IMY (Sweden) - DI-2021-1905
From GDPRhub
| IMY - DI-2021-1905 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR Article 58(2) GDPR Article 83 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 28.08.2023 |
| Published: | 28.08.2023 |
| Fine: | 35,000,000 SEK |
| Parties: | n/a |
| National Case Number/Name: | DI-2021-1905 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Swedish |
| Original Source: | IMY (in SV) |
| Initial Contributor: | Maximilien Hjortland |
The Swedish DPA issued a penalty fee of SEK 35 million (around €3 million) against Trygg-Hansa. The insurance company had serious security flaws via faulty URLs resulting in a data breach of 650,000 customers' data over a period of two years.
English Summary
Facts
On the 30th of November 2020, an external phone call notified the controller about a data breach. This was initially not recognised as a security flaw, and therefore was not immediately reported further within the controller organisation.
The controller,the insurance company Moderna Försäkringar (since April 2022 Trygg-Hansa A/S), notified Swedish DPA in December 2020, that a data breach had occurred. As a result, unauthorised access to the personal data of 650,000 customers, including special categories listed in Article 9(1) GDPR, was made possible.
In March 2021, the Swedish DPA initiated an investigation to uncover whether the controller had implemented appropriate safeguards and mitigated risks to the data subject resulting from the data processing, in line with Articles 5(1)(f) and 32 of the GDPR.
The data breach notification pertained to16 different document types, that the Swedish DPA subsequently reviewed. The documents contained multiple categories of personal data: names, contact information, health accounts, ID numbers, economic data, etc. The controller had not conducted a data protection impact assessment prior to the processing in question, which would have identified the high risk associated with it.
The investigation revealed that data breach occurred in 4 steps:
1) An existing or potential customer called customer service enquiring about an insurance offer. The customer service representative sent an SMS or email to the customer after the phone call ended.
2) This SMS or email contained a URL to an insurance offer on Trygg-Hansa’s website.
3) Trygg-Hansa's website contained additional links to documents with insurance information.
4) These documents contained URLs that were (able to be changed) on the website browser allowing access to other customers' documents.
Trygg-Hansa's backend database was therefore, accessible without requiring authentication, and anyone could browse private documents from other individuals by modifying in the URL the client ID number.
Holding
IMY found the data breach to compromise (Article 5(1)(f) GDPR). The processing operation carried a high risk and would have required equivalent security levels. Appropriate technical and organizational measures (TOMs), as prescribed in Article 32 GDPR, were not implemented.
The long duration of the data breach combined with the very detailed records (including largely descriptive health data) underscores the severity of the incident. Analyses of behavioural patterns in the controller's logs indicated that 202 customers probably were directly affected. This means that their personal data were leaked and made accessible to non-authorised third parties.
IMY stated that data subjects expectations of high degrees of confidentiality are justified, especially in this case, where personal data was collected to make decisions about the insurance of registered individuals. Nevertheless, the controller failed to implement adequate authorisation control, encryption, logging, and access control, to remedy these technical shortcomings. The breach was of such an elementary character, that Trygg-Hansa should have identified and remedied the compromised system before it was implemented.
The investigation established that no routine was in place to verify the identity of persons making data access requests. Lack of pseudonymisation meant that individual accounts were accessible in plain text to a broad audience simply by rendering a few digits of a numeric URL sub-string. Once obtained, these individual records could have easily been distributed.
TOMs were implemented only after IMY contacted the controller about the data breach, and were found not to exceed minimum expectations. As such, they did not positively impact the calculation of the administrative fine.
Because the violation only concerned the Swedish branch of the company, the administrative fine was calculated based on the reported annual turnover of Moderna Försäkringar and not the parent company. The Swedish DPA fined Trygg-Hansa SEK 35 million (around €3 million) for breaching Article 5(1) GDPR and Article 32 GDPR.
Comment
In April 2022, Moderna Försäkringar was acquired by Trygg-Hansa, which is the company IMY addresses as the controller in its decision. Trygg-Hansa A/S is a branch of Tryg Forsikring A/S, which is the largest non-life insurer in Scandinavia.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(12)
Trygg-Hansa Insurance branch
Diary number:
DI-2021-1905 Decision after supervision according to
Date: data protection regulation - Trygg-
2023-08-28
Hansa Insurance branch
The Privacy Protection Authority's decision
The Swedish Privacy Protection Authority states that Trygg-Hansa Försäkring branch
(organization number 516403-8662) has processed personal data in violation of
articles 5.1 f and 32.1 of the data protection regulation by during the period October
2018 – February 2021 not having taken appropriate technical measures and thereby
enabled unauthorized access to privacy-sensitive personal data about its customers.
