The breach occurred when a parcel containing bank documents was stolen from a courier company. The parcel was then abandoned in one of the housing estates. The documents contained therein included, among others, personal data, bank account numbers and PESEL numbers. The Personal Data Protection Office learned about the violation from the media.
Santander fined by the Personal Data Protection Office. It’s about a lost data package
The bank explained that it did not report this violation because the parcel was found shortly after the theft. Moreover, it was established that no documents were missing, and the person who found the parcel took it to the police and stated that he had not copied the documents.
However, the President of the Personal Data Protection Office, Mirosław Wróblewski, penalized Santander because he found that the risk associated with a personal data breach should be assessed from the perspective of the person at risk, not from the perspective of the data controller's interests. The Personal Data Protection Office also pointed out that because the company did not report the incident, the persons whose data were disclosed could neither assess the risk themselves nor react to the breach.
During the proceedings, the President of the Personal Data Protection Office also found that it was irrelevant that the data were made available to only one identified person. What matters is that the parcel was found by that person at all. Additionally, the controller cannot be sure how many people may have had access to the abandoned shipment before it was found. The mere fact that a shipment was stolen should influence an appropriate assessment of the incident, including the assessment of the risk of violating the rights and freedoms of natural persons.
The Personal Data Protection Office also obliged Santander Bank to notify the affected persons about the breach. The fine amount, set at PLN 1.44 million, was influenced by the fact that this was another personal data protection violation at this bank. In 2022, the Office imposed a PLN 545,000 fine on Santander for violating the obligation arising from Art. 34 section 1 GDPR, i.e. the obligation to notify data subjects about a breach.
Toyota Bank was also fined
The Personal Data Protection Office also fined a second bank, Toyota Bank Polska SA, for exceeding the deadline for reporting a personal data breach by one and a half years. In this case, the fine amounted to PLN 78,000.
“The breach consisted in the bank sending a person’s data to an unauthorized recipient. The scope of data contained in the correspondence resulted in a high risk to the rights and freedoms of the person whose data was disclosed (e.g. risk of identity theft). In the decision, the supervisory authority also noted that the controller is not certain whether, before returning the correspondence, the incorrect recipient did not make a copy or did not record the personal data contained in the contract in another way, e.g. by writing them down.”
Source: Gazeta

Mabel is a talented author and journalist with a passion for all things technology. As an experienced writer for the 247 News Agency, she has established a reputation for her in-depth reporting and expert analysis on the latest developments in the tech industry.