HDPA (Greece) - 6/2022
Relevant Law: Article 5(1)(f) GDPR; Article 33 GDPR; Article 34 GDPR
National Case Number/Name: 6/2022
European Case Law Identifier: n/a
Original Source: HDPA (in EL)
Initial Contributor: Cesar Manso-Sayao
The Greek DPA issued a fine of €10,000 against a bank for continuing to send financial data to an email address reported as incorrect by the data subject, and for failing to notify this data breach, in violation of Articles 5, 33 and 34 GDPR.
Facts
A data subject filed a complaint with the Greek DPA (Hellenic Data Protection Authority - HDPA) against Piraeus Bank (hereinafter the Bank), claiming that she had found out that the Bank was sending emails containing her bank account expenditure data to an incorrect email address, one belonging to a person with a similar name and surname. The data subject claimed that she had contacted the Bank to correct this situation, but the error was not fixed, and the emails with her financial data continued to be sent to the incorrect email address.
In its investigation, the HDPA asked the Bank to explain: what steps it had taken to address the data subject's request to correct her email address; why it had not notified the HDPA of the data breach in due time according to Article 33 GDPR; and whether it had provided the data subject with the information about the data breach required by Article 34 GDPR.
The Bank stated in its defense that the bank account in question was a joint account held by the data subject and her ex-spouse. The Bank also explained that, in its view, the email was reaching a different recipient because of an error in Google's Gmail system, which did not recognise the dot symbol (.) within the address and therefore treated the address provided and that of the alleged final recipient as identical.
Furthermore, regarding the data subject's request to rectify the data on file, the Bank stated that it had informed her that, since the email address had been provided by her ex-spouse and not by the data subject herself, the data on file was regarded as his personal data and could only be changed or rectified at his request or with his authorisation. The Bank then explained that, since her ex-spouse had not contacted the Bank to rectify the data on the account, the notifications continued to be sent to the email recipient on file.
Holding
The HDPA found that the actual reason the email was being sent to the wrong recipient had nothing to do with Gmail not recognising a dot symbol (.) within the address, but rather that the ex-spouse had mistakenly entered the email address with an "i" instead of an "e" in the data subject's name.
Additionally, the HDPA noted that, although the data subject had informed the Bank that her personal data was being sent to the wrong email address, the Bank still continued to send notifications to this address while waiting for the joint account holder (the data subject's ex-spouse) to exercise his right to rectification. Moreover, although the HDPA acknowledged that in this case it was indeed the data subject's ex-spouse and joint account holder who had the prerogative to exercise the right to rectification regarding the email address, it was the Bank's obligation as data controller to adopt measures regarding the data breach as soon as it became aware of it, in order to ensure the confidentiality of the data subject's personal data.
Therefore, the HDPA held that the Bank should have ceased sending email notifications until the email issue was resolved by the joint account holder, and that it should have provided information regarding the data breach to both the data subject and the HDPA. Since the Bank had failed to do so, the HDPA held that it had violated the principle of integrity and confidentiality pursuant to Article 5(1)(f) GDPR, as well as Articles 33 and 34 GDPR, and issued a fine of €10,000 against the Bank.
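As an added illustration (not code from the decision, the Bank or the HDPA), the snippet below models the two controller-side measures the decision turns on: verifying a declared alert address before anything is sent to it, and suspending delivery immediately when a misdirection is reported, independently of who may later exercise the right to rectification. It also shows why Gmail's dot-insensitivity (dots in the local part of gmail.com addresses are ignored) could not explain an address that differs by a letter; all addresses and account ids are constructed.

```python
from dataclasses import dataclass, field
import secrets


def normalise(addr: str) -> str:
    """Canonical form for duplicate detection: lower-case, and for gmail.com
    also drop dots in the local part, which Gmail ignores when routing."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


@dataclass
class Recipient:
    address: str
    verified: bool = False          # confirmed by the mailbox owner?
    suspended: bool = False         # delivery halted after a misdirection report?
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class AlertRegistry:
    """Hypothetical registry of alert recipients per account (constructed)."""

    def __init__(self):
        self._by_account: dict[str, Recipient] = {}
        self.breach_log: list[str] = []

    def declare(self, account: str, address: str) -> str:
        """Store the declared address as unverified and return the confirmation
        token that would be e-mailed to it; no alert goes out before confirm()."""
        rec = Recipient(address=normalise(address))
        self._by_account[account] = rec
        return rec.token

    def confirm(self, account: str, token: str) -> bool:
        rec = self._by_account[account]
        if secrets.compare_digest(rec.token, token):
            rec.verified = True
        return rec.verified

    def report_misdirected(self, account: str, reporter: str) -> None:
        """Any holder's report halts delivery at once (Art. 5(1)(f) containment);
        who may later rectify the address does not delay this step."""
        rec = self._by_account[account]
        rec.suspended = True
        self.breach_log.append(
            f"{account}: alerts to {rec.address} suspended on report by "
            f"{reporter}; assess notification under Art. 33/34")

    def may_send(self, account: str) -> bool:
        rec = self._by_account.get(account)
        return bool(rec and rec.verified and not rec.suspended)
```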
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary
A complaint was lodged with the Authority against Piraeus Bank for an incident of personal data breach, consisting of sending Winbank Alerts notifications to a third party with the name of the complainant, which continued despite the relevant information of the Bank. The investigation revealed that the incident was due to the incorrect declaration of the e-mail address by the co-beneficiary of the complainant. Although the Bank was notified, it did not stop sending the notifications but indicated to the complainant how the right of correction should be exercised by the co-beneficiary, as the subject of the inaccurate data. A breach of the principle of confidentiality was found (Article 5(1)(d) and (f) GDPR) and a breach of the Bank's obligations to report the incident to the Authority and the subject (Articles 33 and 34 GDPR), for which a total fine was imposed, amounting to €10,000. In addition, the Authority issued a warning to the Bank regarding the lack of technical and organizational security measures (Articles 24 and 32 GDPR) found, due to the lack of verification measures for the e-mail addresses declared for the purpose of sending Winbank Alerts notifications.