The Privacy Protection Authority decides with the support of articles 58.2 and 83 i
data protection regulation that Trygg-Hansa Försäkring filial must pay an administrative
penalty fee of SEK 35,000,000 (thirty-five million) for the violation of
articles 5.1 f and 32.1.
Account of the supervisory matter
Background
In December 2020, the Swedish Privacy Agency (IMY) received tips that Moderna
Försäkringar, branch of Tryg Forsikring A/S (Moderna Försäkringar) had made it possible
access by unauthorized persons to personal data that concerned data of sensitive
character of Moderna Försäkringar's customers. In March 2021, IMY began supervision of
Moderna Försäkringar in order to review whether Moderna Försäkringar had taken
appropriate measures to ensure a level of security that was appropriate in relation to
the risk of personal data processing, in accordance with articles 5.1 f and 32 i
data protection regulation.
As part of its review, IMY has taken note of the 16 documents that the tip refers to. The
is a question of several different types of insurance documents, including claims,
Postal address: invoices, insurance letters, insurance decisions, response cards regarding insurance compensation,
Box 8114 scope change and request for additional information for insurance investigation.
104 20 Stockholm The documents contain a large number of categories of personal data, such as e.g. name,
Website:
contact details, health details, social security number, financial details,
www.imy.se insurance holdings, sequence of events (for example time, place, actions and others
E-mail:
imy@imy.se 1
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
Telephone: regarding the processing of personal data and on the free flow of such data and on the cancellation of
08-657 61 00 directive 95/46/EC (general data protection regulation). Data Protection Agency Diary number: DI-2021-1905 2(12)
Date: 2023-08-28
information provided by the data subject in free text fields) and information regarding ownership
and property damage.
In April 2022, Moderna Försäkringar merged with Trygg-Hansa. Modern
Försäkringar subsequently changed its name to Trygg-Hansa branch (Trygg-Hansa) but continued to
operate under the same organization number as before (516403-8662).
In the decision, IMY will consistently use the supervised object's new name, Trygg-
Hansa, when explaining what happened.
Statement from the subject of supervision
Trygg-Hansa has essentially stated the following.
On November 30, 2020, Trygg-Hansa was contacted by a person by phone who
informed of the deficiency. The recipient of the tip at Trygg-Hansa did not understand that it
was a possible incident, and the deficiency was therefore not reported further within
Trygg-Hansa's organization.
The security breach has occurred in the following way:
1. An existing or new potential customer has contacted customer service by phone
and wanted to get a quote for insurance. The customer service manager has after
ended phone call sent an SMS or e-mail to the customer.
2. The SMS or email has contained a unique web address to a
quote page on Trygg-Hansa's website.
3. On the quote page there have been clickable links with URLs leading
to documents with insurance information. The person who contacted Trygg-
Hansa as above has been able to open the documents by clicking on
the links.
4. These documents have had web addresses which at the time could be modified by
the person in their browser by replacing numbers with other numbers. On
in this way, the person has been able to retrieve other customers' documents.
There has been internet access to data on approximately 650,000 customers
during the period October 2018 up to and including when IMY contacted the company at the end of
February 2021. The information covered is name, social security number, contact information
(address, e-mail address, phone number), insurance number, claims number,
financial information, health information, insurance holdings, ownership information
(such as animal ownership, vehicle details, property details), property damage (such as details
about workshop, notice of compensation), sequence of events (for example time, place, actions
and other information that the data subject provided in free text fields) and other free text fields. It can
it cannot be ruled out that there was also information about violations of the law (such as in connection
with claims) or information about membership of a trade union (such as when
insurance has been taken out with a trade union).
Analysis of behavioral patterns in logs indicates that 202 customers are likely direct
concerned in such a way that information about them (documents) may have been shown to someone unauthorized.
