IMY (Sweden) - DI-2021-3422
From GDPRhub
| IMY - DI-2021-3422 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 07.11.2023 |
| Fine: | 500,000 SEK |
| Parties: | n/a |
| National Case Number/Name: | DI-2021-3422 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | DI-2021-3422 (in SV) |
| Initial Contributor: | sh |
The Swedish DPA fined a securities company 500,000 SEK (around €43,700) for incorrectly sending an email containing a file with personal data, resulting in a breach of Article 32(1) GDPR.
English Summary
Facts
The Swedish DPA received complaints alleging that on January 20 2021, Indecap (the controller) sent an email message containing a file with personal data about, among other things, customers' finances to other customers.
The controller acknowledged the mistake and explained that the breach was due to human error. An employee had attached the incorrect Excel sheet by mistake because it was named similarly to the correct file. The incorrect file contained information about customers' name, social security number, bank, name of bank advisor, e-mail address, selected risk level, allocation to funds (limited to individual fund selection) and the last loaded value of the customers' holdings in these funds. The erroneous mailings involved the personal data of 52,364 data subjects and were received by a maximum of 2,813 individuals. The exact number of recipients could not be determined as Indecap's own investigations showed that the email has been stuck in the mail filter of many of the customers.
Indecap took various steps to mitigate the damage of the breach. It initiated a major incident investigation together with external experts to identify internal risks and create an internal action plan. They sent information to data subjects about the incident, implemented additional technical security security measures and held extra training sessions for employees. They also contacted the recipients who had received the email with personal data and asked them to delete the message and to confirm that the message had been deleted. Finally, Indecap filed a personal data breach notification to the Swedish DPA and also made a report to the Swedish Financial Supervisory Authority.
Holding
Indecap had stated that the file was attached to the email as a result of a mistake made by an an individual employee. However, as the data controller, Indecap is responsible for all the processing of personal data that takes place under its management or on its behalf. Thus, the Swedish DPA chose to fine Indecap and not the employee.
Indecap is a securities company, meaning that the nature of its work imposed high protection standards as it processed, among other things, financial information and national security numbers. These high standards are also reflected in national law. Chapter 1, section 11, first paragraph of the Securities Market Act (2007:528) states that a person who is or has been affiliated with a securities company may not unauthorisedly disclose or use what he or she has learned in his or her employment or during the assignment about someone else's business or personal circumstances. It was clear that the processing in question therefore entailed high risk.
In accordance with Article 32 of the GDPR, Indecap has an obligation to protect the personal data that the company processes by taking appropriate technical and organisational measures. The personal data processing took place within the framework of Indecap's core business, for which the company should have had a good ability to ensure an appropriate level of security. According to Indecap's own information, the reason for the erroneously attatched file was that it had been named a similar name to another file that contained general information about the funds' performance. This suggests that Indecap did not had sufficiently clear instructions to prevent documents containing customer data from being mixed with other public documents. Moreover, the breach involved a large number of data subjects (approximately 52,000 persons).
For these reasons, the Swedish DPA held Indecap to have breached Article 32(1) GDPR and fined them around €43,700.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(11)
Indecap AB
Diary number:
DI-2021-3422 Decision after supervision according to
Date: Data Protection Regulation –
2023-11-07
Indecap AB
The Privacy Protection Authority's decision
The Swedish Privacy Protection Authority notes that Indecap AB (556622–4480) has
processed personal data in violation of article 32.1 of the data protection regulation through
that, in connection with a mailing on January 20, 2021, not having secured a
appropriate safety level in relation to the risks of the treatment.
The Privacy Protection Authority decides with the support of articles 58.2 and 83 i
data protection regulation that Indecap AB must pay an administrative penalty fee of
SEK 500,000 for the violation of Article 32.1 of the data protection regulation.
Account of the supervisory matter
The Swedish Privacy Agency (IMY) has received complaints that
Indecap AB (Indecap) on 20 January 2021 incorrectly sent an email
containing a file with personal information about, among other things, customers' finances to others
customers. IMY has initiated supervision of Indecap with the aim of investigating what appears from
the complaints.
