HDPA (Greece) - 35/2023: Difference between revisions

From GDPRhub
mNo edit summary
No edit summary
 
(12 intermediate revisions by 5 users not shown)
Line 1: Line 1:
The Hellenic DPA established the violation of two of the principles of legality of Article 5 of the GDPR, committed through the unlawful transfer of the complainant's personal data, as well as the violation of the obligation to notify the incident to the supervisory authority, in accordance with Article 33 of the GDPR.In particular, it was first found that "the provision by  the complainant Bank of personal data relating to the use of the complainant's credit card to his wife was unlawful, in violation  of the principle of legality, objectivity and transparency of processing (Article 5 para. 1 a GDPR) and in violation  of the principle of data confidentiality (Article 5 (1) f GDPR). This unauthorized processing (disclosure by transmission)  constitutes an incident of personal data breach, according to the definition of Article 4 no. 12 GDPR, which is attributed to an error of an employee of the Bank
{{DPAdecisionBOX
 
|Jurisdiction=Greece
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoGR.jpg
|DPA_Abbrevation=HDPA
|DPA_With_Country=HDPA (Greece)
 
|Case_Number_Name=35/2023
|ECLI=
 
|Original_Source_Name_1=Hellenic DPA
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2023-12/35_2023%20anonym.pdf
|Original_Source_Language_1=Greek
|Original_Source_Language__Code_1=EL
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
 
|Type=Complaint
|Outcome=Upheld
|Date_Started=28.09.2023
|Date_Decided=08.11.2023
|Date_Published=05.12.2023
|Year=2023
|Fine=60.0000
|Currency=EUR
 
|GDPR_Article_1=Article 4(12) GDPR
|GDPR_Article_Link_1=Article 4 GDPR#12
|GDPR_Article_2=Article 5(1) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1
|GDPR_Article_3=Article 24(1) GDPR
|GDPR_Article_Link_3=Article 24 GDPR#1
|GDPR_Article_4=Article 33(1) GDPR
|GDPR_Article_Link_4=Article 33 GDPR#1
|GDPR_Article_5=Article 34(1) GDPR
|GDPR_Article_Link_5=Article 34 GDPR#1
|GDPR_Article_6=
|GDPR_Article_Link_6=
|GDPR_Article_7=
|GDPR_Article_Link_7=
 
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
 
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
 
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
 
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
 
|Initial_Contributor=Nikolaos. Konstantis
|
}}
 
The Hellenic DPA fined a controller €60,000 for unauthorised disclosure of personal data to a data subject's wife.  
 
== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Hellenic Personal Data Protection Authority imposed a fine of €60,000 on a Bank  for the illegal provision of personal data to the complainant's wife, but also mainly for her mistakes and omissions in the management of the data breach incident.
A data subject complained that Alpha Bank (the controller) provided the complainant's wife with information about the maintenance of a credit card in his name, as well as printed receipts of all transactions he had made in the previous 3-4 months, without informing him. This resulted in in the significant disruption of the family peace and the relationship of the complainant with his wife.
 
The Authority invited the controller to provide information, specifying in particular:
 
At the same time, the Bank was requested to submit its relevant policies and to clarify whether the provisions therein were complied with and whether the alleged were treated as a data breach incident, in accordance with Articles 33-34 of the GDPR.
 
The  Bank launched an internal investigation and confirmed the committal of the violation, which it attributed to an error of an employee of its local branch. The investigation concluded that employee acted without intention to deceive. This was because:
 
Regarding the management of the breach, based on [[Article 33 GDPR|Articles 33-34 of the GDPR]], the Bank claimed that the incident was treated as a personal data breach, all relevant procedures for recording and handling it were followed, the responsible employee was referred to the Disciplinary Board and severely punished with a disciplinary dismissal penalty of one (1) month. No notification was made to the Authority under [[Article 33 GDPR|Article 33 GDPR,]] because it concerned only one subject and the controller thought that there was no possibility that it would affect the rights and freedoms of the subject himself or of other natural persons. While no notification was made to the data subject pursuant to [[Article 34 GDPR]], the controller did not consider this necessary as the data subject had been the one to inform the controller about the incident.  


=== Holding ===
=== Holding ===
According to the complaint, Alpha Bank provided the complainant's wife with information about the maintenance of a credit card in his name, as well as printed receipts of all transactions he had made in the previous 3-4 months. granting – transmission was made without informing him, as a data subject, and resulted, according to the complaint, in the significant disruption of the family peace and the relationship of the complainant with his wife.The Authority invited the complainant Bank to provide information on the complaint, specifying in particular: (a) whether it provided information on the transactions made through the complainant's personal credit card to his wife, on what legal basis and procedure, and  why the complainant as a data subject was not informed  accordingly, (b) when it became aware of the alleged incident on behalf  of the complainant and what action he took subsequently. At the same time, the Bank was requested to submit its relevant Policies and to clarify whether the provisions therein were complied with and whether the alleged were treated as a data breach incident, in accordance with Articles 33-34 of the GDPR.
The HDPA fined the controller €10,000 for unauthorised disclosure of personal data by bank to the data subject's wife under [[Article 5 GDPR|Article 5 (1) (a) GDPR]] and [[Article 5 GDPR|Article 5 (1) (f) GDPR]]. An additional €50,000 was added for the violation of the obligation to notify the breach to the supervisory authority under [[Article 33 GDPR]].
The  Bank confirmed the committal of the violation, which it attributed to an error of an employee of its local branch. In particular, the Bank claimed that it did receive a complaint from a customer about the leakage of his personal data, but the information submitted was not sufficient to initiate an investigation, as it was difficult to identify both the manner and origin of the leak.  and the determination of the time period over which the investigation should extend.
 
