The Personal Data Protection Office imposed a fine of over PLN 363,000 on Bank Millennium S.A. for failing to report a data protection breach and for failing to fully inform affected persons of the incident

The Personal Data Protection Office imposed a fine of over PLN 363,000 on Bank Millennium S.A. for failing to report a data protection breach and for failing to fully inform affected persons of the incident. A courier company lost letters containing personal data of bank customers. The bank informed the addressees, but the information in question was insufficient – it did not meet the requirements set out in the GDPR. The bank considered that the risk of negative consequences for the persons affected by the breach was moderate and did not report the breach to the supervisory authority. In addition to imposing an administrative penalty, the PDPO also ordered that the persons affected by the breach be notified in the manner provided for in Article 34(2) of the GDPR.
