UODO – €83,681 Fine (Poland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Bank Millennium in Poland lost customer data but didn't properly inform the affected customers or the authorities. This oversight led to a fine of over €83,000. Businesses must notify both customers and regulators promptly in case of data breaches.
What happened
Bank Millennium lost customer data and failed to adequately notify the affected customers and the Polish DPA.
Who was affected
Customers of Bank Millennium whose personal data was lost were affected.
What the authority found
The Polish DPA fined the bank for not notifying the data breach as required by GDPR.
Why this matters
This case highlights the importance of transparency and timely communication in data breach situations. Companies should ensure they have procedures in place to notify both customers and authorities when data is compromised.
GDPR Articles Cited
Entities Involved
The data subjects are customers at Bank Millennium S.A. (hereafter: controller). They provided the controller with their personal data in March 2019 to have a bank account set up. In May 2019, the controller notified them of the loss of their personal data. However, since the data subjects did not obtain additional information on the breach, in June 2019 they filed a complaint with the UODO (Polish DPA).

During the DPA’s investigation, it turned out that, in April 2019, the controller sent a parcel to its Head Office, with several documents. These documents contained, in particular, the following data: name, surname, PESEL, registered address, bank account numbers, CIF number (identification number assigned to the controller's clients) of the Applicant and the Applicant's name, surname and PESEL.

The controller considered the circumstances of the breach, i.e., what personal data had been lost, and assessed this breach in accordance with a methodology based on the European ENISA methodology (a risk management assessment tool by the European Union Agency for Cybersecurity). Based on this assessment, the controller considered that the breach is likely to (only) cause a medium risk of violation of the rights and freedoms of the data subjects. Hence, it did not notify the data subjects in accordance with Article 34(1) GDPR, only supplying very general information on the nature of the breach, and that the data subjects could use the controller’s free Alert service to minimise the negative effects. Moreover, the controller also did not notify the DPA in accordance with Article 33(1) GDPR.

During the DPA’s investigation, the controller brought forward a number of arguments why it had not notified the data subjects and the DPA, i.e., that parcels are also categorized as ‘lost’ without leaving the supplier’s infrastructure, that the loss of PESEL numbers does not cause a high risk for the rights and freedoms of the data subject, and that the data subject’s personal data was
Related Enforcement Actions (0)
No other enforcement actions found for UODO in PL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
14 October 2021
Authority
Urząd Ochrony Danych Osobowych
Fine Amount
€83,681
363,832 PLN
GDPRhub ID
gdprhub-4361
Cite as: Cookie Fines. UODO - Poland (2021). Retrieved from cookiefines.eu