Bankernes EDB Central (BEC) – Violation Found (Denmark, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Danish company, BEC, was found to have exposed personal addresses during bank payment transfers due to a system error. This matters because it shows the importance of having strong security measures to protect personal data. Companies should ensure their systems are updated and secure to prevent unauthorized data exposure.
What happened
BEC's system error led to the unauthorized disclosure of personal addresses during bank payment transfers.
Who was affected
Over 20,000 bank customers whose personal addresses were accidentally disclosed during payment transfers.
What the authority found
The Danish DPA determined that BEC did not implement adequate security measures to prevent unauthorized disclosure of personal data.
Why this matters
This case underscores the critical need for robust security measures in handling personal data, especially in financial transactions. It serves as a reminder for companies to regularly update their systems to prevent data breaches and protect customer information.
GDPR Articles Cited
The Danish Data Protection Authority received a number of data breach reports from more than twenty Danish banks in accordance with Article 33 GDPR. The reported breaches concern the accidental disclosure of personal addresses in connection with automated payment transfers between banks. Automated payment transfers between 25 May 2018 and 22 August 2019 were affected. It is estimated that more than 20,000 customers were affected by the error.
The Danish company Bankernes EDB Central (BEC) supplies software to banks and financial institutions. Payment transfers from BEC are usually accompanied by address information so that the payee can identify the payer. BEC has access to personal addresses in the Danish Central Person Register (CPR). The CPR offers the option of protecting personal addresses from disclosure. An error in the system operated by BEC led to the disclosure of personal addresses even where non-disclosure of the address had been requested in the CPR.
The question for the Danish DPA to decide was whether BEC, as the data processor, had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk pursuant to Article 32 GDPR. The Danish DPA decided that BEC did not implement appropriate technical and organisational measures to protect personal data from unauthorized disclosure. The criticism concerns the fact that BEC initially used an older IT solution that did not implement address protection. After the shift to a new system, errors occurred in connection with the marking of addresses as protected, resulting in unauthorized disclosure.
The Danish DPA emphasized that, in response to the discovery of the unauthorized disclosures, BEC quickly and effectively made some changes to the patches in the IT system, which ended the breach. Further, adequate deletion measures have been taken.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Bankernes EDB Central (BEC) in DK
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Bankernes EDB Central (BEC) - Denmark (2020). Retrieved from cookiefines.eu