BroBizz A/S discloses personal data to unauthorized persons

Henrik Christian StrandAssociate Partner, Holst, Advokater

BroBizz A/S (Danish business developing and managing the BroBizz® concept, which ensures automatic payment on bridges, ferries and toll roads, and in car parks etc) has become subject to serious criticism from the Danish DPA in three cases where Brobizz A/S in connection with replying to customer inquiries disclosed personal data, including information about location to unauthorised third parties.In one of the cases, a customer service representative disclosed a customer’s location data (regarding use of BroBizz transmitter) to the customer’s ex upon only having been provided with a phone number. In addition to location data, the ex was also confirmed of the fact that there were two passengers in the customer’s car when the customer passed the toll station on the Great Belt Bridge. 

Brobizz A/S reported the three cases themselves as personal data breaches. In the light of the reported breaches, the DPA asked Brobizz A/S to forward, among others, their risk assessment for customer verification and several copies of the company’s specific procedures and instructions, in particular regarding the identity of natural persons requesting access. On the basis of the risk assessment, the DPA found that BroBizz A/S when assessing the level of a sufficient security level had not taken adequate account of the risks posed by the processing, in particular the risk posed by the unauthorised disclosure of or access to personal data. 

Read the decision here (in Danish).The Danish Data Protection Agency has also addressed the subject of ID validation in the Pandora decision, which is available here.