Santander Bank Polska fined. It lost customer data in a housing estate

Santander Bank Polska and Toyota Bank Polska have been fined by the President of the Personal Data Protection Office. In total, they have to pay over one and a half million zlotys. The reason is the leakage of customer data.

The President of the Personal Data Protection Office, Mirosław Wróblewski, learned about the personal data protection breach in the case of Santander Bank Polska SA… from the media. It happened after the theft of a courier shipment.

The parcel then ended up abandoned in one of the housing estates. It contained data such as names and surnames, dates of birth, bank account numbers, address and contact details, PESEL numbers, usernames and bank passwords, and even data on earnings or ID card series and numbers.

What did Santander do wrong?

The problem was not the event itself, because it was not the bank's fault. The Personal Data Protection Office does, however, blame Santander for failing to give notice of the data leak. How did the bank explain that decision?

"The parcel was found by one identified person within a short time of the loss of the parcel by the courier. It was also verified that no documents were missing, and the person who found the documents took them directly to the police station and stated that she did not copy the found documents," we read in the President's announcement.

According to the Office, however, in the event of a data protection breach, the risk of violating the rights and freedoms of a natural person should be assessed through the prism of the person at risk, not the interests of the administrator. Hence the decision of the President of the Personal Data Protection Office to impose a financial penalty of 1 million 440 thousand zloty.

Toyota Bank also fined

On the same day, the Office also fined Toyota Bank Polska SA. In this case the punishment was much less severe and amounted to 78 thousand zloty. The reason, as above, was failure to report a personal data breach without undue delay, i.e. no later than 72 hours after discovering the violation.

In this case, we are talking about the transfer of data to an unauthorized third party. The bank explained that it had itself reported the matter to the injured person. However, because of the delay in the notification required by law to the Personal Data Protection Office (the report was submitted a year and a half after the occurrence), it was decided to impose a penalty. It was also significant that the injured person had earlier submitted a complaint to the Office himself.
