IMY (Sweden) - DI-2021-4664
| IMY - DI-2021-4664 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR Article 58(2)(b) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 29.03.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | Ellos Group AB |
| National Case Number/Name: | DI-2021-4664 |
| European Case Law Identifier: | EDPBI:SE:OSS:D:2022:352 |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
In an Article 60 GDPR procedure, the Swedish DPA determined that the controller violated Article 32(1) GDPR by failing to provide an appropriate level of security for the internal handling of customers' accounts.
English Summary
Facts
The controller was an e-commerce website, which had a practice of "merging" customer profiles in case two or more accounts were created using the same personal data. The aim of this process was to limit processing of personal data. Seemingly, the controller did not ensure that the data provided actually belonged to the same customer. The merging system would automatically link accounts, which resulted in some customers losing access to their original account and others gaining access to personal data of third parties, such as their purchase history.
A data subject, who was not able to use their original account anymore due to a "merging" process, filed a complaint at the Norwegian DPA, which transferred the complaint to the Swedish DPA. The latter was the lead supervisory authority in this decision pursuant to Article 56 GDPR. The concerned supervisory authorities were located in Norway, Denmark and Finland.
Holding
The DPA held that any processing of personal data must comply with the principles in Article 5 GDPR. One of these principles is the requirement of security under Article 5(1)(f) GDPR (‘integrity and confidentiality’). Article 32 GDPR regulates the security of processing.
The DPA determined that the controller violated Article 32(1) GDPR by failing to take appropriate measures to ensure an appropriate level of security for the “merge process”. The DPA determined that, after supervision started on May 21 2021, the controller had taken steps to ensure that the purchase history was no longer available upon activation of the “merge customer process” and intended to take security measures. The DPA determined that there were no reasons to doubt the use of the “merge customer” process, based on its purpose of limiting processing, after the mentioned improvements had been made by the controller.
However, the DPA found that the “merge process” (prior to the start of supervision by the DPA on 21 May 2021) was designed that a customer’s purchase and return history could be made available to unauthorised persons by creating a new account with an existing customer’s first name, surname, street name, street code and postal code. Because this information was publicly available in open sources, information on customers’ buying habits was not sufficiently protected against unauthorised disclosure. The DPA determined that this deficiency should have been detected at an early stage prior to the start of the processing of personal data. Therefore, the controller violated Article 32(1) GDPR.
The DPA reprimanded the controller pursuant of Article 58(2)(b) GDPR and held that this was a minor infringement (recital 148 GDPR). It considered amongst other things that the controller had taken measures to protect information about customers’ buying habits from unauthorised disclosure. Also, neither sensitive nor integrity-sensitive data was involved.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(5)
Notice: This document is an unofficial translation of the
Swedish Authority for Privacy Protection’s (IMY) final
decision 2022-03-29, no. DI-2021-4664. Only the Swedish
version of the decision is deemed authentic.
Ref no:
DI-2021-4664, IMI case no. Supervision under the General Data
134632
Protection Regulation – Ellos Group
Date of final decision:
2022-03-29 AB
Date of translation:
2022-03-31
Final decision of the Swedish Authority for
Privacy Protection (IMY)
The Swedish Authority for Privacy Protection (IMY) finds that Ellos Group AB has
processed personal data in breach of Article 32(1) of the General Data Protection
1
Regulation (GDPR) by failing to take appropriate technical and organizational
measures until 21 May 2021 to ensure an appropriate level of security for the
company’s “merge customer” process. 2
The Authority for Privacy Protection issues Ellos Group AB a reprimand pursuant to
Article 58(2)(b) of the GDPR for the infringement of Article 32(1) of the GDPR.
Report on the supervisory report
The Authority for Privacy Protection (IMY) has initiated supervision regarding Ellos
Group AB (Ellos or the company) due to a complaint. The complaint has been
submitted to IMY, as responsible supervisory authority for the company’s operations
pursuant to Article 56 of the General Data Protection Regulation (GDPR). The
handover has been made from the supervisory authority of the country where the
complainant has lodged their complaint (Norway) in accordance with the Regulation’s
provisions on cooperation in cross-border processing.
The investigation in the case has been carried out through correspondence. In the light
of a complaint relating to cross-border processing, IMY has used the mechanisms for
cooperation and consistency contained in Chapter VII GDPR. The supervisory
authorities concerned have been the data protection authorities in Norway, Denmark
and Finland.
Postal address:
Box 8114
104 20 Stockholm
Website:
www.imy.se
1
E-mail: protection of natural persons with regard to he processing of personal data and on the free movement of such data,
imy@imy.se and repealing Directive 95/46/EC (General Data Protection Regulation).
Phone: 2The “Merge customer” process means hat two or more accounts on a website canto one, in case a
08-657 61 00 person establishes several accounts with the same personal data.Privacy Protection Authority Our ref: XXX 2(5)
Date:2022-03-29
The complaint
It is stated in the complaint that the complainant wished to assist their cousin in
receiving an order from Ellos. The cousin therefore used the complainant’s postal
address when placing the order. A few days later, when the complainant tried to log
into their Ellos account, the account was deleted or blocked. The complainant’s cousin
was then able to access, through their account, the complainant’s purchase history.
The complainant has been in contact with the company’s customer service but has not
had the problem solved. The complainant considers that there is a lack of safety. The
complainant also states that they could have had their credit card details registered in
their customer account, which they did not have.
What Ellos has stated
Ellos has mainly stated the following.
Ellos is the data controller for the processing to which the complaint relates.
