Background information
Date of final decision: 19 January 2022
Cross-border case or national case: National
Controller: Santander Bank Polska S.A.
Legal Reference: Communication of a personal data breach to the data subject (Article 34(1))
Decision: Infringement of the GDPR, administrative fine
Key words: information to the data subject.
Summary of the Decision
Origin of the case
The controller, Santander Bank Polska S.A. notified the personal data breach to the Polish SA when it established that a former employee of the bank, despite the termination of his/her employment contract, had unauthorised access to the controller's profile on the Electronic Services Platform of the Social Insurance Institution (PUE ZUS platform). As a result, the former employee of the controller had access to the bank employees' data contained in the controller's profile on the PUE ZUS platform.
Key Findings
One of the bank’s employees, after termination of his/her employment contract, kept his/her accesses and logged into the platform five times. The Polish SA concluded that a breach of data confidentiality occurred, which simultaneously involved a high risk to the rights or freedoms of the data subjects. The bank posted a message on the internal communication platform, but it was general and not referred to a specified case. It was addressed only to those employed at the time of notification, which could leave many data subjects unaware. What’s relevant is not whether the unauthorized person actually got acquainted with the stored personal data, but that there was a high risk of it occurring. Consequently, given the scope of the data (including the health data), there was a high risk to the rights or freedoms of the data subjects and the controller should have communicated the incident to them.
The Polish SA imposed an administrative fine of 120,000 EUR on Santander Bank Polska S. A. The Polish SA also ordered the controller to communicate the personal data breach to the data subjects, i.e. all employees of the bank who were employed during the period when the former employee of the controller had unauthorized access to the data collected on PUE ZUS platform.
For further information: https://www.uodo.gov.pl/decyzje/DKN.5131.33.2021
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.