Gyldendal A/S – Violation Found (Denmark, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Datatilsynet found that Gyldendal A/S had a security flaw in their test service for schools, allowing unauthorized access to student data. This happened because the URLs for accessing tests were too short and easy to guess. The decision highlights the importance of strong security measures to protect personal data.
What happened
Gyldendal A/S used short URLs for student tests, leading to unauthorized access to personal data.
Who was affected
Students whose test results, names, and emails were accessed by unauthorized teachers.
What the authority found
The authority found that Gyldendal A/S did not ensure adequate security measures, violating GDPR's requirement for data protection.
Why this matters
This case emphasizes the need for companies to implement robust security measures, especially when handling sensitive personal data. It serves as a reminder that technical limitations should not compromise data protection.
GDPR Articles Cited
The Danish publishing house Gyldendal A/S (the processor) offered a service to secondary education institutions. Teachers used the service to create tests that screened students for their academic strengths and weaknesses. The tests were accessed via URLs and completed in a browser. The URLs giving access to the tests consisted of 8 characters in total, of which only 2 were randomised. In practice, this meant that a student, knowingly or unknowingly (e.g. as a result of mistyping the URL), could complete a test set up by a teacher from another school. In that case, the teacher from the other school gained unauthorised access to the student's personal data (name, email and test results). The shortened URLs (8 characters) had been specifically requested by the secondary education institutions (the controllers), whose IT systems did not allow longer URLs. The DPA assumed that teachers from other schools had indeed gained unauthorised access to students' test results, including the students' names and e-mails. As a result, the DPA found that a data breach pursuant to Article 4(12) GDPR had occurred. It follows from Article 32(1) GDPR that the processor must take appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved in the processor's processing activities. The DPA emphasised that access through URLs must take place in a way that ensures the confidentiality of personal data. The DPA took the view that a service clearly aimed at processing and evaluating personal data about professional ability places great demands on the processor's design of its technical solution. The DPA also considered URL manipulation a well-known type of error source that should be easy to counter. Additionally, the DPA did not accept that technical limitations in a controller's IT setup could justify inadequate protection of the data subjects' rights. The DPA held that the publishing house violate
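The decision turns on how guessable the test URLs were. The block below is an added example written for this page; it is not code from the decision or from Gyldendal. It quantifies the identifier space of the scheme the DPA describes (8 characters, 2 randomised; the alphabet is an assumption, since the decision does not state it) and sets it beside a hypothetical issuer that hands out a cryptographically random, expiring token per test, which is the kind of "easily countered" design the DPA had in mind. All names (`TestLinkIssuer`, `weak_link`, the placeholder prefix) are invented for illustration.

```python
import math
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed scenario modelled on the case description: each test link is 8
# characters long and only 2 of them are randomised. The decision does not say
# which characters were permitted, so a lowercase-alphanumeric alphabet is ASSUMED.
ASSUMED_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
LINK_LENGTH_IN_CASE = 8
RANDOM_CHARS_IN_CASE = 2


def keyspace(random_chars: int, alphabet_size: int = len(ASSUMED_ALPHABET)) -> int:
    """Number of distinct identifiers the scheme can ever produce."""
    return alphabet_size ** random_chars


def entropy_bits(random_chars: int, alphabet_size: int = len(ASSUMED_ALPHABET)) -> float:
    """Bits of unpredictability a mistyped or manipulated URL has to overcome."""
    return random_chars * math.log2(alphabet_size)


def weak_link() -> str:
    """Shape of the weak scheme: a fixed 6-character prefix (placeholder, not the
    real URL) followed by only 2 random characters, 8 characters in total."""
    prefix = "t" * (LINK_LENGTH_IN_CASE - RANDOM_CHARS_IN_CASE)
    suffix = "".join(secrets.choice(ASSUMED_ALPHABET) for _ in range(RANDOM_CHARS_IN_CASE))
    return prefix + suffix


class TestLinkIssuer:
    """Hypothetical hardened issuer: each link carries a 128-bit token from a
    CSPRNG, bound to exactly one test, and dies after a fixed TTL. A typo or a
    guessed value then resolves to nothing rather than to another school's test."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600, token_bytes: int = 16):
        self.ttl_seconds = ttl_seconds
        self.token_bytes = token_bytes
        # token -> (test_id, expires_at); an in-memory stand-in for a database table
        self._links: Dict[str, Tuple[str, float]] = {}

    def issue(self, test_id: str, now: Optional[float] = None) -> str:
        """Create a link token for one test. `now` is injectable for testing."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(self.token_bytes)  # 16 bytes -> 22 URL-safe chars
        self._links[token] = (test_id, now + self.ttl_seconds)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the test id for a valid, unexpired token, otherwise None.
        Unknown and expired tokens look identical to the caller."""
        now = time.time() if now is None else now
        entry = self._links.get(token)
        if entry is None:
            return None
        test_id, expires_at = entry
        if now >= expires_at:
            del self._links[token]  # dead link either way; drop it
            return None
        return test_id

    def token_entropy_bits(self) -> int:
        """Entropy of an issued token: 8 bits per random byte."""
        return 8 * self.token_bytes


if __name__ == "__main__":
    print(f"weak scheme: {keyspace(RANDOM_CHARS_IN_CASE)} possible links, "
          f"{entropy_bits(RANDOM_CHARS_IN_CASE):.1f} bits, e.g. {weak_link()}")
    issuer = TestLinkIssuer()
    tok = issuer.issue("class-7b-reading")
    print(f"hardened: {issuer.token_entropy_bits()} bits, {len(tok)}-char token, "
          f"resolves to {issuer.resolve(tok)}")
```

With the assumed alphabet the weak scheme yields only 1296 distinct links (about 10 bits), so any live test is one typo away from another; the hardened token carries 128 bits, which is why neither a mistyped URL nor a guess lands on a real test. The hardened link is 22 characters rather than 8, which is exactly the length constraint the controllers raised and the DPA declined to accept as a justification.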
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Cite as: Cookie Fines. Gyldendal A/S - Denmark (2023). Retrieved from cookiefines.eu