Indecap has stated that it considers itself responsible for the personal data of the person in question
the processing of personal data. In addition, the company has stated in summary
following.
All information in Indecap's system was protected and required user login
to access the information that was included in the erroneous mailing. That which
occurred in the current case was that an employee retrieved information from
the system containing personal data to process the information into a report i
Excel. During processing, the Excel file was saved and unluckily renamed to one
Mailing address: similar name to the general PDF report on the development of the funds that would
Box 8114 is sent out to customers. When the employee would later attach the PDF report in the mailing
104 20 Stockholm, the employee happened to attach the Excel file which was being processed and which contained
Website:
personal data, instead of the correct PDF report. Because of the human
www.imy.se
E-mail:
imy@imy.se 1
European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with
Telephone: regarding the processing of personal data and on the free flow of such data and on the cancellation of
08-657 61 00 directive 95/46/EC (general data protection regulation). Data Protection Agency Diary number: DI-2021-3422 2(11)
Date: 2023-11-07
the mistake, the incorrect file was thus sent out to a number of customers before the error
was noticed and the shipment was stopped.
The erroneously attached file that was sent by e-mail to the company's customers contained
information about customers' names, social security number, bank, name of bank adviser,
email address, selected risk level, allocation to funds (limited to individual fund selection) and that
last read the value of the customers' holdings in these funds. The file did not contain any
information about account numbers, login details, shareholdings in specific funds,
or information about fund portfolios regarding capital insurance, service or
private pensions. The incorrect mailings comprised 52,364 were registered
personal data, and was received by a maximum of 2,813 people. The exact number of recipients
cannot be determined as Indecap's own investigations show that the email has been stuck in
the mail filter of many of the customers.
Indecap has an information security policy and applies documented processes
and routines linked to personal data and information security management. Before
the incident occurred, Indecap had limited access to the relevant systems which
concerns customer data, so that only four employees had access to these. Indecap
had further trained all staff in personal data and
information security management.
The internal investigation carried out by Indecap after the current incident has shown that
difficulties in complying with Indecap's duality routine which is applied in larger handling of
personal data. The routine means that two individuals must approve/verify a certain one
action before it can be implemented. The reason for the difficulties in complying with this
routine is explained by the increased distance work required due to Covid-19
the pandemic. The part that was not carried out in the incident was to visually, with
a so-called four-eyes principle, ensure that the correct data is entered into the system and attached
correct before the data was sent out via e-mail. This could not be done remotely
and made it possible to attach the incorrect file. The file that was incorrectly included in the
for this reason, the email was not encrypted or contained any reading restrictions.
However, access to the original computer was limited based on authorization as well as
password protected.
Before the incident occurred, Indecap had launched a system-based application with
login via BankID in order to reduce the risks that arise when data is sent via
E-mail. Before the incident, Indecap had made a decision to phase out its
routine for sending emails. Since the incident occurred, quarterly reports are no longer sent
out by email. Nowadays, customers are instead directed to log in with BankID at Indecap
to see their portfolio development. Furthermore, reports containing customer data are now available
encrypted and password protected.
In addition to immediately stopping all planned customer communication through letters/emails
Indecap took a number of measures in connection with the incident occurring. The company
initiated a major incident investigation together with external experts to
map and document the incident, as well as to carry out an inspection of Indecaps
systematic data protection work. The internal investigation, which has been completed, includes a
analysis of the seriousness of the personal data incident according to ENISA's method for
assessment of personal data incidents and plan for measures. In addition, Indecap has
among other things, updated routines around homework and the duality process, sent
information to data subjects about the incident, took additional technical measures
security measures and held extra training sessions for employees. The Swedish Privacy Protection Agency Diary number: DI-2021-3422 3(11)
Date: 2023-11-07
Indecap has submitted a personal data incident report to IMY and made a
incident report to the Financial Supervisory Authority due to the incident being investigated in
the case. In the notification to IMY, Indecap stated, among other things, that the company had contacted them
recipient who received the e-mail with personal data and asked them to delete it
the message and confirm that the message had been deleted.