According to the complainant, the complainant came back again, providing new evidence, after receiving which the Internal Audit was again informed, in order to initiate the relevant investigation.
First, the Hellenic Data Protection Authority established the violation of [[Article 5 GDPR|Article 5(1)(a)]] and [[Article 5 GDPR|(f)]] GDPR, committed through the unlawful transfer of the complainant's personal data. The transfer of data from the controller to the complainant's wife was unlawful, in violation of the principle of legality and transparency of processing and in violation of the principle of data confidentiality. This unauthorised processing (disclosure by transmission) constitutes a personal data breach, according to the definition of [[Article 4 GDPR|Article 4(12) GDPR,]] even if it is attributed to an error of an employee of the Bank
The Internal Audit report confirmed the leakage of the complainant's personal data, which was attributed to the responsibility of a store operator, but without any deception on her part. This is because, according to the finding:  (a) the complainant's personal data were disclosed at the request of a direct relative  (spouse); (b) the complainant's spouse, who was wrongly the recipient of his data;  is a co-beneficiary of other  products of the Bank as well as an additional credit card holder with  the complainant as the main beneficiary, c) the leak took place in the context of servicing / informing  the complainant's wife about a series of products, in which she is a beneficiary or co-beneficiary, the last of which concerns the credit card in question of her complainant husband and d) the complainant's wife misled the Store Officer by claiming that he supposedly had the relevant authorization  of the cardholder and her husband to receive a copy of his credit card statements.
 
Regarding the management of the breach, based on Articles 33-34 of the GDPR, the Bank claimed that "the incident was treated as a personal data breach, all relevant procedures for recording and handling it were followed, the responsible employee was referred to the Disciplinary Board and severely punished with a disciplinary dismissal penalty of one (1) month, while no notification was made to the subject pursuant to Article 34 of the GDPR given that the latter had informed the Bank about the incident, nor to the Authority, pursuant to Article 33 of the GDPR, because ''it concerned only one subject and there was no possibility that it would affect the rights and freedoms of the subject himself or of other natural persons
Second, the Hellenic DPA considered the violation of the obligation to notify the breach to the supervisory authority, in accordance with [[Article 33 GDPR|Article 33 GDPR.]] Under [[Article 33 GDPR|Article 33,]] the controller should have reported the breach within 72 hours to the Supervisory Authority.


== Comment ==
== Comment ==

Latest revision as of 10:54, 10 January 2024

HDPA - 35/2023
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(12) GDPR
Article 5(1) GDPR
Article 24(1) GDPR
Article 33(1) GDPR
Article 34(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 28.09.2023
Decided: 08.11.2023
Published: 05.12.2023
Fine: 60.0000 EUR
Parties: n/a
National Case Number/Name: 35/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Hellenic DPA (in EL)
Initial Contributor: Nikolaos. Konstantis

The Hellenic DPA fined a controller €60,000 for unauthorised disclosure of personal data to a data subject's wife.

English Summary

Facts

A data subject complained that Alpha Bank (the controller) provided the complainant's wife with information about the maintenance of a credit card in his name, as well as printed receipts of all transactions he had made in the previous 3-4 months, without informing him. This resulted in in the significant disruption of the family peace and the relationship of the complainant with his wife.

The Authority invited the controller to provide information, specifying in particular:

At the same time, the Bank was requested to submit its relevant policies and to clarify whether the provisions therein were complied with and whether the alleged were treated as a data breach incident, in accordance with Articles 33-34 of the GDPR.

The Bank launched an internal investigation and confirmed the committal of the violation, which it attributed to an error of an employee of its local branch. The investigation concluded that employee acted without intention to deceive. This was because:

Regarding the management of the breach, based on Articles 33-34 of the GDPR, the Bank claimed that the incident was treated as a personal data breach, all relevant procedures for recording and handling it were followed, the responsible employee was referred to the Disciplinary Board and severely punished with a disciplinary dismissal penalty of one (1) month. No notification was made to the Authority under Article 33 GDPR, because it concerned only one subject and the controller thought that there was no possibility that it would affect the rights and freedoms of the subject himself or of other natural persons. While no notification was made to the data subject pursuant to Article 34 GDPR, the controller did not consider this necessary as the data subject had been the one to inform the controller about the incident.

Holding

The HDPA fined the controller €10,000 for unauthorised disclosure of personal data by bank to the data subject's wife under Article 5 (1) (a) GDPR and Article 5 (1) (f) GDPR. An additional €50,000 was added for the violation of the obligation to notify the breach to the supervisory authority under Article 33 GDPR.

First, the Hellenic Data Protection Authority established the violation of Article 5(1)(a) and (f) GDPR, committed through the unlawful transfer of the complainant's personal data. The transfer of data from the controller to the complainant's wife was unlawful, in violation of the principle of legality and transparency of processing and in violation of the principle of data confidentiality. This unauthorised processing (disclosure by transmission) constitutes a personal data breach, according to the definition of Article 4(12) GDPR, even if it is attributed to an error of an employee of the Bank

Second, the Hellenic DPA considered the violation of the obligation to notify the breach to the supervisory authority, in accordance with Article 33 GDPR. Under Article 33, the controller should have reported the breach within 72 hours to the Supervisory Authority.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

