IMY (Sweden) - DI-2021-3422

From GDPRhub

Latest revision as of 10:26, 29 November 2023

IMY - DI-2021-3422
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 07.11.2023
Fine: 500,000 SEK
Parties: n/a
National Case Number/Name: DI-2021-3422
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: DI-2021-3422 (in SV)
Initial Contributor: sh

The Swedish DPA fined a securities company 500,000 SEK (around €43,700) for incorrectly sending an email containing a file with personal data, resulting in a breach of Article 32(1) GDPR.

English Summary

Facts

The Swedish DPA received complaints alleging that on 20 January 2021, Indecap (the controller) had sent an email message containing a file with personal data about, among other things, customers' finances to other customers.

The controller acknowledged the mistake and explained that the breach was due to human error. An employee had attached the incorrect Excel sheet by mistake because it was named similarly to the correct file. The incorrect file contained customers' names, social security numbers, bank, name of bank advisor, e-mail address, selected risk level, allocation to funds (limited to individual fund selection) and the last loaded value of the customers' holdings in these funds. The erroneous mailing involved the personal data of 52,364 data subjects and was received by a maximum of 2,813 individuals. The exact number of recipients could not be determined, as Indecap's own investigation showed that the email had been stuck in the mail filter of many of the customers.

Indecap took various steps to mitigate the damage of the breach. It initiated a major incident investigation together with external experts to identify internal risks and create an internal action plan. It sent information to data subjects about the incident, implemented additional technical security measures and held extra training sessions for employees. It also contacted the recipients who had received the email with personal data and asked them to delete the message and to confirm that it had been deleted. Finally, Indecap filed a personal data breach notification with the Swedish DPA and also made a report to the Swedish Financial Supervisory Authority.

Holding

Indecap had stated that the file was attached to the email as a result of a mistake made by an individual employee. However, as the data controller, Indecap is responsible for all processing of personal data that takes place under its management or on its behalf. Thus, the Swedish DPA fined Indecap and not the employee.

Indecap is a securities company, which means that the nature of its business imposed high protection standards, as it processed, among other things, financial information and social security numbers. These high standards are also reflected in national law. Chapter 1, section 11, first paragraph of the Securities Market Act (2007:528) provides that a person who is or has been affiliated with a securities company may not, without authorisation, disclose or make use of what he or she has learned in the employment or during the assignment about someone else's business or personal circumstances. It was clear that the processing in question therefore entailed a high risk.

Under Article 32 GDPR, Indecap has an obligation to protect the personal data that the company processes by taking appropriate technical and organisational measures. The personal data processing took place within the framework of Indecap's core business, for which the company should have had a good ability to ensure an appropriate level of security. According to Indecap's own information, the reason for the erroneously attached file was that it had been given a name similar to that of another file that contained general information about the funds' performance. This suggests that Indecap did not have sufficiently clear instructions to prevent documents containing customer data from being mixed up with other, public documents. Moreover, the breach involved a large number of data subjects (approximately 52,000 persons).

For these reasons, the Swedish DPA held Indecap to have breached Article 32(1) GDPR and fined them around €43,700.


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Indecap AB

Diary number: DI-2021-3422
Date: 2023-11-07

Decision after supervision under the Data Protection Regulation [1] – Indecap AB

The Swedish Authority for Privacy Protection's decision

The Swedish Authority for Privacy Protection (IMY) finds that Indecap AB (556622–4480) has processed personal data in violation of Article 32(1) of the Data Protection Regulation by, in connection with a mailing on 20 January 2021, not having ensured a level of security appropriate in relation to the risks of the processing.

IMY decides, with the support of Articles 58(2) and 83 of the Data Protection Regulation, that Indecap AB shall pay an administrative fine of SEK 500,000 for the violation of Article 32(1) of the Data Protection Regulation.

Account of the supervisory matter

IMY has received complaints that Indecap AB (Indecap) on 20 January 2021 incorrectly sent an email containing a file with personal data about, among other things, customers' finances to other customers. IMY has initiated supervision of Indecap with the aim of investigating what appears from the complaints.

Indecap has stated that it considers itself the personal data controller for the personal data processing in question. In addition, the company has stated, in summary, the following.

All information in Indecap's system was protected and required user login to access the information that was included in the erroneous mailing. What occurred in the present case was that an employee retrieved information containing personal data from the system in order to process it into a report in Excel. During processing, the Excel file was saved and unfortunately renamed to a name similar to that of the general PDF report on the development of the funds that was to be sent out to customers. When the employee later was to attach the PDF report to the mailing, the employee happened to attach the Excel file that was being processed and that contained personal data, instead of the correct PDF report. Because of the human mistake, the incorrect file was thus sent out to a number of customers before the error was noticed and the mailing was stopped.

The erroneously attached file that was sent by email to the company's customers contained information about customers' names, social security number, bank, name of bank adviser, email address, selected risk level, allocation to funds (limited to individual fund selection) and the last read value of the customers' holdings in these funds. The file did not contain any information about account numbers, login details, shareholdings in specific funds, or information about fund portfolios regarding capital insurance, occupational or private pensions. The incorrect mailing comprised personal data of 52,364 data subjects and was received by a maximum of 2,813 people. The exact number of recipients cannot be determined, as Indecap's own investigations show that the email has been stuck in the mail filter of many of the customers.

Indecap has an information security policy and applies documented processes and routines linked to personal data and information security management. Before the incident occurred, Indecap had limited access to the relevant systems concerning customer data, so that only four employees had access to them. Indecap had further trained all staff in personal data and information security management.

The internal investigation carried out by Indecap after the incident has shown difficulties in complying with Indecap's duality routine, which is applied in larger handling of personal data. The routine means that two individuals must approve/verify a certain action before it can be implemented. The difficulties in complying with this routine are explained by the increased remote work required due to the Covid-19 pandemic. The part that was not carried out in the incident was to visually, under a so-called four-eyes principle, ensure that the correct data had been entered into the system and that the correct file was attached before the data was sent out via email. This could not be done remotely, which made it possible to attach the incorrect file. For this reason the file that was incorrectly included in the email was not encrypted and did not carry any read restrictions. Access to the originating computer was, however, limited based on authorisation as well as password protected.

Before the incident occurred, Indecap had launched a system-based application with login via BankID in order to reduce the risks that arise when data is sent via email. Before the incident, Indecap had made a decision to phase out its routine for sending emails. Since the incident occurred, quarterly reports are no longer sent out by email. Customers are instead directed to log in with BankID at Indecap to see their portfolio development. Furthermore, reports containing customer data are now encrypted and password protected.

In addition to immediately stopping all planned customer communication through letters/emails, Indecap took a number of measures in connection with the incident. The company initiated a major incident investigation together with external experts to map and document the incident, as well as to carry out an inspection of Indecap's systematic data protection work. The internal investigation, which has been completed, includes an analysis of the seriousness of the personal data breach according to ENISA's method for assessing personal data breaches and a plan for measures. In addition, Indecap has, among other things, updated routines around remote work and the duality process, sent information to data subjects about the incident, taken additional technical security measures and held extra training sessions for employees.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Mailing address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Telephone: 08-657 61 00.

Indecap has submitted a personal data breach notification to IMY and made an incident report to the Swedish Financial Supervisory Authority due to the incident investigated in the case. In the notification to IMY, Indecap stated, among other things, that the company had contacted the recipients who received the email with personal data and asked them to delete the message and confirm that the message had been deleted.

Justification of the decision

Applicable provisions

According to Article 4(7) of the Data Protection Regulation, the personal data controller is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of the processing are determined by Union law or the national law of the Member States, the controller or the specific criteria for its nomination may be provided for by Union law or the national law of the Member States. The controller is responsible for, and must be able to demonstrate, that the basic principles in Article 5 of the Data Protection Regulation are complied with. This follows from Article 5(2) of the Data Protection Regulation.

According to Article 5(1)(f) of the Data Protection Regulation, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

It follows from Article 32(1) of the Data Protection Regulation that the controller shall take appropriate technical and organisational measures to ensure a level of security appropriate in relation to the risk of the processing. When assessing which technical and organisational measures are appropriate, the controller must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks to the rights and freedoms of natural persons.

According to Article 32(1), appropriate measures include, where appropriate,

a) pseudonymisation and encryption of personal data,
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and
d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

According to Article 32(2) of the Data Protection Regulation, when assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

According to Article 87 of the Data Protection Regulation, Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the Regulation.

According to Chapter 3, Section 10 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation, social security numbers and coordination numbers may be processed without consent only when it is clearly justified with regard to the purpose of the processing, the importance of secure identification or any other considerable reason.

The Swedish Authority for Privacy Protection's assessment

The investigation in the matter has shown that Indecap has mistakenly sent an unencrypted file containing personal data on approx. 52,000 customers by email to approx. 2,800 recipients who were not authorised to receive the information in question. The file contained, among other things, information about customers' names, email addresses, social security number, bank, risk level, individual fund selection and the last read value of the customers' holdings in these funds.

Indecap is the personal data controller

Indecap has stated that the company is the personal data controller for the personal data processing reviewed in the case.

The investigation shows that the purpose of sending the message in question was to inform customers about the general development of the funds. IMY notes that Indecap has determined the purposes and means of the processing of the personal data, i.e. how and why the personal data is to be processed. It is thus Indecap that, under Article 4(7) of the Data Protection Regulation, has been the personal data controller for the processing in question.

The processing involved a high risk

According to Article 32 of the Data Protection Regulation, Indecap has an obligation to protect the personal data that the company processes by taking appropriate technical and organisational measures. The measures must ensure an appropriate level of security. When assessing which level of security is appropriate, the controller shall take into account the costs, the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons that the processing entails.

From Chapter 1, Section 11, first paragraph of the Securities Market Act (2007:528) it follows that anyone who is or has been affiliated with a securities company may not, without authorisation, disclose or make use of what he or she has learned in the employment or during the assignment about someone else's business or personal circumstances. Because Indecap is a securities company, these statutory confidentiality requirements apply to the company's operations. This places high demands on the protection of the personal data processed in the business.

In this case, the data handled has, among other things, consisted of personal data that is particularly worthy of protection, namely social security numbers, which may only be processed under certain conditions. Financial information has also been involved, such as the latest holdings in funds and the most recently read value of the customers' holdings in these funds, for which data subjects have legitimate expectations of a high degree of confidentiality and robust protection against unauthorised access. IMY notes that the context of the personal data processing has entailed an even higher demand on the level of protection. The personal data processing has taken place within the framework of Indecap's core business, for which the company should have had good ability to ensure a level of security that was appropriate based on the scope and sensitivity of the processing.

                                Date: 2023-11-07






                                Compiling a large amount of privacy-sensitive personal data entails
                                in addition, special risks as loss of control over such a compilation may result
                                to the detriment of many registered users. In the current case, the processing concerned data

                                about a large number of registered users (approx. 52,000 people).

                                With regard, among other things, to the fact that the data processed by Indecap has been deleted

                                Indecaps have protective nature and affected a very large number of people
                                processing of the personal data in total entailed a high risk of physical
                                rights and freedoms of persons. The nature, scope and context of the treatment have

                                thereby entailing a requirement for strong data protection. The measures would include
                                otherwise ensure that the personal data was protected against unauthorized disclosure and unauthorized
                                access.


                                Indecap has not taken sufficient measures to protect the data
                                From the complaints and Indecap's account it appears that the file with personal data has

                                attached to an e-mail message sent out to a large number of people. Uncaps
                                The sending of the file in question has meant that people who do not have the right to take part
                                the data has been accessed.


                                Indecap has stated that the file was attached to the email as a result of a mistake by
                                an individual employee. Indecap, as the personal data controller, is responsible for all

                                personal data processing that takes place under the company's management or on behalf of the company. IN
                                in this case, the incorrect attachment of the file has occurred within the scope of the employee
                                service. Indecap is responsible for the processing of personal data carried out by it

                                employee took place in accordance with the data protection regulation's requirements for a suitable
                                security level.


                                IMY also assesses that the mistake in question could have been prevented or at least
                                becomes more difficult. In its operations, Indecap treats both the public and security guards
                                information. Depending on, among other things, the sensitivity of the information, different requirements are placed on

                                appropriate level of protection and thus the content of the routines for handling this data.
                                In the handling of public information, there is, for example, no reason to consider
                                the risk of unauthorized access when choosing appropriate communication channels. To not
                                jeopardize the protection of information of a nature worthy of protection, Indecap should have been clear

                                procedures to ensure that the handling of information worthy of protection would not
                                mixed with the handling of public information. From Indecap's own data
                                appears that one reason an incorrect file was attached was that it had been renamed to one

                                similar name to another file that contained general information about funds
                                development. This suggests that Indecap did not have clear enough instructions to
                                prevent documents containing customer data from being mixed up with others

                                public documents.

Nor has it emerged that Indecap implemented any technical or organizational barriers or control functions that would have made the incorrect handling of the file more difficult, e.g. technical obstacles or warnings when a file is attached to an e-mail. Admittedly, Indecap had a routine under which every dispatch must be checked by a colleague in order to prevent the type of mistake in question. It has however emerged that this routine was not used, as a result of difficulties in maintaining the routine during home work in the then prevailing Covid-19 pandemic. IMY nevertheless believes that Indecap, in the situation that had arisen, and especially with regard to the sensitivity of the data the company processes in its core business, should have taken other measures to ensure a sufficient level of protection for the relevant data when the existing protective measure could not be applied as a result of the pandemic. The pandemic has thus not constituted a reasonable excuse for deviating from existing security procedures without replacing them with some other equivalent protection.

The Swedish Privacy Agency, Diary number: DI-2021-3422, 6(11), Date: 2023-11-07


IMY states that the lack of measures to prevent the privacy-sensitive information about the customers from being sent out has meant that the risk of employees making incorrect mailings has been high.


IMY further notes that the file in question lacked protection in the form of, for example, read restrictions or encryption. After the file was mistakenly attached to the e-mail, unauthorized persons have therefore been able to gain access to privacy-sensitive information about over 50,000 identifiable individuals in plain text. There has also been a risk that the data would be spread further, for example by one of the unauthorized recipients forwarding the e-mail.

According to IMY, there have been shortcomings regarding the protection of personal data, partly in that Indecap has not taken sufficient technical or organizational measures to prevent employees from incorrectly sending customer data by e-mail to unauthorized recipients, and partly because the data was not protected against unauthorized access, e.g. through encryption.
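The decision faults the absence of a technical barrier or warning when a customer file is attached to outgoing mail, and the absence of encryption or read restrictions on the file itself. The following is an added example, not part of the decision and not Indecap's code, of what such a pre-send gate could look like: it scans an attachment for Luhn-valid Swedish personal identity numbers and blocks or flags the dispatch depending on who the recipients are. The policy thresholds, the organisation domain example.se and the sample rows are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Swedish personal identity numbers: 10-digit YYMMDD-NNNC / YYMMDD+NNNC, or 12-digit YYYYMMDDNNNC.
PNR_RE = re.compile(r"\b(?:\d{2})?\d{6}[-+]?\d{4}\b")


def luhn_ok(ten_digits: str) -> bool:
    """Luhn check over the 10-digit form; the last digit is the check digit."""
    total = 0
    for i, ch in enumerate(ten_digits):
        d = int(ch) * (2 if i % 2 == 0 else 1)   # double positions 1, 3, 5, 7, 9
        total += d // 10 + d % 10                # digit sum of the product
    return total % 10 == 0


def find_personnummer(text: str) -> set[str]:
    """Return the Luhn-valid personal identity numbers in text, normalised to 10 digits.
    A plausibility check on the month/day part cuts false positives from other numbers."""
    found: set[str] = set()
    for match in PNR_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())[-10:]
        month, day = int(digits[2:4]), int(digits[4:6])
        if 1 <= month <= 12 and 1 <= day <= 31 and luhn_ok(digits):
            found.add(digits)
    return found


@dataclass(frozen=True)
class Verdict:
    action: str      # "allow", "warn" or "block"
    reason: str
    pnr_count: int


def check_outbound(attachment_text: str, recipients: list[str],
                   org_domain: str, bulk_threshold: int = 10) -> Verdict:
    """Pre-send gate for one attachment. Assumed policy (not IMY's or Indecap's):
    identity numbers never leave the organisation in plain text, bulk internal sends
    are blocked, and any other internal send needs a second pair of eyes."""
    pnrs = find_personnummer(attachment_text)
    if not pnrs:
        return Verdict("allow", "no personal identity numbers found", 0)
    external = [r for r in recipients if not r.lower().endswith("@" + org_domain)]
    if external:
        return Verdict("block", f"identity numbers addressed to {len(external)} external recipient(s)", len(pnrs))
    if len(recipients) > bulk_threshold:
        return Verdict("block", f"bulk mailing to {len(recipients)} recipients", len(pnrs))
    return Verdict("warn", "identity numbers present; require four-eyes approval", len(pnrs))


# Constructed sample: a customer export of the kind the decision describes.
CUSTOMER_EXPORT = (
    "name;personnummer;bank;advisor;risk_level;holdings_sek\n"
    "Anna Exempel;811218-9876;Exempelbanken;K. Radgivare;3;125000\n"
    "Bo Exempel;19900101-0009;Exempelbanken;K. Radgivare;5;98000\n"
)

# Constructed sample: a public fund-performance sheet with a similar-looking file name.
FUND_INFO = "fund;ytd_return_pct;isin\nExample Global Equity;4.2;SE0000000001\n"

if __name__ == "__main__":
    for label, text in (("customer export", CUSTOMER_EXPORT), ("fund info", FUND_INFO)):
        v = check_outbound(text, ["kund@example.com", "kund2@example.org"], "example.se")
        print(f"{label}: {v.action} ({v.reason})")
```

A gate like this only addresses the first shortcoming IMY names; the second, that the file was readable by anyone who received it, still calls for encrypting or access-restricting the file itself.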

Indecap's protective measures should have ensured that personal data about the company's customers was protected against unauthorized disclosure and unauthorized access. Through the e-mail of January 20, 2021, which was sent to a large number of unauthorized recipients, Indecap has however disclosed unencrypted personal data about its customers, including information about the customers' finances.

IMY concludes in summary that Indecap has not taken sufficient technical and organizational measures to ensure a level of security appropriate in relation to the risk. Indecap has thus processed personal data in violation of Article 32.1 of the Data Protection Regulation.


Choice of intervention

Legal regulation
In the event of violations of the Data Protection Regulation, IMY has a number of corrective powers, including reprimands, injunctions and penalty charges. This follows from Article 58.2 a–j of the Data Protection Regulation. IMY shall impose penalty fees in addition to or instead of the other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case.


Each supervisory authority must ensure that the imposition of administrative penalty charges in each individual case is effective, proportionate and dissuasive. This is stated in Article 83.1 of the Data Protection Regulation. Article 83.2 specifies the factors that must be taken into account in determining whether an administrative penalty fee should be imposed and, if so, in what amount.


According to Article 83.4, violations of, among other things, Article 32 are subject to administrative penalty fees of up to EUR 10,000,000 or, in the case of a company, of up to 2% of the total global annual turnover in the previous financial year, whichever is higher.






The European Data Protection Board (EDPB) has adopted guidelines on the calculation of administrative penalty charges under the Data Protection Regulation, which aim to create a harmonized method and principles for calculating penalty fees.[2]


If it is a question of a minor violation, IMY may, according to recital 148, issue a reprimand in accordance with Article 58.2 b of the Regulation instead of imposing a penalty charge.


IMY's assessment

A penalty fee must be imposed
IMY has made the assessment that Indecap has processed personal data in violation of Article 32.1 of the Data Protection Regulation.

The violation has occurred through Indecap processing personal data with an insufficient level of security, which has led to, among other things, financial information about over 50,000 data subjects being sent via e-mail to around 2,800 unauthorized recipients.

Indecap was aware of the risks of e-mailing and had therefore introduced special control routines, but due to the pandemic deviated from the control routine without taking compensatory protective measures. The incorrect dispatch has resulted in a high risk for the freedoms and rights of the data subjects, including loss of confidentiality of data worthy of protection.


Against this background, IMY assesses that it was not a question of a minor violation. Indecap must therefore be charged an administrative sanction fee for the violation. In determining the size of the penalty fee, IMY must take into account the circumstances stated in Article 83.2 as well as ensure that the administrative sanction fee is effective, proportionate and dissuasive.


The parent company's annual turnover must be used as the basis for the calculation
When determining the maximum amount for the penalty fee, the definition of the concept of company is used as it follows from the practice of the European Court of Justice according to Articles 101 and 102 of the TFEU (see recital 150 of the Data Protection Regulation). From the court's practice it appears that the concept of company includes every entity that carries out economic activities, regardless of the entity's legal form and the method of its financing, as well as whether the entity in the legal sense consists of several natural or legal persons.


What constitutes a company must therefore be based on the definitions of competition law.

The rules for group liability in EU competition law revolve around the concept of economic unit. A parent company and a subsidiary are considered part of the same economic unit when the parent company exercises decisive influence over the subsidiary. The decisive influence (i.e. control) can be achieved either through ownership or by agreement. It appears from the practice of the European Court of Justice that one hundred percent or almost one hundred percent ownership gives rise to a presumption that control exists. However, the presumption can be rebutted if the company provides sufficient evidence to prove that the subsidiary acts independently on the market.[3] To rebut the presumption, the company must therefore provide evidence relating to the organizational, financial and legal links between the subsidiary and its parent company which shows that they do not constitute an economic unit even though the parent company owns 100 percent or almost 100 percent of the shares.[4]


[2] EDPB's Guidelines 04/2022 on the calculation of administrative fines under the GDPR, adopted on 24 May 2023.
[3] Case C-97/08, paras. 59-61.
[4] Cf. EDPB's Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 125 and the rulings reported there.








The group of which Indecap is a part consists of three companies: the parent company Indecap Holding AB and the two sister companies Indecap and Indecap Fonder AB. Indecap Holding AB's commission income consists of Indecap's and Indecap Fonder AB's commission income.


Indecap has stated that the turnover attributable to Indecap Fonder AB should be excluded when calculating a penalty fee. In support of this, Indecap has stated that the current violation only occurred in one of the group companies, namely Indecap. Indecap is a securities company that provides individual pension savings and advice on the fund market. Indecap Fonder AB is in turn a fund company that manages nine funds within different equity and fixed income strategies. Indecap Fonder AB has few direct customers but distributes the funds via various platforms and banks. Indecap Fonder AB's funds are indeed selectable at Indecap, but Indecap's fund portfolios also consist of many other funds that have no connection to either Indecap Fonder AB or Indecap Holding AB. The customer data included in the mailing belonged only to customers of Indecap.


Indecap Holding AB owns 100 percent of the shares in Indecap, and there is therefore a presumption that Indecap and Indecap Holding AB constitute an economic unit. Indecap has not put forward anything that shows that Indecap acts independently in relation to the parent company such that the presumption is rebutted. That subsidiaries in the group have businesses with different orientations, or that an incident only occurred in one subsidiary, are not circumstances that in themselves have any effect on the presumption of the parent company's influence.

IMY assesses, with regard to the above, that the turnover to be used as the basis for calculating the administrative penalty fee that may be imposed on Indecap is that of Indecap's parent company, Indecap Holding AB (556971-6987).


In the EDPB's guidelines, the starting point is that the annual turnover refers to the company's net sales, i.e. the amount obtained through the sale of goods and provision of services after deduction of sales discounts and value added tax as well as other taxes that are directly related to turnover.[5][6] To determine what turnover Indecap Holding AB had during the previous financial year, IMY has obtained information from the group's annual report for 2022. This information shows that Indecap Holding AB has had commission income amounting to SEK 558,260,000.

Indecap has stated that Indecap Holding AB's annual report is prepared in accordance with the Act (1995:1559) on annual reports in credit institutions and securities companies and that the item for commission income does not fairly reflect the group's net sales.

The reported commission income is stated before the mandatory discount on management fees agreed with the Pensions Authority has been deducted. The agreement with the Pensions Authority on the discount is a requirement for a fund company to be able to offer funds on the premium pension fund market. Discounts to the Pensions Authority amounted in 2022 to SEK 394,326,770. Indecap Holding AB's net turnover is thus the sum which remains after this discount has been deducted. Indecap has submitted documents verifying the discounts provided to the Pensions Authority.

[5] EDPB's Guidelines 04/2022 on the calculation of administrative fines under the GDPR, points 128-130.
[6] The definition corresponds to that stated in Article 5.2 of Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013 on annual accounts, consolidated accounts and related reports of certain types of companies, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Council Directives 78/660/EEC and 83/349/EEC (text with EEA relevance), which has been implemented in Swedish law through Chapter 1, Section 3, third point of the Annual Accounts Act (1995:1554).


IMY makes the following assessment. Indecap Holding AB's annual report contains no clear accounting item that can be equated with the company's net sales. In order for a sanction fee to have the corresponding effect regardless of the accounting rules that apply to the entity at which the intervention is aimed, it is however important, according to IMY, that the turnover is calculated in such a way that it corresponds to what would have constituted net turnover if the accounting rules of the Annual Accounts Act had been applied. There is a lack of clarifications from the EU Court of Justice or the EDPB on how the annual turnover of credit institutions and securities companies is to be calculated. IMY therefore assesses, against the background that net turnover must be determined with deduction of discounts provided, that the relevant annual turnover for Indecap Holding AB must be assessed with deductions for discounts on management fees. Indecap has proven through submitted documents that the discounts to the Pensions Authority in 2022 amounted to the amount indicated.


IMY assesses, with regard to the above, that the relevant annual turnover for Indecap Holding AB is approximately SEK 140,199,260. Two percent of that annual turnover is approximately SEK 2,800,000. The maximum penalty amount that can be determined in the case is therefore EUR 10,000,000.

The seriousness of the violation

IMY assesses that the following factors are important for the assessment of the seriousness of the infringement.


IMY has established that Indecap did not take sufficient technical and organizational measures to reduce the risk that personal data about the company's customers would be disseminated to unauthorized persons. The security flaws in question have led to an incident that has affected a large number of data subjects, and a large number of unauthorized recipients have been able to access others' personal data in plain text. The information has included financial information and social security numbers, i.e. information that requires strong protection. The processing of the personal data was also part of Indecap's core business, where the data is covered by statutory confidentiality. Indecap was also aware of the risks of e-mailing and had therefore introduced special control routines, but due to the pandemic deviated from the control routine without taking compensatory protective measures.


When assessing the seriousness of the violation, IMY takes into account, in mitigation, that Indecap had already started work on replacing the current form of mailing with a more secure alternative before the incident. This process was also accelerated after the incident.


It appears from the EDPB's guidelines that the supervisory authority must assess whether the violation is of low, medium or high severity.[7] IMY assesses, against the background of the above circumstances, that overall it is a violation of Article 32.1 of the Data Protection Regulation of medium severity.


As a mitigating circumstance, it is taken into account that Indecap, before IMY started supervision, immediately and in a clear manner informed the data subjects concerned about what had occurred. IMY also considers it a mitigating circumstance that Indecap contacted the recipients of the erroneously sent e-mail message and asked them to delete the message and confirm that this had been done.

[7] EDPB's Guidelines 04/2022 on the calculation of administrative fines under the GDPR, point 60.


The penalty fee must be effective, proportionate and dissuasive
The administrative penalty fee must be effective, proportionate and dissuasive. This means that the amount must be determined so that the administrative penalty fee leads to correction, that it has a preventive effect and that it is, in addition, proportionate in relation to the violation in question as well as to the supervised entity's ability to pay.

IMY assesses that a penalty fee calculated on the parent company's total net turnover would not, in the present case, lead to a penalty fee that is far too high in relation to the violation established in the case. There is therefore no reason to reduce the penalty fee on the basis that the violation only concerned one company in the group.

In light of the seriousness of the violation and the aggravating and mitigating circumstances, IMY determines the administrative sanction fee for Indecap at SEK 500,000 for the established violation. IMY considers this amount to be effective, proportionate and dissuasive.


This decision has been taken by the head of unit Catharina Fernquist after a presentation by the lawyer Evelin Palmér. The Chief Legal Officer David Törngren, the lawyer Cecilia Agnehall and the IT and information security specialist Katarina Bengtsson also participated in the final proceedings.




Catharina Fernquist, 2023-11-07 (This is an electronic signature)




Copy to:
1. The complainants






How to appeal

If you want to appeal the decision, you must write to the Swedish Privacy Agency. State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by IMY no later than three weeks from the day you were informed of the decision. If the appeal has been received in time, IMY forwards it to the Administrative Court in Stockholm for examination.


You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be subject to confidentiality. The authority's contact details appear on the first page of the decision.