HDPA (Greece) - 6/2022
| HDPA (Greece) - 6/2022 | |
|---|---|
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(f) GDPR, Article 33 GDPR, Article 34 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 04.04.2022 |
| Published: | 14.04.2022 |
| Fine: | 10,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 6/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | Cesar Manso-Sayao |
The Greek DPA issued a fine of €10,000 against a bank for continuing to send financial data to an email address reported as incorrect by the data subject, and for failing to notify this data breach, in violation of Articles 5, 33 and 34 GDPR.
Facts
A data subject filed a complaint with the Greek DPA (Hellenic Data Protection Authority, HDPA) against Piraeus Bank (hereinafter the Bank), claiming that she had found out that the Bank was sending emails containing her bank account expenditure data to an incorrect email address belonging to a person with a similar name and surname. The data subject claimed that she had contacted the Bank to correct this situation, but the error was not fixed, and the emails with her financial data continued to be sent to the wrong address. In its investigation, the HDPA asked the Bank to explain what steps it had taken to address the data subject's request to correct her email address, why the Bank had not notified the HDPA of the data breach in due time according to Article 33 GDPR, and whether it had provided the data subject with the information required by Article 34 GDPR in relation to the data breach.
The Bank stated in its defence that the bank account in question was a joint account held by the data subject and her ex-spouse. The Bank stated that the email address it had on file for notifications had been provided by the data subject's ex-spouse, and that the reason why the emails were going to a different recipient was an error in Google's Gmail system, which did not recognise a dot symbol (.) within the address and therefore treated the address provided and the alleged final recipient's address as identical.
Furthermore, the Bank stated that in its reply to the data subject's request to correct the email address on file, it had informed her of its procedures for modifying bank account details, either online, by phone or by visiting a branch. The Bank stated that it had also informed the data subject that, since in this case it was the ex-spouse who had provided the data to the Bank and not the data subject herself, the data on file was regarded as his personal data and could only be changed or rectified at his request, or if he authorised her to do so. Since the ex-spouse had not contacted the Bank to make any changes to the information on the account, the emails continued to be sent to the address on file.
Holding
The HDPA noted that although the data subject had informed the Bank that her personal data was being sent to the wrong email address, the Bank still continued to send notifications to that address while waiting for the joint account holder (the data subject's ex-spouse) to exercise his right to rectification.
The HDPA also found that the actual reason the emails were being sent to the wrong recipient had nothing to do with Gmail not recognising a dot symbol (.) within the address, but rather that the ex-spouse had mistakenly entered the address with an "i" instead of an "e" in the data subject's name.
Although the HDPA acknowledged that in this case it was indeed the data subject's ex-spouse and joint account holder who had the prerogative to exercise the right to rectification regarding the email address, it was the Bank's obligation as a data controller to adopt measures regarding the data breach as soon as it became aware of it, in order to ensure the confidentiality of the data subject's personal data.
Therefore, the HDPA held that the Bank should have ceased sending email notifications until the email issue was resolved by the joint account holder, and that it should have provided information regarding the data breach to both the data subject and the HDPA. By failing to do so, the HDPA held, the Bank had violated the principle of integrity and confidentiality pursuant to Article 5(1)(f) GDPR, as well as Articles 33 and 34 GDPR, and it issued a fine of €10,000 against the Bank.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary
A complaint was lodged with the Authority against Piraeus Bank for an incident of personal data breach, consisting in sending Winbank Alerts notifications to a third party with the name of the complainant, which continued despite the relevant information given to the Bank. The investigation revealed that the incident was due to the incorrect declaration of an e-mail address by the co-beneficiary of the complainant. Although the Bank was notified, it did not stop sending the notifications but indicated to the complainant how the right of correction should be exercised by the co-beneficiary, as the subject of the inaccurate data. A breach of the principle of confidentiality was found (Article 5(1)(d) and (f) GDPR) and a breach of the Bank's obligations to report the incident to the Authority and to the subject (Articles 33 and 34 GDPR), for which a total fine amounting to €10,000 was imposed. In addition, the Authority issued a warning to the Bank regarding the lack of technical and organisational security measures (Articles 24 and 32 GDPR) found, due to the lack of verification measures for the e-mail addresses declared for the purpose of sending Winbank Alerts notifications.
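The decision turns on two controls the Bank lacked: verifying a declared e-mail address before financial alerts are sent to it, and suspending alerts the moment a data subject reports that they reach the wrong mailbox. The following is an added illustration written for this page, not the Bank's or the Authority's code; the account identifiers, addresses and the `AlertService` class are constructed for the example. It also shows why the Bank's Gmail explanation could not hold: Gmail ignores dots in the local part, so a dot can only collapse two spellings onto the same mailbox, whereas a one-letter typo ("i" for "e") reaches a different person. Note that mailbox confirmation alone proves only that someone controls the address, so the dispute path (suspend and log for notification) is the second, independent safeguard.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed secret for the example only; a real deployment loads it from a secrets store.
CONFIRMATION_SECRET = b"demo-secret-not-for-production"


def normalize_address(addr: str) -> str:
    """Canonical form used to decide whether two spellings reach the same mailbox.

    Gmail delivers 'jane.smith@gmail.com' and 'janesmith@gmail.com' to one mailbox,
    so dots are dropped for Gmail domains; other domains are only lowercased.
    A typo inside the local part is never normalised away.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    return normalize_address(a) == normalize_address(b)


@dataclass
class Recipient:
    address: str
    verified: bool = False   # holder of the mailbox returned the confirmation token
    disputed: bool = False   # a data subject reported alerts reaching the wrong person


@dataclass
class AlertService:
    recipients: dict = field(default_factory=dict)  # account id -> list[Recipient]
    breach_log: list = field(default_factory=list)  # events that must be notified
    sent: list = field(default_factory=list)        # (address, message) actually sent

    def confirmation_token(self, address: str) -> str:
        # HMAC over the canonical address: only the holder of that mailbox can return it.
        canon = normalize_address(address).encode()
        return hmac.new(CONFIRMATION_SECRET, canon, hashlib.sha256).hexdigest()

    def register(self, account: str, address: str) -> str:
        """Store the declared address as unverified; return the token to be mailed to it."""
        self.recipients.setdefault(account, []).append(Recipient(address))
        return self.confirmation_token(address)

    def confirm(self, account: str, address: str, token: str) -> bool:
        """Mark the address verified if the presented token is genuine."""
        if not hmac.compare_digest(self.confirmation_token(address), token):
            return False
        for r in self.recipients.get(account, []):
            if same_mailbox(r.address, address):
                r.verified = True
                return True
        return False

    def report_wrong_recipient(self, account: str, address: str) -> bool:
        """A data subject reports that alerts reach the wrong mailbox: suspend and log."""
        for r in self.recipients.get(account, []):
            if same_mailbox(r.address, address):
                r.disputed = True
                self.breach_log.append({
                    "account": account,
                    "address": r.address,
                    "action": "alerts suspended; assess notification to DPA and data subject",
                })
                return True
        return False

    def dispatch(self, account: str, message: str) -> list:
        """Send only to verified, undisputed addresses; return the addresses used."""
        delivered = []
        for r in self.recipients.get(account, []):
            if r.verified and not r.disputed:
                self.sent.append((r.address, message))
                delivered.append(r.address)
        return delivered


if __name__ == "__main__":
    svc = AlertService()
    # Constructed scenario: the co-holder declares a mistyped address.
    token = svc.register("ACC-1", "jani.smith@gmail.com")
    print("before confirmation:", svc.dispatch("ACC-1", "expenditure alert"))
    svc.confirm("ACC-1", "jani.smith@gmail.com", token)
    print("after confirmation:", svc.dispatch("ACC-1", "expenditure alert"))
    svc.report_wrong_recipient("ACC-1", "janismith@gmail.com")
    print("after dispute:", svc.dispatch("ACC-1", "expenditure alert"), svc.breach_log)
```

The dispute lookup goes through `same_mailbox`, so a data subject who quotes the address without the dot still matches the record on file. The breach log entry is the trigger for the Article 33/34 assessment; what to notify and when remains a decision for the controller, which this example does not automate.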