Justification of the decision
Applicable regulations
According to Article 4.7 of the Data Protection Regulation, the person in charge of personal data is a physical or
legal person, public authority, institution or other body which alone or
together with others determines the purposes and means of the processing of
personal data. If the purposes and means of the processing are determined by
Union law or the national law of the Member States can the personal data controller
or the special criteria for how he is to be appointed are prescribed in Union law or in
national law of the Member States. The personal data controller is responsible for and must
be able to demonstrate that the basic principles in Article 5 of the Data Protection Regulation are followed.
This is apparent from Article 5.2 of the data protection regulation.
According to Article 5.1 f of the data protection regulation, personal data must be processed in one way
which ensures appropriate security for the personal data, including protection against
unauthorized or unauthorized processing and against loss, destruction or damage by
accident, using appropriate technical or organizational measures.
It follows from Article 32.1 of the Data Protection Regulation that the person in charge of personal data shall
take appropriate technical and organizational measures to ensure a
safety level that is appropriate in relation to the risk of the treatment. At
the assessment of which technical and organizational measures are appropriate must
data controllers take into account the latest developments, implementation costs
and the nature, scope, context and purpose of the treatment as well as the risks for
rights and freedoms of natural persons.
According to Article 32(1), appropriate safeguards include, where appropriate,
a) pseudonymisation and encryption of personal data,
b) the ability to continuously ensure confidentiality, integrity, availability and
resilience of treatment systems and services;
c) the ability to restore availability and access to personal data in a reasonable time
in the event of a physical or technical incident, and
d) a procedure for regularly testing, investigating and evaluating the effectiveness of
the technical and organizational measures that must ensure the security of the processing.
According to article 32.2 of the data protection regulation, when assessing the appropriate
security level special consideration is given to the risks that the treatment entails, in particular
for accidental or unlawful destruction, loss or alteration or for unauthorized disclosure of
or unauthorized access to the personal data transmitted, stored or otherwise
treated.
According to Article 87 of the Data Protection Regulation, the member states may decide in more detail
which special conditions a national identification number or something else accepted
methods of identification may be processed. A national identification number or another
In such cases, the accepted method of identification must only be used in compliance with the Swedish Data Protection Agency Diary number: DI-2021-3422 4(11)
Date: 2023-11-07
appropriate protective measures for the rights and freedoms of the data subjects according to this
regulation.
According to ch. 3 Section 10 of the law (2018:218) with supplementary regulations to the EU's
data protection regulation, social security numbers and coordination numbers may be processed without
consent only when it is clearly justified with regard to the purpose of
the processing, the importance of a secure identification or any other considerable reason.
The Swedish Privacy Protection Authority's assessment
Through the investigation into the matter, it has emerged that Indecap has mistakenly sent
an unencrypted file containing personal data on approx. 52,000 customers with e-mails to approx
2,800 recipients who were not authorized to receive the current information. The
the file in question contained, among other things, information about customers' names, email addresses,
social security number, bank, risk level, individual fund selection and the last loaded value of
the customer's holdings in these funds.
Indecap is responsible for personal data
Indecap has stated that the company is responsible for personal data for it
personal data processing that is reviewed in the case.
The investigation shows that the purpose of sending the message in question was to
inform customers about the general development of funds. IMY notes that Indecap has
determined purpose and means of the processing of the personal data, i.e. how
and why the personal data is to be processed. It is thus Indecap as per article
4.7 of the data protection regulation has been responsible for personal data for the person in question
the processing of personal data.
The treatment involved a high risk
According to Article 32 of the Data Protection Regulation, Indecap has an obligation to protect them
personal data that the company processes by taking appropriate technical and
organizational measures. The measures must ensure an appropriate level of security. At
the assessment of which level of security is appropriate shall be the responsibility of the personal data controller
take into account the costs, the nature, scope, context and purpose of the processing and the
risks to the rights and freedoms of natural persons that the processing entails.
From ch. 1 Section 11 first paragraph of the Act (2007:528) on the securities market follows that
anyone who is or has been connected to a securities company may not disclose information without authorization
or make use of what he or she has learned about in the employment or during the assignment
someone else's business or personal relationships. Because Indecap is one
securities company applies these legal requirements on confidentiality in the company's operations. The
places high demands on the protection of the personal data processed in the business.