As far as Trygg-Hansa has been able to ascertain, after examining the logs, it is only
the tipster and IMY who gained access to the documents. In order to similar security flaws
would not arise, Trygg-Hansa had taken before the event in question
measures by drawing up an IT security policy, implementing regular
penetration tests and logging on nodes, transactions and customer management systems
as well as by holding an annual training in data protection and security and ongoing
Date: 2023-08-28
training for employees with special responsibility for data protection issues. Trygg Hansa
follows the ISO 27001 standard, which i.a. involves continuous penetration testing and
segmentation of networks. Trygg-Hansa did not carry out an impact assessment
concerning the treatment in question before the treatment began. This had, however
carried out if the personal data processing started today because Trygg-Hansa
nowadays have routines for this. Since approximately the middle of 2019, Trygg implements
Hansa a compliance system that Trygg-Hansa describes in a structured way
processes, data, storage, contracts, suppliers, etc. along with
impact assessments.
In order to access documents with information about other customers, according to Trygg-
Hansa required knowledge of the structure of Internet addresses and how to take part in it
the underlying content with, for example, a browser. Furthermore, it has been required
changing part of the URL digits in the Document ID.
Since the incident in question has been identified, Trygg-Hansa has taken further steps
security measures, such as addressing the current flaw by encrypting and
ensure that access can only take place by someone who is authorized. After the event
identified, Trygg-Hansa has also carried out two independently of each other
penetration tests by two different external security companies, updated IT
the security policy, took measures to improve the procedures for testing activities,
decided to establish an architecture council with security control and code review at
development, reviewed the internal customer complaint process and decided to implement
additional training for employees in customer service as well as for developers and testers.
Trygg-Hansa has also contacted registered persons by letter, and in some cases by telephone, for
to inform about what happened and informed on its website.
Justification of the decision
Has Trygg-Hansa ensured an appropriate security level for
the personal data?
Applicable regulations
According to article 5.1 f of the data protection regulation, the personal data controller must
process the personal data in a way that ensures appropriate security, including
protection against unauthorized or unauthorized processing and against loss, destruction or damage
by accident, using appropriate technical or organizational measures
measures (integrity and confidentiality).
According to article 9.1 of the data protection regulation, it is prohibited as a starting point to
process special categories of personal data (so-called sensitive
personal data), including information about health. In Article 9.2 certain exceptions are specified
from the ban.
It follows from Article 32.1 of the Data Protection Regulation that the person in charge of personal data shall
take appropriate technical and organizational measures to ensure a
safety level that is appropriate in relation to the risk of the treatment. It shall, according to
the same provision, take into account the latest developments,
the implementation costs and the nature, extent, context and
purpose and the risks, of varying degree of probability and seriousness, for physical
rights and freedoms of persons. When assessing the appropriate level of security, the Privacy Protection Agency Diary number: DI-2021-1905 4(12)
Date: 2023-08-28
according to article 32.2, special consideration is given to the risks that the processing entails, i
in particular from accidental or unlawful destruction, loss or alteration or to unauthorized
disclosure of or unauthorized access to the personal data transmitted, stored or on
otherwise treated.
The Swedish Privacy Protection Authority's assessment
Trygg-Hansa is responsible for personal data
Trygg-Hansa has stated that Trygg-Hansa is responsible for personal data for them
personal data processing that the tip intended, which is supported by the investigation i
the case. IMY assesses that Trygg-Hansa is the personal data controller for that processing
which the supervision covers.
The treatment involved major privacy risks and required a high level of protection
The person in charge of personal data must provide security that is suitable from the outside
the risks of the treatment. The assessment of the appropriate level of protection must be done with
taking into account, among other things, the nature, scope, context and purpose of the processing
as well as the risks, of varying degrees of probability and seriousness, for natural persons
rights and freedoms. During the assessment, special consideration must be given to the risks that
the processing entails, among other things, unauthorized disclosure of or unauthorized access to
the personal data.
IMY notes that the processing of personal data has included a large number
registered within Trygg-Hansa's core business. According to Trygg-Hansa's own information
has been a question of data on approximately 650,000 customers.
IMY further states that the processing intended a large number of personal data about each
registered, which enabled mapping of individuals' personal circumstances. The 16
documents that IMY has seen within the framework of the supervisory case contain a large number
categories of personal data, such as names, contact details, health details,
social security number, financial information, insurance holdings, sequence of events
(e.g. time, place, actions and other information provided by the data subject
free text field) and information regarding ownership and property damage. Trygg-Hansa also has
presented that it cannot be ruled out that information about violations of the law or
information about membership in a trade union.
