Bank Millennium fined for failure to notify the breach and the data subjects about the incident

The obligation to communicate a personal data breach to the data subject does not depend on adverse effects actually occurring for that person, but on the mere possibility that they may occur — stressed the supervisory authority in the decision imposing on Bank Millennium S.A. a fine of over 363 000 PLN (80 000 EUR).

The Personal Data Protection Office (UODO) learnt about the personal data breach from a complaint lodged against the bank. The complaint concerned the loss, by a courier company, of correspondence containing personal data such as name, surname, personal identification number (PESEL number), registered address, bank account numbers and the identification number assigned to the bank’s customers.

The complainants were informed of this fact by the bank, but the information was not sufficient — it did not meet the requirements set out in the GDPR. In the course of the case, it turned out that the data controller had failed to comply with its obligations in relation to the personal data breach. The bank considered that the risk of adverse effects for the persons affected by the breach was medium; therefore, it neither notified the breach to the supervisory authority nor fully complied with the obligation to communicate it to the data subjects.

Yet the UODO must be notified of incidents where there is a probability (higher than low) of a detrimental (adverse) impact on the rights or freedoms of data subjects. And when this risk is high, the breach must also be communicated to the data subjects. Such risks include, for example, identity theft or fraud, financial loss and damage to reputation. The wide range of data contained in the correspondence may expose those affected by the incident to such consequences.

UODO pointed out that if the controller had notified the supervisory authority in this case, it would have been informed that the breach should also be communicated to the data subjects. Importantly, UODO indicated that, from the point of view of the provisions on personal data protection and taking into account the possibility of a detrimental impact on the rights or freedoms of data subjects, it was not relevant whether the unauthorised recipient actually came into possession of the data and became familiar with them; what mattered was the mere fact that such a risk existed. The scope of the personal data affected by the breach is also not insignificant: not only the name and surname but also the PESEL number, which should be protected. In the decision in question, the supervisory authority not only imposed a fine on the controller, but also ordered the controller to communicate the breach to the persons affected by it in the manner set out in Art. 34(2) of the GDPR.

When deciding to impose a fine, the UODO took into account, inter alia, the fact that during the proceedings the bank had still failed to fulfil its obligations relating to the breach, as well as the unsatisfactory level of cooperation with the supervisory authority, the intentional nature of the activity, and the nature and gravity of the breach. In the opinion of the supervisory authority, the amount of the fine will fulfil a repressive function, so that not only this particular controller but also others will properly fulfil their obligations related to data breaches.

The original press release is available in Polish here.

The full text of the decision is available in Polish here.

For further information, please contact the Polish DPA:

2021-11-16