In this case, the data that has been handled has, among other things, consisted of special protection officers
personal data, namely social security numbers, which may only be processed under certain conditions
conditions. There has also been a question of financial information, such as the latest one
the holdings in funds and the most recently read value of the customers' holdings in these funds,
for which data subjects have legitimate expectations of a high degree of
confidentiality and robust protection against unauthorized access. IMY notes that
the context for the processing of personal data has resulted in an even higher demand for
the protection level. Personal data processing has taken place within the framework of Indecaps
core business for which the company should have had good ability to secure a
security that was appropriate based on the scope and sensitivity of the processing. The Swedish Privacy Protection Agency Diary number: DI-2021-3422 5(11)
Date: 2023-11-07
Compiling a large amount of privacy-sensitive personal data entails
in addition, special risks as loss of control over such a compilation may result
to the detriment of many registered users. In the current case, the processing concerned data
about a large number of registered users (approx. 52,000 people).
With regard, among other things, to the fact that the data processed by Indecap has been deleted
Indecaps have protective nature and affected a very large number of people
processing of the personal data in total entailed a high risk of physical
rights and freedoms of persons. The nature, scope and context of the treatment have
thereby entailing a requirement for strong data protection. The measures would include
otherwise ensure that the personal data was protected against unauthorized disclosure and unauthorized
access.
Indecap has not taken sufficient measures to protect the data
From the complaints and Indecap's account it appears that the file with personal data has
attached to an e-mail message sent out to a large number of people. Uncaps
The sending of the file in question has meant that people who do not have the right to take part
the data has been accessed.
Indecap has stated that the file was attached to the email as a result of a mistake by
an individual employee. Indecap, as the personal data controller, is responsible for all
personal data processing that takes place under the company's management or on behalf of the company. IN
in this case, the incorrect attachment of the file has occurred within the scope of the employee
service. Indecap is responsible for the processing of personal data carried out by it
employee took place in accordance with the data protection regulation's requirements for a suitable
security level.
IMY also assesses that the mistake in question could have been prevented or at least
becomes more difficult. In its operations, Indecap treats both the public and security guards
information. Depending on, among other things, the sensitivity of the information, different requirements are placed on
appropriate level of protection and thus the content of the routines for handling this data.
In the handling of public information, there is, for example, no reason to consider
the risk of unauthorized access when choosing appropriate communication channels. To not
jeopardize the protection of information of a nature worthy of protection, Indecap should have been clear
procedures to ensure that the handling of information worthy of protection would not
mixed with the handling of public information. From Indecap's own data
appears that one reason an incorrect file was attached was that it had been renamed to one
similar name to another file that contained general information about funds
development. This suggests that Indecap did not have clear enough instructions to
prevent documents containing customer data from being mixed up with others
public documents.
Nor has it emerged that Indecap implemented any technical or
organizational barriers or control functions that have made the incorrect
the handling of the file, e.g. technical obstacles or warnings in connection with the file
attached in e-mail. Admittedly, Indecap has had a routine which means that every dispatch must
checked by fellow staff in order to prevent the type of mistake in question. It has
however, it emerged that the current routine was not used as a result of difficulties to
maintaining the routine for home work during the then prevailing Covid-19 pandemic. IMY
however, believes that Indecap in the situation that has arisen, especially with regard to the sensitivity of the
data the company processes in its core business, should have taken other measures for
to ensure a sufficient level of protection for the relevant data when the current one
the protective measure could not be taken as a result of the pandemic. The pandemic has thus not The Swedish Privacy Agency Diary number: DI-2021-3422 6(11)
Date: 2023-11-07
constituted a reasonable excuse for deviating from existing security procedures without
replace these with some other equivalent protection.
IMY states that the lack of measures to prevent the privacy sensitive
the information about the customers was sent out has meant that the risk that employees would
make incorrect mailings been high.
IMY further notes that the file in question lacked protection in the form of, for example
read restrictions or encryption. After the file was mistakenly attached in the email
unauthorized persons have therefore been able to gain access to privacy-sensitive information about over
50,000 identifiable individuals in plain text. There has also been a risk that the data
would be spread further, for example by one of the unauthorized recipients
forwarded the email.
