
Bank Millennium fined €80,000 by Polish DPA for failure to report a breach


Bank Millennium has been fined €80,000 by the Polish DPA for failing to report a breach to the authority and for failing to inform the affected data subjects adequately.


Recently, the Polish DPA (UODO) imposed a fine on Bank Millennium over a personal data breach which the bank neither reported to the authority nor adequately communicated to the affected customers. According to this report from the EDPB, the supervisory authority only learned of the breach when customers lodged a complaint against the bank about documents containing their personal data that had been lost by a courier service. The lost correspondence contained, among other things, the customers’ names, national identification (PESEL) numbers, registered addresses, bank account numbers and the identification numbers the bank assigns to its customers. Although the customers who went on to file the complaint had been informed of the breach, the information the bank gave them fell short of what the GDPR requires.


Bank Millennium classified the breach as medium severity and therefore did not consider further notification necessary.


The steps a controller must take after a personal data breach depend on the risk it poses to the affected individuals: under Article 33 GDPR a breach must be notified to the supervisory authority within 72 hours unless it is unlikely to result in a risk to data subjects, and under Article 34 the data subjects themselves must be informed without undue delay where the breach is likely to result in a high risk to them. Bank Millennium, having assessed the risk of this breach as medium, did not consider it necessary to notify the Polish DPA. It also gave the affected customers only limited information on how their data may have been compromised. In the DPA’s view, that communication was insufficient and did not meet the standard set by the GDPR. The Polish DPA noted that, had it been notified of the breach, it could have advised the controller on what information needed to be conveyed to the affected data subjects.


Bank Millennium was fined €80,000 for failing to report the data breach.


The Polish DPA fined Bank Millennium a total of €80,000 for this violation of data protection law and ordered the bank to communicate the breach to the affected persons in the manner set out in the GDPR. In setting the fine, the DPA took into account the gravity of the breach and the fact that, even during the proceedings, the bank still had not fulfilled its obligations. In addition, the supervisory authority found the bank’s level of cooperation during the proceedings unsatisfactory. The fine is intended to serve a punitive function and to act as a deterrent to other banks and organisations that may be less diligent in fulfilling their data protection obligations.





Does your company have all of the mandated safeguards in place to ensure the safety of the personal data it collects or processes? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
