Persónuvernd - 2020010649
The Icelandic DPA (Personuvernd) established that by granting access to the complainant's online banking account to an unauthorised person, Íslandsbanki (bank) was processing personal data in violation of Articles 8(1)(6), 23, 24, and 27 Act 90/2018 (Articles 5(1)(f), 24, 25 and 32 GDPR).
English Summary
Facts
The complainant complained to the Icelandic DPA (Personuvernd) that an unauthorised person (his mother) had been given access to his online banking account by his bank, Íslandsbanki. The complainant's mother was able to read his financial information and his portfolio of securities without his consent. The complainant claimed that this violated his right to confidentiality and privacy.
Íslandsbanki argued that the complainant's mother was given access to his personal data in online banking because of a human error by an employee. Íslandsbanki stated that neither the complainant's consent nor a proxy had been obtained for the purpose of granting access to an unauthorised person. Íslandsbanki also stated that it had not reported the security breach to the DPA because the breach was unlikely to pose a risk to the complainant's rights and freedoms (Article 27(2) Act 90/2018). In the bank's view, the risk to the data subject was limited because the unauthorised person granted access was a member of his family and the read access was limited to the complainant's portfolio of securities.
Dispute
Was granting access to the complainant's online banking to an unauthorised person as a result of a human error a violation of the Act 90/2018 and the GDPR?
Holding
The Icelandic DPA clarified that a legal basis for the processing was required under Act 90/2018. This could be either the consent of the data subject (Article 9(1) Act 90/2018) or necessity for the legitimate interests of the controller (Article 9(6) Act 90/2018). The DPA established that there was no such legal basis, since access to the complainant's online banking personal data had been granted to his mother as a result of a human error by an employee at Íslandsbanki.
The Icelandic DPA established that there is a duty to respect the principle that personal data must be processed in a manner that ensures its security, according to Article 8(1)(6) Act 90/2018 (Article 5(1)(f) GDPR). This was interpreted as requiring that personal data be kept confidential from unauthorised persons. The Icelandic DPA then referred to Article 23 Act 90/2018 (Article 24 GDPR) to establish that appropriate technical and organisational measures should be taken by the data controller (Íslandsbanki). The DPA also noted that there is a duty to ensure that security measures guarantee privacy by design and by default, according to Article 24 Act 90/2018 (Article 25 GDPR). Finally, the Icelandic DPA outlined that Article 24(2) and Article 27 Act 90/2018 (Article 25(2) and Article 32 GDPR) require controllers to have technical and organisational measures in place to protect personal data against unauthorised access. By granting access to an unauthorised person, Íslandsbanki did not provide appropriate security for the complainant's personal data. Therefore, Íslandsbanki's processing of personal data was not in accordance with Articles 8(1)(6), 23, 24, and 27 Act 90/2018.
The Icelandic DPA suggested that Íslandsbanki take additional security measures and verify its procedures for granting access to online banking. Íslandsbanki must provide the Icelandic DPA with confirmation that it has done so by next September.
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Unauthorised online access granted to a client's securities custody portfolio at Íslandsbanki

Case no. 2020010649, 23.9.2020

The Data Protection Authority has ruled in a case concerning a complaint about Íslandsbanki's processing of the complainant's financial information: owing to a human error, an unauthorised person was given online access to his portfolio of securities held at the bank. It was concluded that the bank's processing had not complied with Act no. 90/2018, on personal data protection and the processing of personal data. It was proposed that Íslandsbanki take security measures in accordance with the requirements of Act no. 90/2018 and Regulation (EU) 2016/679. The bank was also asked to verify in an appropriate manner that its procedures include safeguards and security measures, e.g. when a customer's access to electronic services is established, so that the access authorisation granted is not broader than the bank's customer confirms.

Ruling

On 4 September 2020, the Data Protection Authority issued a ruling in case no. 2020010649:

I. Procedure

1. Outline of the case

On 14 July 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant) that Íslandsbanki had granted an unauthorised third party read access, via online banking, to the custody portfolio of his securities holdings at the bank.

2. Correspondence

By letter dated 3 September 2019, Íslandsbanki was invited to present explanations regarding the complaint. The bank answered by letter dated 23 September 2019. By letter dated 1 October of the same year, the complainant was given an opportunity to submit comments on Íslandsbanki's views. The complainant's comments were received by letter dated 11 October of the same year. In resolving the case, all of the above documents have been taken into account, although not all of them are specifically mentioned in the following ruling.

3. The complainant's views

The complainant bases his complaint on the fact that an unauthorised person, namely his mother, was granted read access via online banking to his financial information, more specifically to his portfolio of securities, without his consent. Contrary to Íslandsbanki's view, the complainant considers that the fact that the unauthorised person is close to him adds to the seriousness of the case. The complainant also considers that the above constitutes, among other things, a violation of his right to confidentiality and privacy.

4. Íslandsbanki's views

In its letter, Íslandsbanki states that on 29 July 2019 the complainant contacted the bank and requested an explanation as to why his mother had access to his data in online banking. A subsequent inspection by the bank revealed that an employee's human error was involved, which was corrected immediately. It was believed that the mistake had occurred when the custody portfolio was set up in 2000, as both parties had entered into an agreement with the bank at the same time and the same employee had handled the affairs of both. It was also stated that neither a proxy nor the complainant's consent had been obtained for the establishment of such access. It was further stated that in the bank's assessment there was no reason to notify the above-mentioned security breach to the Data Protection Authority, as the bank considered it very unlikely to pose a risk to the complainant's rights and freedoms, cf. Article 27(2) of Act no. 90/2018 on personal data protection and the processing of personal data. The person in question was related to the complainant by family ties, which the bank believed could generally be expected to reduce the risk of a further breach of confidentiality, and his mother had only read access to this particular portfolio of the complainant's securities, not to his other documents, nor any authorisation to perform transactions.

