In October this year, the President of the Personal Data Protection Office (UODO) imposed a high fine on Bank Millennium SA, in the amount of PLN 363,832 (€80,000), for failing to report a personal data breach to the authority within the statutory deadline of 72 hours from the moment it was discovered, and for failing to properly inform the affected persons about it.
Event
In 2019, a courier company lost two packages containing documents related to the procedure for opening bank accounts for two Bank Millennium clients. The personal data contained in the documentation included names, addresses, PESEL numbers (Polish National Identification Number), CIF numbers (Customer Identification Number), and bank account numbers.
The customers were informed about the incident, but the bank, which is the personal data controller in this situation, decided after conducting its own analysis that the risk of negative consequences for the persons affected by the breach was not high enough to warrant reporting it to the supervisory authority (UODO).
The President of the Personal Data Protection Office emphasized in his decision that "for the obligation to notify a breach to arise (...), it is not necessary for the negative consequences of the breach to materialize; the mere possibility (risk) of such consequences occurring is sufficient in this respect." Additionally, following the recommendations of the Article 29 Working Party, it was recalled that "in case of any doubts, the controller should report the breach, even if such caution could prove excessive."
It was also noted that where the persons affected by the breach must be informed, the notification has to contain all the elements required by the GDPR (Article 34, paragraph 2).
Penalty
The Personal Data Protection Office (UODO) imposed a high fine on Bank Millennium SA, in the amount of PLN 363,832 (€80,000), for failing to report the personal data breach to the authority within the statutory period of 72 hours from the moment it was discovered, and for failing to properly inform the persons affected by the incident.
Recommendation
It is important to process personal data appropriately in the first place. If a breach is nevertheless detected, as this case demonstrates, a thorough analysis must be carried out to determine the risk to the rights and freedoms of those affected. If the analysis indicates that such a risk is unlikely to occur, there is no need to report the incident to the relevant authority. However, the Personal Data Protection Office (UODO) may request justification for such a decision, so the conclusions of the analysis should be documented in the internal breach records.
This alert is for informational purposes only and does not constitute legal advice.
