GDPR | Apr 30, 2026

Tietosuojavaltuutetun toimisto (Finland) - TSV/5875/2024

Finland DPA reprimands insurance company for e-invoice system lacking check digit verification, exposing customer data

Summary

Finland's Data Protection Authority (Tietosuojavaltuutetun toimisto, the Office of the Data Protection Ombudsman) issued a formal reprimand to an insurance company for violating GDPR Articles 5(1)(f) and 25(1): its e-invoice ordering procedure accepted a customer-typed reference number without verifying the check digit, and the reference was then used on its own to bind invoices to a bank account. From April 2013 to January 2024, customer B's e-invoices, carrying B's name, address, contract number, insurance details and payment plan, were delivered to customer A's online bank after A entered a wrong reference number that happened to match B's contract. Roughly 130 invoices were misdirected and the error went undetected for about ten years. The DPA found that the controller had failed to build adequate technical safeguards into the system "by design and by default" and stressed that verifying the check digit before binding the invoice to an account would have prevented the breach.
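The decision does not say which reference number format the controller used or how its lookup matched a typed reference to a contract. The following added example (not code from the decision or from the controller) assumes the Finnish national bank reference number (viitenumero), whose check digit is computed with cyclic 7-3-1 weights, and models the two controls the decision points at: rejecting a reference whose check digit does not verify before it is used as a lookup key, and refusing to bind a contract's invoices to an ordering customer who is not the contract's owner (the "second identifier" the controller later committed to). The contract table, the customer ids and the "unverified" lookup that keys on the base digits and ignores the last one are constructed for illustration.

```python
"""Added example: check-digit validation for Finnish bank reference numbers
(viitenumero) and an e-invoice binding step that does not trust the reference
alone.  The decision does not describe the controller's reference format or
lookup logic; the 7-3-1 scheme, the contract table and the customer ids here
are assumptions made for illustration."""
from typing import Optional

WEIGHTS = (7, 3, 1)  # applied to the base digits from right to left, cyclically


def normalise(reference: str) -> str:
    """Drop the grouping spaces banks print in reference numbers."""
    return reference.replace(" ", "")


def check_digit(base: str) -> str:
    """Finnish national reference check digit: weight the base digits
    7,3,1,7,3,1,... starting from the rightmost, sum the products and
    return (10 - sum mod 10) mod 10.  The base is 3 to 19 digits."""
    if not base.isdigit() or not 3 <= len(base) <= 19:
        raise ValueError("base must be 3 to 19 digits")
    total = sum(int(d) * WEIGHTS[i % 3] for i, d in enumerate(reversed(base)))
    return str((10 - total % 10) % 10)


def make_reference(base: str) -> str:
    return base + check_digit(base)


def is_valid_reference(reference: str) -> bool:
    """True only if the last digit is the correct check digit for the rest."""
    ref = normalise(reference)
    if not ref.isdigit() or not 4 <= len(ref) <= 20:
        return False
    return check_digit(ref[:-1]) == ref[-1]


# Constructed sample data: reference base -> (contract id, owning customer id)
CONTRACTS_BY_BASE = {
    "1000001": ("C-A", "cust-A"),
    "1000002": ("C-B", "cust-B"),
}


class EInvoiceBindingError(Exception):
    pass


def bind_einvoice_unverified(reference: str) -> Optional[str]:
    """The 2013 procedure as the decision describes it: the typed reference is
    the only identifier and its check digit is never checked.  Assumption for
    this model: the lookup keys on the base digits and ignores the last one,
    so the only error the process can flag is a reference matching no contract."""
    ref = normalise(reference)
    hit = CONTRACTS_BY_BASE.get(ref[:-1])
    return None if hit is None else hit[0]


def bind_einvoice(reference: str, ordering_customer: str) -> str:
    """Hardened procedure: verify the check digit before the reference is used
    as a key, then require that the contract belongs to the customer placing
    the order (the second identifier the decision mentions)."""
    ref = normalise(reference)
    if not is_valid_reference(ref):
        raise EInvoiceBindingError("check digit does not verify")
    hit = CONTRACTS_BY_BASE.get(ref[:-1])
    if hit is None:
        raise EInvoiceBindingError("reference matches no contract")
    contract, owner = hit
    if owner != ordering_customer:
        raise EInvoiceBindingError("reference belongs to a different customer")
    return contract


def rejection_reason(reference: str, ordering_customer: str) -> Optional[str]:
    """Convenience wrapper: the error message, or None if binding succeeds."""
    try:
        bind_einvoice(reference, ordering_customer)
    except EInvoiceBindingError as err:
        return str(err)
    return None


if __name__ == "__main__":
    ref_a = make_reference("1000001")   # "10000016", customer A's own reference
    ref_b = make_reference("1000002")   # "10000029", customer B's reference
    typo = "10000026"                   # A mistypes one digit of ref_a
    # Without verification the one-digit slip silently binds B's contract to A:
    print("unverified:", bind_einvoice_unverified(typo))
    # The check digit catches the slip before any lookup happens:
    print("hardened, typo:", rejection_reason(typo, "cust-A"))
    # A well-formed reference that is simply someone else's passes the check
    # digit, so only the owner check stops it:
    print("hardened, B's ref:", rejection_reason(ref_b, "cust-A"))
    print("hardened, own ref:", bind_einvoice(ref_a, "cust-A"))
    # Caveat: 7-3-1 detects every single-digit substitution, but adjacent
    # digits that differ by 5 can be transposed without changing the check digit:
    print(check_digit("1000005"), check_digit("1000050"))
```

The check digit is a transcription-error control, not an authorisation control: because the weights 7, 3 and 1 are all coprime to 10, any single mistyped digit changes the sum modulo 10 and is rejected, but a transposition of two adjacent digits that differ by 5 passes, and a correctly typed reference belonging to another customer always passes. That is why the owner check in `bind_einvoice` is the step that actually stops one customer's invoices from being routed to another customer's bank.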

Full text

Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(f) GDPR, Article 25(1) GDPR, Article 58(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 31.03.2026
Fine: n/a
Parties: n/a
National Case Number/Name: TSV/5875/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: FINLEX - Data Protection Ombudsman (in FI)
Initial Contributor: Panpan

The DPA reprimanded an insurance company for allowing e-invoice subscriptions to be set up on the basis of an unverified reference number alone. This lack of validation let one customer receive another customer's personal data after a simple typing error, in violation of Articles 5(1)(f) and 25(1) GDPR.

English Summary

Facts

An insurance company (the controller) launched its e-invoice system in 2012. It ran functionality tests and kept a process that flagged reference numbers which did not link to any existing agreement. When the system was updated in 2013, the controller did not implement check digit verification for reference numbers, so a mistyped reference that happened to match another contract was accepted like a correct one. In April 2013, customer A changed their e-invoice agreement but entered a wrong reference number. Because the mistyped number matched customer B's contract, customer B's e-invoices were automatically delivered to customer A's online bank. Each invoice disclosed customer B's name, address, contract number, insurance details and payment plan. The misdirection persisted from April 2013 until January 2024 and covered approximately 130 invoices. The controller added internal check digit verification in 2020 to prevent new errors of this kind, but the existing misbinding was not detected until 2023 and was reported to the DPA in May 2024. Separately, following a 2021 DPA ruling, the controller committed to requiring a second identifier for identity verification, with full implementation scheduled for late 2025.

Holding

The DPA held that the controller's e-invoice ordering procedure violated Articles 5(1)(f) and 25(1) GDPR and issued a formal reprimand. The DPA reasoned that a controller is legally obligated to ensure the security of personal data through appropriate technical measures and to integrate data protection into the processing system "by design and by default". These measures must be in place before processing starts and throughout the processing period, and the controller must continuously evaluate whether the chosen safeguards are effective. In this case the DPA found that relying solely on an unverified reference number was insufficient to prevent unauthorized access, and stressed that the breach would have been avoided had the check digit been verified before the invoice was bound to a specific account. Because the violation continued for more than five years under the GDPR, and in light of established legal practice on e-invoice security, the DPA issued a reprimand to the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Access to e-invoice data by a third party

Keywords: Personal data breach, Data protection by design and by default
Year: 2026
Date of issue: 31.3.2026
Diary number: TSV/5875/2024
Legal basis: Decision under the EU General Data Protection Regulation
Decision of the Deputy Data Protection Ombudsman

Parts of the decision have been redacted. The redaction is based on section 24(1)(20) of the Act on the Openness of Government Activities.

Subject: Access to e-invoice data by a third party
Data controller: Insurance company

Description of the data breach

On 31.5.2024 the controller notified the Office of the Data Protection Ombudsman of a personal data breach. According to the controller, e-invoices belonging to a person who is an insurance customer of the controller [confidential information deleted] had ended up with the wrong customer as a result of an error made when the e-invoicing agreement was concluded. According to the controller, the recipients of the data are a married couple who are also customers of the controller [confidential information deleted]. According to the notification, these customers had changed their e-invoicing agreement in April 2013 and mistakenly used the wrong reference number. According to the controller, the reference number served as the identifier when ordering an e-invoice. Using the wrong reference number led to [confidential information deleted]. In addition, e-invoices belonging to another person, containing that customer's personal data, were transmitted to the couple's online bank. According to the controller, invoices were sent once a month between April 2013 and January 2024, i.e. presumably 130 times in total. According to the controller, the e-invoice agreement was terminated on 20 December 2023.

According to the controller's investigation, the controller had provided its customers with the correct reference number, and it appears that the customer entered the reference number incorrectly while paying an invoice and ordering the e-invoice agreement through their own online bank. According

Entities

Insurance company (unnamed) (vendor)
E-invoice system (technology)