What to do when there is a GDPR breach in the financial sector? Important PUODO recommendations

The President of the Personal Data Protection Office (“PUODO”) recently issued two decisions imposing administrative fines on data controllers for failing to report personal data breaches to the supervisory authority when they were required to do so.

In both decisions, the PUODO also set out how a controller should assess the risk that a breach poses to the rights or freedoms of data subjects.

What is a data protection breach according to the GDPR?

Under Article 4(12) of the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful:

  • destruction,
  • loss,
  • alteration,
  • unauthorised disclosure of, or
  • unauthorised access to

personal data that is:

  • transmitted,
  • stored, or
  • otherwise processed.

The term “incident” is also commonly used for a data breach, although not every security incident involves personal data and therefore not every incident is a personal data breach in the GDPR sense.

What are examples of data breaches?

Common types of breaches are:

  • so-called data leaks – unauthorised access to data by, for example, cybercriminals,
  • data theft,
  • accidental loss of data by the controller (e.g., loss of a shipment or a computer).

What to do when there is a data breach according to the GDPR?

Under the GDPR, every personal data breach must be assessed for the risk it poses to the rights or freedoms of data subjects. Where that risk is assessed as unlikely, it is sufficient to handle the breach internally in accordance with the controller’s established procedures.

The most common actions will consist of:

  • determining the causes of the breach,
  • applying measures to remove the effects of the breach,
  • improving safeguards to eliminate the risk of recurrence – in accordance with the controller’s internal procedures,
  • documenting the breach in the controller’s breach register. Article 33(5) of the GDPR requires every breach to be documented (facts, effects and remedial action), including breaches that are not notified, so that the supervisory authority can verify the controller’s assessment afterwards.

If the risk to the rights or freedoms of data subjects is assessed as anything higher than unlikely, the PUODO must be notified in addition to the internal procedure described above. The notification must be made without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of the breach; if it is made later, it must be accompanied by the reasons for the delay.

Where a breach is likely to result in a high risk, the data subjects must also be informed without undue delay.

Key PUODO decisions on data protection violations

The PUODO recently issued two administrative decisions concerning irregularities committed by controllers in the handling of personal data breaches.

Let us now look at the specific situations and how the PUODO assessed them.

Loss of a shipment by a courier company and GDPR regulations

The first PUODO decision was issued against a bank that sent a package of bank documents to a customer by courier. The package included the following data: names, dates of birth, bank account numbers, address and contact details, PESEL numbers, usernames and passwords for the bank’s electronic banking, and, depending on the document, salary data, ID card series and numbers, and information about bank products.

As far as the personal data inside the shipment is concerned, it is the sender who remains the controller. Even though the shipment was lost on the courier company’s side, the bank, as the controller, cannot escape liability under the GDPR.

The package was stolen from the courier and later found by a person who handed it over to the police, stating that he had not copied the documents it contained.

The bank assessed the risk to the rights or freedoms of the persons whose data was in the shipment and determined it to be low (unlikely). As a result, the breach was not notified to the PUODO, nor were the data subjects informed.

The bank justified the low risk to the rights and freedoms of data subjects with the following circumstances:

  • the shipment was found by one identified person within a short time after it was lost by the courier;
  • it was verified that no documents were missing; the person who found the documents took them directly to the police station;
  • the person stated that he had not copied the documents.

Incorrectly addressed shipment

The second decision was issued against another bank. It concerned a parcel containing a loan agreement with a repayment schedule that was incorrectly addressed and delivered to a different customer of the bank.

The parcel contained the following personal data: first and last name, bank account number, home address, PESEL number, and ID card series and number. The parcel was received and opened by that customer. After the bank sent a courier to the person in possession of the misdirected parcel, the correspondence was returned to the bank.

The bank assessed the risk to the rights or freedoms of the person whose data was in the parcel and determined it to be low (unlikely). As a result, the breach was not notified to the PUODO, nor was the data subject informed.

The bank justified the low risk to the rights and freedoms of the data subject with the following circumstances:

  • the breach affected only one person,
  • the document containing the data was quickly recovered,
  • the good faith of the recipient of the parcel was assumed, in particular because the recipient was a customer of the bank, informed the bank of the incident, and cooperated with the bank in returning the misaddressed parcel,
  • the bank knew the identity of the recipient, which, in the bank’s view, reduced the risk that the recipient would misuse the data to the detriment of the affected person.

But what was PUODO’s assessment?

In both decisions, the PUODO took a position focused on protecting the rights and freedoms of data subjects. Challenging the assessments made by the controllers, it pointed out that:

  • the scale and nature of a bank’s activity – providing financial services to a very large number of customers – means that the bank processes personal data on a large scale,
  • data relating to the fact of concluding contracts and their content was disclosed; in the case of financial data this is a significant factor that increases the risk to rights and freedoms, even though such data is not a special category of data,
  • there is no certainty that, apart from the person who found or received the documents, the documents were not seen by other people and that the data was not copied. A finder’s or recipient’s assurance that nothing was copied is not evidence that nothing was copied, and a controller cannot base its risk assessment on it.

The PUODO stressed that:

“The assessment by the controller of the breach in terms of the risk of infringement of the rights or freedoms of individuals necessary to determine whether there has been a data protection breach resulting in the need to notify the President of the DPA (…) should, as should be emphasized once again, be made through the prism of the person affected by the breach.”

And also:

“It should be emphasized that the assessment of the risk of violation of the rights or freedoms of an individual should be made through the prism of the data subject, and not the interests of the controller.”

The full texts of the decisions, including the banks’ and the PUODO’s arguments, are available here:

https://www.uodo.gov.pl/decyzje/DKN.5131.59.2022

https://www.uodo.gov.pl/decyzje/DKN.5131.28.2023


What can be done to avoid fines for data protection breaches under the GDPR?

In the cases in question, the PUODO imposed fines on the controllers of PLN 1,440,000 and PLN 78,000. These fines are substantial, and their amount is due not only to the fact that personal data breaches occurred, but also to the fact that the way they were handled did not meet the standards required by the GDPR.

When analysing a breach and assessing the risk to the rights and freedoms of data subjects, it is worth relying on the guidelines of the European Data Protection Board (EDPB), in particular Guidelines 01/2021 (examples regarding personal data breach notification) and Guidelines 9/2022 (personal data breach notification under the GDPR).

To protect against the unpleasant consequences of GDPR breaches, it is worth implementing a complete personal data protection system consisting of:

  • appropriate procedures,
  • documenting assessments and justifying decisions on personal data protection (accountability), so that a decision not to notify can be defended later,
  • raising staff awareness through periodic training,
  • conducting assessments and analyses and updating them – for example, based on lessons learned from incidents that have occurred,
  • implementing adequate security measures.

Our law firm and its team of specialists offer data protection compliance audits, preparation of the required documentation, and training. During an audit, we carry out a comprehensive review of the personal data processes at the company in order to propose the best solutions to ensure the security of personal data.

Ensure your company’s full compliance and protection of personal data. Contact us to learn more.

Author: Alicja Mruczkiewicz, team leader, DKP Legal