DECISION 35/2023 (Department) The Personal Data Protection Authority met, at the invitation of its President, in a regular meeting in the composition of the Department at its headquarters on 08/11/2023, in order to examine the case referred to in the history of this . The meeting was attended by teleconference by George Batzalexis, Deputy President, in opposition to the President of the Authority, Konstantinos Menoudakos, and was attended by the alternate member Nikolaos Livos, as rapporteur, as well as the alternate members Demosthenes Vougioukas and Maria Psalla, in place of the regular members Konstantinos Lambrinoudakis and Grigorio Tsolia who did not attend due to disability although they were legally summoned in writing. The meeting was attended, by order of the President without the right to vote, by Haris Symeonidou, specialist scientist - auditor as assistant rapporteur and Irini Papageorgopoulou, employee of the Authority's administrative affairs department, as secretary. The Authority took into account the following: With the no. prot. C/EIS/10503/28-09-2022 his complaint, A (hereinafter the complainant), is directed against Alpha Bank (hereinafter the complainant), whose customer and credit card holder is being treated illegally and without prior notification giving his personal data to his wife. In particular, according to the complaint, on ... of ... the complained Bank provided the complainant's wife, at her request, with information regarding the fact that the complainant maintains a credit card in his 2 name, as well as printed receipts of all transactions, which the complainant had made transactions with the credit card in question in the previous 3-4 months, i.e. information falling under bank secrecy. As the complainant claims, the fact that the printing had been done in a Bank branch was confirmed by an employee of the Alpha Bank Branch in Φ to whom the complainant showed the relevant photos, while it follows from the complaint that the complainant was not previously informed as the subject of the data, before transmission. In addition, the complainant states that he has already appealed the alleged facts to the Consumer Ombudsman, while he regularly received SMS from the complained Bank with the message that an effort is being made to find the best solution for his case. The complainant also states that the reason he had issued the credit card in question is that …. Finally, the complaint states that as a consequence of the unlawful leakage of information regarding the existence and movements of the complainant's credit card, family peace and his relationship with his wife were significantly disturbed (…). In the context of the investigation of the complaint, the Authority with document G/EXE/3243/13-12-2022 invited the complainant to state her views on the complainants, clarifying in particular, a) whether the complainant provided information regarding the transactions they had carried out through the complainant's personal credit card to his wife, with what legal basis and procedure, and why was the complainant as the data subject not informed about it, b) when did the complainant become aware of the reported incident on behalf of the complainant and in what actions he took next. With its response, the Bank was asked to provide the relevant Bank Policies and to clarify whether the provisions therein were observed in this case, specifying in particular whether it handled the reported incident as a personal data breach in accordance with articles 33-34 GDPR and justifying its response . With the under no. prot. C/EIS/125/09-01-2023 in its response, the complained Bank stated the following: 3 - That the complainant is a customer of Alpha Bank, as is his wife, and on ... filed a complaint about the leakage of his personal data and specifically transactions on his credit card..., which had been issued in his name without another beneficiary (additional card). According to the Bank, the competent Service received the request but the information provided by the complainant was not sufficient to initiate a relevant investigation, as the manner and origin of the leak would have to be identified, since it could potentially be any Branch of the Bank, while it was not possible to determine the period of time in which the investigation should extend, because only the end of the period in question (the ...) was known and not its beginning. However, the complainant states that the client-complainant suspected that the source of the leak was Store X and that he informed him regarding the receipt of the request and the start of its processing with three (3) sms messages (at ... and ...). - That on ... the complainant came back with a newer message via e-mail, with an attached black and white photo of a copy of his card account transactions, which, according to him, had been forwarded/delivered to his wife by an unknown employee of the Bank "to P or X". Following this, the Bank's Service forwarded, according to the complainant's reply, on ... the complainant's request to the competent Internal Audit Department in order to initiate a relevant investigation, but by mistake, as it states, did not forward the additional data received on ..., as a result, due to a lack of information that would limit the scope of the investigation, the Internal Audit requested on ... clarifications and further information from the Bank Service that managed the case. He also claims that for this difficulty in the Bank's immediate response, the complainant was informed by four (4) sms messages on his mobile phone dated (... and ...). - That, subsequently, on ... a request/report of the complainant on the same subject was received by the complainant through the Consumer Advocate, in which it was stated that his wife on ... showed him copies of his card account transactions as "evidence", claiming that these documents had come from her accessing web banking by intercepting his 4 passwords. Attached to this request was the black-and-white photo of the above copy of the account as well as newer information about the case and thus, according to the aforementioned response, the Bank's Service on ... addressed the Internal Audit again, providing all the information it now had in at her disposal, so that the relevant investigation can be launched, while on ... an official of the competent Service called the complainant to provide clarifications and to confirm the information that had been brought to her attention. - That on ... the relevant conclusion of the Internal Audit was issued, which confirmed the leak of the complainant's personal data, for which responsibility is attributed to Store Officer OH X (with code ...). Nevertheless, according to the conclusion, no fraud was diagnosed on the part of the Officer because, as the Bank states: a) the complainant's personal data were disclosed at the request of a direct relative (husband), b) the complainant's wife, who was wrongly the recipient of his data, he is a co-beneficiary in other products of the Bank as well as the holder of an additional credit card with the complainant as the main beneficiary, c) the leak took place in the context of servicing / informing the complainant's wife about a series of products, in which beneficiary or co-beneficiary herself, the latter of which concerns the disputed credit card of her complainant's husband and d) the complainant's wife misled the Store Clerk by claiming that she allegedly had the relevant authorization from the cardholder and her husband for the receipt copy of his credit card transactions. Furthermore, regarding the management of the incident as a breach of personal data, with the same response the complained Bank stated the following: - That with the confirmation of the Data Confidentiality Breach, the bank, through its competent Services, took a series of actions: On ... the Operational Risk Incident Management Council met and, among other things, decided to refer the Officer for whom responsibilities arose, to the Disciplinary Council for non-compliance with the Bank's Policies. 