GDPR Breach: Gjensidige's Compliance Officer Sends Password in Plaintext

9/10
Insurer: Gjensidige • Affected cases: gjensidige_sag4 • Legal basis: GDPR Art. 32, Databeskyttelsesloven § 41, GDPR Art. 5, stk. 1, litra f


What Happened

In connection with Case 4 (asbestos), Gjensidige's Compliance Officer sent the password 'Gjensidige2026!' in a plaintext email. The password was for a document containing personal data about the Claimant.

Why It Is Illegal

GDPR Article 32 (Security of processing) requires the data controller to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. Sending a password in plaintext over email is a direct violation of this obligation.

GDPR Article 5(1)(f) establishes the principle of "integrity and confidentiality" — personal data must be processed in a manner ensuring appropriate security.

The Danish Data Protection Act § 41 requires the data controller to take the necessary security measures against unauthorized access.

Aggravating Circumstances

  1. It was the Compliance Officer: The very person whose job is to ensure GDPR compliance broke the rules
  2. The password was predictable: 'Gjensidige2026!' — the company name plus the current year with an exclamation mark. This indicates a systematic practice of weak passwords
  3. The content was sensitive: The document contained personal data relating to an insurance case
  4. Email is unencrypted in transit: Emails are transmitted in plaintext over the internet by default

Legal Consequence

GDPR violations can result in fines of up to 4% of global annual turnover or EUR 20 million (whichever is higher). For a company like Gjensidige, this potentially amounts to billions of DKK.

The Claimant has the right to file a complaint with the Danish Data Protection Agency (Datatilsynet), per GDPR Art. 77.

Perspective

When an insurance company's own Compliance department cannot comply with basic security requirements in an email, it raises fundamental questions about the organization's overall data security posture. If this is standard practice — and the password format (company name + year) suggests it is — it is not an individual mistake but a systemic issue.
