Background information
- Date of final decision: 20 August 2024
- National case
- Legal Reference(s): Article 34 (Communication of a personal data breach to the data subject)
- Decision: Administrative fine; order to communicate the personal data breach to the data subjects
- Key words: Administrative fine, Data subject rights, Personal data breach, Principles relating to processing of personal data, Data security, Responsibility of the controller
Summary of the Decision
Origin of the case
The bank failed to comply with its obligations under the GDPR after the personal data of a group of customers was sent to an unauthorised recipient on 30 June 2022. In such a case, data subjects should be informed of the incident, of its possible consequences and of the available remedies, and should be given the contact details of the Data Protection Officer, who can provide more information about the breach.
An employee of a company processing personal data on behalf of the bank made a mistake and sent customer documents to another financial institution. The documents were returned to the bank, but the envelope had already been opened. As a result, third parties could have had access to the documents, and it could not be ruled out that they had read their contents. The documents included the following: surnames and first names, parents' names, dates of birth, bank account number, address of residence or domicile, personal identification number (PESEL), data on earnings and/or assets held, mother's maiden name, series and number of identity card, and other data (information on credit and real estate).
The bank did not communicate the breach to its customers, even though, after the breach was notified, the President of the Personal Data Protection Office informed it of the need to take such action. The bank stated that the documents were mistakenly sent to an institution that is also bound by bank secrecy, an entity with which the bank cooperates and which, according to the bank, has the status of a trusted entity. Employees of this institution confirmed that they did not make copies of the documents received by mistake. In the bank's view, the matter therefore did not need to be disclosed.
Key Findings
The President of the Polish SA did not agree with mBank's position regarding a trusted entity. In the reasoning of the decision, he emphasised, inter alia, that “(...) A thorough analysis of the Guidelines 9/2022 unambiguously shows that it is not the status of the recipient, its recognition as a so-called institution (person) of public trust, or acting within the framework of the applicable legislation, but the existence of a direct (permanent) relationship between the sender and the recipient of the mistakenly sent correspondence that determines the admissibility of recognising a particular entity as a so-called ‘trusted recipient’. The Guidelines referred to place emphasis on the lengthiness of the relationship between the controller (the sender of the erroneously sent correspondence) and the recipient (of that correspondence) and, resulting from that lengthy relationship, the controller's knowledge of the procedures, history and other relevant details of the recipient, allowing the controller to reasonably expect that an unauthorised recipient will not seek to read or access any misdirected correspondence containing personal data sent to him or her, and that even if access to the misdirected personal data does occur, that recipient will take no further action and will promptly return the personal data to the controller (pp. 25-26 of Guidelines 9/2022) (...)”.
The President of the Personal Data Protection Office considered that the possible disclosure of such a volume of data created a very high risk for the data subjects. As they were not informed of the breach, they could not counteract its possible negative effects. The bank reasoned erroneously by focusing only on who had access to the disclosed data. In its explanations, it relied on assurances, from those with access to the disclosed data, that nothing bad had happened. This is not enough, because when analysing such a situation, the rights of those affected by the breach must always be taken into account as well. It should be emphasised that compliance with other legally protected secrets does not exempt the controller from the application of the GDPR.
Decision
The President of the Personal Data Protection Office imposed a fine of €928,498.06 on mBank for infringement of Article 34 of the GDPR. The fine amount represents 24 thousandths of one per cent (0.024 %) of the bank's turnover.
In the opinion of the President of the Polish SA, the bank's conduct in this case is an example of disregard for the rights of the persons whose personal data the controller processes. Taking into account the fact that, pursuant to the provisions of the GDPR, the fine could have amounted to €77 million, it should be considered relatively mild. Based on the analysis of the cases lodged with the supervisory authority, it can be assumed that not informing the persons whose data have been breached, justified in the way it was in the breach discussed here, is a manifestation of the bank's systemic attitude, which deserves an exceptionally negative assessment by the President of the Personal Data Protection Office.
For further information: national decision (Polish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.