5 On ... the Personal Data Breach Incident Evaluation Committee met in accordance with the Bank's relevant Policy, which assessed that, based on the circumstances of the incident and in particular that the unauthorized recipients of the data are limited to a person related to the complainant (spouse ) "there does not appear to be a risk to his freedoms and rights as a subject". The incident was registered in the Data Breach Incident Register (submitted as attachment 1) and the Personal Data Breach Incident Risk Analysis Form was completed (submitted as attachment 2). According to this Risk Analysis Form, the risk to the subject is assessed as "negligible". On ... he informed the complainant by e-mail about the incident and the result of the relevant investigation and on ... the Disciplinary Council of the Bank met and a relevant decision is expected. Based on the above, the Bank maintains that it examined the complainant's request with due care, that it "proceeded with the required investigation when it had at its disposal the necessary data to carry out the relevant audit, as their temporary lack made it impossible to carry out or it would lead to the employment of disproportionately increased resources and would significantly prolong its conduct". Finally, with the same document, the Bank submitted to the Authority the Personal Data Protection Policy (cont. 4), the Group Cybersecurity and Information Security Framework (cont. 5) and the Procedure for Notification of Personal Data Protection Violations (Data Breach Management) ( co. 6) and emphasized that it undertakes continuous training initiatives for its staff in matters of personal data protection 6. In this text, among other things, the following are provided: "2.1 REPORTING OF A SUSPICIOUS INCIDENT All possible security incidents, including those that may constitute incidents of breach or are confirmed incidents of breach of personal data, are reported immediately:  via e-mail: To: privacy @alpha.gr Notification: Market Risks and Operational Risks Department or  by phone, tel. 210 326 6965, the Support Operations Department, which immediately informs the following: o the Group Data Protection Officer (hereinafter "DPO") and o the Cyber Security and Information Security (hereinafter "DKAP") Possible security incidents may be reported to the Bank, in its capacity as data controller, by the following: 1. Bank units: They report incidents that have come to their attention, which may concern a security incident, and in particular an incident of personal data breach. These Units immediately complete the "Announcement of an Operational Risk Event" form (Form Code 15031), according to the provisions of the Operational Risk Management Policy and send it via e-mail based on the above." […]“2.4 ASSESSMENT OF A PERSONAL DATA BREACH INCIDENT It is very important, as soon as it is confirmed that the incident concerns a personal data breach, not only to carry out the initial actions to deal with it, but also to assess the risk of the breach incident, based on the effects it may have on the rights and freedoms of the data subjects".  In continuation of the above, the Authority, with calls C/EXE/730/22-03-2023 and C/EXE/731/22-03-2023 respectively, invited the complainant and the complainant to a hearing, via video conference, before the Department of the Authority on ..., in order to present their views on the case. At the 7th meeting of ..., the case was adjourned at the request of the complainant, for the meeting of ..., at which time it was adjourned again, at the request of the complainant, for the meeting of .... At the meeting of ..., the complainant and on behalf of the complained Bank, lawyers Ioannis Mourgelas (AM DSA ...), Angeliki Sakopoulou (AM DSA ...) attended, while B, the Bank's Data Protection Officer, also attended. During the hearing the parties developed their views and were given a deadline to submit a memorandum. Subsequently, the complainant filed the due date from ... no. prot. C/EIS/4899/03-07-2023 her memorandum, while the complainant did not file a memorandum. At the hearing, the complainant reiterated what was stated in his complaint, emphasizing the fact that the credit card was solely in his name, that both he and his wife are "Gold Members" of the complainant Bank and that his wife is a regular customer in store X, that in the context of the adjudication of his lawsuit against the accused Bank, an employee of the latter falsely testified that his wife had his authorization to obtain information in relation to his credit card and that the Bank, after 3- For 4 months she sent him messages (sms) apologizing for the delay, finally informing him via e-mail that he did well to provide the information to his wife because she had his authorization, which, as the complainant claims, was not the case. Furthermore, as the complainant stated, his wife did not know his card number. The complainant, both at the hearing and in her memorandum from ..., argued that in her original complaint from ..., the complainant did not identify the store from which the leak occurred "not even by area", as a result of which it is not objectively possible the investigation to lead to a specific conclusion. However, the complainant submits the request in question (as attachment 1), from which it appears that the complainant explicitly mentions that "X's store is suspected", while also in C/EIS/125/9-1-2023 her opinion document the complainant states that the complainant in his initial request "suspected that the source of the leak was Store X". Furthermore, the complainant argued during the hearing and in her pleading that, although 8 with his second request from … the complainant provided a photo of a printout (on …) of his card account statement which had been given to his wife and although he determined that the leak occurred between Y and X, again the Bank was unable to identify the source of the leak as the exact time of the leak was not specified. In particular, the Bank states that along the beach front between Ψ and X there are ... its Branches, which are staffed by ... officers and in each of them they are carried out daily according to 100-120 transactions, so her search for even 35 business days (from … to …) would have to span many thousands of transactions. Therefore, according to the complained Bank, "it is obvious that it is very difficult to complete such a project in order to establish whether there really was a leak, from which store, and exactly which data". In addition, the complainant reiterated the claim that when the complainant's request from ... was forwarded to the Bank's Internal Audit Department in order to initiate an investigation, the additional information was inadvertently not forwarded, i.e. the provided photo of the printout of his card statement complainant, adding that the fact that it was a "not full picture of a monthly bill of a card" contributed to this detour. In addition, according to the complainant, no store is mentioned in this photo, but only the date of issue of the statement of account transactions (…), the name of its owner, the number of the card, its credit limit and the new (debit) balance, as well as the details of the transactions that took place during the period covered by the copy. According to the Bank, the leakage of the transaction data depicted in it "does not appear to endanger the freedoms and rights of the cardholder in the slightest" because "these are limited to the dates on which the transactions took place, the businesses in which these were carried out, such as ..., as well as the amount of each transaction, without any reference whatsoever to the specific goods or services purchased, so that it was not objectively possible to associate these transactions with any