Selected GDPR decisions from the month of March – Disclosure of protected addresses subject to severe criticism

Henrik Christian StrandAssociate Partner, Holst, Advokater

BEC, a Danish IT company developing and operating IT systems for financial institutions operating in Denmark, has become subject to severe criticism by the Danish DPA. 

In 2019, it was established that in connection with automatic money transfers between financial institutions, personal data were also disclosed, including information on addresses of individuals who in the central national register (CPR) were registered with a protected or omitted address.

In connection with the DPA’s investigation, BEC informed that the system processing the automatic money transfers between financial institutions also sends a notification containing data about the payer/sender, including data on such individual’s address. No assessment was made whether it was a case of information on protected addresses not to be disclosed.

BEC estimated that more than 20,000 individuals have been affected by these transfers. Against the DPA, BEC argued that conflicting provisions in legislation on money laundering and legislation pertaining to the central national register, respectively, were a contributory cause for BEC not being able to decide whether information about addresses should be submitted together with the transactions.

When establishing the breach, BEC rectified the error in the system transferring the data, erased the unauthorised address information that had been disclosed, and notified the affected individuals. 

In its decision, the DPA took into account the fact that BEC had not complied with Article 5 (1), lit f of the GDPR to take adequate and appropriate technical or organisational measures to ensure sufficient security of the said data, including protection against unauthorised or illegal processing.

It was in particular in connection with the conversion of personal data from a prior IT system to a more recent one that addresses protection was not applied. It was an aggravating circumstance that the errors in the IT system had been present since September 2015, without this being detected until 2019. 

On the other hand, it was a mitigating circumstance that there were conflicting provisions in legislation on money laundering and legislation pertaining to the central national register and that BEC quickly and effectively – after establishing the breach – brought the breach to an end erased all disclosed addresses. 

The decision from the Danish DPA is available here (in Danish).