In Monday’s announcement by the Office for Personal Data Protection (UODO) it was reported that mBank failed to comply with its obligations under the GDPR after, on June 30, 2022, the personal data of a group of customers was sent to an unauthorized recipient. “In this case, data subjects must be informed of what happened, presented with the possible consequences and corrective measures, as well as provided with the contact details of the person responsible for protecting personal data, who could provide more information about the breach,” the Personal Data Protection Office said.
As the office explains, an employee of a company that processes personal data on behalf of the bank made a mistake and sent customer documents to another financial institution. The documents were returned to the bank, but the envelope had already been opened. Third parties could have had access to the documents, and it cannot be ruled out that they read the documentation and the data it contained. The documents included: surnames and first names, parents’ names, dates of birth, bank account number, address of residence or stay, PESEL number, data on income and/or assets, mother’s maiden name, series and number of identity card, and other information (on loans).
Personal Data Protection Office: mBank failed to notify customers whose data was leaked
“The bank did not notify customers about the problem, even though – after the violation was reported – the President of the Personal Data Protection Office informed it of the need to take such action. The explanations stated that the documents were sent by mistake to an institution also subject to banking secrecy, an entity with which the bank cooperates and which, according to the bank, has the status of a trustworthy entity. The employees of this institution confirmed that they do not have copies of the documents received by mistake. In the bank’s opinion, the matter did not need to be disclosed,” we read in the statement.
As mentioned, the President of the Personal Data Protection Office did not accept mBank’s position regarding the trusted entity. In justifying this decision, he stressed, among other things, that “an in-depth analysis of Guideline 9/2022 clearly indicates that it is not the status of the recipient, recognizing it as a so-called institution (person) of public trust or acting within the framework of the applicable legal provisions, but the existence of a direct (permanent) relationship between the sender and the recipient of the incorrectly sent correspondence that determines the admissibility of recognizing a given entity as a so-called ‘trusted recipient’.”
“The above-mentioned guidelines emphasize the long-term relationship between the administrator (the sender of the mistakenly sent correspondence) and the recipient (of this correspondence) and – resulting from this long-term relationship – the administrator’s knowledge of the procedures, history and other relevant details about the recipient, allowing the administrator to reasonably expect that the unauthorized recipient will not attempt to read or gain access to the mistakenly sent correspondence containing personal data, and even if the mistakenly sent personal data is accessed, the recipient will not take any further action and will immediately return the personal data to the administrator,” it added.
The President of the Personal Data Protection Office concluded that the possibility of disclosing such a large amount of data creates a huge risk for the data subjects. Since they were not notified about the problem, they were unable to neutralize the possible negative effects of the breach.
“The bank reasoned incorrectly by focusing only on who had access to the disclosed data. In its explanations, it relied on assurances from people with access to the disclosed data that nothing bad had happened. In this situation, the rights of those affected by the breach must always be taken into account. It should be emphasized that compliance with other legally protected secrets does not exempt from the application of the GDPR,” the office noted.
In the opinion of the president of the Personal Data Protection Office, the action of the bank in question constitutes an example of disrespect for the rights of people whose personal data are processed by the administrator.
“Taking into account that, according to the provisions of the GDPR, the penalty may amount to PLN 337 million, it should be considered relatively light. Based on the analyses of the cases reaching the supervisory authority, it can be assumed that the adopted practice of not informing persons whose data has been violated, justified as in the case of the discussed violation of personal data protection, is a manifestation of the bank’s systemic (political) attitude, which deserves an extremely negative assessment by the President of the Personal Data Protection Office,” the statement emphasized.
mBank: the penalty is inadequate, there will be a judicial appeal
The press office of mBank told Wirtualnemedia.pl that the bank does not agree with the decision of the President of the Personal Data Protection Office and will appeal to the Provincial Administrative Court in Warsaw.
– In July 2022, we independently reported to the Personal Data Protection Office that our subcontractor, instead of sending them to mBank, mistakenly sent the documents of three clients to another bank. The subcontractor also cooperated with this bank. After the error was discovered, all documents were immediately returned to us – the press office described.
It was pointed out that the data of the three customers mentioned therefore remained among persons obliged to apply banking secrecy and authorized to process data in accordance with the GDPR. – Our assessment of the situation was influenced by the fact that the documents were sent to a trusted entity, and therefore there would be no significant risk of violating the rights and freedoms of our customers – it was explained.
– We submitted our arguments regarding the assessment of this event in 2022 to the President of the Personal Data Protection Office. This also included a request for a reassessment of the decision made on the need to inform our customers about this event. Unfortunately, we have not received a final response from the Personal Data Protection Office. We have cooperated with the Office from the very beginning and have answered all questions sent to us reliably and completely. In light of these facts, we believe that the penalty imposed on us is inadequate – the statement added.