person for whom they were carried out" and because they had a low height, 9 as "daily micro-transactions". Further, the Bank alleges that the complainant did not provide it with all the information available to it for the purpose of investigating the incident, as his wife's claim that she had used his web banking codes first became known to the bank on …, when she was notified of the report pending before the Consumer Ombudsman, while, as the complainant stated in his message from … and also during the hearing, while he knew the store and the employee in charge, he did not want to report them to the Bank . For this reason, the complained Bank maintains that the complainant bears significant responsibility for the delay in the investigation of the incident. In addition, the Bank states that the guilty employee wrongly accepted the husband's verbal authorization as sufficient, despite the Bank's internal procedures and instructions, but acted in good faith due to her misrepresentation, with a view to serving the customer, based on the couple's long-term relationship with the Bank Bank, the number of products they have in common and the fact that the wife knew the existence and also the number of the complainant's credit card. Subsequently, the Bank maintains that the incident was treated as a breach of personal data, all relevant recording and handling procedures were followed, the guilty employee was referred to the Disciplinary Council and severely punished with a disciplinary suspension of one (1) month, while no notification was made to the subject according to Article 34 of the GDPR, given that he had informed the Bank about the incident, nor to the Authority, according to Article 33 of the GDPR, because "it concerned only one subject and there was no way that it would affect his own rights and freedoms subject or other natural persons". With its memorandum, the Bank submits the complainant's original complaint from ..., the informative sms sent to him by the Bank, the black and white photo of the printout, the complaint to the Consumer Ombudsman, the complainant's request from ..., an affidavit of the manager (at the time of the incident) of Branch OH X, as well as again the Bank's Data Protection Policy, which he had also submitted as reference 4 of the under no. prot. C/EIS/125/09-01-2023 of its response document. 10 The Authority, after examining the elements of the file and after hearing the rapporteur and the clarifications from the assistant rapporteur, who was present without the right to vote, after a thorough discussion, DECIDED IN ACCORDANCE WITH THE LAW 1. From the provisions of articles 51 and 55 of the General Data Protection Regulation (Regulation (EU) 2016/679 - hereinafter, GDPR) and Article 9 of Law 4624/2019 (Government Gazette A΄ 137) it follows that the Authority has the authority to supervise the implementation of the provisions of the GDPR, the law this and other regulations concerning the protection of the individual from the processing of personal data. In particular, from the provisions of articles 57 par. 1 item f of the GDPR and 13 par. 1 item g΄ of Law 4624/2019 it follows that the Authority has the authority to deal with A's complaint against Alpha Bank and to exercise, respectively, the powers granted to it by the provisions of Articles 58 of the GDPR and 15 of Law 4624/2019. 2. Article 5 par. 1 of the General Regulation (EU) 2016/679 for the protection of natural persons against the processing of personal data (hereinafter GDPR) sets out the principles that must govern a processing. According to article 5 par. 1 a) and f) GDPR "1. Personal data: a) are processed lawfully and legitimately in a transparent manner in relation to the data subject ("legality, objectivity and transparency"), [...] f) are processed in a way that guarantees appropriate data security of a personal nature, including their protection from unauthorized or illegal processing and accidental loss, destruction or damage, by using appropriate technical or organizational measures ("integrity and confidentiality")", while as pointed out in the Preamble of the Regulation, "The data personal data should be processed in a way that ensures the appropriate protection and confidentiality of personal data, including to prevent any unauthorized access 11 to such personal data and to the equipment used to process it or the use of these personal data and the equipment in question" (Ref. Sk. 39 in fine). Furthermore, according to the principle of accountability which is expressly defined in the second paragraph of the same article and constitutes a cornerstone of the GDPR, the data controller "bears the responsibility and is able to demonstrate compliance with paragraph 1 ("accountability")". This principle entails the obligation of the controller to be able to demonstrate compliance with the principles of art. 5 par.1.  3. According to the provision of article 24 par. 1 GDPR: "1. Taking into account the nature, scope, context and purposes of the processing, as well as the risks of different probability of occurrence and severity for the rights and freedoms of natural persons, the controller implements appropriate technical and organizational measures in order to ensure and can demonstrate that the processing is carried out in accordance with this regulation. The measures in question are reviewed and updated when deemed necessary", while in accordance with the provisions of paragraphs 1 and 2 of article 32 GDPR for the security of the processing, "1. Taking into account the latest developments, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of different probability of occurrence and severity for the rights and freedoms of natural persons, the controller and the executor the processing implement appropriate technical and organizational measures in order to ensure the appropriate level of security against risks, [...] 2. When assessing the appropriate level of security, particular account is taken of the risks deriving from the processing, in particular from accidental or illegal destruction, loss , alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed". 4. According to article 4 no. 12 GDPR as a personal data breach means "a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or otherwise processed". According to the Guidelines 18/2018 of the Working Group of Article 29 of Directive 95/46/EC (now European Data Protection Council) on Personal data breach notification under Regulation dated 02-06-2018 ("Guidelines on Personal data breach notification under Regulation 2016/679" WP 250 rev. 1) one of the types of personal data breach is the one categorized based on the security principle of "confidentiality", when unauthorized access to personal data is found ("confidentiality breach"). A breach can potentially have various significant adverse consequences for persons, which can lead to physical, material or moral harm. The GDPR explains that this harm can include loss of control over their personal data, limitation of their rights, discrimination, misuse or identity theft, financial loss, unlawful de-pseudonymisation, damage to reputation and loss of confidentiality of personal data of a nature protected by professional secrecy, etc. (see also paragraphs 85 and 75). 