mBank fined by UODO for a personal data breach

dailyblitz.de 9 months ago

The President of the Personal Data Protection Office (UODO) imposed a fine of over PLN 4 million on mBank for failing to inform customers about a breach of the security of their personal data. Although the amount may seem large, the article notes that it represents only 0.0024% of the bank's annual turnover.

What happened? An error in processing personal data

On 30 June 2022, a serious incident occurred involving the personal data of mBank clients. An employee of a company processing data on the bank's behalf (a processor acting for the bank as controller) mistakenly sent client documents to another financial institution. Although the documents were returned to the bank, the envelope had already been opened. UODO pointed out that there was a risk that third parties had access to the data and could therefore have read it.

The data that reached the unauthorised recipient included highly sensitive information such as first names and surnames, parents' names, dates of birth, bank account numbers, residential addresses, PESEL numbers (the Polish national identification number), income information, mothers' maiden names, identity card series and numbers, as well as credit and property details. Such information can be used for many forms of abuse, including identity theft.

Why did the bank not inform its customers?

After mBank reported the breach to UODO, the regulator asked the bank to take steps to notify the affected customers of the data leak. However, the bank decided not to inform them, explaining that the documents had been sent to an institution that is itself bound by banking secrecy. mBank took the position that, because the receiving financial institution was a trusted entity, there was no need to notify customers of the incident.

Staff of the institution that received the misdirected documents gave assurances that no copies of the materials had been made. The bank considered this sufficient reason not to disclose the incident to customers, relying on the assurances it had received from that entity.

President of UODO: 'A huge risk to customers'

The President of UODO disagreed with the bank's reasoning. In UODO's assessment, mBank disregarded the risk to customers posed by the disclosure of such a large amount of their data. As highlighted in UODO's communication, the bank focused only on who had access to the disclosed data and ignored its obligation to notify the data subjects.

The President of UODO pointed out that, under Guidelines 9/2022 (the EDPB guidelines on personal data breach notification), the status of the recipient does not by itself determine whether it can be regarded as a 'trusted recipient'. What matters is a direct and lasting relationship between the sender and the recipient of the misdirected documents. That relationship should be based on long-term cooperation which allows the controller to reasonably expect that the recipient will not attempt to access the personal data and will take no further action with it after receipt.

The President of UODO also stressed that "the observance of other legally protected secrets does not exempt from the application of the GDPR". In other words, even though the institution that received the data is bound by banking secrecy, the bank was still required to notify customers of the breach so that they could take appropriate protective measures.

The fine could have been higher: up to PLN 337 million

In UODO's assessment, the bank's conduct is an example of disregarding the rights of the persons whose data was processed. Although the fine imposed exceeds PLN 4 million, it could have been much higher. Under the GDPR, which allows fines of up to 4% of a company's total annual worldwide turnover, the maximum fine could have reached as much as PLN 337 million, which makes the current sanction comparatively mild.

The President's decision is final in the administrative procedure and cannot be appealed to a higher administrative authority. The only recourse for the fined entity is to file a complaint with an administrative court: the court of first instance is the Provincial Administrative Court in Warsaw, followed by the Supreme Administrative Court.

Summary

The mBank case is an important reminder of the need to comply with the GDPR, especially its requirement to inform people about breaches of their personal data. Even when data is transferred to an institution bound by professional secrecy, the data controller is obliged to protect the interests of the data subjects, and their rights should be the priority.

It is worth monitoring further developments, especially any legal action by mBank in response to the UODO decision.