According to IMY, there have been shortcomings regarding the protection of personal data partly through
that Indecap has not taken sufficient technical or organizational measures to prevent
employees from incorrectly sending out customer data by e-mail to unauthorized persons
recipient, partly because the data was not protected against unauthorized access, e.g.
through encryption.
Indecap's protective measures would ensure that personal data about the company's customers
was protected against unauthorized disclosure and unauthorized access. Indecap has, however, through e-
the January 20, 2021 mail that was sent to a large number of unauthorized persons
recipients disclosed unencrypted personal data about their customers, including information about
customers' finances.
IMY concludes in summary that Indecap has not taken sufficient technical measures
and organizational measures to ensure a level of security that has been appropriate in
relation to the risk. Indecap has thus processed personal data in violation of article
32.1 of the data protection regulation.
Choice of intervention
Legal regulation
In the event of violations of the data protection regulation, IMY has a number of corrective measures
powers, including reprimands, injunctions and penalty charges. It follows from
article 58.2 a–j of the data protection regulation. IMY shall impose penalty fees in addition to or
instead of other corrective measures referred to in Article 58(2), depending
the circumstances of each individual case.
Each supervisory authority must ensure that the imposition of administrative
penalty charges in each individual case are effective, proportionate and dissuasive. The
stated in Article 83.1 of the Data Protection Regulation. Article 83.2 specifies the factors that must
taken into account in determining whether an administrative penalty fee should be imposed and, if so,
with what amount.
According to Article 83.4, in the event of violations of, among other things, Article 32, it must be imposed
administrative penalty fees of up to EUR 10,000,000 or, if one applies
company, of up to 2% of the total global annual turnover in the previous year
budget year, depending on which value is the highest. The Swedish Privacy Protection Agency Diary number: DI-2021-3422 7(11)
Date: 2023-11-07
The European Data Protection Board (EDPB) has adopted guidelines on the calculation of
administrative penalty charges according to the data protection regulation which aims to create
2
a harmonized method and principles for calculating penalty fees.
If it is a question of a minor violation, IMY receives according to what is stated in reason 148 i
instead of imposing a penalty charge, issue a reprimand in accordance with Article 58.2 b i
the regulation.
IMY's assessment
A penalty fee must be imposed
IMY has made the assessment that Indecap has processed personal data in violation of
article 32.1 of the data protection regulation.
The violation has occurred through Indecap processing personal data with a
insufficient level of security, which has led to, among other things, financial information about
over 50,000 registrants sent via email to around 2,800 unauthorized recipients.
Indecap has been aware of the risks of emailing and had therefore introduced
special control routines, but due to the pandemic, made deviations from the control routine
without taking compensatory protective measures. The incorrect dispatch has resulted in a
high risk for the freedoms and rights of the registered, including loss of
confidentiality of data worthy of protection.
Against this background, IMY assesses that it was not a question of a minor violation.
Indecap must therefore be charged an administrative sanction fee for the violation. At
determining the size of the penalty fee, IMY must take into account the circumstances that
stated in Article 83.2 as well as ensuring that the administrative sanction fee is
effective, proportionate and dissuasive.
The parent company's annual turnover must be used as the basis for the calculation
When determining the maximum amount for the penalty fee, the definition of
the concept of company is used as follows from the practice of the European Court of Justice according to Articles 101
and 102 of the TFEU (see recital 150 of the Data Protection Regulation). Of the court's practice
it appears that the concept of company includes every entity that carries out economic activities,
regardless of the entity's legal form and the method of its financing, as well as whether the entity
in the legal sense consists of several natural or legal persons.
What constitutes a company must therefore be based on the definitions of competition law.
The rules for group liability in EU competition law revolve around the concept
economic unit. A parent company and a subsidiary company are considered part of the same
economic unit when the parent company exercises decisive influence over
the subsidiary. The decisive influence (ie control) can be achieved either through
ownership or by agreement. It appears from the practice of the European Court of Justice that one hundred percent
or almost one hundred percent ownership involves a presumption for control to be considered
exist. However, the presumption can be rebutted if the company provides sufficient evidence
3
to prove that the subsidiary acts independently on the market. To refute
the presumption, the company must therefore provide evidence relating to the organizational,
the financial and legal links between the subsidiary and its parent company which
shows that they do not constitute an economic unit even though the parent company owns 100 percent
or almost 100 percent of the shares. 4
2EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on 24 May
2023.