Through access to a document, it has been possible to directly read out a large number
information about an individual person. Thus, in some cases it has been possible to get a detailed picture of
the personal circumstances of the registered person using the documents. The comprehensive
the processing of personal data has been particularly sensitive to privacy through use
of social security numbers and other identification data that enabled a clear and direct
connection to individuals.
IMY further assesses that the nature of the personal data in itself entails a high risk.
The documents have contained sensitive personal data, i.a. information about health, such as
according to the main rule in Article 9.1 of the data protection regulation may not be processed. Such
data have been given extended protection, as processing them may constitute a
extremely serious interference with the fundamental rights regarding respect for
2
privacy and protection of personal data. The data on health has also had a
2 The judgment of the Court of Justice of the European Union in case C‑184/20, Vyriausioji tarnybinės etikos komisija, EU:C:2019:773, paragraph 126. The Swedish Data Protection Authority Diary number: DI-2021-1905 5(12)
Date: 2023-08-28
high level of detail, so that, for example, it was possible to determine how a health problem arose
or exactly what health condition it is, which meant an even higher risk.
The material has also contained other types of information that are particularly worthy of protection.
This applies, among other things, to information about social security numbers that are covered by a special
protection according to article 87 of the data protection regulation and ch. 3 Section 10 of the Act (2018:218) with
supplementary regulations to the EU data protection regulation. According to Trygg-Hansa can
it is also not excluded that there was information about legal offenses that are covered
of a strong protection according to Article 10 of the Data Protection Regulation, because processing of
they can have serious effects on individuals. There have also been reports of
individuals' financial conditions.
The documents in the case also show that it has been possible for registered users to
provide information in forms themselves. In some claims, the registrants have
provided detailed information in running text regarding health problems and how injuries
occurred. By giving Trygg-Hansa the opportunity to provide information in running text has
it has been difficult for Trygg-Hansa to fully control the content and the types of
information that appears. This has resulted in special requirements for handling the documents on
a safe way.
Overall, the large number of registrants has the extensive amount of data
if each person and the sensitive nature of the data entailed a high risk of
rights and freedoms of natural persons. Unauthorized disclosure of or unauthorized access
to the personal data has been able to lead to serious consequences for those concerned
the persons. This has led to demands for a high level of protection for the treatment.
IMY further states that the context for the processing of personal data entailed a
even higher requirements on the level of protection. Personal data processing has taken place within the framework
for Trygg-Hansa's core business. In addition, the registrants are entitled
expectations of a high degree of confidentiality and robust protection against unauthorized access
access to personal data processed in insurance operations. The data have
further collected in order to be able to make assessments and make decisions regarding
registered, which is a type of processing of personal data that may involve
higher risks and require higher protection.
In summary, the treatment has been of such a nature that high demands have been placed on it
the security of the data, for example through authorization control, encryption,
logging, access control and management of technical vulnerabilities.
The data has not been adequately protected
IMY must then assess whether Trygg-Hansa has ensured the high level of protection that
required.
IMY states that it has not been required that the person who prepared access to the data
verified their identity for Trygg-Hansa or otherwise verified their authorization to receive
access to these. Anyone who has had access to the web addresses has thus been able to
visit the websites and thereby gain access to the documents with personal data
without ensuring that it was an authorized person. The data in
3 The Council of Europe has stated in a recommendation that member states must ensure that employees of insurance companies
who receive access to personal data must be subject to rules on confidentiality (Recommendation rec[2002]9 on the
protection of personal data collected and processed for insurance purposes). See also prop. 2009/10:241 p. 43 and
Ds 2011:7. The Swedish Privacy Agency Diary number: DI-2021-1905 6(12)
Date: 2023-08-28
nor have the documents been protected by encryption, but have been available in plain text.
Furthermore, there has been a question of data that directly identified individuals, i.e.
the data has not been protected by pseudonymisation. Trygg-Hansa has thus done
a large amount of direct personal data of a privacy-sensitive nature available on
internet without taking protective measures in the form of authorization control or encryption.
