Trumf – €435,000 Fine (Norway, 2021)

"Trumf" is a customer loyalty program owned and run by the company with the same name (the controller). Users can register their Trumf card at various stores, gas stations, airlines and other Trumf partners to collect bonus points, which can then be used to purchase goods or be withdrawn as cash. In 2016, it was discovered that people could register other people's bank account numbers to get access to their detailed purchase history. At the time, the Norwegian DPA (Datatilsynet) instructed the controller to mitigate this security risk. The controller confirmed that this would be dealt with promptly by implementing a verification mechanism which would solve the problem. However, in 2020, the DPA, through various news stories, became aware that the security issue was still unresolved. The controller explained that it had been too challenging to resolve it and, further, that they did not report these breaches because they thought they did not have to. Consequently, they did not adhere to Article 33(5) GDPR, nor Article 33(1). The Norwegian DPA held that Trumf had breached Article 33(1) for failing to notify them of repeated personal data breaches, Article 33(5) for failing to document these breaches, and Article 32 for failing to implement sufficient technical and organizational measures. For these violations, the DPA fined the controller €500,185 (NOK 5,000,000).