e-Boks – Violation Found (Denmark, 2022)

Violation Found
Datatilsynet (Denmark) · 4 March 2022 · Denmark
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

e-Boks, a digital platform, faced a security breach that allowed users to access other people's profiles. The Danish DPA found that e-Boks did not test all scenarios that could lead to such errors, violating GDPR's security requirements. This highlights the need for thorough security testing in digital services.

What happened

e-Boks had a security breach that allowed unauthorized access to user profiles.

Who was affected

Users of e-Boks Express who could access other people's profiles due to a technical error.

What the authority found

The Danish DPA concluded that e-Boks failed to ensure adequate security measures, as required by GDPR, by not testing all possible error scenarios.

Why this matters

This case highlights the critical need for comprehensive security testing in digital platforms to prevent unauthorized access. Companies should regularly review and test their systems to ensure they meet GDPR's security standards.

GDPR Articles Cited

Art. 32(1) GDPR
Art. 4(12) GDPR
Full Legal Summary

The controller is e-Boks, a digital platform for dialogue, shipping and storage of documents. The controller also manages e-Boks Express, a self-service portal where companies can send messages and documents. In March 2021, the Danish DPA carried out an investigation after it became aware that it was possible to access someone else’s user profile when logged in to e-Boks Express.

According to the controller, the problem was not caused by them. Their procedure requires the user to access the portal via a NemID Erhverv/NemID signature (which is a key file, key card or key app). According to the controller, the fact that a user, after signing in with a NemID key card, was signed in to another user account was caused by a technical error by Nets Danmark A/S (which manages the NemID Erhverv/NemID signatures). Nets confirmed this, and stated that the error only existed when a user signed in to e-Boks Express with a NemID key card (and not with a key file or key app). Moreover, they argued that it is clear from the log files that ‘only’ 304 people could potentially have exploited the bug, and that the security breach ‘only’ lasted from 4 March 2021 to 27 April 2021.

First, the DPA noted that the unauthorised access to user profiles meant that there was a personal data breach pursuant to Article 4(12) GDPR. Moreover, it stated that Article 32(1) GDPR obliges controllers to take appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the controller’s processing of personal data. In this regard, it noted that this obligation normally implies that changes to existing IT platforms, and developments of new IT platforms, can only take place if security can be ensured. The DPA also noted that the controller did not carry out tests of all possible scenarios in which errors could occur. After all, it was not aware of the error that users were signed into the wrong account when they used a NemID key card as authent

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for e-Boks in DK

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

4 March 2022

Authority

Datatilsynet (Denmark)

GDPRhub ID

gdprhub-4789

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. e-Boks - Denmark (2022). Retrieved from cookiefines.eu