Trygg-Hansa has stated that special knowledge is required to access documents
with personal data via the web addresses. However, IMY has observed through
the documents and web addresses in the case that it has been possible to access
documents by changing the last digits of the URLs. In some cases they have
first six digits out of eight have been the same in the different URLs, which means that
few numbers in these cases have had to be changed for unauthorized access
document.
It has also been possible to forward the URLs, which lead to unprotected
information about policyholders, to other unauthorized persons. These people have in their
luckily, without having to change any numbers, was able to access the information in the documents
only by clicking on the URL. That in some cases it was required that an individual
changed numbers in the web address field to access documents does not mean that Trygg-
Hansa has taken appropriate measures, for example authentication and authorization control, for
to prevent unauthorized persons from accessing the relevant information.
IMY has been able to access information in the documents without hindrance, simply by visiting
the URLs and without having to change the address bar of the browser.
Against this background, IMY notes that Trygg-Hansa made a large amount
privacy-sensitive personal data accessible in plain text on the internet. It has not been required
some authentication to ensure that only the right people could access
the data. Persons who obtained or prepared unauthorized access to the dispatches
the URLs – or manipulated versions of the sent URLs –
has thus been able to gain access to the privacy-sensitive personal data.
Based on these circumstances, IMY makes the assessment that there were major deficiencies in
the protection of the data. The investigation also shows that the deficiencies have led to unauthorized access
access to the data. IMY notes that Trygg-Hansa's own logs indicate that
202 customers likely to have been directly affected in such a way that their data may have been shown to
someone unauthorized. However, it should be emphasized that the fact that it has been easy for
unauthorized to prepare access to a large amount of personal data of the subject
the battle itself is a serious flaw, regardless of how many instances of unauthorized use occurred
access that has been possible to ascertain.
The shortcomings have been of such a fundamental nature that Trygg-Hansa should have
detected and fixed them before the system was implemented. Trygg-Hansa has, however, introduced
the system with the flaws, nor during the long period in which the system was used
able to identify and remedy them. This despite the fact that Trygg-Hansa received information about
the shortcomings through a tip from the outside. IMY further states that the processing of personal data
is part of the insurance company's core business and that Trygg-Hansa should therefore
have had a good ability to ensure a security that was suitable from the outside
the scope and sensitivity of the treatment.
Overall, IMY assesses that Trygg-Hansa has not taken appropriate technical measures
measures to ensure a level of security that is appropriate in relation to the risk.
Trygg-Hansa has thus processed personal data in violation of article 32.1 of the Swedish Privacy Protection Agency Diary number: DI-2021-1905 7(12)
Date: 2023-08-28
data protection regulation. That a large amount of personal data, including sensitive
data, for a longer period of time has been processed in a way that entailed a risk of unauthorized access
access means, according to IMY, that the lack of security was of such a serious nature that it
also involves a violation of Article 5.1 f of the data protection regulation.
Choice of intervention
Legal regulation
If there has been a breach of the data protection regulation, IMY has a number
corrective powers to be available according to Article 58.2 of the Data Protection Regulation.
It follows from Article 58.2 of the data protection regulation that IMY in accordance with Article 83 shall
impose penalty charges in addition to or in lieu of other corrective measures which
referred to in Article 58(2), depending on the circumstances of each individual case.
Each supervisory authority must ensure that the imposition of administrative
penalty charges in each individual case are effective, proportionate and dissuasive. The
stated in Article 83.1 of the Data Protection Regulation.
In Article 83.2, the factors to be taken into account in deciding whether an administrative
penalty fee must be imposed, but also what will affect the penalty fee
size. Important for the assessment of the seriousness of the violation is, among other things, its
nature, severity and duration.
According to Article 83.4, in the event of violations of, among other things, Article 32, it must be imposed
administrative penalty fees of up to EUR 10,000,000 or, if one applies
company, of up to 2% of the total global annual turnover in the previous year
budget year, depending on which value is the highest.
According to Article 83.5, in the event of violations of, among other things, Article 5, it must be imposed
administrative penalty fees of up to EUR 20,000,000 or, if one applies
company, of up to 4% of the total global annual turnover in the previous year
budget year, depending on which value is the highest.
If it is a question of a minor violation, IMY receives according to what is stated in reason 148 i
instead of imposing a penalty charge, issue a reprimand in accordance with Article 58.2 b i
the regulation.
