Commissioner - 12.10.001.011.001
|Commissioner - 12.10.001.011.001|
|Relevant Law:||Article 32 GDPR; Article 33 GDPR; Article 34(3) GDPR; Article 34(4) GDPR; Article 38 GDPR; Article 39 GDPR|
|Parties:||Hellenic Bank PLC|
|National Case Number/Name:||12.10.001.011.001|
|European Case Law Identifier:||n/a|
|Original Source:||Commissioner for Personal Data Protection (Cyprus) (in EL)|
|Initial Contributor:||Panayotis Yannakas|
After a typing error made while updating one client's details, another client gained access to that client's data through the bank's web-banking platform. The DPA examined the bank's data-management procedures under the GDPR.
English Summary
Facts
In April 2019, Client A asked Hellenic Bank to update his details. During the update, his passport number was mistyped. At that moment the wrong number did not match the passport number of any other client. In May 2019, Client B also had his details updated, and his new passport carried exactly the number that the bank employee had mistakenly entered for Client A.
As a result, Client B had partial access, through the web-banking platform, to Client A's personal and financial data. When B noticed this, he informed the Bank and the access was removed. However, because the two passport numbers now matched, the Bank's system had also automatically merged the two clients' postal addresses. Two months later, Client B received a debit card bearing Client A's name.
Dispute
The Bank applies the four-eyes principle: before an action is executed, the employee performing it must have a colleague verify it, and the colleague re-examines the action for mistakes. When the employee updated B's details, the system displayed an error message. The employee re-checked B's supporting documents, including a copy of the passport, then dismissed the error and completed the update. The verifying colleague was never shown the error message about the potential conflict between the two clients' records, and investigating the cause of the error would have taken time.
The Bank also pointed out that Client A held a business account. It argued that A's details, including name and address, formed part of a legal entity's data, which fall outside the scope of Regulation (EU) 2016/679 (GDPR).
Holding
Under Article 33 GDPR, in the case of a personal data breach the controller shall notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. The Cypriot Commissioner for Personal Data Protection held that this obligation also covers situations in which the controller believes that the facts amount to a personal data breach. Specifically, at least until September 2019 the Bank did not treat A's data as business-user data, so the exposure of A's data to B was, on the Bank's own understanding at the time, a breach. A later reassessment concluding that no breach occurred does not remove the duty to notify, especially where the controller's view changed only after the notification period had already expired.
The Cypriot DPA also stressed that notification may be made in phases (Article 33(4) GDPR), each phase reflecting how quickly the controller becomes aware of the facts and its developing understanding of the issue.
The Commissioner further addressed the risk to the rights and freedoms of natural persons, which determines whether and which GDPR obligations are triggered. The DPA found that the platform's two-step verification provided a sufficient level of protection, so that in the circumstances of the case the only issue was the exposure of one client's data to another; this lowered the level of risk.
The main part of the decision concerns the management rules, procedures and practices the Bank chose for handling clients' personal data. The supervisory authority found the Bank's implementation of the four-eyes principle inadequate. The criticism rests on the system design: the workflow did not show the error message to the second employee. The DPA held that a double check is ineffective if the employee charged with verifying the client's data is not given the same information as the employee who filled in the form. Such ineffectiveness is incompatible with Article 32 GDPR, which requires that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk", including "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services".
Before her final conclusion, the Commissioner listed a series of mitigating and aggravating factors, such as the Bank's admissions, the absence of fraudulent intent and the ineffectiveness of the safeguards. It is not clear whether she weighed these factors quantitatively or qualitatively. She did not impose a fine, but required Hellenic Bank to re-evaluate and modernise its data management.
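The design failure the DPA describes, a validation warning shown only to the employee entering the data while the verifying colleague approves without seeing it, can be made concrete. The following Python is an added example and not code from the decision, from Hellenic Bank or from the page's author; the record layout, the names and passport numbers, and the rule that a duplicate passport number is refused outright (rather than merely flagged) are assumptions made for illustration.

```python
"""Maker-checker (four-eyes) update of customer records.

Two design points, both constructed for this example:
 1. a validation warning raised at data entry travels with the pending
    change, so the second approver sees it and must acknowledge it; and
 2. a collision on a unique identifier (a passport number) is a hard
    error, never something the system resolves by merging records.
"""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Customer:
    customer_id: str
    name: str
    passport: str
    address: str


@dataclass
class PendingChange:
    change_id: int
    maker: str
    customer_id: str
    field_name: str
    new_value: str
    warnings: list = field(default_factory=list)   # visible to the checker


class ApprovalError(Exception):
    pass


class Registry:
    def __init__(self, customers):
        self.customers = {c.customer_id: c for c in customers}
        self.pending = {}
        self._ids = count(1)

    def _passport_holders(self, passport, exclude):
        return [c.customer_id for c in self.customers.values()
                if c.passport == passport and c.customer_id != exclude]

    def propose(self, maker, customer_id, field_name, new_value):
        """Maker step: record the change together with any validation warning."""
        change = PendingChange(next(self._ids), maker, customer_id, field_name, new_value)
        if field_name == "passport":
            clash = self._passport_holders(new_value, exclude=customer_id)
            if clash:
                change.warnings.append(f"passport {new_value} already held by {clash}")
        self.pending[change.change_id] = change
        return change

    def approve(self, checker, change_id, acknowledged=()):
        """Checker step: a different person, every warning explicitly acknowledged,
        and a unique-identifier collision refused even after acknowledgement."""
        change = self.pending[change_id]
        if checker == change.maker:
            raise ApprovalError("checker must differ from maker")
        unacked = [w for w in change.warnings if w not in acknowledged]
        if unacked:
            raise ApprovalError(f"unacknowledged warnings: {unacked}")
        if change.field_name == "passport" and self._passport_holders(
                change.new_value, exclude=change.customer_id):
            raise ApprovalError("passport number must be unique across customers")
        setattr(self.customers[change.customer_id], change.field_name, change.new_value)
        del self.pending[change_id]
        return self.customers[change.customer_id]


def replay_case():
    """Replay the facts with constructed data: A's passport is mistyped to a value
    nobody holds, so the change passes both pairs of eyes; B's later, correct
    update collides with it and is stopped at the checker instead of merged."""
    reg = Registry([Customer("A", "Client A", "P100", "1 Harbour Rd"),
                    Customer("B", "Client B", "P200", "9 Hill St")])
    typo = reg.propose("maker-1", "A", "passport", "P300")   # should have been P301
    reg.approve("checker-1", typo.change_id)                 # no warning, commits
    collide = reg.propose("maker-2", "B", "passport", "P300")
    outcomes = {"typo_warnings": len(typo.warnings),
                "collision_warnings": len(collide.warnings)}
    try:
        reg.approve("checker-2", collide.change_id)          # blind approval
        outcomes["blind_approval"] = "allowed"
    except ApprovalError as exc:
        outcomes["blind_approval"] = str(exc)
    try:
        reg.approve("checker-2", collide.change_id, acknowledged=tuple(collide.warnings))
        outcomes["acknowledged_approval"] = "allowed"
    except ApprovalError as exc:
        outcomes["acknowledged_approval"] = str(exc)
    outcomes["b_passport"] = reg.customers["B"].passport     # unchanged
    return outcomes


if __name__ == "__main__":
    for key, value in replay_case().items():
        print(f"{key}: {value}")
```

The point of the replay is that B's update is the correct one; what the collision reveals is the earlier error in A's record, which is exactly the investigation the decision says should have happened before anything was committed. Treating the duplicate as a hard error is one design choice; the minimum the decision demands is that the warning reaches the second pair of eyes at all.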
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.