Danske Bank – Violation Found (Denmark, 2022)

Violation Found
Datatilsynet (Norway)
13 June 2022
Denmark
Decision status: final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Danske Bank had a security flaw that let users see other people's invoices on its platform. The Norwegian DPA found this violated GDPR rules on data protection, showing the need for strong security measures.

What happened

A technical error in Danske Bank's system allowed users to view 132 invoices not meant for them.

Who was affected

371 Finnish users who accessed invoices they shouldn't have been able to see.

What the authority found

The Norwegian DPA found that Danske Bank failed to ensure adequate security measures, violating GDPR's data protection requirements.

Why this matters

This case highlights the importance of implementing robust security checks in systems handling sensitive data, reminding businesses to regularly test and evaluate their data protection measures.

GDPR Articles Cited

Art. 32(1) GDPR
Full Legal Summary

Danske Bank (controller) had developed an electronic registry database for invoices, which was connected to the controller's 'District platform' application. This application was developed by the controller to, among other things, allow its business customers to search for their own invoices.

On 5 May 2021, 132 electronic invoices were uploaded to the database, but no information about the "receiver" of these invoices was included. Due to a technical error, this missing information allowed other users of the application to find these 132 invoices by performing a search without typing anything in the 'receiver' field (a blank search). The invoices without receiver information were searchable and visible between 5 May 2021 and 10 May 2021. The controller's own investigation showed that 371 Finnish users had accessed these electronic invoices in this period.

On 10 May 2021, the recipient information was added manually to the 132 invoices. The controller notified the Danish DPA of this personal data breach on 12 May 2021. On 20 May 2021, the controller implemented a safety mechanism ensuring it was no longer possible to perform a blank search when searching for invoices.

The DPA stated that Article 32 GDPR normally implies that when a controller uses systems holding a large amount of confidential information about a large number of users, the controller must exercise higher diligence to ensure there is no unauthorised access to or disclosure of personal data. In this case, the controller should have assessed all likely outcomes in the context of developing the software used to process personal data. The DPA specifically referred to Article 32(1)(d) GDPR, which states that the controller should implement a procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to en
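The blank-search failure described above, shown as an added Python illustration that is not Danske Bank's code or the DPA's: a search that filters only on the typed receiver value beside one that takes its scope from the authenticated session, plus the pre-publication check that would have caught the 132 invoices with no receiver. The Invoice class, the function names and the sample registry are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    receiver: str  # "" models an invoice uploaded without receiver information


# Constructed sample registry: two invoices with receivers, one uploaded without.
REGISTRY = [
    Invoice("INV-1", "customer-a"),
    Invoice("INV-2", "customer-b"),
    Invoice("INV-3", ""),
]


def search_invoices_vulnerable(registry, receiver_query):
    """Filters only on the receiver typed into the search form.

    Nothing ties the result to who is asking, so a blank query matches every
    invoice whose receiver field is blank and returns it to any user."""
    return [inv for inv in registry if inv.receiver == receiver_query]


def search_invoices_hardened(registry, session_customer, receiver_query):
    """Authorisation comes from the authenticated session, not from the form.

    Blank searches are refused outright (the controller's 20 May 2021 fix), and
    a typed receiver that differs from the session identity fails closed
    instead of widening the scope. Invoices with no receiver never match."""
    if not receiver_query.strip():
        raise ValueError("blank search is not permitted")
    if receiver_query != session_customer:
        return []
    return [inv for inv in registry
            if inv.receiver and inv.receiver == session_customer]


def unassigned_invoices(registry):
    """Data-quality check to run before a batch is published: any invoice
    without a receiver should block release rather than reach the index."""
    return [inv for inv in registry if not inv.receiver]
```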

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Details

Decision Date

13 June 2022

Authority

Datatilsynet (Norway)

GDPRhub ID

gdprhub-5631

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Danske Bank - Denmark (2022). Retrieved from cookiefines.eu
