Huge fine for mBank. It's all about data leak

Data leakage is always a serious matter that has consequences. mBank has to pay the imposed fine, and although at first glance it seems huge, in reality it turns out to be surprisingly mild.

The President of the Personal Data Protection Office (UODO) announced that a penalty had been imposed on mBank. The bank must pay PLN 4 million for failing to notify those affected by the data leak. Although this sum seems huge to the average Joe, in reality it represents only 24 thousandths of a percent of the bank’s turnover.

Why is mBank being fined?

The bank failed to fulfil its obligations under the GDPR after it experienced a leak of its customers’ data on June 30, 2022. Personal data of a group of mBank customers were transferred to an unauthorized recipient. When such an event occurs, the controller must inform the affected persons about it and describe all possible consequences and remedies. The institution is also obliged to provide contact details for its data protection officer.

In a statement issued by the Office for Personal Data Protection, it was explained that an employee of a company processing personal data on behalf of the bank made a mistake and sent customer documents to another financial institution.

The documents were returned to the bank, but the envelope was opened. This means that third parties could have had access to the documents and it cannot be ruled out that they read the documentation.

– says the UODO statement.

This concerns personal data, including PESEL numbers, earnings data and the series and numbers of ID cards. The bank did not notify customers of this fact, even though the President of the UODO ordered that such action be taken. In the bank’s opinion, there was no need to disclose this leak, because the institution that temporarily held the data is also bound by banking secrecy. In addition, that institution’s employees confirmed that they had not kept copies of the documents sent by mistake.

As we can guess, the UODO President did not accept this explanation, as evidenced by the imposed penalty. Such action by the bank is an example of disregard for the rights of the people whose data it processes. The bank’s reasoning, which focused only on who had access to the data rather than on the risk to the data subjects, is erroneous.

Considering that under the provisions of the GDPR the fine could amount to PLN 337 million, it should be considered relatively lenient.

– we read in the UODO press release.

Let us recall that a penalty imposed by the UODO cannot be appealed. The only option is to refer the case to an administrative court.
