Background information
- Date of final decision: 22 June 2022
- Cross-border case or national case: National
- Controller: Trumf
- Legal Reference: Notification of a personal data breach to the supervisory authority (Art. 33), Security of Processing (Art. 32)
- Decision: Infringement of the GDPR and fine imposed
- Key words: unauthorised access, lack of verification, internal documentation
Summary of the Decision
Origin of the case
The basis for this fine is that Trumf members were able to register someone else’s account number on their member profile, thereby accessing the purchasing history of a third party.
By registering an account number with Trumf, users gain access to details of what they have purchased, as well as when and where they made the purchase.
Trumf members were able to access other people's purchasing histories because Trumf had not implemented a solution to verify that the Trumf member registering the bank account was the account's actual owner.
The Norwegian Supervisory Authority therefore stands by its previous notice of a EUR 500.000 (NOK 5 million) fine against Trumf, which was issued in December 2021, and we have maintained our previous assessment in this decision.
Key Findings
In the Norwegian SA’s view, Trumf had failed to ensure satisfactory security for the processing of members' purchasing histories, and had to remedy this security failing.
In its decision, the Norwegian SA gives examples where various individuals, intentionally or unintentionally, have registered bank accounts owned by other people on their membership profiles, which is a personal data breach. Trumf has an obligation to report all such incidents to the Norwegian SA, and all such incidents must also be documented internally. In its decision, the Norwegian SA outlines why we believe Trumf has failed to meet these obligations.
In the Norwegian SA's view, Trumf has not ensured that account numbers are verified before access to purchasing histories is granted or when new account numbers are registered.
The Norwegian Supervisory Authority has decided to issue Trumf with a fine in the amount of EUR 500.000 (NOK 5 million).
For further information:
- Trumf fined (EN), Datatilsynet, Norwegian SA
- Gebyr til Trumf (NO), Datatilsynet, Norwegian SA
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.