5. Incidents of data breach must be notified to the Authority within 72 hours from the moment the data controller became aware of them, in accordance with article 33 par. 1 GDPR: "1. In the event of a personal data breach, the controller shall notify the supervisory authority competent in accordance with Article 55 without delay and, if possible, within 72 hours of becoming aware of the personal data breach, unless the breach of personal data may not cause a risk to the rights and freedoms of natural persons. Where notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay.' And according to recital 85, as soon as the data controller becomes aware of a personal data breach, "he should immediately notify the competent supervisory authority, unless he can demonstrate, in accordance with the principle of accountability, that the 13 breach personal data may not pose a risk to the rights and freedoms of natural persons". It is pointed out that according to the wording of Article 33 of the GDPR and in contrast to the wording of Article 34 of the GDPR, the obligation to notify the Authority does not require the existence of a "high risk" for the subject but simply a "danger" for the rights and freedoms of. And according to the above Guidelines of OE 29 "Article 33 paragraph 1 makes it clear that, in the event of a violation that "is not likely to cause a risk to the rights and freedoms of natural persons", notification to the supervisory authority is not required. An example may be the case where personal data are already publicly available and their disclosure does not pose a potential risk to the person" (wp 250 rev.01, p.21). From the above, it follows that the GDPR establishes a "presumption" of the obligation to notify the Authority of incidents of infringement, with the only exception being the absence of risk to the rights and freedoms of the affected subjects, for which the data controller bears the burden of proof, if he chooses to do not make such a disclosure. 1 6. The notification must have the minimum content referred to in par. 3 of article 33 GDPR, while according to par. 5 of the same article "The 1 See and the Guidelines 09/2022 of the ESPD for the notification of incidents of violation (§39- 40): "Whilst it is the responsibility of controllers and processors to put in place suitable measures to be able to prevent, react and address a breach, there are some practical steps that should be taken in all cases. Information concerning all security-related events should be directed towards a responsible person or persons with the task of addressing incidents, establishing the existence of a breach and assessing risk. Risk to individuals as a result of a breach should then be assessed (likelihood of no risk, risk or high risk), with relevant sections of the organization being informed. Notification to the supervisory authority, and potentially communication of the breach to the affected individuals should be made, if required. At the same time, the controller should act to contain and recover the breach. Documentation of the breach should take place as it develops. 40. Accordingly, it should be clear that there is an obligation on the controller to act on any initial alert and establish whether or not a breach has, in fact, occurred. This brief period allows for some investigation, and for the controller to gather evidence and other relevant details. However, once the controller has established with a reasonable degree of certainty that a breach has occurred, if the conditions in Article 33(1) GDPR have been met, it must then notify the supervisory authority without undue delay and, where feasible, not later than 72 hours. If a controller fails to act in a timely manner and it becomes apparent that a breach did occur, this could be considered as a failure to notify in accordance with Article 33 GDPR.” 14 controller documents each personal data breach, consisting of the facts concerning the personal data breach, the consequences and the corrective measures taken. Such documentation shall enable the supervisory authority to verify compliance with this Article.' With regard to the time when the Data Controller became aware of the incident, the above-mentioned CG 18/2018 of OE 29 (wp 250) states the following: "As detailed above, the GDPR requires, in the event of a breach, the Data Controller to notify the breach without delay and, if possible, within 72 hours of becoming aware of the fact. This may raise the question of when a controller can be deemed to acquire "knowledge" of a breach. OE29 considers that a controller should be considered to have acquired "knowledge" when that controller has a reasonable degree of certainty that a security incident has occurred which results in personal data being compromised. However, as mentioned above, the GDPR requires the controller to implement all appropriate technical protection measures and organizational measures to immediately detect any breach and immediately inform the supervisory authority and the data subjects. It also states that notification should be found to have been made without undue delay, taking into account in particular the nature and seriousness of the data breach, as well as its consequences and adverse results for the data subject. In this way, the controller is subject to the obligation to ensure that it becomes "aware" of any violations in time to be able to take appropriate action. The exact point in time at which a controller can be deemed to acquire "knowledge" of a particular breach will depend on the circumstances of the particular breach. In some cases, it will be relatively clear from the outset that a breach has occurred, while in others it may take some time to determine whether personal data has been compromised. However, the emphasis should be on taking timely action to 15 investigate an incident to determine whether personal data has been breached and, in such a case, to take corrective action and make a disclosure, if required." According to the above, from article 33 of the GDPR not only follows the obligation to submit notification of incidents of violation to the supervisory authority but also the obligation to actively investigate each possible incident, as long as the data controller becomes aware of the relevant indications. Otherwise, the data controller processing could easily circumvent its obligation to notify the supervisory authority of the incidents of infringement each time, simply by ignoring the indications of a possible incident and avoiding to obtain certainty and "take notice" of it in accordance with the above provision.  In addition, from paragraph 3 of article 33 GDPR (content of the notification) arises the obligation of the data controller to immediately investigate the information mentioned there, so as to be able to include it in the notification to the Authority (nature of the violation, categories and number of affected subjects, number of affected files, possible consequences of the breach, measures taken or proposed to be taken to deal with the breach, measures to mitigate its possible adverse consequences), as well as to assess the risk to the rights and freedoms of the subject ,2 in order to decide whether notification is also required for this according to article 34 of the GDPR, while par. 5 of article 33 of the GDPR explicitly states the obligation to maintain documentation for all the above procedures. After all, and based on the principle of accountability (article 5 par. 2 GDPR), the data subject who has notified the data controller of a possible data breach, does not have to take additional active action so that the latter obtains 2 See and the Guidelines 09/2022 of the ESPD for the notification of incidents of violation (§101 – 102): “101. This means that immediately upon becoming aware of a breach, it is vitally important that the controller should not only seek to contain the incident but it should also assess the risk that could result from it. There are two important reasons for this: firstly, knowing the likelihood and the potential severity of the impact on the individual will help the controller to take effective steps to contain and address the breach; secondly, it will help it to determine whether notification is required to the supervisory authority and, if necessary, to the individuals concerned. 102. As explained above, notification of a breach is required unless it is unlikely to result in a risk to the rights and freedoms of individuals,[…]” . 16 certainty about the existence or non-incident of violation. This obligation rests with the data controller, who bears the responsibility of proving his compliance. 