IMY's assessment
A penalty fee must be imposed
IMY has made the assessment that Trygg-Hansa has processed personal data in violation of
article article 32.1 and that the violation is of such a serious nature that it is also
question of a violation of the principle of integrity and confidentiality in Article 5.1 f.
The violation has occurred through Trygg-Hansa processing personal data with a
insufficient level of security, which has entailed the risk that unauthorized persons could obtain
access to approximately 650,000 customer data during the period October 2018 to and including
with February 2021. The personal data has, among other things, made up of sensitive personal data
and social security number, and unauthorized access to these data entails a high risk of
the freedoms and rights of the data subjects. The Swedish Privacy Agency Diary number: DI-2021-1905 8(12)
Date: 2023-08-28
IMY does not consider it to be a question of less serious violations. Trygg-Hansa will
therefore, an administrative penalty fee is imposed for the violations. When deciding
of the amount of the sanction fee, IMY must take into account the circumstances stated in article
83.2 and ensure that the administrative penalty fee is effective, proportionate
and discouraging.
The parent company's annual turnover must be used as the basis for the calculation
When determining the maximum amount of a penalty charge to be imposed on a company
shall the definition of the concept of company be used as used by the EU Court of Justice
application of Articles 101 and 102 of the TFEU (see recital 150 i
data protection regulation). It appears from the court's practice that this includes every entity
that carries out economic activities, regardless of the legal form of the entity and the way of doing so
financing as well as even if the unit in the legal sense consists of several physical or
legal entities.
What constitutes a company must therefore be based on the definitions of competition law.
The rules for group liability in EU competition law revolve around the concept
economic unit. A parent company and a subsidiary company are considered part of the same
economic unit when the parent company exercises decisive influence over
the subsidiary. The decisive influence (ie control) can be achieved either through
ownership or by agreement. Jurisprudence shows that one hundred percent or almost
100% ownership implies a presumption that control is deemed to exist.
However, the presumption can be rebutted if the company provides sufficient evidence that
proof that the subsidiary acts independently on the market. To refute
the presumption, the company must therefore provide evidence relating to the organizational,
the financial and legal links between the subsidiary and its parent company which
shows that they do not constitute an economic unit even though the parent company owns 100 percent
5
or almost 100 percent of the shares.
Trygg-Hansa is a branch of the Danish company Tryg Forsikring A/S. Tryg Forsikring
A/S is in turn a wholly owned subsidiary of Tryg A/S ("Tryg"). According to the one described above
the presumption is therefore Tryg's turnover that must be used as a basis for calculation
of the maximum penalty fee amount. To depart from the presumption it is required that
Trygg-Hansa provides sufficient evidence that another turnover must be added
basis for the calculation.
Trygg-Hansa has stated that it is the part of Tryg's turnover that corresponds
the turnover of Moderna Försäkringar which should be used as a basis for the calculation of
the maximum penalty fee. Trygg-Hansa has estimated this turnover to
2,406,294,859 Danish kroner. Secondly, Trygg-Hansa believes that the maximum
the penalty fee should be based on Modern Insurance and Tryg's turnover, whereby
the turnover of the companies that have been acquired by Tryg after the time period which
the review should be excluded from the calculation of the penalty fee. Trygg Hansa
has estimated this turnover at 23,622,304,333 Danish kroner.
IMY has understood Trygg-Hansa's approach so that the maximum sanction fee i
primarily should be calculated on the hypothetical turnover as the branch Moderna
Insurance would have had during 2022 if not for Trygg-Hansa and Moderna
Insurances had merged in April 2022. Furthermore, IMY has understood that Trygg-Hansa
4 Case C-97/08, para. 59-61
5 Cf. EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 125 and
where reported rulings. Privacy Protection Agency Diary number: DI-2021-1905 9(12)
Date: 2023-08-28
secondarily believes that it is Tryg in the organization that applied when the deficiency existed, i
which Moderna Försäkringar is included, which constitutes the financial unit on which
a maximum penalty fee must be calculated. In determining the relevant
the annual turnover for Tryg must thus be the estimated turnover for the companies that
acquired after the time of infringement is exempted.
In support of his view, Trygg-Hansa has stated in summary that Moderna
Insurance at the time of the review was seen as an independent business
from Tryg in technical and organizational terms. Trygg-Hansa has thereby highlighted i
mainly the following. Moderna Försäkringar was a branch only for tax reasons.
