Bank Millennium fined €80,000 by Polish DPA for failure to report a breach and to sufficiently inform data subjects.
Recently, the Polish DPA imposed a fine on Bank Millennium for a data breach which the bank failed to report, and about which it failed to sufficiently inform the affected customers. According to this report from the EDPB, the supervisory authority learned of the breach when a complaint was made against the bank concerning documents containing personal data that had been misplaced by a courier service. The lost correspondence contained information including customers’ names, personal identification numbers, registered addresses, bank account numbers, and the identification numbers assigned to the bank’s customers. While the customers who went on to file the complaint were informed of the data breach, the information provided to them did not meet the requirements of the GDPR.
Bank Millennium considered the breach to be of medium severity and therefore did not think it necessary to provide any more notification than it did.
Depending on the severity of a data breach, different steps need to be taken with regard to reporting it. Bank Millennium, perceiving the risk of this data breach to be at a medium level, did not consider it necessary to inform the Polish DPA of the breach. It also gave customers limited information on how their data may have been compromised. According to the DPA, the information given to customers was insufficient and did not meet the standard required by the GDPR. The Polish DPA stated that, had it been informed of the data breach, it could have provided guidance to the data controller on how much information would need to be conveyed to the affected data subjects.
Bank Millennium was fined €80,000 as a result of its failure to report a data breach.
The Polish DPA fined Bank Millennium a total of €80,000 for this violation of data protection law, and ordered the bank to communicate the breach to the persons affected in the manner set out in the GDPR. In setting the fine, the Polish DPA took into account the gravity of the breach and the fact that the bank still failed to fulfil its obligations during the proceedings. In addition, the supervisory authority found the bank’s level of cooperation during the proceedings unsatisfactory. The fine is intended to serve a repressive function and to act as a deterrent to other banks and organizations that may not be as vigilant in fulfilling their data protection obligations.