Commissioner (Cyprus) - 12.10.001.011.001: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Cyprus |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoCY.jpg |DPA_Abbrevation=Comissioner |DPA_With_Country=Comissioner (Cyprus) |Case_N...")
 
 
(8 intermediate revisions by 2 users not shown)
Line 4: Line 4:
|DPA-BG-Color=background-color:#ffffff;
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoCY.jpg
|DPAlogo=LogoCY.jpg
|DPA_Abbrevation=Comissioner
|DPA_Abbrevation=Commissioner
|DPA_With_Country=Comissioner (Cyprus)
|DPA_With_Country=Commissioner (Cyprus)


|Case_Number_Name=12.10.001.011.001
|Case_Number_Name=12.10.001.011.001
Line 58: Line 58:
}}
}}


After a typing error during the changes in clients’ information, a client had access to another client’s data through the web-banking. The DPA negotiated the role of data management procedures of a bank, under the aegis of GDPR.   
After a typing error during changes in clients' information, a client had access to another client's data through the web-banking platform. The DPA negotiated the role of data management procedures of a bank, under the aegis of GDPR.   


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
In April 2019, Client A asked from Hellenic Bank to update his information. During the updating process, occurred a typing mistake on passport number. At the time of the mistake, the wrong passport number didn’t match to any client. In May 2019, Client B needed to verify his information too, but his new passport had the number which the bank employee mistakenly typed as Client A’s passport number.   
In April 2019, Client A asked Hellenic Bank to update his information. During the updating process, a typing mistake occurred with his passport number. At the time of the mistake, the wrong passport number didn't match with that of any client. In May 2019, Client B needed to verify his information, too, but his new passport had the number that the bank employee had mistakenly typed as Client A's passport number.   


The result of the above-mentioned timeline was that client B had partial access through the Web Banking Platform to the personal and financial data of client A. When B noticed that, informed the Bank, and the access issue has been resolved. But due to the passport number mistakenly match, Bank’s system automated merge the postal mail addresses of both clients. After two months, client B received a debit card with client A’s name on it.
The result of the abovementioned timeline was that client B had partial access through the web banking platform to client A's personal and financial data. When B noticed that, he informed the Bank, and the access issue was resolved. But due to the passport number mistakenly matching, the Bank's system automatically merged the postal addresses of both clients. After two months, client B received a debit card with client A's name on it.


=== Dispute ===
===Dispute===
The Bank follow the four-eyes principle. The principle calls an employee, before an execution of an act, to ask the verification from a colleague, who should re-examine the act for possible mistakes. Furthermore, a system-error appeared to the employee who updated B’s details and the employee re-verified the B’s documents and evidence such as a passport copy. He or she ignored the error-message and forwarded the process. The fellow employee wasn’t informed for the error-message about potential conflict in clients’ data, and none took care for the reasons which triggered the system error.
The Bank follows the four eyes principle. The principle calls for an employee, before the execution of an act, to ask for the verification from a colleague, who should re-examine the act for possible mistakes. Furthermore, a system error appeared to the employee who updated B's details, and the employee re-verified B's documents and evidence including such as a passport copy. He or she ignored the error-message and proceeded with the process. The fellow employee wasn't informed about the error message in regard to the potential conflict in the clients' data, and it requires time to examine the reasons that triggered the system error.


Among other details, the fact that Client A was a bank user under business account was highlighted too. Bank allege that A’s information, including her name or address, was part from a wider body of legal entity’s data, which are not subject under General Data Protection Regulation 2016/679.
Among other details, the fact that Client A was a Bank user under a business account was highlighted too. The Bank alleges that A's information, including her name and address, was part of a wider body of a legal entity's data, which are not subject to the under General Data Protection Regulation 2016/679.


