated that the system handling the automatic transfers between banks sent an advice containing information about the payer, including the payer's address. The system did not assess whether the address information was protected and therefore should not be disclosed. BEC has stated that more than 20,000 people were affected by these transfers.

BEC submits that contradictory rules - the anti-money laundering rules on the one hand and the CPR Act on the other - have been a contributing reason why BEC has not been able to decide unambiguously whether address information should be included in payment transactions or not.

After finding the breach, BEC has corrected the transmission system error, erased the unjustifiably disclosed address information and notified the data subjects concerned.

The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision.

Decision

The Data Inspectorate has been informed that in the period from May 25, 2018 to August 22, 2019 there were a number of incidents related to Bankernes EDB Central A.M.B.A.'s (hereafter BEC) IT system. The incidents resulted in the accidental disclosure of address information for persons who had address protection.

1. Decision

Following a review of the case, the Data Inspectorate finds that there is reason to express serious criticism that BEC's processing of personal data did not comply with Article 5(1)(f) and Article 32(1) of the Data Protection Regulation.

The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision.

2. Statement of the case

The Data Inspectorate has received a number of reports of breaches of personal data security from data controllers, in accordance with Article 33 of the Data Protection Regulation.

Among other things, the Data Inspectorate has received reports from Maj Bank A/S, Skandinaviska Enskilda Bank, Financial Stability, Salling Bank, Hvidbjerg Bank, Frøslev-Mollerup Sparekasse, BIL Denmark, Fynske Bank, Møns Bank, Merkur Andelskasse, Coop Bank A/S, Handelsbanken, PFA Bank, Lolland Bank A/S, Swedbank, Totalbanken, Vestjyske Bank, Danske Andelskasse Bank, Frørup Andelskasse, Andelskassen Community Bank, Lægernes Bank, Den Jyske Sparekasse and Workers Landsbank.

The reports concern the transfer of address information for persons registered with a protected address in the Central Person Register (CPR).

The address information was inadvertently disclosed in connection with automated transfers between banks. It is estimated that more than 20,000 customers have been affected by the error.

The sectoral agreements have been drawn up on the basis of the rules for the transmission of information in payments set out in Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds. This Regulation does not deal with address protection.

Rules for processing protected addresses are set out in LBK No. 646 of 02/06/2017 (CPR Act), including Section 28 on the establishment of address protection and Section 44 on transfer to other individuals. For example, the CPR Act mentions credit reporting agencies, but does not express itself clearly on payment transactions and clearing.

However, BEC has assumed that it is in accordance with the intention of the CPR Act that address information about persons with name and address protection is not disclosed to payees in connection with payments, which was nevertheless inadvertently done in this case.

BEC further states that addresses, including protected addresses, will continue to be sent to foreign payment intermediaries, since transfers without them are otherwise rejected by receiving banks due to anti-money laundering and anti-terrorist financing controls.

BEC has conducted a systematic review of its systems and, on that basis, applied a number of patches. An internal system test at BEC showed on October 22, 2019 that, under certain conditions, when extracting entries via online banking it was possible for addresses from transfers to third persons within the same bank - including protected addresses - to be included in file extracts. These are file extracts typically used by business customers in their internal financial systems.

BEC has handled this identified risk in relation to the specific data controllers as an addition to the original incident and has sent the data to the data controllers for their own risk assessment and further processing of the case.

BEC has stated that its systems have been running for many years. The payment transactions run in closed systems, with no manual handling or control of the transactions from the moment they are initiated by a bank customer or a bank adviser until they are received by the payee. The error was therefore only discovered because a bank customer contacted his bank, suspecting or having found that a payee had received a protected address.

It is clear from the case that BEC is a data processor for a number of banks, some of which are co-owners and thus member customers, while others are service customers.

The data processing has taken place within the framework of standardized data processor agreements.

A system error in a system operated by BEC on behalf of the data controllers has resulted in a number of payment transfers (clearings) to payees in another bank at BEC, or at other data centres, including address information on persons who are marked with address protection in the CPR register.

The following four different conditions were to blame for the incident:

- An older solution existed in which no address protection had been implemented.
- In connection with the conversion of information from an older system to a new system, an incorrect conversion of the marking that governs the protection of the address occurred.
- The marking of address protection was reset by mistake in connection with customers updating payments in the online bank.
- Customers' choice to associate a so-called "special address" with their account, which is not checked for address protection in the system, was mistakenly communicated during the transfer.
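As an added illustration (not code from the decision, from BEC or from any of the banks), the following Python sketch shows fail-closed handling of an address-protection flag against the four conditions listed above: a missing legacy marking, a marking passed through a conversion, a flag reset by a later update of the payment, and an unchecked special address. The record layout, field names and CPR numbers are constructed assumptions.

```python
"""Fail-closed address redaction for payment advices (constructed example).

Assumptions (not from the decision): CPR master data is a dict keyed by CPR
number with a 'protected' value of True/False/None, a legacy marking is the
string 'J'/'N' or None, and payments carry an address and an optional
customer-chosen special address.
"""
from dataclasses import dataclass
from typing import Optional

PROTECTED_PLACEHOLDER = "ADDRESS PROTECTED"


def convert_legacy_flag(raw: Optional[str]) -> bool:
    """Map a legacy 'J'/'N' marking to the new boolean flag.

    Only an explicit 'N' means "not protected". A missing marking (legacy
    solution without address protection) or an unexpected value (faulty
    conversion) is treated as protected, so a conversion error withholds an
    address instead of disclosing one.
    """
    return raw is None or raw.strip().upper() != "N"


def is_protected(cpr_master: dict, cpr_number: str) -> bool:
    """Authoritative check against CPR data at send time.

    Unknown persons or an unset status are treated as protected.
    """
    entry = cpr_master.get(cpr_number)
    if entry is None or entry.get("protected") is None:
        return True
    return bool(entry["protected"])


@dataclass
class Payment:
    cpr_number: str
    name: str
    address: str
    special_address: Optional[str] = None
    stored_protected: bool = False  # copied at creation; may have been reset later


def build_advice(payment: Payment, cpr_master: dict, foreign: bool = False) -> dict:
    """Payer details to accompany a transfer.

    The stored flag is deliberately ignored: protection is re-derived from CPR
    on every send, so a flag reset by a customer update cannot cause disclosure.
    The special address is subject to the same check as the registered address.
    For foreign transfers the address is kept, as the decision records that
    receiving banks reject transfers without it.
    """
    protected = is_protected(cpr_master, payment.cpr_number)
    addr = payment.special_address or payment.address
    if protected and not foreign:
        addr = PROTECTED_PLACEHOLDER
    return {"name": payment.name, "address": addr, "address_protected": protected}
```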

It is apparent from the case that BEC has corrected the error by applying a number of patches to the system and, in addition, has blocked the erroneously disclosed information from being shown to payees in BEC's online systems (online banking and mobile banking). On September 3, 2019, BEC deleted the historical postings from Danish banks and subsequently, on October 14, 2019, deleted 2,000 postings from foreign banks which it had not been possible to delete initially.

3. BEC's comments

By letter of 27 December 2019, BEC confirmed the facts stated.

In its statement, BEC notes that the sectoral agreements (Handbook for Sumclearing, Handbook for Intraday Clearing and Handbook for Straightclearing) state that payment transfers between two parties are usually accompanied by address information so that the payee can identify the payer. The sectoral agreements do not address the concept of address protection.

In general, BEC's systems have handled address protection since September 18, 2015. However, analyses have shown that the functionality in a number of systems had either not been implemented or was not working as intended.

The manuals that form the basis for payment transactions are prepared by Finans Danmark, and the manuals have so far not mentioned the problem of address protection.

Therefore, development and testing of systems has so far focused on the requirements specification arising from the sectoral agreements, as well as Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015, where Article 4(1) states that the payer's address, official personal document number, customer identification number or date of birth and place of residence must accompany transfers of funds. Thus, the main focus has been on transaction flow. Since address protection is not specifically mentioned in the aforementioned Regulation and sectoral agreements, address protection issues have unfortunately not been addressed to the extent necessary.

This may be one of the reasons why there has been insufficient attention and explicit requirements regarding address protection in payment transactions.

BEC has stated that address protection is activated by the citizen in the CPR register through the municipality of residence, either for a certain period at a time or permanently following an official assessment.

BEC therefore only has access to information from the CPR about currently protected addresses and the time at which the address protection was established. It is therefore not possible to calculate accurately the number of data subjects affected historically.

On September 10, 2019, BEC's request to the CPR Office of the Ministry of Social Affairs and the Interior for historical CPR data on address protection was refused, citing Section 38 of the CPR Act.

4. Justification for the Danish Data Protection Agency's decision

Based on BEC's own explanation, the Data Inspectorate assumes that in this case BEC unjustifiably disclosed address information to unauthorized persons, even though the persons concerned were registered in the CPR with a protected address which was therefore not to be disclosed.

In doing so, BEC has not sufficiently complied with Article 5(1)(f) of the Data Protection Regulation.

Since BEC's systems have, since 2015, contained errors that resulted in customers' protected address information being disclosed to unauthorized persons, BEC has not taken adequate and appropriate technical or organizational measures, taking into account the state of the art, the cost of implementation and the nature of the processing concerned, to ensure adequate security of the information in question, including protection against unauthorized or unlawful processing, and there was no procedure for regular testing, assessment and evaluation of the effectiveness of these measures.

The Data Inspectorate finds that BEC did not comply with Article 32(1) of the Data Protection Regulation, in that BEC used an older IT solution in which no address protection was implemented; the conversion of personal data from an older system to a new system did not occur properly and without any established control measures that could have detected this; the marking of address protection was accidentally reset in connection with customers updating payments in the online bank; and a number of customers who had associated a self-selected address with their accounts were not checked for address protection, so that their addresses were disclosed.

In the opinion of the Data Inspectorate, testing and continuous follow-up must be carried out in connection with the processing of personal data to ensure the ongoing confidentiality, integrity, availability and resilience of the processing.

The Danish Data Protection Agency considers it an aggravating factor that a very large number of customers' address information was disclosed even though these addresses were registered as protected in the CPR, and that the errors in BEC's systems had been present since September 18, 2015 without being detected.

As a mitigating factor, the Danish Data Protection Agency has emphasized that the conflicting rules in Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information - including address information - accompanying transfers of funds, and the rules on protected addresses in LBK No. 646 of 02/06/2017 (CPR Act), may be a contributing reason why BEC has not been able to decide unambiguously whether address information should be included in payment transactions or not.

The Data Inspectorate also emphasizes that BEC, after finding the breach, quickly and effectively brought it to an end and caused all the transmitted addresses to be deleted.

Overall, the Data Inspectorate issues serious criticism of Bankernes EDB Central A.M.B.A. for the infringements that occurred.