Polish Bank Fined For Failing To Notify Data Breach

November 24, 2021
The Polish Personal Data Protection Office has imposed a €80,000 fine on Bank Millennium, after finding that the bank did not report an incident to the authority.

The incident took place in April 2019 when a courier company lost documentation of customers who had opened new bank accounts at Bank Millennium the previous month. The personal data lost by the bank included name, personal identification number, registered address, bank account numbers, and bank client identification number.

Based on the European ENISA methodology, the bank qualified the risk as medium, meaning that it was possible for the threat to materialize. However, the bank decided not to report the incident to the data protection office.

In fining Bank Millennium, the Polish authority found that the bank should have notified the agency within 72 hours following the incident.

“Reporting breaches of personal data protection by administrators is an effective tool contributing to a real improvement in the security of personal data processing,” the data protection authority says in the document.

Additionally, the bank failed to comply properly with its obligation to inform the affected persons about the incident. It gave only general information about the nature of the breach, without indicating the categories of data affected or the measures they could take to minimize its possible negative effects.

“Notifying natural persons about a breach enables them to be informed about the risk related to the breach and to indicate actions that these persons can take to protect themselves against the potential negative consequences of the breach,” the decision reads.

It adds: “It should be emphasized that the obligation to notify a natural person about a breach does not depend on the materialization of negative consequences for such a person but on the very possibility of such a risk.”

In other words, what matters is not whether an unauthorized individual actually obtained and made use of the personal data, but that there was a risk of violation of the data subjects' rights.

In light of the above, and also due to the scope of data lost, the authority concluded that such a risk was high in this case.

When setting the level of the fine, the authority took into account that the bank did not take steps to correct the failure, that it cooperated with the agency on an “unsatisfactory level,” the intentional nature of the activity, and the nature and gravity of the breach.
