The Bank of Cyprus reported a data breach. The data breach involved three inappropriate mailings. The first incident involved a certain letter being mistakenly sent by the Bank of Cyprus to Themis company, while the second and third incidents involved the erroneous sending of electronic files, affecting 11,673 and 5,500 data subjects respectively.
As a result, the Cypriot supervisory authority, the Office of the Data Protection Commissioner, found that the Bank of Cyprus had breached Articles 5(1)(f), 24(1) and 32 of the GDPR.
The Commissioner imposed an administrative fine on the bank and advised the Bank of Cyprus to inform its Data Protection Officer in advance before taking any action on incidents that may breach the GDPR. The authority stressed that any decisions made by the controller regarding the matter are to be consulted with its DPO.