
HDPA (Greece) - 07/2025

From GDPRhub
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 07.10.2022
Decided: 06.02.2025
Published: 25.03.2025
Fine: 3,000 EUR
Parties: n/a
National Case Number/Name: 07/2025
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: tjk

The DPA fined a bank €3,000 for failing to implement appropriate security measures, following an internal data breach in which an employee had wrongly retained administrator rights and accessed the data of over 6,000 other employees without authorization.

English Summary

Facts

The company “ALPHA BANK S.A.” (the controller) notified the DPA of a data breach, stating that an incident of unauthorized access to personal data had occurred. The cause was that an employee's role in the system was not adapted when he was transferred to another organisational position, contrary to the controller's security policy, so that he retained administrator rights. The employee shared some of the information accessed in this way with others.

The failure to adapt the role went unnoticed for a very long period (2015-2022) and resulted in 6,167 individuals being affected by the incident. The data accessed without authorization included special categories of personal data (health data, namely disability rate). The notification of the incident was late because an investigation was required to identify the source of the data leak and confirm the breach.

Holding

The DPA concluded from the security gap that the following measures were not implemented at the level of addressing internal threats, in violation of Article 5(1)(f) GDPR in conjunction with Article 32 GDPR:

  • Adequate system monitoring
  • Implementation of security policies so that users cannot act outside their intended permissions
  • Additional system monitoring at the level of administrator activity
  • Existence of technical measures which could prevent organizational errors of this type
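The measures listed above (enforcing the role-revocation policy on internal transfers, monitoring administrator activity, and technical controls that keep system roles in step with organisational-position changes, which the decision's point 4 describes as automated changes at the software level or database triggers) can be approximated by a periodic reconciliation job. The Python script below is an added example written for this page; it is not code from the HDPA, the bank or GDPRhub. Every user, position, role, entitlement and PAM-coverage value in it is a constructed assumption. It compares an HR position feed against the roles a system actually holds, flags rights that the holder's current position does not entitle (with how many days the stale right has existed), flags privileged accounts whose holders fall outside PAM session recording, and produces a revocation plan.

```python
"""Added example for this page (not code from the HDPA decision, the bank or GDPRhub).

Mover/leaver reconciliation: compare an HR position feed with the roles a system
actually holds, flag rights the current position does not entitle, flag privileged
accounts outside PAM session recording, and derive a revocation plan. Every name,
position, role and record below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import date

# Assumed role catalogue: which roles count as privileged.
PRIVILEGED_ROLES = {"system_administrator"}

# Assumed entitlement matrix: which organisational positions may hold which roles.
ROLE_ENTITLEMENTS = {
    "it_systems": {"employee", "system_administrator"},
    "cybersecurity": {"employee"},
    "hr": {"employee"},
}

# Assumed PAM coverage: positions whose administrator sessions are recorded.
# (The decision notes PAM covered IT administrators but not cybersecurity staff.)
PAM_COVERED_POSITIONS = {"it_systems"}


@dataclass(frozen=True)
class HrRecord:
    user: str
    position: str
    since: date  # start date of the user's current position


@dataclass(frozen=True)
class RoleAssignment:
    user: str
    role: str
    system: str


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    system: str
    reason: str
    stale_days: int  # days the unentitled right has existed (0 where not applicable)


def reconcile(hr_records, assignments, today, pam_covered=PAM_COVERED_POSITIONS):
    """Return one Finding for every assignment the HR feed does not justify."""
    by_user = {r.user: r for r in hr_records}
    findings = []
    for a in assignments:
        rec = by_user.get(a.user)
        if rec is None:
            # Leaver or orphan account: no current position, so no entitlement at all.
            findings.append(Finding(a.user, a.role, a.system, "no_hr_record", 0))
            continue
        if a.role not in ROLE_ENTITLEMENTS.get(rec.position, set()):
            # Mover: the role survived a transfer that should have revoked it.
            findings.append(Finding(a.user, a.role, a.system,
                                    "not_entitled_by_position",
                                    (today - rec.since).days))
        if a.role in PRIVILEGED_ROLES and rec.position not in pam_covered:
            # Privileged activity that no session recording would capture.
            findings.append(Finding(a.user, a.role, a.system,
                                    "privileged_outside_pam", 0))
    return findings


def revocation_plan(findings):
    """Sorted (user, role, system) triples to revoke: all rights the HR feed does not entitle."""
    revoke = {"not_entitled_by_position", "no_hr_record"}
    return sorted({(f.user, f.role, f.system) for f in findings if f.reason in revoke})


def run_example(today=date(2022, 10, 7)):
    """Constructed sample: one mover with a surviving admin role, one valid admin, one leaver."""
    hr = [
        HrRecord("u1001", "cybersecurity", date(2015, 1, 1)),  # transferred out of IT
        HrRecord("u2002", "it_systems", date(2018, 3, 1)),
    ]
    assignments = [
        RoleAssignment("u1001", "system_administrator", "mail_archive"),  # stale admin right
        RoleAssignment("u1001", "employee", "hr_portal"),
        RoleAssignment("u2002", "system_administrator", "mail_archive"),  # entitled, PAM-covered
        RoleAssignment("u9999", "employee", "hr_portal"),  # no HR record: leaver
    ]
    return reconcile(hr, assignments, today)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
    print("revoke:", revocation_plan(run_example()))
```

Run as a scheduled job against the real HR export and each system's role listing, the two finding types map onto the DPA's points: "not_entitled_by_position" is the organisational error the policy should have caught (the stale_days value shows how long it persisted), and "privileged_outside_pam" is the monitoring gap, a privileged account whose sessions nobody records.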

The DPA found the gravity of the violations to be overall minor. Thus, the DPA considered a fine of €3,000 to be appropriate.

Specifically, pursuant to Article 83(2) GDPR and Article 83(5)(b) GDPR, the DPA took into account as aggravating factors:

  • That the employee had the possibility of unauthorized access to the system with elevated system administrator rights for a long period of time, during which this was not detected
  • That particularly important categories of personal data were affected
  • That special categories of personal data were affected, such as health data (disability percentage)

As mitigating factors, the DPA considered that the controller took a series of actions to enhance security at a technical and organizational level, imposed measures against the employee involved in the violation and carried out an external audit. Additionally, the DPA considered that the incident was small and that its consequences were limited in proportion to the size of the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 06-02-2025
Prot. No.: 511

DECISION 7/2025

The President of the Authority, as a single-person body pursuant to Article 17 par. 1 of Law 4624/2019 (Government Gazette A' 137), within the framework of the responsibilities provided for in Articles 4 par. 3 indent a' and 10 par. 4 of the Regulation of Operation of the Authority (Government Gazette B' 879/25.02.2022) and the powers provided for in Article 15 par. 8 of Law 4624/2019 in combination with Article 58 par. 2 f' of Regulation (EU) 2016/679 (General Data Protection Regulation – hereinafter GDPR), examined the incident of violation mentioned below in the history of this decision.

The Authority took into account the following:

A notification of a breach incident was submitted to the Authority under reference number C/ΕΙΣ/11373/27-10-2022 by the company “ALPHA BANK S.A.” (hereinafter “company”), in which it is stated that an incident of unauthorized access to personal data by an employee of the company (hereinafter “employee”) occurred. According to the notification, the incident became known through a report by executives of the General Directorate to the Report Evaluation Committee on 07.10.2022 and arose as a consequence of the inadvertent retention of the role of system administrator by the employee, who had been transferred internally to another department. The exploitation of this omission led to a breach of confidentiality for the data of 6,176 employees of the bank. The notification of the incident was late because an investigation was required to identify the source of the data leak and confirm the breach.

Subsequently, the company was sent a memorandum with number Γ/ΕΙΣ/681/27-01-2023, stating that:

1. The incident is due to non-compliance with the company's internal security procedures.

2. The employee continued to maintain an account with administrative rights (System Administrator), despite the fact that on 1.1.2015 he ceased to hold the position of system administrator and was transferred to another department (Cybersecurity Department).

3. Upon the above finding of unauthorized access by the Internal Audit Department, all access rights of the employee to all the Bank's systems were suspended on the same day (7.10.2022) and he was placed on mandatory leave.

4. Due to the number of unauthorized recorded movements (logs) of the employee that were identified, as well as the content of the e-mail messages and their route that had to be investigated, and consequently the potential risk to the rights of the subjects, it was decided to request the assistance of a specialized company for the further investigation of the incident and its consequences. The company Alvarez & Marsal was selected, which sent specialized personnel from Great Britain to Greece, who, in full cooperation with the Bank's Internal Audit Department and using specialized software, proceeded with an investigation.

5. In the context of this investigation, an electronic message was found that included the salary details of all the Bank's staff (6,167 people), as well as evaluations, family status details, previous service details and retirement conditions, which the employee had retrieved from the email archiving system (Enterprise Vault). Enterprise Vault has been integrated into the Privileged Access Management system (hereinafter “PAM”) [1], which records the actions of administrators carried out via remote desktop connections to servers, as of January 2022. This integration concerns administrators in the Information Systems Directorate, but not those in the Cybersecurity and Information Security Directorate.

6. From March 2019 to 7.10.2022, when all access was interrupted as mentioned above, it was found that, with the exception of the period in December 2021 during which no access was recorded, the employee carried out 24,625 unauthorized movements (logged actions) in Enterprise Vault, either to view only the content of an email or to retrieve the corresponding file. It is noted in this regard that in December 2021 the access passwords were changed, resulting in the employee's aforementioned activity being interrupted until February 2022, when the access passwords to the Enterprise Vault system apparently became known to him with the cooperation of another employee of the Bank.

7. The employee sent 116 messages containing information that came into his possession through his unauthorized access to the e-mail system to 8 other employees of the Bank, either on his own initiative or following their recorded electronic request. It is indicatively noted that the recipient of the most messages received forty-three (43) of them and the recipient of the fewest received one (1) message. Of these: fifty-three (53) messages included personal data concerning employees of the Bank; one (1) message concerned personal data of individuals outside the Bank and specifically included the CVs of eighteen (18) subjects who applied for a job position at the Bank (year 2020); eight (8) messages concerned requests from some of the 8 officers to the employee for information; while the remaining fifty-four (54) messages did not include personal data, as they concerned organizational changes of the Bank (draft Acts, Operating Regulations, etc.).

8. The above conclusions of the investigation were communicated, and a total of nine (9) Bank officers (the employee and the 8 recipients) were summoned to give explanations and subsequently agreed to voluntarily leave the Bank, undertaking in writing to fully cooperate with the Bank; in this framework they undertook, among other things, to return the files with personal data that came into their possession during their employment at the Bank, and to return the terminals (PCs), laptops, keys, data encryption codes, access codes or other means of access to the Bank's premises or systems which they used during their employment, etc. Most importantly, however, they left the Bank after undertaking in writing to maintain complete confidentiality regarding the incident, for the monitoring of which they accepted the gradual payment to them, over a twelve-month period, of the legal severance pay.

Furthermore, the company submitted the full notification of the breach incident under prot. no. C/ΕΙΣ/2545/05-04-2023, further stating that the unauthorized access concerns health data, namely the percentage of disability in the context of managing the employment relationship, and finalizing the number of persons and files affected by the incident.

Finally, the company submitted supplementary memorandum prot. no. C/ΕΙΣ/2546/05-04-2023, providing the following summary table of the personal data of the Bank's employees to which there was unauthorized access, by category:

Messages with personal data of natural persons

Messages up to 14.12.2022 | Messages after 14.12.2022 | Personal data | Number of natural persons
41 | 6 | Personnel payroll data, extraordinary benefits (bonus), age, length of service, evaluations, education, recruitment channel, health data - disability rate, marital status, age/date of birth, personnel voluntary retirement data (VSS) (data for the years 2019/20/21/22) | up to 6167
5 | 3 | Personnel voluntary retirement data (VSS) (years up to 2020, 2021) |
4 | 3 | Personnel evaluations of the years 2020, 2021 and 20to | 138
1 | - | Salaries of Directors (2019 data) | 86
1 | - | Directors and Deputy Directors with comments on voluntariness (2020 data) | 253
1 | - | Promotions and evaluations of executives (2020 data) | 53
53 | 11 | Total: 64 messages | Maximum number of affected natural persons: 6167

Messages without personal data of natural persons

Messages up to 14.12.2022 | Messages after 14.12.2022 | Content of messages
54 | 17 | Organizational changes, Action Plans, Regulations - Operation (2019 to 2022)
8 | 4 | Requests to employees for information
62 | 21 | Total messages: 83

The company was summoned to a hearing before the President of the Authority on 08.02.2024 by the Authority's document no. Γ/ΕΣΕ/451/31-01-2024. At the meeting the following were present on behalf of the controller: Mourgelas Ioannis, Legal Advisor (AM DSA …), Salakas Nikolaos, Legal Advisor (AM DSA …), A, Head of the Compliance Department, and B, Data Protection Officer, who supported the following:

1. The incident was noticed because in September 2022 the impression arose in the company's management that there was a leak of information regarding salaries from the IT department, because some people seemed to be aware of certain changes of which they should not have been.

2. It was found that an employee had retrieved an email with salary information from the Enterprise Vault system without having authorized access.

3. There was a company role revocation policy that was not implemented.

4. The investigation showed that from 2019 to 2022 the employee had 24,625 unauthorized accesses and downloaded 64 emails from the Enterprise Vault system. Of these, 63 concerned personal data of company employees and one included candidate CVs in relation to a job advertisement.

5. The employee forwarded the emails to a group of eight recipients.

6. The officers involved were dismissed with termination of employment and signed a confidentiality statement.

7. 15 months have passed since then, during which there were no indications of use of the personal data to which the involved officers gained unauthorized access.

8. The employee had no reason to use the unauthorized access option before 2019. He then had an incentive, due to the change in the company's management and the resulting changes in personnel.

9. A series of new security measures were taken in response to the incident, such as the possibility of accessing data only where it is requested by more than one authorized user of the system, the control of access by an independent department of the company, etc. As a result of these additional technical measures, it is no longer possible to repeat this specific violation due to an organizational error.

Finally, the company submitted memorandum no. G/ΕΙΣ/1433/22-02-2024, accompanied by the group security policy and the human resources management policy, which mentions, among other things: 1. the additional organizational and technical measures taken after the incident; 2. that after a thorough investigation in collaboration with an external partner, no indications of unauthorized access to the company's systems emerged until the first quarter of 2019.

The Authority, having taken the above into account,

DECIDED IN ACCORDANCE WITH THE LAW

1. According to Article 5 par. 1 item f' of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – hereinafter GDPR), “personal data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).”

2. According to Article 32 of the GDPR: “Taking into account the latest developments, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security against the risks, including, inter alia, where applicable: (..) b) the ability to ensure the confidentiality, integrity, availability and reliability of the processing systems and services on an ongoing basis, (..) d) a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the security of the processing. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed. 3. The controller and the processor shall take measures to ensure that any natural person acting under the supervision of the controller or processor who has access to personal data processes them only on instructions from the controller, unless required to do so by Union or Member State law.”

3. In the case under consideration, the information in the file shows that, due to the failure to implement the company's security policy, the employee's role in the system was not adapted when he was transferred to another organisational position, in breach of Article 32 of the GDPR. Furthermore, due to the high rights required by his previous position (system administrator), the user in question maintained increased unauthorized access to system resources for a long period of time. This specific security gap led to an access control type violation which, despite its limited scope (one user) and the fact that it falls under the category of internal threats (insider threat), is considered a high risk that exposes a system to a large extent. This failure to adapt roles was not noticed for a very long period of time (2015-2022) and resulted in 6,167 individuals being affected by the incident, and the information to which unauthorized access was obtained also concerns personal data of special categories (health - disability rate).

4. From the above security gap it can be concluded that, in violation of Article 32 of the GDPR, the following measures were not implemented at the level of addressing internal threats:
a. Adequate system monitoring,
b. Implementation of security policies [2],
c. Additional system monitoring at the level of administrator activity,
d. Existence of technical measures which could, by definition, prevent organizational errors of this type, such as automated changes at the software level or with database triggers that adapt system roles to field modifications relating to changes in organizational positions.

5. The company has a special/privileged access management system (Privilege Access Management – hereinafter PAM). The software used by the company to monitor communication channels and identify discrepancies (Enterprise Vault) was integrated into PAM in 2022 and does not monitor the activity of cybersecurity and information security managers. If this integration had taken place earlier and covered all users/managers, the security gap might have been detected through this system and its consequences mitigated.

6. The above data indicates a violation of the principle of confidentiality and, therefore, a violation of Article 5 par. 1 lit. f' in conjunction with Article 32 of the GDPR is established.

7. Based on the foregoing considerations, the Authority considers it appropriate to exercise its corrective powers under Article 58 par. 2 of the GDPR in relation to the established infringement and that, based on the circumstances established, an effective, proportionate and dissuasive administrative fine should be imposed pursuant to Article 58 par. 2 sub. i' of the GDPR, in accordance with Article 83 of the GDPR.

8. Furthermore, the Authority took into account the criteria for measuring fines set out in Article 83 par. 2 of the GDPR and paragraph 5 item b' of the same article, which are applicable to the present case, the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 issued on 03-10-2017 by the Article 29 Working Party (WP 253) and the Guidelines 04/2022 of the European Data Protection Board on the calculation of administrative fines under the General Regulation, as well as the actual facts of the case under consideration, and in particular the following criteria:

I. As aggravating factors:
a. That the employee had the possibility of unauthorized access to the system with elevated system administrator rights for a long period of time, during which this possibility was not realized.
b. That particularly important categories of personal data were affected, such as personnel payroll data, special benefits (bonus), age/date of birth, length of service, education, recruitment channel, marital status, personnel voluntary departure data, comments from managers and Deputy Managers of Departments on voluntary departure, personnel evaluations, salaries of department managers, promotions and evaluations of executives.
c. That special categories of personal data were affected, such as health data-disability percentage.

II. As mitigating factors:
a. Following the incident, the company's compliance policy framework took a series of actions to enhance security at a technical and organizational level, in order to strengthen the security of the system by taking technical measures and to limit the possibility of the same incident being repeated.
b. Following the incident, measures were imposed against the company's employees who were involved in the leak of personal data.
c. Following the incident, an investigation was carried out in full cooperation with the Bank's Internal Audit Department using special software from the company Alvarez & Marsal, which sent specialized personnel from the United Kingdom to Greece.
d. The leakage of personal data as a result of the incident was small and the consequences of the incident were limited in proportion to the size of the company.

III. The last consolidated available turnover of the company (01/01/2022-30/06/2022), which amounts to €2,194,008,000.

9. After taking into account the above aggravating and mitigating criteria (paragraph 8 points I and II above), as well as the turnover of the HR (paragraph 8 point III above), the gravity of the violations found is considered minor. Therefore, the Authority considers that a fine close to the low end of the static range set out in the EDPB Guidelines 4/2022 for the type of infringements with minor seriousness, and equal to €3,000, should be imposed on the company with the name “ALPHA BANK S.A.”.

FOR THESE REASONS

The Authority, exercising its corrective powers pursuant to Article 58, paragraph 2, letter i) of the GDPR, imposes a fine of three thousand euros (€3,000) on the company with the name “ALPHA BANK S.A.”, for the reasons extensively set out in the reasoning.

The President
Konstantinos Menoudakos

The Secretary
Irini Papageorgopoulou

Footnotes

[1] Privileged Access Management (PAM) is an identity security solution that helps protect organizations from cyber threats by monitoring, detecting and preventing unauthorized privileged access to critical resources. PAM operates through a combination of people, processes and technology and provides visibility into who is using privileged accounts and what they are doing while logged in. The limitation of the number of users who have

[2] Access control imposes a policy so that users cannot act outside their intended permissions.