10.4 C
London
Saturday, December 21, 2024

mBank punished. It endangered customers. And it was no accident. “A manifestation of the bank's systemic attitude”

Must read

- Advertisement -



The data leak from mBank occurred on June 30, 2022. Personal data of customers was transferred to an unauthorized person as a result of an employee's error, who mistakenly sent documents to another financial institution. Although the documents were returned to the bank, the envelope was opened, which created a risk of access to the information by unauthorized persons. The documents contained data such as surnames, first names, PESEL numbers, place of residence, ID card numbers, and information on assets and earnings.

mBank did not notify customers about the leak, despite the fact that the President of the Personal Data Protection Office indicated the need to take such actions. The bank argued that the documents were sent to an institution that is also subject to banking secrecy and has the status of a trusted entity. Employees of this institution confirmed that they do not have copies of the documents, and mBank considered that there was no need to disclose the matter. The imposed penalty of four million zlotys constitutes 0.024 (24 thousandths) percent of the bank's turnover.

Watch the video Zuzanna Polak: You don't pay for online services? You probably give away your data in return

mBank punished. The bank got away with it, the penalty could have been much higher

The President of the UODO did not recognize mBank's position regarding the trusted entity. He also found that the possibility of disclosing such a large amount of data creates a huge risk for the people concerned. Since they were not notified of the problem, they could not counteract the potential negative effects of the breach.

The bank reasoned incorrectly, focusing only on who had access to the disclosed data. In its explanations, it relied on assurances from people with access to the disclosed data that nothing bad had happened. This is not enough

– we read in the UODO press release.

- Advertisement -

“When analysing such a situation, the rights of the persons affected by the breach should always be taken into account. It should be emphasised that respecting other legally protected secrets does not exempt from the application of the GDPR,” the office argues.

In the opinion of the President of the UODO, the bank's action in question is an example of disregard for the rights of persons whose personal data the administrator processes. “Considering that, in accordance with the provisions of the GDPR, the fine could amount to PLN 337 million, it should be considered relatively mild. Based on analyses of cases that reach the supervisory authority, it can be assumed that the adopted practice of not informing persons whose data have been breached, justified as in the case of the discussed breach of personal data protection, is a manifestation of the bank's systemic attitude (policy), which deserves an exceptionally negative assessment by the President of the UODO,” the Office sums up.

mBank responds. The institution has not changed its arguments

As TVN24 found out, mBank does not agree with the UODO decision and announced an appeal to the Provincial Administrative Court in Warsaw. The company recalled that the problem, which affected three clients, was reported to the Office itself. Although the UODO rejected mBank's explanations, the latter did not change its line of argument and continues to maintain that the documents remained with the group of people who are obliged to apply banking secrecy and were authorized to process data in accordance with the GDPR.

“We submitted our arguments regarding the assessment of this event to the President of the Personal Data Protection Office back in 2022. It also included a request to re-assess the issued decision on the need to inform our clients about this event. Unfortunately, we have not received a final response from the Personal Data Protection Office. We have been cooperating with the Office from the beginning and have answered every question sent to us honestly and accurately. In light of these facts, we believe that the penalty imposed on us is inadequate,” mBank emphasized.



Source link

More articles

- Advertisement -

Latest article