The Provincial Administrative Court (PAC) in Warsaw dismissed the complaint of Bank Millennium S.A. against a decision of the Personal Data Protection Office (PDPO).
The PDPO had imposed a financial penalty on the bank for a personal data breach: the loss of correspondence that the bank had sent through a courier service provider. The shipment contained personal data of the bank's customers: names, surnames, PESEL numbers, permanent addresses, bank account numbers and customer identification numbers assigned by the bank.
The bank itself assessed the risk of negative consequences for the affected persons as medium. Even on that assessment it was obliged at least to report the breach to the supervisory authority, which it did not do. Moreover, the bank failed to properly notify the people whose data was at risk. The PDPO found that, given the high risk to the rights and freedoms of the affected persons, the controller was obliged to notify both the supervisory authority and the data subjects, and the penalty was imposed for failing to do either.
The court concluded that the incident clearly constituted a personal data breach within the meaning of Article 4 item 12 of the GDPR (RODO). The security breach could have led to the unauthorised disclosure of the bank customers' data: because the shipment of documents was never found, the controller lost control over the personal data it was processing, and the resulting risk of unauthorised disclosure violated the confidentiality of that data. The bank has no information about what happened to the shipment, so it is impossible to determine whether unauthorised persons have read the documents.
A personal data breach is not limited to situations in which the controller is certain that personal data has been accessed by an unauthorised person. It also covers cases in which the controller cannot rule out that such access occurred, i.e. when it has no information on which to base such a finding. The latter case is treated as a breach of the confidentiality of personal data.
The court also ruled that the supervisory authority correctly identified the bank as the controller of the personal data, because the bank determined the purposes and means of the processing. The controller is the entity that sends the data and knows the content of the consignment; the courier service provider had no such knowledge. Like a postal operator, the courier is the controller only of the data visible on the envelope, i.e. the data of the sender and addressee, to the extent necessary for proper delivery of the shipment.
Since the lost consignment contained banking documents, the bank is clearly the controller. It sent the consignment and was obliged to fulfil the controller's obligations referred to in the contested decision.
Ref. II SA/Wa 4143/21