=== Holding ===
===Holding===
According to Article 33 of GDPR, in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. Cypriot DPO held that obligation is including also circumstances that the controller has the belief that these facts constitute personal data violation. More specific, at least until September 2019, the Bank had not the understanding of the A’s data exposing (to the B client) was as a business user. An ex-post evaluation that drives to findings which did not constitute a breach, is not a kind as to barred the duty to notify DPA office, if the beliefs changed after the period within which the duty should be carried.
According to Article 33 of GDPR, in the case of a personal data breach, the Data Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority of the personal data breach. The Cypriot Commissioner for Personal Data Protection held that that obligation also includes circumstances in which the Data Controller has the belief that these facts constitute a personal data violation. More specifically, and at least until September 2019, the bank did had not have the understanding that A's data exposure (to the B client) was as a business user. Is not a kind as to barred the duty to notify the DPA office, an ex-post evaluation that drives to findings which did not constitute a breach, especially if the beliefs changed after the period within which the duty should be carried out.


Cypriot DPO took the opportunity and stressed the possibility for a notification in phased to the supervisory authority (Art. 33(4)). Each phase shall be defined on the basis of the speed which the Data Controller becomes aware of the facts and the understandings of the issue.
The Cypriot DPA took the opportunity and stressed the possibility for a notification in phases to the supervisory authority (Art. 33(4)). Each phase shall be defined on the basis of the speed with which the Data Controller becomes aware of the facts and the understanding of the issue.


Cypriot DPO addressed another point, relevant to the risk to the rights and freedoms of natural persons, under the view of when the General Data Protection Regulation shall be alleged or not. The Cypriot DPO finds that a two-step verification feature provides a sufficient level of protection, and under that case’s circumstances, the only issue was the exposure of clients’ data. On other words, these circumstances directly reduce the level of the risk.
The Cypriot Commissioner for PDP addressed another point, relevant to the risk to natural persons' rights and freedoms, regarding the view of when the General Data Protection Regulation shall be alleged or not. The Cypriot DPA finds that a two-step verification feature provides a sufficient level of protection, and under that case's circumstances, the only issue was the exposure of clients' data. In other words, these circumstances directly reduce the level of the risk.


The major part of the decision focuses on management rules, procedures and ethics, which the Bank has chosen to handle clients’ personal data. The supervisory authority has noticed the inadequate of the specific implementation of the four-eyes principles by the Bank. The criticism is grounded in the system design. The workflow did not include an error-message for the second employee. Cypriot DPO held that it is totally inefficient if the employee who is charged with the duty to double-checking the client’s data, is not similarly informed as the first employee who fulfilment the form. Such ineffectiveness is incompatible with Article 32, which require “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, meaning measure like “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”.
The major part of the decision focuses on management rules, procedures and ethics, which the Bank has chosen to handle clients' personal data. The supervisory authority has noticed the inadequacy of the specific implementation of the four eyes principles by the Bank. The criticism is grounded in the system design; the workflow did not include an error-message for the second employee. The Cypriot DPA held that it is totally inefficient if the employee who is charged with the duty to double-check the client's data, is not similarly informed as the first employee who fulfils the form. Such ineffectiveness is incompatible with Article 32, which require that "''the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk''", meaning measures such as "''the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services''".


Before her final conclusion, the Data Protection Officer referred to a series of mitigating and aggravating factors, like the Bank’s admissions, the lack of fraudulent intent and the ineffectiveness of the safeguards. It’s not clear if the officer approaches these factors quantitative or qualitative. She didn’t impose any fine but demanded the Hellenic Bank to re-evaluated and modernise the data management.
Before her final conclusion, the Cypriot Commissioner for Personal Data Protection referred to a series of mitigating and aggravating factors, like the Bank's admissions, the lack of fraudulent intent, and the ineffectiveness of the safeguards. It's not clear if the Commissioner approaches these factors quantitative or qualitative. She didn't impose any fine but that demanded the Hellenic Bank re-evaluate and modernise its the data management.


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.



