Not just negative consequences, but the risk of their occurrence as a reason for breach notification

The supervisory authority imposed an administrative fine of over PLN 545,000 (EUR 120,000) on Santander Bank Polska S.A. The reason for this decision was that the Bank breached the provisions of the GDPR by failing to communicate the incident to the data subjects without undue delay. The Polish DPA therefore ordered the Bank to communicate the situation and its potential consequences to these persons.

The controller notified the personal data protection breach to the DPA when it established that a former employee of the bank, despite leaving his job at the institution, had unauthorised access to the payer's profile on the Electronic Services Platform of the Social Insurance Company (PUE ZUS). As a result, he was able to browse through the data of the bank's employees located on the payer's profile of Santander Bank Polska S.A. In the course of proceedings it was established that the employee, after terminating work, used his rights and logged on to the platform five times.

Having analysed the breach notification, the DPA has concluded that a breach of data confidentiality occurred, which simultaneously involves a high risk to the rights or freedoms of data subjects. Therefore, in the opinion of the supervisory authority, it is necessary to communicate the incident to data subjects.

However, in the bank's assessment, no unlawful data processing was identified and it was concluded that there was no data breach within the meaning of the GDPR. As explained by the controller, it initially notified the data breach only for precautionary reasons. Having analyzed the case, it concluded that the incident did not involve a high risk to the rights or freedoms of natural persons, hence the breach was not communicated to the data subjects.

However, the bank posted a message on the internal communication platform recalling the principles of personal data processing.

In the opinion of the DPA, this type of communication was too general and did not refer to a specific case, but only presented example types of breaches. Since there was no indication in the message that such a situation had actually occurred, the potential recipient had no reason to take it seriously, draw conclusions from it and react accordingly.

The DPA also expressed its reservations as to the choice of addressees of the message, that is, only current employees of the bank using the internal communication platform. It should be mentioned that the breach should be communicated to all persons who were employed at the bank during the period when access to the data was open to an unauthorized person, and who currently may no longer work at the bank.

In the opinion of the DPA, in the presented case there were all circumstances that supported the necessity to communicate the breach to the data subjects. Access to such a wide scope of data poses a risk to the rights or freedoms of data subjects. Data processed on the PUE ZUS platform may be used by unauthorised persons, among other things, to gain access to health care services and access to data on the state of health, or to gain access to data enabling third parties to take out loans in non-banking institutions.

In this case, what is relevant is not whether the unauthorized person actually got acquainted with the personal data of other persons, but that there was such a risk (he or she had the opportunity to get acquainted with that data). Consequently, this means that, given the scope of the data, there was a high risk to the rights or freedoms of data subjects.

What is equally important and needs to be emphasized is that the controller made a conscious decision not to communicate the breach to the data subjects.

In the proceedings before the supervisory authority, the controller consistently maintained that it did not intend to comply with the obligation to communicate the incident to these persons.

According to the DPA, such an omission deprives those persons of the possibility to take remedial action and appropriate steps to protect their rights. Moreover, it may lead to material or non-material damage to the persons whose data have been breached.

Considering the above, the President of the DPA not only decided to impose an administrative fine of over PLN 545,000 (EUR 120,000), but also ordered the controller to comply with the obligation to communicate the incident to the persons as provided for in the GDPR.

The full text of the decision is available in Polish here.