7. In addition, the violation must also be announced to the data subject, as the case may be and in accordance with the provisions of article 34 par. 1 and 2 GDPR: "1. When the personal data breach may put the rights and freedoms of natural persons at high risk, the data controller shall immediately notify the data subject of the personal data breach. 2. The notification to the data subject referred to in paragraph 1 of this article clearly describes the nature of the personal data breach and contains at least the information and measures referred to in article 33 paragraph 3 items b), c) and d)". 8. In the present case, given the facts presented above that emerged from the file and after the hearing, it is established first of all that the provision of personal data on the part of the complained Bank regarding the use of the complainant's credit card to the wife it was done to him unlawfully, in violation of the principle of legality, objectivity and transparency of processing (Article 5 para. 1 a' GDPR) and in violation of the principle of data confidentiality (Article 5 para. 1 f GDPR). The said unauthorized processing (disclosure by transmission) constitutes an incident of personal data breach, according to the definition of article 4 no. 12 GDPR, which is attributed to an error by an employee of the Bank. Specifically, as emerged from the Bank's relevant investigation and the conduct of a disciplinary audit, on ..., during the visit of the complainant's wife to the Alpha Bank Ω X store, in order to be informed about the performance of joint investment products that she held with the complainant, the his husband requested to be informed about the balance and the transactions that had been carried out with a credit card that the complainant kept exclusively in his own name, assuring the employee that he has a relevant verbal order and 17 authorization from the complainant, as the subject of the data. The employee, misled as to the existence of authorization, printed and provided the complainant's wife with the current transactions of his personal credit card, in violation of the Bank's relevant internal procedures and security measures, which require written authorization (see the complainant's memorandum: " It is obvious that this particular employee wrongly accepted the wife's verbal authorization as sufficient, despite the Bank's internal instructions and procedures"). Subsequently, although the complained Bank was informed of this incident on ... by the complainant, who even named as a possible source of the leak one of the Bank's branches in the area of X ("I suspect X"), and although the possibility is given control of the accesses that had taken place during the disputed time period to the complainant's account information by its employees through its systems, the Bank did not immediately take active action to investigate the incident in order to obtain the required degree of certainty and to comply with the provisions of Article 33 GDPR its obligations, considering that the information it had at its disposal was not sufficient. In addition, although the complainant on ... sent the Bank a relevant photo of the copy of the account statements that his wife had shown him, the Bank's Service "by mistake", as he claims, did not forward this element to the Internal Audit Department, as a result of which it is still possible, in her opinion, to initiate the investigation. In fact, it seems that this element was not forwarded to the Internal Audit Department even on ..., when the latter, with its message to the Bank's Service, requested clarifications and further information on the case (see relevant C/EIS/125/09-01-
2023 opinion document of the complainant). Finally, the photograph of the printout of the complainant's credit card account transactions was sent to the Internal Audit Department with a long delay on ..., i.e. 1.5 months after the Bank received the relevant report of the complainant to the Consumer Advocate (...), on the occasion of which finally sent all the data to the Internal Audit Directorate, which finally issued the conclusion of … 18 confirming the leak3 and recording it as a violation incident. Subsequently, the Violation Incident Evaluation Committee met on ... (see the Bank's response G/EIS/125/09-01-2023), i.e. 20 days after the above conclusion. During the meeting, according to the same answer, it was estimated that "based on the amount and type of data, concerning .. credit card transactions carried out in a period of approximately ... months (... to ...) and the fact that the non- authorized recipients of the above data are limited to a natural person and in fact related to the complainant (husband), there does not seem to be a risk to the freedoms and rights of the subject". Consequently, the Bank did not notify the Authority of the incident in accordance with Article 33 of the GDPR, incorrectly characterizing the risk from it as "nil" (see Excerpt from the Breach Incident Register, as reference 1 of the Bank's memorandum), despite the fact that in the Risk Analysis and Assessment Form of the incident (ref. 2 of the Bank's memorandum) the "causing anxiety, stress, discomfort and lack of trust due to the leakage of his credit card transactions, to his wife" have been recorded as possible consequences for the subject of". As can be seen from the same Form, the seriousness of the effects on the subject has been assessed as "negligible", as well as the possibility of harm to the subject being characterized as "negligible", with the following reasoning: "The number and categories of data ( movements of a card for a maximum period of … months) and their recipient, the data was leaked to a person of the closest family circle of natural person B, it is estimated that they significantly reduce the possibility of high risks to the freedoms and rights of natural person B. Following the above, the possibility of causing a risk to the subject's rights and freedoms or damage is considered negligible". However, this assessment by the Bank is clearly incorrect, given that it is certain that the incident had consequences for the rights and freedoms of the 3 It is noted that in the Risk Analysis Form of the incident of violation, the date of confirmation of the incident is indicated as ..., while the date of detection the ..., without this discrepancy being explained by the Bank. 19 of the complainant, since, as was already known to the Bank, it disrupted his personal and family life4. It also appears that the Bank underestimates the possible consequences of the breach, arguing with its memorandum that the type of service provided is not evident from the recording of daily transactions, such as payments to ... or ..., an assertion that is clearly unfounded. Furthermore, in the same Risk Analysis and Assessment Form (Ref. 2 of the memorandum) it is noted that "Due to the nature of the incident and given that, now, the effects of the incident cannot be prevented, there is no possibility for corrective actions on the part of Bank", assessment also incorrect, since the Bank could in any case take measures to limit the impact of the incident: For example, it could contact the wife and recipient of the complainant's data, inform her of the fact that the transmission of his transactional information to her had been done illegally, in violation of the bank's procedures and bank confidentiality and to call on her to return the relevant printouts to the Bank and destroy any copies thereof, as well as not to disclose the relevant information further to third parties. Thus, although the Bank acknowledges that in this case the complainant's data was illegally processed and improperly transmitted and registered the incident in the Data Breach Incident Register, in the end it did not notify the Authority in accordance with Article 33 GDPR, it did not take measures