KMD A/S - Violation Found (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Norwegian data authority found that KMD A/S failed to test a system update properly, which led to unauthorized access to children's data. This matters because it shows the importance of testing updates to prevent data breaches.
What happened
KMD A/S did not adequately test a system update, resulting in unauthorized access to sensitive children's data.
Who was affected
Children whose information was processed on the AULA platform.
What the authority found
The authority concluded that KMD A/S violated GDPR by not ensuring the security of personal data during system updates.
Why this matters
This decision emphasizes the responsibility of IT service providers to thoroughly test updates and maintain data security. It serves as a warning for companies to evaluate their update processes to avoid similar breaches.
GDPR Articles Cited
KMD A/S (processor) is a Danish IT service provider offering digital solutions for various industries, including the public sector. Between 19 and 21 January 2021, several municipalities complained to the DPA about a data breach caused by KMD, which the DPA decided to investigate. The breach involved the AULA platform, which is used to process children's information from schools and daycares and is controlled by another processor, namely KOMBIT A/S. As a result of an update run by KMD in its systems, information about foster parents was sent to AULA, giving them access to foster children's information which they were not supposed to have.
During the breach investigation, however, KMD denied responsibility, suggesting that it could not test how the update worked with the recipient system, AULA.
The DPA held that when developing new functionality for an IT system, the processor must consider the potential consequences of an update and conduct appropriate tests. In that way, the processor must ensure that the changes do not compromise the existing security requirements. Additionally, the processor must create an overview of its own IT architecture and environment, including the systems that are integrated with other systems by delivering or receiving data, and ensure that the integrations and associated dependencies are mapped. As a result, the processor must report code changes in integrated systems to the relevant controllers and processors before they go into production. These requirements must ensure that external controllers and processors are informed of the planned changes in time and can carry out appropriate tests of the integrity of the personal data exchanged between the integrated systems.
Consequently, the DPA considered that KMD had both a duty and a possibility to test the interaction of its new functionality with AULA, and that it therefore violated Article 32(1) GDPR by not doing so.
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for KMD A/S in DK
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. KMD A/S - Denmark (2022). Retrieved from cookiefines.eu