Moderna Försäkringar decided independently on its actions and had its own
management team. The server environment where the current personal data processing took place
was run and developed by Moderna Försäkringar which also had its own IT manager and
IT organization. Only customers of Moderna Försäkringar are affected in this matter.
The personal data processing reviewed in the case was also not sanctioned by
Tryg and the insurance systems for the two businesses were different and separate from
each other without any logical, organizational or technical connection.
According to Trygg Hansa, the turnover of the acquired companies should under all circumstances
are excluded from Tryg's turnover when determining the maximum sanction amount
then the responsibility for an infringement according to competition law practice must be attributed to the one who
had controlling influence over the business at the time of the incident.
IMY makes the following assessment. Trygg-Hansa is a branch of Tryg Forsikring A/S, and is
thus not an independent legal person. Trygg-Hansa's turnover is included as one
integral part of Tryg's total turnover, and is fully integrated with the turnover for
Tryg Forsikring A/S. These circumstances strongly suggest that Trygg-Hansa, Tryg
Forsikring A/S and Tryg must be regarded as one and the same financial entity. The
circumstances that Trygg-Hansa highlighted that the branch, when it went under the name
Moderna Försäkringar, had its own management team, IT system and IT organization
not something which in itself contradicts the fact that it is a question of one and the same economic unit.
Overall, IMY assesses that there is no reason to deviate from the presumption that
is Tryg's turnover that must be added to the calculation of the maximum
the penalty fee.
What does Trygg-Hansa's attitude mean that the turnover of the acquired companies should
is excluded from the calculation of the maximum amount of the sanction fee, IMY does the following
assessment. At the time of the infringement, Trygg-Hansa was, as it is today, another branch
Safe. There have therefore been no organizational changes that in themselves have an impact
the liability relationship between the branch and the company. It may further be noted that the fact
that the relevant annual turnover for the calculation of the penalty fee is that
annual turnover determined in the year immediately preceding that of the supervisory authority
decision can mean that major changes in the annual turnover have taken place since then
the time of the violation, both decreases and increases. Such changes
may be due to business events, such as increasing or decreasing market share and
profitability, or changes to the company's organization, such as sales or
acquisition of companies. There is, to a certain extent, the possibility of taking such into account
changes within the framework of the proportionality assessment that must always be made at
imposition of penalty charges under the Data Protection Regulation to ensure that
the sanction fee imposed is proportional in the individual case. IMY assesses
on the other hand, that the maximum penalty fee amount should be based on the determined amount
the annual turnover, without deduction for hypothetical amounts for the companies that have been acquired
during this time period. The Swedish Data Protection Agency Diary number: DI-2021-1905 10(12)
Date: 2023-08-28
However, IMY takes into account both the fact that the violation occurred in a limited part of Trygs
activities that the organizational changes Trygg-Hansa has highlighted, within the framework
for the proportionality assessment, which is reported below under the heading
"The penalty fee must be effective, proportionate and dissuasive".
IMY assesses overall that the turnover of the company to be used as a basis for
calculation of the administrative penalty fees that Trygg-Hansa can impose is
Guaranteed turnover. From Tryg's annual report for the year 2022, it appears that the annual turnover in
2022 was approx. 33,938,000,000 Danish kroner, which corresponds to approx. 54,000,000,000 6
Swedish crowns. The maximum penalty amount that can be determined in the case is four
percent of this amount, i.e. approximately SEK 2,160,000,000.
The seriousness of the violation
IMY makes the following considerations regarding the seriousness of the violation. That there was one
possible unauthorized access to approximately 650,000 customers' data implies that there was
a risk to a high number of people. The data has included sensitive personal data,
such as health data, and other data of a privacy-sensitive nature, such as
social security number and financial information. It cannot be ruled out that information about
violations of the law have been revealed. The personal data processing has meant
significant risks. Individuals were directly identifiable, which meant that
information of a sensitive nature could be linked to identified persons. The data have
processed in a context where the data subjects have legitimate expectations of a
high level of confidentiality and robust protection against unauthorized access.
