Sambla Group – €950,000 Fine (Finland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 23 December 2022, the data subject filed a complaint against Sambla Group, a loan comparison service provider. The data subject alleged that their loan application was accessible through a URL which had been sent to them. If a third party were to find out that URL, they would be able to see the entire loan application. The complaint initiated a broader investigation by the Finnish DPA against Sambla Group.

The investigation by the DPA found the following. The DPA examined the access logs of the URLs between 24 February 2017 (the GDPR came into force on 25 May 2018) and 24 March 2024. URLs were published on two different public websites and included fully filled-in loan applications. The loan applications submitted included: the applicant’s personal identification number, e-mail address, account number, home address, nationality, telephone number, monthly income, sources of income, possible additional applicant, marital status, monthly income of a potential spouse, possible children, occupation, training, possible military service performance, housing, housing expenditure and ownership of a holiday home. Some of this data was accessible from the page directly, while some was accessible from the session storage property of the browser.

The controller argued that the information on the loan application had been visible only to the person who had been sent a link to the loan application by SMS at their request, and that other IP addresses would not have been able to view the personal data. Further, it argued that excessive access requests from the same IP address would have been blocked by the firewall. However, the investigation found countless instances of access by third parties. In tens of thousands of situations, a single IP address visited more than ten URLs containing a loan application within the same day. At its maximum, 22,193 visits were made by a single IP address in a single day, and the firewall did not block these access requests.
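The DPA's finding rests on a simple access-log check: count, per source IP and per day, how many distinct loan-application URLs were viewed, and flag anything above the ten-per-day pattern described above. The script below is an added illustration of that check, not code from the page, Sambla Group or the DPA; it assumes Common Log Format lines and a hypothetical `/loan-application/<token>` path, and the IPs and tokens are constructed sample data.

```python
import re
from collections import defaultdict

# Common Log Format: "<ip> - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD /path HTTP/x" status bytes"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] "(?P<method>\S+) (?P<path>\S+)'
)
# Hypothetical path shape for a per-application link (assumption, not the real site's URL).
APP_PATH_RE = re.compile(r"^/loan-application/[0-9a-f]+$")


def parse_line(line):
    """Return (ip, day, path) from a CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("day"), m.group("path")


def distinct_applications(lines):
    """Map (ip, day) -> set of distinct loan-application URLs viewed by that IP on that day."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        ip, day, path = parsed
        if APP_PATH_RE.match(path):
            seen[(ip, day)].add(path)
    return seen


def flag_bulk_access(lines, threshold=10):
    """Return sorted [(ip, day, n)] for IPs that viewed more than `threshold` distinct applications in one day."""
    return sorted(
        (ip, day, len(paths))
        for (ip, day), paths in distinct_applications(lines).items()
        if len(paths) > threshold
    )


def make_sample_log():
    """Constructed sample log: one applicant re-opening their own link, one IP sweeping 12 links."""
    lines = [
        '203.0.113.5 - - [02/Mar/2021:10:01:12 +0200] "GET /loan-application/7f3a9c HTTP/1.1" 200 5120',
        '203.0.113.5 - - [02/Mar/2021:10:05:40 +0200] "GET /loan-application/7f3a9c HTTP/1.1" 200 5120',
        '203.0.113.5 - - [02/Mar/2021:10:06:01 +0200] "GET /static/app.js HTTP/1.1" 200 880',
        "garbage line that does not parse",
    ]
    for i in range(12):  # same IP, same day, 12 distinct application URLs
        lines.append(f'198.51.100.7 - - [02/Mar/2021:11:{i:02d}:00 +0200] "GET /loan-application/{i:06x} HTTP/1.1" 200 5120')
    return lines


if __name__ == "__main__":
    for ip, day, n in flag_bulk_access(make_sample_log()):
        print(f"{ip} viewed {n} distinct loan applications on {day}")
```

Repeated views of one application by its owner are not flagged; only breadth across many applications from one address is, which is the pattern the DPA used to show the firewall argument did not hold.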
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Sambla Group in FI
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Sambla Group - Finland (2024). Retrieved from cookiefines.eu