The company has a process called “merge customer” which means that when a new
customer profile is created and the new profile consists of identical data already
registered in an existing customer profile, the existing customer profile is merged with
the new one. In creating an account, the complainant’s cousin used the complainant’s
first name, surname, street name, street number and postcode. The complainant’s
customer profile was then merged with the new customer profile created by the
complainant’s cousin.
According to the company, the purpose of the “merge customer” process is to merge
user accounts if there is reason to assume that a customer does not remember their
login details and therefore registers again. This is done in order to limit the processing
of personal data by the company to updated and current data. The process was
introduced as a more privacy-friendly option when the GDPR entered into force, in
order not to use social security numbers as an identifier.
When the accounts of the complainant and their cousin were merged and the cousin
tried to place an order from the new account, an e-mail was sent to the previously
registered e-mail address, i.e. the complainant’s e-mail, so that the ordering process
could be interrupted if the wrong person had attempted to place the order. When the
complainant contacted Ellos and stated that the order was placed by someone else
(the cousin), the account was temporarily blocked.
At the time when the “merge customer” process took place, the complainant’s cousin
did get access to the complainant’s purchase and return history. However, the cousin
did not have access to invoices, payment card details or other information on
payments.
Ellos states that, after receiving IMY’s inspection letter, it has taken steps to ensure
that the purchase history is not available in case the “merge customer process” is
activated. Ellos further states that it is working on implementing corresponding security
measures regarding access to the return history. According to the company, the
implementation is expected to be completed in the near future.
The company also states that they intend to contact the complainant in order to
provide information on how the complainant can lift the block on its account.Privacy Protection Authority Our ref: XXX 3(5)
Date:2022-03-29
Justification of the decision
Applicable provisions, etc.
Any processing of personal data must comply with the fundamental principles set out
in Article 5 of the GDPR. One of these is the requirement of security under Article
5(1)(f). It follows that personal data must be processed in such a way as to ensure
appropriate security of the personal data, including protection against unauthorised or
unlawful processing and accidental loss, destruction or damage, using appropriate
technical or organisational measures.
Article 32 regulates the security of processing. Paragraph 1 requires the controller,
taking into account the latest developments, the costs of implementation and the
nature, scope, context and purposes of the processing, as well as the risks, of varying
probability and severity, to the rights and freedoms of natural persons, to take
appropriate technical and organisational measures to ensure a level of security
appropriate to the risk.
According to Article 32(2), when assessing the appropriate level of security, account
shall be taken in particular of the risks that are presented by processing, in particular
from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or
access to personal data transmitted, stored or otherwise processed.
Assessment of the Authority for Privacy Protection (IMY)
Has the company infringed Article 32(1) of the General Data Protection
Regulation?
IMY notes, first of all, that Ellos Group AB, after the supervision started on 21 May
2021, has taken steps to ensure that the purchase history is not available upon
activation of the “merge customer process” and intends to take measures to ensure
that the return history is not available. The investigation has not shown that there is
reason for IMY to question the use of the “merge customer” process based on the
company’s purpose of limiting the company’s processing to current and updated
personal data, after the abovementioned improvements have been made.
However, IMY has found that the “merge customer process” prior to the start of
supervision on 21 May 2021 was designed in such a way that a customer’s purchase
and return history could be made available to unauthorised persons by creating a new
account with an existing customer’s first name, surname, street name, street code and
postal code. Since the information required to create a new account was publicly
available in open sources, for example in online directory services, information on
customers’ buying habits has not been sufficiently protected against unauthorised
disclosure. According to IMY’s assessment, the deficiency should have been detected
at an early stage prior to the start of the processing of personal data. Ellos Group AB
has thus processed personal data in breach of Article 32(1) of the GDPR.
Choice of corrective measure
It follows from Article 58(2)(i) and Article 83(2) of the GDPR that the IMY has the
power to impose administrative fines in accordance with Article 83. Depending on the
circumstances of the case, administrative fines shall be imposed in addition to or in
place of the other measures referred to in Article 58(2), such as injunctions andPrivacy Protection Authority Our ref: XXX 4(5)
Date:2022-03-29
prohibitions. Furthermore, Article 83(2) provides which factors are to be taken into
account when deciding on administrative fines and in determining the amount of the
fine. In the case of a minor infringement, as stated in recital 148, IMY may, instead of
imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Factors to consider is
the aggravating and mitigating circumstances of the case, such as the nature, gravity
and duration of the infringement and past relevant infringements.
IMY notes the following relevant facts. The company has taken measures to protect
information about customers’ buying habits from unauthorised disclosure. Neither
sensitive nor integrity-sensitive data has been involved. The infringement was
committed negligently, affected one person and, when the company understood the
complainant's intention, it took action. IMY has not previously established that the
company has infringed the GDPR.
Against this background IMY considers that it is a minor infringement within the
meaning of recital 148 and that Ellos Group AB must be given a reprimand pursuant to
Article 58(2)(b) of the GDPR.
This finaldecision has been made by the specially appointed decision-maker
after presentation by legal advisor .Privacy Protection Authority Our ref: XXX 5(5)
Date:2022-03-29
How to appeal
If you want to appeal the decision, you should write to the Authority for Privacy
Protection. Indicate in the letter which decision you appeal and the change you
request. The appeal must have been received by the Authority for Privacy Protection
no later than three weeks from the day you received the decision. If the appeal has
been received at the right time, the Authority for Privacy Protection will forward it to the
Administrative Court in Stockholm for review.
You can e-mail the appeal to the Authority for Privacy Protection if it does not contain
any privacy-sensitive personal data or information that may be covered by
confidentiality. The authority’s contact information is shown in the first page of the
decision.