The data has been collected in order to be able to make assessments and make decisions regarding
registered, which is a type of processing of personal data that may involve
higher risks and require higher protection. Information about, for example, ownership, which would
could entail a risk of theft, could easily be linked to names in case of unauthorized access
and address. Due to the nature of the information, and since the documents contained a
numerous collected data, any unauthorized access has meant a high risk of
damaged reputation and loss of confidentiality. Trygg-Hansa's analysis of
behavior patterns in logs indicate that 202 customers are likely to be directly affected by so
way that information about them in documents may actually have been shown to unauthorized persons, and IMY
states that unauthorized access occurred on at least one occasion, in connection with
the tip about shortage was given to IMY.
The violation has also continued for a longer period of time, between October 2018 and
time when IMY contacted Trygg-Hansa and pointed out the deficiency in February 2021. Trygg-
Hansa received information about the shortcomings in November 2020 through an external tip
the security that could have been used to remedy the deficiencies and thereby
reduce privacy risks for individuals. However, Trygg-Hansa was unable to use it
the information to remedy the deficiencies. The violation has concerned Trygg-Hansa
core business, where Trygg-Hansa can be assumed to have knowledge of risks and requirements for
the protection of personal data.
It appears from the EDPB's guidelines that the supervisory authority must assess whether the violation is
of low, medium, or high severity.7
IMY has established that the violation is so serious that it also constitutes a violation
of the fundamental principle of integrity and confidentiality according to Article 5.1 f i
6 Based on the exchange rate on 23 August 2023, published on riksbanken.se
7 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60. Data Protection Authority Diary number: DI-2021-1905 11(12)
Date: 2023-08-28
data protection regulation, which means that the maximum sanction fee is 4
percent of the annual turnover instead of the 2 percent that applies in case of violation of article
32. Overall, IMY assesses that the violation in question has a medium level
degree of seriousness within the range of violations of Article 5.1 f
data protection regulation.
Trygg-Hansa has taken a number of measures before and after the deficiencies were identified.
Trygg-Hansa has, among other things, had two carried out independently of each other
penetration tests by two different external security companies and initiated measures in order to
improve routines for testing activities. Trygg-Hansa has also decided to establish one
architecture board with security control and code review during development, decided to
implement additional training for employees in customer service as well as for developers and
tester. Trygg-Hansa has also provided certain information to registered users about it
occurred. This and other measures described by Trygg-Hansa were carried out
however, after IMY contacted the company to inform about the deficiency, and does not go beyond
what can be expected. The measures are not of such a nature that they affect IMY's
assessment in the case in a mitigating direction.
The penalty fee must be effective, proportionate and dissuasive
The administrative penalty fee must be effective, proportionate and
deterrent. This means that the amount must be determined so that the administrative
the penalty fee leads to correction, that it provides a preventive effect and that it
in addition, is proportionate in relation to current violations as well as to
the supervised entity's ability to pay.
In the proportionality assessment, IMY considers that Tryg's annual turnover has increased
significant due to the acquisition of companies that were not included in the company's total
turnover at the time of the infringement.
In addition, IMY attaches great importance to the fact that the violation, as revealed in
the matter, only happened in the Swedish branch. To be based solely on the group's turnover
in this case, where the violation affected a limited part of the business, would
result in the penalty fee being set far too high in relation to what has occurred. IMY
therefore sees reason that in a proportionality assessment, taking it into account
turnover for Moderna Försäkringar as reported by Trygg-Hansa, determine
the penalty fee to a significantly lower amount than an assessment solely based on
Tryg's turnover had resulted in
IMY decides based on an overall assessment that Trygg-Hansa must pay a
administrative sanction fee of SEK 35 million.
This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
by lawyer Evelin Palmér. In the final proceedings, the Chief Justice David also has
Törngren and unit manager Catharina Fernquist as well as IT and
information security specialist Magnus Bergström participated.
Lena Lindgren Schelin, 2023-08-28 (This is an electronic signature) Privacy Protection Agency Diary number: DI-2021-1905 12(12)
Date: 2023-08-28
How to appeal
If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
the letter which decision you are appealing and the change you are requesting. The appeal shall
have been received by the Privacy Protection Authority no later than three weeks from the day you received it
part of the decision. If the appeal has been received in time, send
The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
examination.
You can e-mail the appeal to the Privacy Protection Authority if it does not contain
any privacy-sensitive personal data or information that may be covered by
secrecy. The authority's contact details appear on the first page of the decision.
