LB Forsikring A/S – Violation Found (Denmark, 2022)

A car insurance company (controller) designed a customer portal that enabled customers to access all documents related to their case, even those that they should not have been authorised to see. These roughly 340 documents sent by counterparties, witnesses and repair personnel contained personal data such as contact information, witness statements, payment information and at least one incident of a social security number. The controller had performed a number of tests before implementing the system, however the relevant authorisation setting was not discovered during these tests as it was not considered a systemic flaw. The insurance company reported the breach to the Danish DPA which consequently opened an investigation. The Danish DPA first held that the lack of proper authorisation routines, as well as the lack of sufficient testing to discover the flaw, constituted a violation of Article 32(1) GDPR. The DPA then highlighted the controller's obligation to implement privacy by design during the development stages of the software system under Article 25(1) GDPR. Furthermore, the DPA considered that the relatively late discovery of the flaw indicated a lack of privacy by design in the controller's maintenance of the system. The DPA thus reprimanded the controller for not having a sufficient level of security and for not correctly implementing privacy by design.