PostNord AS – Violation Found (Norway, 2023)

Violation Found
Datatilsynet (Norway), 9 January 2023, Norway
Status: final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Norway's Datatilsynet found that PostNord didn't properly secure its customer profiles, allowing unauthorized access through phone numbers. This matters because it highlights the importance of strong security measures to protect customer data. No fines were issued, but the ruling emphasizes the need for businesses to assess risks and secure personal data effectively.

What happened

PostNord used phone numbers as the only authentication method, leading to unauthorized access to customer profiles.

Who was affected

Customers of PostNord whose profiles could be accessed by others using their phone numbers.

What the authority found

The Norwegian DPA found that PostNord failed to ensure an appropriate level of security for customer data, violating GDPR's security requirements.

Why this matters

This case underscores the necessity for businesses to conduct thorough risk assessments and implement robust security measures. Companies should review their authentication processes to prevent unauthorized access to personal data.

GDPR Articles Cited

Art. 32(1) GDPR
Art. 32(2) GDPR
Art. 58(2)(d) GDPR
Full Legal Summary
Detailed

The courier and logistics company PostNord (the controller) offers its customers a service, MyPostNord, where they can schedule and track parcels and obtain advantages such as faster bookings. MyPostNord can also be accessed through a mobile app.

In February and March 2020, the controller submitted two data breach notifications to the Norwegian DPA, relating to cases where unauthorised persons were able to access the customer profiles of others. The unauthorised persons were able to access the profiles because the controller used phone numbers as the only means of authentication. Entering someone else's number (for example, an incorrectly typed one) could give a person access to other people's personal data, including name, gender, postal address, email address, phone number, order and payment history, shipments underway and sender name. The same happened where a phone number previously used in the MyPostNord service had a new owner and the previous owner of that number had not updated their profile information. In addition to the controller's breach notifications, the DPA received information from the public about similar incidents.

The DPA initiated an investigation and requested information from the controller. Specifically, the DPA asked for the risk assessment of the MyPostNord service and related processing systems. The controller submitted the risk assessment but could not state when it had been conducted.

The DPA assessed whether the controller had taken measures to ensure an appropriate level of security in accordance with Article 32 GDPR. One of the requirements under Article 32(1) GDPR is to identify the risks associated with the processing of personal data. Controllers must perform, and be able to report, a risk assessment in order to sufficiently demonstrate compliance with Article 5(2) and Article 24(1) GDPR. The DPA noted that the controller's risk assessment was not conducted before the processing began, and it l
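The weakness at the centre of the decision is a profile lookup in which the phone number is both the search key and the only proof of identity. The following Python is an added illustration, not PostNord's code: it places that lookup beside a hardened flow in which the profile is resolved from an authenticated session, the phone number is treated as contact data, and changing it requires proof of control of the new number. The data model, helper names, sample customers and passwords are all constructed assumptions for this example.

```python
"""Two ways to resolve a customer profile in a MyPostNord-style service.

Added illustration, not PostNord's code. The data model, helper names and the
sample customers below are assumptions constructed for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000


@dataclass
class Profile:
    profile_id: str
    name: str
    phone: str            # contact detail only, never used as proof of identity
    email: str
    pw_salt: bytes
    pw_hash: bytes
    phone_verified: bool = True   # False once the number is known to have moved


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_profile(profile_id: str, name: str, phone: str, email: str, password: str) -> Profile:
    salt = secrets.token_bytes(16)
    return Profile(profile_id, name, phone, email, salt, _hash_password(password, salt))


# Constructed sample data: Kari's old number is later reassigned to Ola's new SIM.
PROFILES: Dict[str, Profile] = {
    "p1": make_profile("p1", "Kari", "+4712345678", "kari@example.com", "correct horse"),
    "p2": make_profile("p2", "Ola", "+4798765432", "ola@example.com", "battery staple"),
}
SESSIONS: Dict[str, str] = {}                          # session token -> profile_id
PENDING_PHONE_OTPS: Dict[Tuple[str, str], str] = {}    # (profile_id, new_phone) -> otp


def lookup_by_phone_insecure(phone: str) -> Optional[Profile]:
    """The pattern the decision describes: whoever types a number gets the matching
    profile, so a typo or a recycled number exposes someone else's personal data."""
    return next((p for p in PROFILES.values() if p.phone == phone), None)


def login(email: str, password: str) -> Optional[str]:
    """Hardened entry point: a real credential check, then a random session token."""
    profile = next((p for p in PROFILES.values() if p.email == email), None)
    if profile is None:
        _hash_password(password, b"\x00" * 16)   # same cost whether or not the account exists
        return None
    if not hmac.compare_digest(_hash_password(password, profile.pw_salt), profile.pw_hash):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = profile.profile_id
    return token


def get_profile(token: str) -> Optional[Profile]:
    """Identity comes from the session; the phone number is not an input at all."""
    pid = SESSIONS.get(token)
    return PROFILES.get(pid) if pid else None


def request_phone_change(token: str, new_phone: str) -> Optional[str]:
    """Changing the contact number needs an authenticated session plus proof of control
    of the new number. A real service would send the OTP by SMS to new_phone; it is
    returned here only so the example runs offline."""
    profile = get_profile(token)
    if profile is None:
        return None
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_PHONE_OTPS[(profile.profile_id, new_phone)] = otp
    return otp


def confirm_phone_change(token: str, new_phone: str, otp: str) -> bool:
    """Binds new_phone to the caller's own profile. A pending OTP is single-use, and
    any other profile still carrying the number is marked unverified so that the
    previous holder's data is never reached through the recycled number."""
    profile = get_profile(token)
    if profile is None:
        return False
    expected = PENDING_PHONE_OTPS.pop((profile.profile_id, new_phone), None)
    if expected is None or not hmac.compare_digest(expected, otp):
        return False
    for other in PROFILES.values():
        if other is not profile and other.phone == new_phone:
            other.phone_verified = False
    profile.phone = new_phone
    profile.phone_verified = True
    return True
```

Run through the recycled-number case: with the insecure lookup, Ola typing his new number +4712345678 is handed Kari's profile. In the hardened flow, Ola can only attach that number to his own profile after logging in and proving control of it, Kari's profile stays reachable only through Kari's session, and her now-stale phone binding is flagged so notifications and lookups stop trusting it.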

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for PostNord AS in Norway (NO).

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

9 January 2023

Authority

Datatilsynet (Norway)

GDPRhub ID

gdprhub-5571

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. PostNord AS - Norway (2023). Retrieved from cookiefines.eu