II. Premises and conclusion

1. Legal framework and delimitation of the case

Act no. 77/2000 on personal data protection and the handling of personal data, which was in force when the initial events of the case took place, was replaced by Act no. 90/2018, on personal data protection and the processing of personal data, which entered into force on 15 July 2018. That Act also enacted the General Data Protection Regulation, (EU) 2016/679, as adapted and incorporated into the EEA Agreement. As this complaint concerns a situation that existed from the year 2000 until 2019, and as the relevant rules of data protection law have not materially changed, the matter will be resolved on the basis of Act no. 90/2018.

2. Scope - Controller

The scope of Act no. 90/2018, on personal data protection and the processing of personal data, and of Regulation (EU) 2016/679, cf. Article 4(1) of the Act, and thereby the jurisdiction of the Data Protection Authority, cf. Article 39(1) of the Act, covers the processing of personal data that is wholly or partly automated, and the processing by other than automated means of personal data that form or are intended to form part of a filing system. Personal data means information relating to an identified or identifiable natural person; a person is considered identifiable if he or she can be identified, directly or indirectly, by reference to an identifier or to one or more factors characteristic of that person, cf. point 2 of Article 3 of the Act and point 1 of Article 4 of the Regulation. Processing means an operation or set of operations performed on personal data, whether or not by automated means, cf. point 4 of Article 3 of the Act and point 2 of Article 4 of the Regulation.

This case concerns an unauthorised person being granted access, via online banking, to the complainant's financial information, i.e. to a specific portfolio of his securities holdings. In this respect, and in light of the above provisions, the case concerns the processing of personal data that falls within the jurisdiction of the Data Protection Authority. Under Act no. 90/2018 and Regulation (EU) 2016/679, financial information is considered general personal data.

The party responsible for ensuring that the processing of personal data complies with Act no. 90/2018 is termed the controller. According to point 6 of Article 3 of the Act, this means the natural or legal person, public authority or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, cf. point 7 of Article 4 of the Regulation. As such, Íslandsbanki is considered to be the controller for the processing in question.

3. Lawfulness of the processing

All processing of personal data must satisfy one of the conditions of Article 9 of Act no. 90/2018. For instance, processing may be considered permissible on the basis of the data subject's consent, cf. point 1 of paragraph 1 of that Article, or where the processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the fundamental rights and freedoms of the data subject which require the protection of personal data, cf. point 6 of the same paragraph.

In addition to such an authorisation, the processing of personal data must satisfy all the basic principles of paragraph 1 of Article 8 of Act no. 90/2018, cf. Article 5 of Regulation (EU) 2016/679. These provide, among other things, that personal data shall be processed in a manner that ensures its appropriate security (point 6). This basic principle is further elaborated in Articles 23 and 24 of the Act, which state that the controller is responsible for ensuring the security of the personal data being processed. Information security entails, among other things, that personal data is kept confidential from unauthorised persons and is accessible only to those who need it.

According to Article 23 of Act no. 90/2019, cf. Article 24 of Regulation (EU) 2016/679, the controller shall implement appropriate technical and organisational measures, taking into account the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of data subjects, to ensure and be able to demonstrate that the processing of personal data meets the requirements of the Regulation. Article 24 of the Act, cf. Article 25 of the Regulation, further states that these measures shall ensure data protection by design and by default. Paragraph 2 of the same Article of the Act states that the controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing is processed, as further set out in paragraph 2 of Article 25 of the Regulation. The foregoing means, among other things, that measures must be taken to protect personal data against unauthorised access.

According to the information available in this case, Íslandsbanki's disclosure of the personal data in question was the unintended consequence of a mistake that occurred without the complainant's consent, and there was no authorisation for it under Article 9 of Act no. 90/2018. Appropriate security of the data was therefore not ensured as required by point 6 of paragraph 1 of Article 8 and Articles 23, 24 and 27 of Act no. 90/2018, cf. Article 5(1)(f) and Articles 24, 25 and 32 of Regulation (EU) 2016/679. The processing was therefore contrary to the provisions of the law.

In view of the above, it is the conclusion of the Data Protection Authority that Íslandsbanki's processing of personal data about the complainant was not in accordance with Act no. 90/2018, on personal data protection and the processing of personal data. It is proposed that Íslandsbanki take security measures in accordance with the requirements of Act no. 90/2018. It is further proposed that the bank verify in an appropriate manner that its procedures include safeguards and security measures, e.g. when establishing a customer's access to electronic services, so that access is not more extensive than the bank's customer confirms. Íslandsbanki shall send the Data Protection Authority confirmation of the above before 25 September next.

Ruling (Úrskurðarorð):

Íslandsbanki's processing that led to unauthorised access to the financial information of [A] did not comply with Act no. 90/2018 on personal data protection and the processing of personal data. It is proposed that Íslandsbanki take security measures in accordance with the requirements of Act no. 90/2018 and Regulation (EU) 2016/679. It is also proposed that the bank verify in an appropriate manner that its procedures include safeguards and security measures, e.g. when a customer's access to electronic services is established, so that the access authorisation granted is not broader than the bank's customer confirms. Íslandsbanki shall send the Data Protection Authority confirmation of the above before 25 September next.

At the Data Protection Authority, 4 September 2020
Helga Þórisdóttir
Vigdís Eva Líndal