| Datatilsynet - 2019-441-3399 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 32 GDPR Article 33(2) GDPR Article 34(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 05.03.2020 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 2019-441-3399 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (in DA) |
| Initial Contributor: | n/a |
The Danish Data Protection Authority (Datatilsynet) expressed serious criticism regarding the lack of appropriate measures to ensure the identity of the natural person making a request according to Articles 15-21 GDPR. Datatilsynet ordered the conduction of a new assessment of the breach for the required communication of a data breach according to Article 34 (1), (2) GDPR not only dealing with the incident but also with possible risks to the rights of the data subjects in case the information is provided to the wrong customer.
English Summary
Facts
The Danish company “BroBizz” that provides automatic payment on bridges and ferries reported three breaches of personal data security regarding the identification of natural persons.
It follows from Article 12 (1) GDPR that, without prejudice to Article 11, if there is reasonable doubt as to the identity of the natural person making a request under Articles 15 to 21, the data controller may request additional information necessary to confirm the identity of the data subject.
It further follows from Article 32 (1) GDPR that the data controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risks inherent in the data controller's processing of personal data.
In the opinion of Datatilsynet, this means, among other things, that data controllers must ensure that information about data subjects does not come to the attention of unauthorized persons.
Dispute
Datatilsynet investigated whether BroBizz undertook appropriate measures to secure the identity of natural persons making a request according to Articles 15 to 21 and conducted a proper risk assessment.
Holding
After a review of the cases, Datatilsynet found that there is reason to express serious criticism that BroBizz's processing of personal data has not taken place in accordance with the rules of Article 32 GDPR since BroBizz has failed to comply with the requirement to implement appropriate organizational security measures in securing the identity of the natural person making a request within the meaning of Articles 15-21 GDPR.
Datatilsynet emphasized that the same type of incident happened three times within a short time. Therefore, the cases indicate that BroBizz's internal procedures and instructions are either insufficient or that employees are not sufficiently familiar with them.
Datatilsynet also found grounds for issuing an order from BroBizz to assess the risks to data subjects associated with the type of personal data processing undertaken by the company in securing the identity of the natural person making a request . The risk assessment is a part of the communication of the data breach to the data subject according to Article 34 (1), (2) GDPR and must include a mapping of the risk to the rights of the data subjects and then a balance of these risks in relation to the measures taken to protect these rights.
Datatilsynet stated that the copy of a risk assessment submitted by BroBizz is not considered to include an assessment of what risks a disclosure to unauthorized persons may pose to the rights and freedoms of customers. Datatilsynet ruled that the document deals only with the incident itself and does not affect possible risks to the rights of the data subjects, especially exemplified by the fact that the document shows that the consequence for the customer is that "information is provided to the wrong customer". The assessment may, for example, mention possible theft, for example. In addition, location information can have extremely unpleasant consequences for the data subject in the hands of people with bad intentions, for example in cases of harassment or stalking.
In addition, Datatilsynet lacks documentation on how BroBizz has arrived at the assessed consequences and probabilities, including special documentation on how BroBizz has concluded that the likelihood that employees process customer inquiries without verification is considered "very small". Datatilsynet did not agree, especially considering that this has happened in three cases shortly.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Risk assessment when disclosing personal data
Published 05-03-2020
Decision Private companies
Following three reported breaches of personal data security, the Danish Data Protection Agency has taken a closer position on processing security and requirements for risk assessments.
Journal number: 2019-441-3399
Summary
The Data Inspectorate has dealt with three cases where BroBizz A / S has reported that in connection with the company's response to customer inquiries, personal data - including location information - was disclosed to unauthorized persons.
Based on the reported breaches, the Danish Data Protection Authority asked, inter alia, BroBizz submits their risk assessment for customer verification and a number of copies of the company's specific procedures and instructions, including specifically the identity of natural persons requesting insight.
On the basis of the risk assessment, the Data Inspectorate finds that in assessing the appropriate level of security, the company has not sufficiently taken into account the risks posed by the processing, including: by unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.