to mitigate the consequences and did not take additional measures to prevent similar incidents in the future, beyond imposing on the guilty employee the disciplinary penalty of one month's suspension, which, according to the Bank, is intended to act as a deterrent for other staff as well. It is also noted 4 According to the above-mentioned DG 09/2022 of the ESPD, the assessment of the risk to the rights and freedoms of the subjects in the context of an incident of violation differs from the general assessment of the (hypothetical) risk during the conduct of the EADPD and should focus on the actual effect of the incident on the subjects: “104. It should be noted that assessing the risk to people's rights and freedoms as a result of a breach has a different focus to the risk considered in a DPIA). The DPIA considers both the risks of the data processing being carried out as planned, and the risks in case of a breach. When considering a potential breach, it looks in general terms at the likelihood of this occurring, and the damage to the data subject that might ensue? in other words, it is an assessment of a hypothetical event. With an actual breach, the event has already occurred, and so the focus is entirely about the resulting risk of the impact of the breach on individuals.
"
20
that the Bank did not show any interest or even a formal apology
for the moral damage suffered by the complainant due to the incident.
9. From the facts presented above, a series of
incorrect actions and omissions in the management of the incident in question
violation on the part of the complained Bank. Specifically, the Bank, as
controller, even though he had indications of the possible execution of an incident
violation, did not initially investigate it, shifting the responsibility for detection
of the source of the leak to the data subject, then delayed
significantly to treat it as an incident of breach due to lack of agreement
between its competent Units, subsequently underestimated its consequences for the
subject and wrongly assessed that he does not have to notify it to the Authority
according to article 33 GDPR. The identified deficiencies and delays according to
internal handling of the case does not appear to be due to incomplete Policies
and Procedures of the Bank in accordance with article 24 par. 2 GDPR, since the
actions that the institutions and services must follow without delay
of in the event of a possible incident of violation are provided for in the texts which
the Bank invoked and presented (see rel. 4-6 of the under no. prot.
C/EIS/125/09-01-2023 of the Bank's response document) but in non-compliance with the
said procedures in this case. Following the above, it follows
the Bank's responsibility for the fact that it delayed for many months to
investigate the incident to obtain a reasonable degree of certainty and to
handled as an incident of violation, but also for the fact that after the
confirmation of the incident did not notify the Authority either
took measures to mitigate its consequences.
10. Therefore, the Authority finds the following violations on its part
of the complained Bank, as data controller:
a) illegal processing of the complainant's personal data, due to
of the transmission of his credit card transactions to a third party, which
it was made without a legal basis, in violation of the principles of its legality
data processing and confidentiality (article 5 par. 1 a) and f)
GDPR) and constitutes an incident of infringement (Article 4 no. 12 GDPR)
21
b) incorrect handling of the incident and failure to submit notification to
Principle in violation of Article 33 GDPR.
11. Based on the above, the Authority considers that there is a case to exercise the v
the article 58 par. 2 of the GDPR corrective powers in relation to
found violations and that should, based on the circumstances that
were established, to impose, pursuant to the provision of article 58 par. 2 sec.
i of the GDPR, effective, proportionate and dissuasive administrative money
fine according to article 83 of the GDPR, both to restore compliance, as
and for the punishment of unlawful conduct. Furthermore, the Authority took into account
the criteria for measuring the fine defined in article 83 par. 2 of the GDPR,
paragraph 5 sec. a' of the same article that applies to the present
case, the Guidelines for implementation and determination
administrative fines for the purposes of Regulation 2016/679 issued
on 03-10-2017 by the Article 29 Working Group (WP 253) and
Guidelines 04/2022 of the European Protection Board
Data for the calculation of administrative fines under the General
Regulation, as well as the actual data of the case under consideration and
in particular the criteria listed below, per offence.
A. With reference to the first violation established above (see paragraph 10 a),
the following special circumstances are particularly taken into account:
a) that the violation of the legality of the processing falls under the provision of par.
5 of article 83 GDPR,
b) that the incident appears to be isolated, as it has not been imposed by
the Authority sanctioning the Bank for a similar violation in the past,
c) that the breach directly affected a data subject, …,
d) that the violation is due to human error of an employee attributable to
negligence, while the Bank has established appropriate procedures that provide for it
written authorization as a condition for providing information to a third party;
22
e) that the Bank did not take measures to mitigate its direct effects
incident for the data subject, such as e.g. to contact her
recipient of the data and ask it to return to the Bank or to
destroy data unlawfully provided to it,
f) that, however, the Bank finally proceeded with a disciplinary control of the employee
who violated said procedures, and imposed a disciplinary penalty on her.
B. With reference to the second violation established above (see paragraph 10 b),
the following criteria are particularly taken into account:
a) that the violation of the controller's obligations under the article
33 GDPR falls under the provisions of paragraph 4 of article 83 GDPR,
b) the degree of responsibility of the complainant, which although she has received appropriate
organizational measures and has established relevant policies for management
data breach incidents, it emerged that he did not put them into practice
in this case,
c) that a multi-month delay was found in a procedure that should
conducted within 72 hours, which indicates a possible attempt
cover-up on the part of the Bank, and in any case indifference regarding it
compliance with its GDPR obligations,
d) that as part of the inspection of the complaint by the Authority, the Bank transferred the
burden of responsibility for investigating the incident on the subject, in a way that
goes against the principle of accountability,
e) that the Bank further disregarded the consequences of the incident at
data subject, of which he was aware and underestimated him
risk to the subject to the point of characterizing it as "zero",
f) that based on the above it follows that the overall incorrect and unfair
handling of the incident by the Bank is a systemic problem
which may potentially affect its other customers.
23
FOR THOSE REASONS
THE BEGINNING
A. Imposes, on ALPHA BANK S.A. as controller, based on
article 58 par. 2 sec. i) of the GDPR, an administrative fine of ten thousand (€10,000)
euros, for the established violation of the principles of the legality of the processing
and the confidentiality of the data according to article 5 par. 1 a) and f) GDPR.
B. It imposes, on ALFA BANK S.A., as controller, based on
article 58 par. 2 sec. i) of the GDPR, an administrative fine of fifty thousand
(€50,000) euros, for the established violation of the handling obligation and
notification of an incident of violation based on article 33 GDPR.
The President The Secretary
Georgios Batzalexis Irini Papageorgopoulou