Bank – €4,000,000 Fine (Austria, 2021)

€4,000,000 | Datenschutzbehörde | 1 January 2021 | Austria
reduced
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

An Austrian bank was fined for not protecting customer data properly. It stored sensitive information in an unprotected file, which was accidentally sent to hundreds of people. This case shows the importance of securing customer data to prevent breaches and fines.

What happened

An Austrian bank was fined for failing to secure customer data, leading to an accidental data breach.

Who was affected

Approximately 5,971 bank customers whose personal data was exposed due to inadequate security measures.

What the authority found

The Austrian DPA found that the bank did not implement adequate security measures to protect personal data, violating GDPR rules.

Why this matters

This case underscores the necessity for businesses to implement strong data protection measures. It serves as a warning that inadequate security can lead to significant fines and reputational damage.

GDPR Articles Cited

Art. 32 GDPR
Art. 5(1)(f) GDPR

Source verified 5 March 2026
amount discrepancy
date discrepancy
Full Legal Summary

Original fine summary: The Austrian DPA has imposed a fine of EUR 4,000,000 on a credit institution. The controller had stored an Excel file containing personal data, such as customers' account information, on an internal drive for the purpose of internal administration of bank customers. The file could be accessed and viewed by all branch employees as needed. The Excel file was neither encrypted nor protected by other adequate measures against unauthorized access or unintentional disclosure to third parties. An employee inadvertently sent the Excel list to 234 customers, disclosing the personal data of approximately 5,971 customers. The DPA therefore found that the controller had failed to implement adequate technical and organizational measures to protect personal data.

Update: The fine was reduced from EUR 4,000,000 to EUR 50,000 following a court ruling in 2024.

Details

Fine Date

1 January 2021

Authority

Datenschutzbehörde

Fine Amount

€4,000,000

Enforcement Tracker ID

ETid-872

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Bank - Austria (2021). Retrieved from cookiefines.eu
