The Polish Data Protection Authority (UODO) has fined the Bank Millenium S.A. EUR 80,000 after an investigation following a complaint received from a data subject found that it had failed to comply with its data breach notification obligations according to the articles 33 and 34 of the GDPR.
Specifically, the case involved the loss of documents by a courier company. These documents contained, among other things, the surname, first name, personal identification number, address and account number of customers of the bank.
Although the bank had informed the data subjects about the incident, this information was not sufficient. Thus, the bank considered that the personal data breach posed only a medium risk to the data subjects and therefore did not notify the incident to the supervisory authorities and did not comply with all the requirements regarding the notification of the data subjects.
According to the supervisory authority, the reason for the amount of the fine was, among other things, the fact that the bank had not complied with its obligations even during the ongoing proceedings, had only insufficiently cooperated with the supervisory authority, as well as the intentional commiting and the nature and severity of the violation of the protection of personal data.
Once again, it becomes clear how important it is to check the event of a data protection breach conscientiously and thoroughly and not to take it lightly. If proceedings do occur, the responsible supervisory authority should be collaborated with in a cooperative and understanding manner.