Decision
On September 20, November 29, and December 12, 2019, the Data Inspectorate received three notifications from BroBizz A / S (hereinafter BroBizz) regarding breaches of personal data security (respectively, the Supervisory Authority's Nos. 2019-441-3399, 2019-441-4055 and 2019-441-4160).
1. Decision
After a review of the cases, the Data Inspectorate finds that there is reason to express serious criticism that BroBizz's processing of personal data has not taken place in accordance with the rules of Article 32 ( 1) of the Data Protection Regulation. 1 and Article 32 (1). 2nd
The Data Inspectorate also finds grounds for issuing an order from BroBizz to assess the risks to data subjects associated with the type of personal data processing undertaken by the company in securing the identity of the natural person making a request as referred to in Articles 15 to 21 of the Regulation, cf. 2nd
The risk assessment must include a mapping of the risk to the rights of the data subjects and then a balance of these risks in relation to the measures taken to protect these rights [2] .
The order is issued pursuant to Article 58 (2) of the Data Protection Regulation. 2nd
The deadline for complying with the injunction is 4 weeks from today's date. The Danish Data Protection Agency must request a copy of the risk assessment concerned by the same date.
According to section 41 (1) of the Data Protection Act [3] . Paragraph 2 (5) shall be punishable by a fine or imprisonment for up to 6 months to a person who fails to comply with an order issued by the Data Inspectorate pursuant to Article 58 (2) of the Data Protection Regulation. 2 (d).
In addition, the Data Inspectorate finds that BroBizz's processing of personal data was in accordance with Article 33 (2) of the Data Protection Regulation. 1 and Article 34 (1). First
The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision.
2. Case making
2.1
On September 20, 2019, BroBizz reported a breach of personal data security.
It is clear from the notification that on September 17, 2019, BroBizz At 5:43 pm, it was announced that on September 13, 2019, a customer service representative had provided personal information about a customer, including location information, to unauthorized persons.
BroBizz stated in this connection, among other things. following:
“Customer service staff provide location data by phone (regarding the use of BroBizz transmitter) to a person other than the customer. It's about Person A (the customer) and Person B (the girlfriend of the customer). Person B provides person A's telephone number, and from this person A is sought in our customer system, and information on 2 passages is confirmed to person B. Subsequently, [on September 17, 2019], person A BroBizz A / S contacts and states that they are ex-girlfriends, and that person A did not want this information was provided to person B. "
Brobizz further stated that on September 20, 2019, the Customer Service Manager contacted the affected customer by telephone and notified the incident.
BroBizz has made additional statements to the case on October 24 and November 5 and December 12, 2019.
By email of October 24, 2019, at the request of the Danish Data Protection Agency, BroBizz sent a copy of the company's risk assessment regarding "general customer verification". The risk assessment is signed on August 6, 2019.
The risk assessment submitted shows that the risk of employees processing customer inquiries without verification is " very small ", which is the lowest probability level the company works with.
It also appears that "the consequence for you as a customer " is that " customer information is disclosed to the wrong customer / not the customer ". In addition, the risk assessment shows that the preventive action for the prevention and minimization of risks is that “ employee follows instructions / process ”. Finally, the risk assessment - under " outcome of preventive action / reason for approved index " - states that "data is not provided / processed to the wrong person / customer ".
By letter of November 5, 2019, BroBizz made a supplementary opinion on the matter. In this regard, Brobizz stated that the company had prepared a process for general customer verification, one for customer verification in connection with personal data requests and an instruction. The company also stated that the said procedures were not complied with in the case in question.
BroBizz further stated that various employees have undergone e-learning since May 25, 2018, and that customer service employees are being introduced to relevant personal data protection issues related to their hiring start. Ongoing training has been conducted on an ad hoc basis.
