Although the GDPR regulates the security of processing personal data in a largely principle-based manner, it reshapes how organizations should approach data security: it demands robust, risk-based security frameworks and careful testing of new functionality rather than compliance checklists. The Finnish Deputy Data Protection Ombudsman's decisions against S-Bank (TSV/3606/2024) (the “S-Bank Ruling”), which resulted in a EUR 1.8 million administrative fine, and against Aktia Bank (TSV/1671/2023) (the “Aktia Ruling”), which resulted in a EUR 865,000 administrative fine, demonstrate the consequences that can follow from failing to implement adequate security measures to protect personal data.
What happened?
Between April and August 2022, S-Bank's online banking service contained a software vulnerability in its authentication functionality that allowed users to access other customers' bank accounts and personal information. The incident affected over 8,000 customers and exposed sensitive data to unauthorized recipients. The flaw remained undetected for approximately three months despite multiple customers contacting the bank to report the issue. The Deputy Data Protection Ombudsman found that S-Bank had failed to adequately test the system before deployment and lacked sufficient monitoring to detect the breach promptly.
In Aktia's case, a data security breach in the bank's identification service enabled some users to log in to other users' digital services, such as tax administration and healthcare accounts, and to see each other's personal data in digital services that require strong electronic authentication. The breach lasted just 47 minutes, but it exposed personal data, including special categories of personal data, to unauthorized recipients. The Finnish Deputy Data Protection Ombudsman found that Aktia had shortcomings in designing, implementing and testing the technical modification made to its authentication service.
Risk assessment, testing and anticipation
Articles 5(1)(f) (“integrity and confidentiality”), 25 (“data protection by design and by default”) and 32 (“security of processing”) of the GDPR impose data security requirements on data controllers. The requirements can, however, be considered somewhat “high-level”. In the S-Bank Ruling, S-Bank sought to argue that the GDPR does not require the anticipation or identification of the detailed circumstances in which risks may materialize in the future. According to S-Bank, such anticipation would be “practically impossible” because risks may materialize in countless different situations. The Deputy Data Protection Ombudsman rejected the argument, noting that when designing the product S-Bank should have considered all of its user pathways and the associated use cases, prevented unacceptable user pathways, and eliminated pathways that could not be managed, so that the software would not contain any such pathways.
In the Aktia Ruling, the Deputy Data Protection Ombudsman held that technical modifications must be carried out carefully and that the service's functionality must be adequately tested after such modifications. Aktia drew attention to the fact that no exhaustive list of the “appropriate technical and organizational measures” under Article 32 of the GDPR exists, and that the requirements should therefore be interpreted on a sector-specific and case-by-case basis. The Deputy Data Protection Ombudsman rejected the argument and stated that, since login malfunctions are a central risk to the operation of identification services, Aktia should have paid particular attention to assessing that risk.
The reasoning of the Deputy Data Protection Ombudsman demonstrates that data controllers must anticipate risks comprehensively and that invoking an “unforeseeable risk” to justify an incident that has occurred will not suffice.
S-Bank – Competence of the Deputy Data Protection Ombudsman and overlapping regulatory frameworks
In the S-Bank Ruling, S-Bank sought to argue that the supervision of risk assessments carried out pursuant to legislation on payment services and strong electronic identification does not fall within the competence of the Deputy Data Protection Ombudsman. S-Bank stated that the interpretation of the GDPR's “flexible norms” cannot be used to govern details that fall within the scope of sector-specific regulation. This, however, did not prevent the Deputy Data Protection Ombudsman from ruling on the matter. The Deputy Data Protection Ombudsman maintained that it cannot assess the controller's conduct under regulation outside its competence, but that the sector-specific regulation did not prevent the application of the GDPR to the matter.
The S-Bank Ruling also highlights the complexities that arise when the same conduct violates multiple regulatory frameworks. The incident that led to the Ruling also resulted in enforcement action by the Finnish Financial Supervisory Authority (fi: Finanssivalvonta), which imposed its own administrative fine and a public warning based on violations of banking and payment services legislation. This raises the question of double jeopardy (ne bis in idem). The Ruling carefully addresses these concerns, noting that whilst both authorities sanctioned the same conduct, they enforced different legal frameworks protecting different interests: the GDPR protects individuals' right to data protection, whilst banking regulation protects the stability of the financial system and payment service users from operational risks.
The Court of Justice of the European Union has confirmed that multiple sanctions for the same conduct do not violate the ne bis in idem principle where the regulatory frameworks pursue different legitimate objectives, the cumulative burden is not disproportionate, there are clear rules allowing parties to anticipate the potential cumulation, and the proceedings are coordinated and temporally proximate. The Deputy Data Protection Ombudsman concluded that these conditions were satisfied, justifying both the reprimands and the administrative fine under the GDPR.
To be continued
For financial institutions and other organizations processing large amounts of personal data, the message is clear: security measures must genuinely reflect the risks involved, and organizations must be prepared to demonstrate, with clear evidence, that their approach meets the GDPR's requirements. The somewhat “high-level” regulation does not create ambiguity about the core obligations; it demands a thoughtful, risk-based implementation that supervisory authorities will rigorously scrutinize.
Nevertheless, the position outlined above may still be refined, given that S-Bank has appealed the S-Bank Ruling to the Administrative Court and the Aktia Ruling is not yet legally final, as it remains subject to appeal.
For more information on the topic and advice in relation to data protection, please contact Martina Simpanen, Sonja Heiskala or Kati Rantala.