Bank Millennium fined €80,000 by Polish DPA for failure to report a breach

Bank Millennium fined €80,000 by the Polish DPA for failing to report a breach and for insufficiently informing the affected data subjects.


Recently, the Polish DPA imposed a fine on Bank Millennium over a data breach which the bank failed to report, and about which it failed to sufficiently inform the affected customers. The supervisory authority learned of the breach only through a complaint made against the bank, after documents containing personal data were misplaced by a courier service, according to this report from the EDPB. The lost correspondence contained customers’ names, personal identification numbers, registered addresses, bank account numbers, and the identification numbers the bank assigns to its customers. While the customers who went on to file the complaint had been informed of the breach, the information given to them did not meet the requirements of the GDPR.


Bank Millennium rated the breach as medium severity and therefore did not consider it necessary to inform anyone beyond the customers it had already contacted.


Under the GDPR the reporting duties scale with the risk a breach poses: a breach must be notified to the supervisory authority within 72 hours unless it is unlikely to result in a risk to individuals (Article 33), and must be communicated to the affected data subjects without undue delay where that risk is high (Article 34). Bank Millennium, assessing the risk of this breach as medium, did not consider it necessary to notify the Polish DPA. It also gave customers only limited information about how their data may have been compromised. According to the DPA, the information given to customers was insufficient and did not meet the standard required by the GDPR. The Polish DPA pointed out that, had it been notified, it could have guided the controller on how much information needed to be conveyed to the affected data subjects.


Bank Millennium was fined €80,000 as a result of its failure to report the data breach.


The Polish DPA fined Bank Millennium a total of €80,000 for this violation of data protection law, and ordered the bank to communicate the breach to the affected persons in the manner set out in the GDPR. In setting the fine, the DPA took into account the gravity of the breach and the fact that, even during the proceedings, the bank still had not fulfilled its obligations. The supervisory authority also found the bank’s level of cooperation during the proceedings unsatisfactory. The fine is intended both to punish and to deter other banks and organisations that may be less vigilant in fulfilling their data protection obligations.





Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Encryption Keys and privacy: AEPD discusses how keys may be considered personal data

Encryption keys and privacy explored by the AEPD, and why some encryption keys may be considered personal data.




Encryption keys are indispensable in the online world, but some of them can themselves be personal data under the GDPR and must be treated as such. The AEPD has published an article discussing encryption keys and how they should be handled under the EU GDPR.

There are two types of encryption systems, one of which uses a public key, making it very suitable for internet use.


Encryption systems can be broken down into two main categories: symmetric and asymmetric encryption. With symmetric encryption, one single key does both the encryption and the decryption. With asymmetric encryption there is a key pair: a public key, which can be distributed freely and is used to encrypt or to verify signatures, and a private key, used to decrypt or to sign, which only the legitimate owner holds. The two keys are mathematically linked, but the private key cannot feasibly be derived from the public key. Asymmetric keys are inherently well suited to the internet precisely because one of the keys can be made freely available. This public key is useful for authentication, verifying signatures and exchanging symmetric keys, among other things.


As an online identifier, a public key may be considered personal data under the GDPR.


Even though a key itself carries no name, it is still possible to identify a person, at least to the extent of proving that different online actions were carried out by the same key holder. The public and private key pair can be used in exactly this way to identify an individual. According to the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person, the ‘data subject’. An identifiable person, according to Article 4(1), is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the identity of that natural person.


Recital 30 of the GDPR states that natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, and that these may leave traces which, particularly when combined with unique identifiers and other information received by servers, may be used to profile or identify natural persons. On this basis a public key is a unique identifier: the probability of two people sharing the same string of characters as a public key is practically zero. This uniqueness is exactly what allows public keys to be used securely within online encryption systems.


There is an important link between encryption keys and privacy, as public and private keys can be, and have been, used to re-identify a person.



The use of public and private keys makes it possible to profile a person and even to prove that different online actions are linked to the same individual, as happens with authentication or with blockchains. This kind of linkage is so reliable that it has actually been used to re-identify individuals, and re-identification services are now offered to law enforcement agencies. In a public key infrastructure (PKI), a trusted third party identifies and registers the natural person to whom a public key is assigned and issues a digital certificate binding the two. The owner of a public key holds a private key that cannot be deduced from the public key, which is what makes asymmetric encryption work; but the association between the two keys is also what allows various online actions to be linked together. Whatever is produced with a given private key can only be verified or decrypted with the matching public key, so every such action points back to the same key holder. As a result, the public key acts as a pseudonym, and pseudonymised data remains personal data under the GDPR (see the definition of pseudonymisation in Article 4(5) and Recital 26).
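The linkage described above, and the asymmetric key pair explained earlier in this post, can be made concrete in code. The following example is added here and is not code from the AEPD article or from Aphaia; it uses Ed25519 signatures from the Go standard library. The "online actions" (a webmail login, a forum post, a ledger transaction) and the key holders are constructed sample data. An observer who only sees signed records and the public keys attached to them never learns a name, yet, by verifying each signature and grouping by a fingerprint of the public key, can prove which actions were authorised by the same private key and therefore by the same person. That fingerprint is the pseudonymous identifier the post is talking about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Action is a constructed record of one "online action": the service where it
// happened, the signed payload, the signer's public key and the signature,
// roughly what a PKI-backed service or a public ledger would publish.
// No name or other direct identifier appears anywhere in it.
type Action struct {
	Service   string
	Payload   []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Fingerprint derives a stable pseudonymous identifier from a public key:
// the hex-encoded SHA-256 of the raw key bytes. Anyone who sees the key can
// compute it, and the same key always yields the same fingerprint.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignAction is the key holder's side: the payload is signed with the private
// key and published together with the matching public key.
func SignAction(service string, payload []byte, priv ed25519.PrivateKey) Action {
	pub := priv.Public().(ed25519.PublicKey)
	return Action{Service: service, Payload: payload, PublicKey: pub, Signature: ed25519.Sign(priv, payload)}
}

// LinkActions is the observer's side (for instance a re-identification
// service). It verifies every signature against the attached public key and
// groups the valid actions by key fingerprint. Actions in the same group were
// authorised by the same private key, hence by the same key holder. Records
// whose signature does not verify are dropped: they cannot be attributed.
func LinkActions(actions []Action) map[string][]string {
	linked := map[string][]string{}
	for _, a := range actions {
		if !ed25519.Verify(a.PublicKey, a.Payload, a.Signature) {
			continue
		}
		fp := Fingerprint(a.PublicKey)
		linked[fp] = append(linked[fp], a.Service)
	}
	return linked
}

func main() {
	// Two key holders. Their names exist only in this comment ("first" and
	// "second"); the published data carries nothing but keys and signatures.
	_, firstPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, secondPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample actions across unrelated services.
	actions := []Action{
		SignAction("webmail-login", []byte("login 2023-01-01T09:00Z"), firstPriv),
		SignAction("forum-post", []byte("post 4711"), firstPriv),
		SignAction("ledger-tx", []byte("transfer 0.5 to wallet-B"), secondPriv),
		SignAction("webmail-login", []byte("login 2023-01-02T18:30Z"), firstPriv),
	}

	// Three of the four actions collapse onto one fingerprint: the first key
	// holder's webmail logins and forum post are now provably linked.
	for fp, services := range LinkActions(actions) {
		fmt.Printf("key %s... -> %v\n", fp[:16], services)
	}
}
```

Run it as `go run main.go`. The output lists two fingerprints, one of them followed by three services, which is exactly the profile the post warns about: no name was needed, the public key alone did the work, so the key (and its fingerprint) is pseudonymised personal data and must be handled as such.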


Does your company have all of the mandated safeguards in place to ensure the safety of personal information collected on your website or app? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

GDPR Summary

GDPR Summary: here is how new EU rules will affect data

The General Data Protection Regulation (GDPR) is a new piece of EU legislation designed to reform and harmonise the rules on individuals’ personal data. Approved by the European Parliament in April 2016, it applies from 25 May 2018.