At the Data Protection Authority's request, by letter dated December 11, 2019, BroBizz provided a number of copies of the company's specific procedures and instructions, including in particular the identity of the natural person making a request under Articles 15-21, pursuant to Article 12 (2) of the Data Protection Regulation. . 6th
The company's internal instructions ("BBAS - Verification of Customers in BBAS") state that customers must provide two customer-specific information based on a list of four types of information that must ensure that the customer is verified before the inquiry is processed in the usual way. In relation to customer inquiries where a request is made regarding the data subject's rights under the Data Protection Regulation, BroBizz has set instructions ("BBAS - GDPR verification of customers"). It is clear from this that the customer is requested by telephone to make his inquiry in writing and that the team leader verifies the customer based on the customer's information provided before answering. Similar safeguards appear in, inter alia, BroBizz's information security policies.
Finally, BroBizz has stated that it has been tightened up with the relevant customer service staff that information must be sent using the company's internal processor and that relevant employees have been further guided in how to comply with internal instructions under the Data Protection Regulation going forward.
2.2
By letter of November 29, 2019, BroBizz has reported yet another breach of personal data security.
It appears from the notification that on November 27, 2019, BroBizz became aware that a customer service representative on November 15, 2019 - at the request of ForSea Helsingborg AB on behalf of Customer A - accidentally updated Customer A's email address with Customer B's e email address, and subsequently sent a new code to the updated email address, after which Customer A had access to Customer B's account.
In this regard, BroBizz stated:
”ForSea Helsingborg AB contacts BroBizz A / S on behalf of one of their customers A in order to change customer A's email address at Brobizz A / S. Brobizz A / S and customer A have entered into an agreement to issue an Autobizz which can be used to pay for ferry crossings. In connection with updating customer A's email address, ForSea Helsingborg AB also requests that customer A be sent a new password to Brobizz A / S "My Account". As Forsea meets BroBizz's internal customer verification requirements, the employee updates what he believes is customer A's account with the new email address. However, there is a manual error here as the Brobizz employee updates another customer's account with customer A's email address. Then a new code is sent to the updated email address, after which customer A has access to the other customer's "My account". ”
BroBizz further stated that the company will notify the registered person, and has been in contact with Customer A and asked him to delete any. saved information.
BroBizz further stated that it has been emphasized to the customer service staff that there must be only one customer image open at a time.
2.3
By letter of December 12, 2019, BroBizz has reported another breach of personal data security.
It is clear from the notification that on December 11, 2019, BroBizz At 11:15 am, it was announced that on November 27, 2019, a customer service representative updated Customer A's email address under Customer B's Customer Number, after which Customer A could access Customer B's BroBizz profile.
In this connection, BroBizz stated following:
”Customer A will apply on November 26, 2019 via a form in the BroBizz IT system where he requests an email address update on a customer number which this allegedly thinks is his own but turns out to be Customer B's customer number. In this regard, BroBizz's internal validation procedure will not be complied with as BroBizz will not be provided at least two information that can verify the customer, after which the customer service representative will update the e-mail address under the wrong customer number on 27 November 2019. Customer A then orders a new password which is sent to the newly updated email address. After that, customer A can log into Customer B's account, which this does and updates the associated credit card on December 11, 2019 to his own credit card. Later in the day on the 11th.December is the error and Customer B account is blocked so that only Customer B can log on. After that, Customer B is contacted by phone and informed of the process and he is requested to update his debit card, which means that Customer B can see Customer A debit card in limited condition. Customer A also states that on December 11, 2019 he himself contacted Customer B with a view to clarifying the matter (this confirms Customer B by telephone). In addition, Customer A shows up at the reception to open his Brobizz. "December 2019 itself has contacted Customer B with a view to clarifying the matter (this confirms Customer B by telephone). In addition, Customer A shows up at the reception to open his Brobizz. "December 2019 itself has contacted Customer B with a view to clarifying the matter (this confirms Customer B by telephone). In addition, Customer A shows up at the reception to open his Brobizz. "
BroBizz further stated that the company has been in contact with both affected customers, just as the customers themselves have been in contact with each other, which is why it is considered that no informing of the affected persons should be made.
