GDPR News – June 2021
Selected GDPR decisions from the month of June
Danish Ministry of Justice attracts criticism and is ordered to inform data subjects about unencrypted emails containing personal data
The Danish Ministry of Justice sent an email to the Danish Bar and Law Society containing 35 persons’ names, personal ID numbers and also reminders about transferring collection of fines to the Danish Tax authorities.
The email had been sent outside the usual encrypted channels, and it could not be verified whether it had been sent encrypted. The Ministry had decided not to inform the data subjects.
The Danish Data Protection Agency criticised the Ministry of Justice for having acted contrary to the provisions of the GDPR, both when sending the email and when handling the breach.
The DPA was particularly critical that three months passed between the Ministry being informed of the potential breach and its investigation, which delayed the report to the DPA.
The DPA also rejected the Ministry of Justice’s assessment that no report to the DPA was needed. It found that the risk assessment had not considered the data subjects’ potential loss of rights, but had focused only on the fact that the Ministry had no knowledge of actual consequences. The risk assessment had primarily relied on the Ministry having no knowledge that anyone unauthorised had accessed the email at issue, while, e.g., reputational damage and future business had not been included in the assessment.
Since the DPA considered the risk as high, the Ministry of Justice was ordered to inform the data subjects about the breach.
Norwegian DPA imposes EUR 39,700 fine on BRAbank
On 6 September 2019, BRAbank ASA (BRAbank) reported a personal data breach to the Norwegian DPA, because some of the bank’s customers could access other customers’ personal data through “My page”, a new customer portal on the bank’s website. The personal data included terms of credit and addresses. Among other things, “My page” was intended to give an overview of loans taken out at BRAbank.
At the DPA’s request, BRAbank stated that the risk to the data subjects’ rights and freedoms was considered low, since customers could not make any changes to the IT solution behind the customer portal, and the data was not of a sensitive nature.
The bank stated that the IT solution had been tested in its test environment from May 2019 until August 2019 and subsequently verified in an in-house environment. When launching the customer portal, the bank sent login details to a small number of customers (about 500), of which 91 logged in. BRAbank established that one customer could access address data, and that at least two other customers received incorrect loan information.
BRAbank discovered the personal data breach when a customer contacted the bank shortly after the launch and reported that the balances and payment schedules shown did not match her loans. BRAbank shut down “My page” immediately, 10 minutes after launch. The 91 customers who had logged in during those minutes were all informed of the breach and the number of logins by SMS and email.
Based on investigations, the Norwegian DPA found that BRAbank had not complied with the requirements of the GDPR about risk assessment and adequate technical measures when launching the customer portal.
The DPA assessed that the breach could have been prevented if BRAbank had carried out the risk assessment and review required by law; BRAbank was therefore fined EUR 39,700.
Danish Municipality of Vejle reported to the police and faces fine of DKK 200,000 (about EUR 27,000)
The Danish DPA has reported the Municipality of Vejle to the police and recommended a fine of DKK 200,000 (about EUR 27,000), as the DPA has assessed that the Municipality has not met its obligation as data controller to implement adequate security measures in compliance with the GDPR.
The DPA became aware of the matter when the Municipality reported a breach of personal data security. It emerged that the local children’s dental service had a standard practice of sending out welcome letters containing both parents’ addresses, and such letters were automatically sent to both parents holding custody. The Municipality had failed to assess in each case whether the information could be passed on to the other parent. In several cases this meant that parents received the other parent’s (and the child’s) address, regardless of whether they were protected under the Danish scheme for non-disclosure of name and address.
Under the GDPR, all public authorities are subject to penalties in the same way as private individuals, but the fine limits for public authorities are lower than those applicable to private individuals. Special consideration must be given to the particular situation of authorities: unlike private individuals, authorities are required by law to carry out certain statutory tasks, so they cannot simply stop processing a matter in order to bring something that might be unlawful to an end.
The DPA decided to recommend that a fine of DKK 200,000 be imposed on the Municipality of Vejle. In recommending the fine, the DPA took into account the nature and severity of the breach, and the GDPR requirement that a fine in each individual case be effective, proportionate and dissuasive. Weight was also given to the size of the municipality in terms of population and its aggregate operating grant.