Latest revision as of 16:53, 6 December 2023

Commissioner - 12.10.001.011.001
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 32 GDPR
Article 33 GDPR
Article 34(3) GDPR
Article 34(4) GDPR
Article 38 GDPR
Article 39 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.05.2020
Published:
Fine: None
Parties: Hellenic Bank PLC
National Case Number/Name: 12.10.001.011.001
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Greek
Original Source: Commissioner for Personal Data Protection (Cyprus) (in EL)
Initial Contributor: Panayotis Yannakas

After a typing error during changes in clients' information, a client had access to another client's data through the web-banking platform. The DPA negotiated the role of data management procedures of a bank, under the aegis of GDPR.

English Summary

Facts

In April 2019, Client A asked Hellenic Bank to update his information. During the updating process, a typing mistake occurred with his passport number. At the time of the mistake, the wrong passport number didn't match with that of any client. In May 2019, Client B needed to verify his information, too, but his new passport had the number that the bank employee had mistakenly typed as Client A's passport number.

The result of the abovementioned timeline was that client B had partial access through the web banking platform to client A's personal and financial data. When B noticed that, he informed the Bank, and the access issue was resolved. But due to the passport number mistakenly matching, the Bank's system automatically merged the postal addresses of both clients. After two months, client B received a debit card with client A's name on it.

Dispute

The Bank follows the four eyes principle. The principle calls for an employee, before the execution of an act, to ask for the verification from a colleague, who should re-examine the act for possible mistakes. Furthermore, a system error appeared to the employee who updated B's details, and the employee re-verified B's documents and evidence including such as a passport copy. He or she ignored the error-message and proceeded with the process. The fellow employee wasn't informed about the error message in regard to the potential conflict in the clients' data, and it requires time to examine the reasons that triggered the system error.

Among other details, the fact that Client A was a Bank user under a business account was highlighted too. The Bank alleges that A's information, including her name and address, was part of a wider body of a legal entity's data, which are not subject to the under General Data Protection Regulation 2016/679.

Holding

According to Article 33 of GDPR, in the case of a personal data breach, the Data Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority of the personal data breach. The Cypriot Commissioner for Personal Data Protection held that that obligation also includes circumstances in which the Data Controller has the belief that these facts constitute a personal data violation. More specifically, and at least until September 2019, the bank did had not have the understanding that A's data exposure (to the B client) was as a business user. Is not a kind as to barred the duty to notify the DPA office, an ex-post evaluation that drives to findings which did not constitute a breach, especially if the beliefs changed after the period within which the duty should be carried out.

The Cypriot DPA took the opportunity and stressed the possibility for a notification in phases to the supervisory authority (Art. 33(4)). Each phase shall be defined on the basis of the speed with which the Data Controller becomes aware of the facts and the understanding of the issue.

The Cypriot Commissioner for PDP addressed another point, relevant to the risk to natural persons' rights and freedoms, regarding the view of when the General Data Protection Regulation shall be alleged or not. The Cypriot DPA finds that a two-step verification feature provides a sufficient level of protection, and under that case's circumstances, the only issue was the exposure of clients' data. In other words, these circumstances directly reduce the level of the risk.

The major part of the decision focuses on management rules, procedures and ethics, which the Bank has chosen to handle clients' personal data. The supervisory authority has noticed the inadequacy of the specific implementation of the four eyes principles by the Bank. The criticism is grounded in the system design; the workflow did not include an error-message for the second employee. The Cypriot DPA held that it is totally inefficient if the employee who is charged with the duty to double-check the client's data, is not similarly informed as the first employee who fulfils the form. Such ineffectiveness is incompatible with Article 32, which require that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk", meaning measures such as "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services".

Before her final conclusion, the Cypriot Commissioner for Personal Data Protection referred to a series of mitigating and aggravating factors, like the Bank's admissions, the lack of fraudulent intent, and the ineffectiveness of the safeguards. It's not clear if the Commissioner approaches these factors quantitative or qualitative. She didn't impose any fine but that demanded the Hellenic Bank re-evaluate and modernise its the data management.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.