BroBizz has further stated that only one employee in the company's customer service processes these inquiries going forward. In addition, all customers are requested to contact us via e-mail, after which proper verification can be carried out.
3. Justification for the Danish Data Protection Agency's decision
3.1 Article 32 (1) of the Data Protection Regulation. 1
The Data Inspectorate assumes that BroBizz, on September 13, November 16 and November 27, 2019 - due to a failure to secure and confirm the identity of the natural person who made a request under Article 15-21 - disclosed personal information, including .a. location information, about three unauthorized customers.
It follows from Article 12 (1) of the Data Protection Regulation. 6 that, without prejudice to Article 11, if there is reasonable doubt as to the identity of the natural person making a request under Articles 15 to 21, the data controller may request additional information necessary to confirm the identity of the data subject.
It further follows from Article 32 (1) of the Data Protection Regulation. 1 that the data controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risks inherent in the data controller's processing of personal data. In the opinion of the Data Inspectorate, this means, among other things, that as data controller you must ensure that information about data subjects does not come to the attention of unauthorized persons.
The Data Inspectorate finds that BroBizz's processing of personal data did not comply with the rules of Article 32 (2) of the Data Protection Regulation. 1, since BroBizz has failed to comply with the requirement to implement appropriate organizational security measures in securing the identity of the natural person making a request within the meaning of Articles 15-21 of the Regulation.
In this connection, the Danish Data Protection Agency emphasized that the same type of incident happened three times within a short time. The Data Inspectorate finds that the cases indicate that BroBizz's internal procedures and instructions are either insufficient or that employees are not sufficiently familiar with them.
The Danish Data Protection Agency has further emphasized that there is insufficient training and training of employees in data protection, including processing security. The actions that were reportedly taken, namely that various employees have completed one course since May 25, 2018, that customer service employees are introduced to relevant personal data related issues related to their start of employment, and that ongoing training is conducted on an ad hoc basis. in the opinion of the Data Inspectorate is not sufficient. This is confirmed by Brobizz having provided information to unauthorized persons in three cases in two and a half months.
In addition, the Data Inspectorate has emphasized that personal data on location is covered by the one breach of personal data security, which entails a relatively high risk of the data subject's rights , since exposure of the information may entail, for example, privacy breach for the person concerned.
Against this background, the Data Inspectorate finds that BroBizz has not taken appropriate organizational and organizational measures to ensure a level of security appropriate to the risks inherent in the company's processing of personal data in accordance with Article 32 (2) of the Data Protection Regulation. First
3.2. Article 32 (2) of the Data Protection Regulation 2
Article 32 (2) of the Regulation Paragraph 2 states that in assessing the appropriate level of security, account is taken, in particular, of the risks posed by processing, in particular through accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored. or otherwise treated.
The risk assessment must thus be based on risks for natural persons (the data subjects), and not for example. risks to the data controller (legal entities), in this case BroBizz.
The Data Inspectorate finds that the copy of a risk assessment submitted by BroBizz is not considered to include an assessment of what risks a disclosure to unauthorized persons may pose to the rights and freedoms of customers. The Data Inspectorate finds that the document deals only with the incident itself and does not affect possible risks to the rights of the data subjects, especially exemplified by the fact that the document shows that the consequence for the customer is that "information is provided to the wrong customer".
The Danish Data Protection Agency may, for example, mention possible theft, for example. In addition, location information can have extremely unpleasant consequences for the data subject in the hands of people with bad intentions, for example in cases of harassment or stalking. In this connection, the Data Inspectorate can note that in one case, information on location was passed on to a customer's ex-girlfriend.
In addition, the Data Inspectorate lacks documentation on how BroBizz has arrived at the assessed consequences and probabilities, including special documentation on how BroBizz has concluded that the likelihood that employees process customer inquiries without verification is considered "very small". This is problematic for the Data Inspectorate, especially considering that this has happened in three cases shortly. Therefore, the Data Inspectorate cannot agree with BroBizz's assessment that the risk of employees treating customer inquiries without verification as "very small".
