Denmark: Datatilsynet issues decision criticising Kombit for insufficient data security measures

The Danish data protection authority ('Datatilsynet') published, on 18 March 2022, its decision in Case No. 2020-442-6168, dated 23 February 2022, in which it expressed criticism of Kombit A/S for violations of Article 32(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following data breaches reported by 30 municipalities.

Background to the case

In particular, the Datatilsynet stated that the breaches reported by the municipalities took place in late 2019 and concerned an error in the 'Aula' platform used by the municipalities, where a user could access another user's files on the platform, including personal data, if the latter user had not logged out of their computer. More specifically, the Datatilsynet noted that the error was caused by a programming error introduced when implementing a change to the platform.

Findings of the Datatilsynet

Notably, following its investigation, the Datatilsynet found that Kombit, as a data processor, had not complied with the rules on data security, as the company had not ensured that sufficient testing of the platform was carried out in connection with the code change, thereby leaving the platform in operation without sufficient access right controls. In this regard, the Datatilsynet specified that the requirement to implement appropriate security measures under Article 32 of the GDPR will normally mean that all probable error scenarios should be tested in connection with the development and modification of software that processes personal data. As such, the Datatilsynet found that Kombit, by not undertaking sufficient testing of the platform following the code changes, had not taken appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved in its processing of personal data, in accordance with Article 32(1) of the GDPR.
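As an added illustration of the kind of "probable error scenario" testing the decision refers to (this is example code written for this note, not Kombit's or the Aula platform's code; the store, session and file names are hypothetical), the block below models a per-user file read with a deny-by-default authorisation check and runs the cross-user regression scenarios that a change to such a code path should always be checked against:

```python
# Added example, not the Aula platform's code: a deny-by-default file-read
# check plus the regression scenarios that should accompany any change to it.
# All identifiers and sample data are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class AccessDenied(Exception):
    """Raised whenever a session is not allowed to read a file."""


@dataclass
class Session:
    user_id: Optional[str]  # None models an anonymous or logged-out session
    active: bool = True     # False models a session that has been ended


@dataclass
class FileStore:
    # file_id -> (owner_id, content); constructed sample data only
    files: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def read(self, session: Session, file_id: str) -> str:
        # 1. Reject inactive or anonymous sessions before any lookup.
        if not session.active or session.user_id is None:
            raise AccessDenied("no authenticated session")
        entry = self.files.get(file_id)
        # 2. Missing and foreign files get the same answer: no existence leak,
        #    and never an "owner check" that can be skipped by a later refactor.
        if entry is None or entry[0] != session.user_id:
            raise AccessDenied(f"{session.user_id} may not read {file_id}")
        return entry[1]


def probable_error_scenarios(store: FileStore) -> Dict[str, bool]:
    """Scenarios that must hold after every change; True means 'behaved'."""
    alice, bob = Session("alice"), Session("bob")
    results = {"owner_can_read": store.read(alice, "f1") == "alice's notes"}
    denied_cases = [
        ("other_user_denied", bob, "f1"),                      # cross-user read
        ("logged_out_denied", Session("alice", active=False), "f1"),
        ("anonymous_denied", Session(None), "f1"),
        ("unknown_file_denied", alice, "no-such-file"),
    ]
    for name, sess, fid in denied_cases:
        try:
            store.read(sess, fid)
            results[name] = False  # a read succeeded where it must not
        except AccessDenied:
            results[name] = True
    return results


# Constructed sample store: two users, one file each.
SAMPLE_STORE = FileStore({"f1": ("alice", "alice's notes"), "f2": ("bob", "bob's notes")})
```

Running `probable_error_scenarios(SAMPLE_STORE)` after each change to the read path gives a single check that every expected denial still holds.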

Moreover, the Datatilsynet emphasised that Kombit and another company, Netcompany, could not agree on what tests could be expected to be performed in connection with the code changes, and that the same parties do not appear to agree on whether Netcompany acted as a sub-processor. In this regard, the Datatilsynet stated that the controller's instructions must make clear how such a disagreement is to be handled. Notably, the Datatilsynet clarified that a sub-processor cannot decide on its own about specific security measures that are necessary when the changes to be carried out affect processing that takes place solely under the controller's responsibility and instructions.

Furthermore, the Datatilsynet specified that the following should be considered aggravating circumstances in assessing the sanction to be imposed on Kombit:

  • the full extent of the breach could not be determined; however, in Gentofte Municipality alone, there were about 1,500 people whose access could have been abused;
  • the information concerned that of minors and in Gentofte Municipality alone, they could relate to several thousand minors; and
  • there does not seem to be clarity about the division of responsibilities between Kombit and Netcompany. 

The following were considered mitigating factors:

  • only those who would have been able to access the same type of data had access in any event; and
  • the error could only be exploited if a user had not protected their login.

Outcomes

Ultimately, the Datatilsynet expressed criticism against Kombit's processing of personal data in violation of Article 32(1) of the GDPR.

You can read the press release here and the decision here, both only available in Danish.