Hellenic Bank – €25,000 Fine (Cyprus, 2021)

€25,000Commissioner for Personal Data Protection3 March 2021Cyprus
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Hellenic Bank was fined €25,000 for leaving a safe with customer documents in a closed branch. This breach happened because the bank forgot about the safe when moving out. The case highlights the importance of securing customer data, even during relocations.

What happened

Hellenic Bank left a safe containing customer documents in a closed branch, which was discovered years later by a new tenant.

Who was affected

Existing customers of Hellenic Bank whose documents were left in the forgotten safe.

What the authority found

The Cypriot DPA found that Hellenic Bank failed to protect customer data and report the breach in a timely manner, violating GDPR rules.

Why this matters

This case emphasizes the need for companies to secure customer data during office closures or relocations. It serves as a reminder to review and update data protection practices regularly.

GDPR Articles Cited

Art. 5(1)(e) GDPR
Art. 32(1)(b) GDPR
Art. 33(1) GDPR
Cyprus enforcementCommissioner for Personal Data Protection actionsAll Hellenic Bank actions
Full Legal Summary
Detailed

The Cypriot DPA imposed a fine of EUR 25,000 on Hellenic Bank. The bank had closed one of its branches in the city of Nicosia in 2015. When moving out of the space, a safe containing old documents of still existing customers, installed in one of the walls, had been forgotten. As the building was vacant in the following years, the controller only learned about this incident when the property was rented out again for the first time in 2019. The new tenant had found the safe and informed the controller. Bank staff had then retrieved the documents and reported the data breach to the Cypriot DPA. The DPA ultimately concluded that the controller had violated Art. 5 (1) e), f) GDPR, Art. 32 (1) b), c) GDPR, and Art. 33 (1) GDPR.

Related Enforcement Actions (0)

No other enforcement actions found for Hellenic Bank in CY

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

3 March 2021

Authority

Commissioner for Personal Data Protection

Fine Amount

€25,000

Enforcement Tracker ID

ETid-578

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Hellenic Bank - Cyprus (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: