The Office for Personal Data Protection imposed an administrative fine of over PLN 545 000 on Santander Bank Polska. The penalty was imposed because the bank violated the General Data Protection Regulation (GDPR) by failing to notify the data subjects of an incident without undue delay.
The Office for Personal Data Protection was notified of the breach by the controller after it found that a former bank employee, despite the termination of his employment, still had unauthorised access to the payer’s profile on the ZUS Electronic Services Platform. As a result, he was able to view the bank employees’ data contained in that profile. As was established in the course of the proceedings, the former employee logged on to the platform five times after his employment had ended. The Personal Data Protection Office concluded that the confidentiality of the data had been breached, which entails a high risk to the rights or freedoms of the data subjects. In the authority’s view, these persons therefore had to be informed of the incident.
According to Santander Bank Polska, no unlawful data processing was identified, and it considered that a personal data breach within the meaning of the GDPR had not occurred. The controller explained that it had notified the breach for precautionary reasons. Nevertheless, the bank posted a message on its internal communication platform reminding staff of the rules of personal data processing. The message contained no information about this particular case; it only presented example types of breaches. According to the Personal Data Protection Office, the recipients therefore had no reason to treat the communication with due seriousness. Moreover, the communication was addressed only to current bank employees. According to the PDPA, it should have been sent to all persons who were employed by the institution at the time when the data were accessible to the unauthorised person.
What matters in this case is the very fact that the unauthorised person was able to view the personal data of others. Whether he actually did so is irrelevant; what matters is that the risk itself arose.
Also relevant to the case is that the controller decided not to notify the data subjects of the breach. In the proceedings before the Data Protection Office, it maintained that it did not intend to fulfil its obligation to notify those affected of the incident. According to the supervisory authority, this omission makes it impossible for the individuals concerned to take remedial action to protect their rights.
The President of the Office for Personal Data Protection therefore decided to impose an administrative fine and ordered that the data subjects be notified of the incident.