3Case C-97/08, para. 59-61
4 Cf. EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 125 and
where reported rulings. The Swedish Privacy Agency Diary number: DI-2021-3422 8(11)
Date: 2023-11-07
The group in which Indecap is a part consists of three companies, the parent company Indecap
Holding AB and the two sister companies Indecap and Indecap Fonder AB. Indecap
Holding AB's commission income consists of Indecap's and Indecap Fonder AB's
commission income.
Indecap has stated that the turnover attributable to Indecap Fonder AB should
excluded when calculating a penalty fee. In support of this, Indecap has stated
that the current violation only occurred in one of the group companies, namely
Indecap. Indecap is a securities company that provides individual
pension savings and advice on the fund market. Indecap Fonder AB is in turn
a fund company that manages nine funds within different equity and fixed income strategies. Indecap
Fonder AB has few direct customers but distributes the funds via various platforms and
banks. Indecap Fonder AB's funds are indeed selectable at Indecap, but Indecaps
fund portfolios also consist of many other funds that have no connection to the commodity
itself Indecap Fonder AB or Indecap Holding AB. The customer data included in
the mailing belonged only to customers of Indecap.
Indecap Holding AB owns 100 percent of the shares in Indecap and it therefore exists
a presumption that Indecap and Indecap Holding AB are an economic entity.
Indecap has not highlighted anything that shows that Indecap is acting independently in relation
to the parent company which causes the presumption to be broken. That subsidiaries in the group have
businesses with different orientations, or that an incident only occurred in one
subsidiaries, are not such circumstances that in themselves have any effect on
the presumption of the parent company's influence.
IMY assesses with regard to the above that the company's turnover that will
be added to the basis for calculating the administrative penalty fee that Indecap can
imposed is Indecap's parent company Indecap Holding AB (556971-6987).
In the EDPB's guidelines, the starting point is that the annual turnover refers to the company's
net sales, i.e. the amount obtained through the sale of goods and
provision of services after deduction of sales discounts and value added tax
as well as other taxes that are directly related to turnover. To determine which
turnover Indecap Holding AB had during the previous financial year has IMY
obtained information from the group's annual report for 2022. This information shows
that Indecap Holding AB has had commission income amounting to SEK 558,260,000.
Indecap has stated that Indecap Holding AB's annual report is prepared in accordance with the law
(1995:1559) on annual reports in credit institutions and securities companies and that the post
for commission income does not fairly reflect the group's net sales.
The current commission income is stated before the Pensions Authority's
agreed mandatory discount on management fees has been deducted. The agreement with
The pension authority's discount is a requirement for a fund company to be able to offer
funds on the premium pension's fund market. Discounts to the Pensions Authority amounted to year
2022 to SEK 394,326,770. Indecap Holding AB's net turnover is thus the sum
5EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 128-130.
6 The definition corresponds to that stated in Article 5.2 of Directive 2013/34/EU of the European Parliament and of the Council of 26
June 2013 on annual accounts, consolidated accounts and reports in certain types of companies, on amendment of
European Parliament and Council Directive 2006/43/EC and repealing Council Directive 78/660/EEC and
83/349/EEC Text of importance for the EEA and which has been implemented in Swedish law through ch. 1, § 3, third point
Annual Accounts Act (1995:1554) Data Protection Agency Diary number: DI-2021-3422 9(11)
Date: 2023-11-07
which remains after this discount has been deducted. Indecap has submitted documents to
verification of the discounts submitted to the Pensions Authority.