In addition, the Data Inspectorate does not find that it can be described as a sufficiently clear preventive act that “employees follow instructions / process”. The Authority finds this preventive action extremely obscure.
Against this background, the Data Inspectorate finds that BroBizz - in assessing the appropriate level of security - did not take particular account of the risks posed by the processing, in particular through accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data. transmitted, stored or otherwise processed in accordance with Article 32 (2) of the Regulation. 2nd
3.3. Article 33 (1) of the Data Protection Regulation 1 and Article 34 (1). 1
The Data Inspectorate finds that BroBizz - by notifying the incident in question to the audit without undue delay and, if possible, within 72 hours after the company became aware of it - acted in accordance with Article 33 (1) of the Data Protection Regulation. First
The Data Inspectorate further finds that BroBizz - by notifying the affected customers in the supervision cases with j. 2019-441-3399 and 2019-441-4055 - acted in accordance with Article 34 (2) of the Data Protection Regulation. 1. In this connection, the Data Inspectorate emphasized BroBizz's information that in one case a manager in the department, among other things, has contacted one of the affected parties by telephone and that in the other case, BroBizz will notify the customer whose information is covered by the incident.
In addition, the Danish Data Protection Agency agrees with BroBizz's assessment in the audit case with j. No. 2019-441-4160 that there is no high risk to the rights and freedoms of the persons concerned and therefore should not be notified. In this connection, the Data Inspectorate has emphasized BroBizz's information that the company has been in contact with both affected customers and that the customers have been in contact with each other.
Against this background, the Data Inspectorate finds that BroBizz has acted in accordance with the rules of Article 33 (2) of the Data Protection Regulation. 1 and Article 34 (1). First
3.4. The Authority's conclusion
In summary, the Data Inspectorate finds that there are grounds for expressing serious criticism that BroBizz's processing of personal data has not taken place in accordance with the rules of Article 32 (2) of the Data Protection Regulation. 1 and Article 32 (1). 2nd
The Data Inspectorate also finds grounds for issuing an order from BroBizz to assess the risks to data subjects associated with the type of personal data processing undertaken by the company in securing the identity of the natural person making a request as referred to in Articles 15 to 21 of the Regulation, cf. 2nd
The risk assessment must include a mapping of the risk to the data subjects' rights and then a balance of these risks in relation to the measures taken to protect these rights. [4]
The order is issued pursuant to Article 58 (2) of the Data Protection Regulation. 2nd
The deadline for complying with the injunction is 4 weeks from today's date. The Danish Data Protection Agency must request a copy of the relevant risk assessment by the same date.
According to section 41 (1) of the Data Protection Act. Paragraph 2 (5) shall be punishable by a fine or imprisonment for up to 6 months to a person who fails to comply with an order issued by the Data Inspectorate pursuant to Article 58 (2) of the Data Protection Regulation. 2 (d).
In addition, the Data Inspectorate finds that BroBizz's processing of personal data was in accordance with Article 33 (2) of the Data Protection Regulation. 1 and Article 34 (1). First
4. Concluding remarks
The Danish Data Protection Agency shall, at the latest 4 weeks from today, obtain a copy of the relevant risk assessment.
The Data Inspectorate has taken note of BroBizz's comments that the company has taken a number of measures to comply with data protection rules.
Finally, the Data Inspectorate should note that - based on the mapping of the risk of the data subjects' rights - BroBizz must take / implement appropriate security measures in order to reduce / eliminate the identified risks to the data subjects.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46 / EC (general data protection regulation).
[2] For further guidance, please refer to the Danish Data Protection Authority and the Council for Digital Security Guidance on risk assessment:https://www.datatilsynet.dk/media/7900/guiding-text-of-riskRisk Assessment.pdf
[3] Law No 502 of 23 May 2018 on additional provisions for a regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such information (Data Protection Act).
[4] For further guidance, please refer to the Danish Data Protection Authority and the Council for Digital Security Guidance on risk assessment:https://www.datatilsynet.dk/media/7900/guiding-text-of-riskRisk Assessment.pdf
