
Tietosuojavaltuutetun toimisto (Finland) - TSV/132/2022

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(f) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 23.12.2022
Decided: 17.12.2024
Published: 20.12.2024
Fine: 950,000 EUR
Parties: Sambla Group
National Case Number/Name: TSV/132/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: ao

The DPA fined a loan comparison service provider €950,000 for making loan applications available to the public without implementing appropriate safeguards, thus violating the principle of integrity and confidentiality.

English Summary

Facts

On 23 December 2022, the data subject filed a complaint against Sambla Group, a loan comparison service provider.

The data subject alleged that their loan application was accessible through a URL which had been sent to them. Any third party who learned that URL would be able to see the entire loan application.

The complaint led the Finnish DPA to open a broader investigation into Sambla Group, which found the following.

The DPA examined the access logs of the URLs for the period from 24 February 2017 (the GDPR became applicable on 25 May 2018) to 24 March 2024. The URLs were published on two different public websites and led to fully filled-in loan applications. The submitted applications included: the applicant's personal identification number, e-mail address, account number, home address, nationality, telephone number, monthly income, sources of income, any additional applicant, marital status, monthly income of a spouse, any children, occupation, education, any military service performed, housing, housing expenditure and ownership of a holiday home. Some of this data was readable directly from the page, while some was held in the browser's session storage.

The controller argued that the information on a loan application had been visible only to the person to whom a link to it had been sent by SMS at their own request; other IP addresses would not have been able to view the personal data. It further argued that excessive access requests from the same IP address would have been blocked by the firewall.

However, the investigation found numerous instances of access by third parties. In tens of thousands of cases, a single IP address visited more than ten URLs containing a loan application on the same day. At the peak, 22,193 visits were made from a single IP address in a single day, and the firewall did not block these requests.

Further, the URLs, and therefore the personal data, were also fetched by automated clients, such as requests carrying a Python request user agent. In addition, search engine crawlers such as Googlebot indexed the controller's short URLs; the logs record a total of 3,330,563 requests made by Googlebot.
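As an added illustration, not part of the decision or of this summary, the following Python script shows the kind of access-log check a controller could run to surface the two patterns the investigation describes: one IP address reading many distinct application URLs within a day, and automated clients such as a Python request agent or Googlebot fetching application URLs at all. The Combined Log Format, the `/a/<token>` path scheme, the IP addresses, the user-agent list and the per-day threshold are constructed assumptions, not the controller's real configuration.

```python
"""Access-log check for the two exposure patterns described in the Facts.
Added example: log format, paths, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache/Nginx Combined Log Format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Constructed placeholder for the short application-link scheme.
APP_PATH = re.compile(r"^/a/[A-Za-z0-9]+$")
# User-agent markers named in the investigation; extend from your own UA inventory.
AUTOMATED_UA = ("python-requests", "googlebot")
# The decision treats >10 application URLs from one IP in one day as anomalous.
MAX_DISTINCT_APPS_PER_DAY = 10


def parse_line(line):
    """Return a dict of log fields plus an ISO date, or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    return rec


def analyse(lines):
    """Flag (ip, day) pairs that read too many distinct applications, and every
    successful application fetch by an automated client."""
    per_ip_day = defaultdict(set)   # (ip, day) -> distinct application paths served
    automated = []                  # (ip, user-agent, path) for scripted/crawler hits
    for line in lines:
        rec = parse_line(line)
        # Only successful responses on application links count as disclosures.
        if rec is None or not APP_PATH.match(rec["path"]) or rec["status"] != "200":
            continue
        per_ip_day[(rec["ip"], rec["day"])].add(rec["path"])
        if any(tag in rec["ua"].lower() for tag in AUTOMATED_UA):
            automated.append((rec["ip"], rec["ua"], rec["path"]))
    bulk = {k: len(v) for k, v in per_ip_day.items() if len(v) > MAX_DISTINCT_APPS_PER_DAY}
    return {"bulk_readers": bulk, "automated_hits": automated}


# Constructed sample: one legitimate applicant, one bulk reader, a crawler, a script.
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Mar/2024:09:12:01 +0200] "GET /a/k3J9xQ HTTP/1.1" 200 5120 "-" '
     '"Mozilla/5.0 (Android 13)"']
    + [f'198.51.100.23 - - [10/Mar/2024:11:{i:02d}:00 +0200] "GET /a/tok{i:03d} HTTP/1.1" '
       f'200 5100 "-" "Mozilla/5.0"' for i in range(12)]
    + ['66.249.66.1 - - [10/Mar/2024:12:00:00 +0200] "GET /a/k3J9xQ HTTP/1.1" 200 5120 "-" '
       '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
       '192.0.2.9 - - [11/Mar/2024:03:30:00 +0200] "GET /a/tok001 HTTP/1.1" 200 5100 "-" '
       '"python-requests/2.31.0"',
       # A 404 is not a disclosure and is ignored.
       '192.0.2.9 - - [11/Mar/2024:03:30:05 +0200] "GET /a/zzzzzz HTTP/1.1" 404 120 "-" '
       '"python-requests/2.31.0"']
)

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for (ip, day), n in result["bulk_readers"].items():
        print(f"{day}: {ip} read {n} distinct applications")
    for ip, ua, path in result["automated_hits"]:
        print(f"automated client {ip} ({ua}) fetched {path}")
```

Run against real logs, the same two signals (distinct application URLs per source per day, and any successful fetch by a crawler or scripted client) are what a periodic review under Article 32 would have surfaced years before the complaint; the threshold is deliberately a parameter so it can be tuned to the actual volume of legitimate SMS-link openings.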

Holding

The DPA found that the controller had infringed Article 5(1)(f) GDPR, Article 25(1)&(2) GDPR and Article 32(1)&(2) GDPR.

Once the seriousness of the security flaws became apparent, the controller was ordered to stop processing the personal data of loan applicants. The company was further ordered to inform its customers of the data breach.

The DPA found that the controller had neither implemented the measures required under Article 32 GDPR nor put in place a process for regularly testing, assessing and evaluating the effectiveness of its security measures. These shortcomings had been present since the controller's system went into use on 24 February 2017, which the DPA treated as an aggravating factor. The DPA further stressed that the controller's entire business model relied on the processing of personal data, and that the inadequate security measures demonstrated its negligence.

The sanctioning panel of the Finnish DPA decided that a fine of €950,000 was appropriate for the infringement.

Comment

This decision is closely related to the interim decision of 25.3.2024, in which the DPA ordered the controller to stop processing the personal data of loan applicants, and to the parallel decision TSV/12501/2024, in which the DPA ordered the controller to inform its customers of the data breach.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.