The Danish Data Protection Agency has expressed criticism in a case where a data processor, Mindworking A/S, had not ensured adequate security in the development of a platform (a web application) targeted at real estate agents.
The Danish Data Protection Agency has made a decision in a case where Mindworking A/S, as data processor and supplier of a platform for property transactions, had not ensured that unauthorised persons could not access personal data on the platform by inspecting the source code (XML code).
Breach of personal data security
The information that could be accessed on the platform was the information that the individual estate agent had linked to a specific property for sale. This included the names of potential buyers and the price they had offered for the property, as well as documents containing personal data. These were, for example, draft purchase agreements that – in addition to various identity information – in some cases also contained social security numbers. Some of the personal data was already published information from land registration portals.
The information could be accessed by users who were linked to specific sales cases, after they had logged in with a username and password. The user could access the information by pressing a function key and activating so-called “Dev tools”.
Lack of relevant tests
In the decision, the Danish Data Protection Agency states that, in general, personal data must not appear in the source code or in the comment fields of the display layer. This also applies to information that is not personal data, but which could compromise the security of processing – for example, if it is possible to see in clear text the management parameters of services, certificates or the like.
The Danish Data Protection Agency further states that it is not to be considered a security measure that access to the information required the individual user to activate “Dev Tools” in the browser.
It is the opinion of the Danish Data Protection Agency that using the function key in question is a commonly known way of inspecting the source code and does not require special competences within IT security.
The Danish Data Protection Agency concluded that the data processor should have carried out relevant tests of the platform before commissioning, as this is a known and elementary error that could and should have been easily avoided. Thus, Mindworking A/S, as data processor, had violated Article 32 of the Regulation by not having taken appropriate organisational and technical measures to ensure a level of security appropriate to the risks inherent in the processing of personal data.
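One form the "relevant tests" could take, as an added example that is not taken from the decision or from Mindworking's platform: a pre-release check that scans the response body exactly as the browser receives it, flagging comments, identity-number patterns and elements the view was never meant to show. The element names, the allowlist, the sample payload and the Danish CPR number format used for "social security numbers" are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: identity numbers follow the Danish CPR layout DDMMYY-SSSS (hyphen optional).
CPR_RE = re.compile(r"\b\d{6}-?\d{4}\b")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def scan_display_layer(body, allowed_tags):
    """Return (kind, detail) findings for a response body as delivered to the client."""
    findings = []
    # 1. Comments are delivered verbatim to the browser, so any non-empty one is flagged.
    for match in COMMENT_RE.finditer(body):
        text = match.group(1).strip()
        if text:
            findings.append(("comment", text))
    # 2. Identity-number patterns anywhere in the raw body, comments included.
    for match in CPR_RE.finditer(body):
        findings.append(("id_number", match.group(0)))
    # 3. Elements outside the set this view is meant to display.
    for element in ET.fromstring(body).iter():
        if element.tag not in allowed_tags:
            findings.append(("unexpected_element", element.tag))
    return findings


# Constructed sample: a listing response that carries bid data and a comment
# which the rendered page never shows but the source view does.
SAMPLE = """<listing>
  <address>Example Road 1</address>
  <askingPrice>2500000</askingPrice>
  <!-- draft agreement for buyer 010190-1234 -->
  <bids>
    <bid><buyerName>Test Person</buyerName><amount>2400000</amount></bid>
  </bids>
</listing>"""

# Hypothetical allowlist for a user who may only see address and asking price.
ALLOWED = {"listing", "address", "askingPrice"}

if __name__ == "__main__":
    for kind, detail in scan_display_layer(SAMPLE, ALLOWED):
        print(f"{kind}: {detail}")
```

Run against responses captured for each user role, a non-empty result fails the release; the allowlist differs per role and view.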