IMY makes the following assessment. Indecap Holding AB's annual report contains none
clear accounting item that can be equated with the company's net sales. For that one
sanction fee shall have the corresponding effect regardless of the accounting rules that it
the intervention is aimed at applies, according to IMY, however, it is important that the turnover
is calculated in such a way that it corresponds to what would have constituted net turnover
if the accounting rules of the Annual Accounts Act had been applied. There is a lack of guidance
clarifications from the EU Court of Justice or the EDPB that clarify how the annual turnover i
credit institutions and securities companies must be calculated. IMY therefore assesses, against background
of that net turnover must be determined with deduction of discounts provided, that relevant
annual turnover for Indecap Holding AB must be assessed with deductions for discounts on
management fees. Indecap has proven through submitted documents that the discounts to
The pension authority in the year 2022 amounted to the amount they indicated.
IMY assesses with regard to the above that the relevant annual turnover for
Indecap Holding AB is approximately SEK 140,199,260. Two percent of that annual turnover is approx
SEK 2,800,000. The maximum penalty amount that can be determined in the case is therefore
10,000,000 EUR.
The seriousness of the violation
IMY assesses that the following factors are important for the assessment of the infringement
seriousness.
IMY has established that Indecap did not take sufficient technical and organizational measures
measures to reduce the risk that personal data about the company's customers would be disseminated
to unauthorized persons. The current security flaws have led to an incident that has affected one
large number of registered and a large number of unauthorized recipients have been able to take part
others' personal data in plain text. The information has included financial information and
information about social security numbers, i.e. information that requires strong protection. The management
of the personal data was also part of Indecap's core business where the data
covered by statutory confidentiality. Indecap has also been aware of
the risks of emailing and had therefore introduced special control routines, but on grounds
of the pandemic, deviated from the control routine without taking compensatory measures
protective measures.
When assessing the seriousness of the violation, IMY takes into account, in mitigation, that
Indecap already started work on replacement before the current incident
mailing to a more secure alternative. This process was also accelerated after it
current incident.
It appears from the EDPB's guidelines that the supervisory authority must assess whether the violation is
of low, medium or high severity. IMY assesses against the background of
above circumstances that in total it is a violation of
Article 32.1 of the Data Protection Regulation of medium severity.
As a mitigating circumstance, it is taken into account that Indecap, before IMY started supervision,
immediately and in a clear manner informed the data subjects concerned about what
occurred. IMY also considers that Indecap contacted the recipients of the erroneously sent e-
7 EDPB's guidelines Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60. The Data Protection Authority Diary number: DI-2021-3422 10(11)
Date: 2023-11-07
the mail message and ask them to delete the message, as well as confirm that this has been done,
as a mitigating circumstance.
The penalty fee must be effective, proportionate and dissuasive
The administrative penalty fee must be effective, proportionate and
deterrent. This means that the amount must be determined so that the administrative
the penalty fee leads to correction, that it provides a preventive effect and that it
in addition, is proportionate in relation to current violations as well as to
the supervised entity's ability to pay.
IMY assesses that a penalty fee calculated on the parent company's total
net turnover would not, in the present case, lead to the imposition of the penalty fee
far too high in relation to the violation established in the case. It exists therefore
not reason to reduce the penalty fee on the basis that the violation only
intended for a company in the group.
In light of the seriousness of the violation, aggravating and mitigating circumstances
IMY determines the administrative sanction fee for Indecap at SEK 500,000 for
the established violation. IMY considers this amount to be effective,
proportionate and dissuasive.
This decision has been taken by the head of unit Catharina Fernquist after a presentation by
the lawyer Evelin Palmér. In the final proceedings, the Chief Justice David also has
Törngren, the lawyer Cecilia Agnehall and the IT and information security specialist
Katarina Bengtsson participated.
Catharina Fernquist, 2023-11-07 (This is an electronic signature)
Copy to:
1. The complainants The Swedish Privacy Agency Diary number: DI-2021-3422 11(11)
Date: 2023-11-07
How to appeal
If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
the letter which decision you are appealing and the change you are requesting. The appeal shall
have entered IMY no later than three weeks from the day you were informed of the decision. If
the appeal has been received in time, IMY forwards it to the Administrative Court i
Stockholm for examination.
You can e-mail the appeal to IMY if it does not contain any privacy-sensitive information
personal data or information that may be subject to confidentiality. The authority's
contact details appear on the first page of the decision.
