The President of the Personal Data Protection Office (UODO), Mirosław Wróblewski, imposed a financial penalty of PLN 1 440 000 on Santander Bank Polska S.A. for not reporting a personal data breach. Toyota Bank Polska S.A. was also penalised for the same reason.
The personal data breach at Santander Bank Polska S.A. came to light through the media. It consisted of the disclosure of bank documents that were found in an abandoned consignment in one of the housing estates. The package was previously stolen by a courier company. The data included names, dates of birth, bank account numbers, address and contact details, PESEL numbers, user names and bank passwords, earnings data, ID document series and numbers, and information on bank products.
The data controller explained that it did not report this breach because the consignment was found by one person, who delivered it to the police station and gave assurances that she had not copied the documents. It was also established that no documents were missing from the consignment.
The President of UODO noted that the bank should assess the risk of the breach from the perspective of the persons whose data was disclosed rather than from the perspective of its own interests; the bank's assessment was considered inappropriate.
"The failure to notify the persons affected by a personal data breach, where there is a high risk to their rights or freedoms, deprives them not only of the ability to respond adequately to the breach, but also of the possibility to make an independent assessment of the breach, which may have serious consequences for them. The failure to report a personal data breach to the President of UODO deprives the supervisory authority of the ability to respond adequately to the breach, i.e. to assess the risk the breach poses to the rights or freedoms of a natural person, and also to verify whether the controller has taken appropriate measures to remedy the infringement and to minimise the adverse effects on data subjects. The Authority is then unable to assess whether the controller has taken appropriate security measures to minimise the risk of the infringement recurring."
He also considered it irrelevant that the data was made available to only one identified person. What matters is that the consignment was found by this person. In addition, the controller cannot be certain how many people may previously have had access to the abandoned shipment.
This is not the first breach of data protection, nor is it the only bank to commit such an offence. The supervisory authority indicated that Santander Bank Polska S.A. has again broken personal data protection regulations, and that this was another incident of this type. In 2021, a former employee of the bank reported that after she finished her work for Santander Bank S.A., her access to the employer's profile on the ZUS Electronic Services Platform was not revoked, which allowed her further access to the data for the next 8 months. In January 2022 Santander Bank Polska S.A. was punished with an administrative fine of PLN 545 thousand (DKN.5131.33.2021) for violating the obligation to notify the persons affected by the incident.
The President of UODO also imposed a penalty on Toyota Bank Polska S.A. In this case, the penalty amounted to PLN 78 thousand and was imposed for the delay in reporting a personal data breach to the President of UODO, which was to be done immediately, no later than 72 hours after the incident was established. The controller did not report the breach until a year and a half after it occurred, and only when the supervisory authority contacted it after receiving a complaint from the injured person.
The infringement consisted of the bank sending personal data to an unauthorised recipient. The scope of the data in the correspondence posed a high risk of violating the rights and freedoms of the person whose data was disclosed (e.g. the risk of identity theft). In its decision, the supervisory authority also noted that the controller could not be certain that the unauthorised recipient had not made a copy of the data before returning it, or otherwise retained it, for example by writing it down.
