Fine for mBank for failure to inform data breach victims
The President of the Personal Data Protection Office (UODO, the Polish supervisory authority) has imposed a fine of PLN 4 053 173 (over PLN 4 million) on mBank for failing to inform the victims of a personal data breach. The fine may seem large, but it amounts to only 0.024% (24 thousandths of one per cent) of the bank's turnover.
The bank failed to comply with its obligations under the GDPR after the personal data of a group of customers reached an unauthorised recipient on 30 June 2022. Where a breach is likely to result in a high risk to the persons concerned, Article 34 GDPR requires the controller to communicate it to them without undue delay, describing the incident, its likely consequences and the measures taken or recommended to mitigate them, and giving the contact details of the Data Protection Officer from whom more information about the breach can be obtained.
An employee of a company processing personal data on behalf of the bank (a processor) made a mistake and sent customer documents to another financial institution. The documents were returned to the bank, but the envelope had already been opened. Third parties could therefore have had access to the documents, and it cannot be ruled out that someone read them. The documents contained: surnames and first names, parents' names, dates of birth, bank account numbers, addresses of residence or domicile, national identification numbers (PESEL), data on earnings and/or assets held, mothers' maiden names, identity card series and numbers, and other information (on credit and real estate). Taken together, these are exactly the identifiers used to verify a person's identity when opening accounts or applying for credit, which is why exposure of this set matters regardless of who opened the envelope.
The bank did not communicate the problem to its customers, even though, after the breach had been notified, the President of the Personal Data Protection Office informed the bank of the need to do so. In its explanations the bank stated that the documents had mistakenly gone to an institution that is itself bound by banking secrecy, an entity with which the bank cooperates and which, according to the bank, has the status of a trusted entity. Employees of that institution confirmed that they had not kept copies of the documents received by mistake. In the bank's view, the matter therefore did not need to be disclosed.
The President of the Polish SA did not accept mBank's position that the recipient was a trusted entity. In the reasoning of the decision, citing the EDPB Guidelines 9/2022 on personal data breach notification, he emphasised, inter alia, that: (...) "A thorough analysis of the Guidelines 9/2022 unambiguously shows that it is not the status of the recipient, its recognition as a so-called institution (person) of public trust, or acting within the framework of the applicable legislation, but the existence of a direct (permanent) relationship between the sender and the recipient of the mistakenly sent correspondence that determines the admissibility of recognising a particular entity as a so-called ‘trusted recipient’. The guidelines referred to place emphasis on the lengthiness of the relationship between the controller (the sender of the erroneously sent correspondence) and the recipient (of that correspondence) and, resulting from that lengthy relationship, the controller's knowledge of the procedures, history and other relevant details of the recipient, allowing the controller to reasonably expect that an unauthorised recipient will not seek to read or access any misdirected correspondence containing personal data sent to him or her, and that even if access to the misdirected personal data does occur, that recipient will take no further action and will promptly return the personal data to the controller (pp. 25-26 of Guidelines 9/2022)" (...).
The President of the Personal Data Protection Office considered that the possible disclosure of such a volume of data created a high risk for the data subjects. Because they were not informed of the problem, they could not take steps to counteract the possible negative effects of the breach. The bank reasoned wrongly by focusing only on who had had access to the disclosed data, relying in its explanations on assurances from those persons that nothing bad had happened. That is not enough: when analysing such a situation, the rights of those affected by the breach must always be taken into account as well. It should be stressed that being bound by another legally protected secret, such as banking secrecy, does not exempt a controller from applying the GDPR.
In the opinion of the President of the Polish SA, the bank's conduct in this case is an example of disregard for the rights of the persons whose personal data the controller processes. Given that, under the GDPR (up to 2% of annual turnover under Article 83(4)), the fine could have amounted to PLN 337 million, it should be considered relatively mild. On the basis of analyses of the cases brought before the supervisory authority, it can be assumed that the bank's practice of not informing the persons whose data have been breached, justified as in the breach discussed here, reflects a systemic attitude (policy) on the bank's part, which deserves an exceptionally negative assessment by the President of the Personal Data Protection Office.