BRABANK ASA (former Easybank ASA) – €34,800 Fine (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
BRAbank ASA was fined EUR 34,800 by Norway's Datatilsynet after a data breach allowed customers to see incorrect data or other customers' data. The bank did not properly assess the risks or document its processes, leading to this oversight. This case highlights the need for thorough testing and risk assessments in online banking services.
What happened
BRAbank ASA's online portal allowed customers to view incorrect or other customers' data due to a lack of proper risk assessment and testing.
Who was affected
Customers using BRAbank ASA's online portal who saw incorrect loan details or other customers' personal information.
What the authority found
The DPA found that BRAbank ASA did not comply with GDPR requirements for risk assessments and security measures when launching their online portal.
Why this matters
This case emphasizes the importance of conducting and documenting thorough risk assessments and testing before launching digital services. It serves as a warning to financial institutions about the potential consequences of inadequate security measures.
GDPR Articles Cited
A bank launched a new online portal for a selection of customers (about 500) where they would be able to see their loans. However, as a result of "frequent navigation" and, consequently, a problem with verifying sessions per user, some customers were able to see other customers' data, including contact information, while others only saw incorrect loan details. After a customer notified the bank that her loan details were incorrect, the bank immediately shut the portal down. By then, 91 customers had logged on and had potentially viewed incorrect data or data of other data subjects. When asked about the exact reason why the discrepancy occurred, the bank was not able to recreate the error.

The bank claimed they had tested the portal between May and August 2019. After this incident, they conducted thorough testing and added an extra verification measure in the system, before testing once again and doing another launch for a selection of customers. After 14 days without errors, they launched the portal to all customers, and after six months of operation no new errors had been discovered.

When asked by the DPA, the bank said that they had assessed the risk to the rights and freedoms of the customers as "low" because the customers could not change the information themselves and the personal data presented were not of a sensitive nature. However, they were not able to document that they had made this assessment.

Did the bank comply with the requirements of Articles 24 and 32 GDPR when introducing the new online customer portal?

First, the DPA held that the bank did not comply with the GDPR requirements for conducting risk assessments. Both Article 24 and Article 32 GDPR impose such an obligation. Considering the individual case, a thorough assessment would have been necessary. This is due to the following facts: Although financial data do not constitute special categories of personal data within the meaning of Article 9 GDPR, they are nevertheless to be considered sensitive dat
Related Enforcement Actions (0)
No other enforcement actions found for BRABANK ASA (former Easybank ASA) in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
28 May 2021
Authority
Datatilsynet (Norway)
Fine Amount
€34,800
400,000 NOK
GDPRhub ID
gdprhub-3573
Cite as: Cookie Fines. BRABANK ASA (former Easybank ASA) - Norway (2021). Retrieved from cookiefines.eu