Hellenic Bank PLC - Violation Found (Cyprus, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Hellenic Bank in Cyprus had a mix-up with passport numbers, leading to one client accessing another's personal data. This incident shows the importance of accurate data handling and the need for banks to have strong checks to prevent such errors. Even without a fine, it highlights the risks of data mishandling.
What happened
Hellenic Bank mistakenly merged two clients' data due to a passport number error, allowing one client to access another's information.
Who was affected
Clients of Hellenic Bank were affected, specifically those whose data was mistakenly merged due to the passport number error.
What the authority found
The DPA Commissioner found that Hellenic Bank failed to properly handle personal data, violating several GDPR articles related to data security and breach notification.
Why this matters
This case illustrates the critical need for banks to have stringent data verification processes. It warns businesses about the potential consequences of data entry errors and highlights the importance of timely breach notification.
GDPR Articles Cited
In April 2019, Client A asked Hellenic Bank to update his information. During the update, a typing mistake was made in his passport number. At the time of the mistake, the wrong passport number did not match that of any client. In May 2019, Client B also needed to verify his information, and his new passport carried the number that the bank employee had mistakenly typed as Client A's passport number.
As a result, Client B had partial access through the web banking platform to Client A's personal and financial data. When B noticed this, he informed the Bank, and the access issue was resolved. But because the passport numbers mistakenly matched, the Bank's system automatically merged the postal addresses of both clients. After two months, Client B received a debit card with Client A's name on it.
The Bank follows the four eyes principle. The principle calls for an employee, before executing an act, to ask for verification from a colleague, who should re-examine the act for possible mistakes. Furthermore, a system error appeared to the employee who updated B's details, and the employee re-verified B's documents and evidence, including a passport copy. The employee ignored the error message and proceeded with the process. The fellow employee wasn't informed about the error message regarding the potential conflict in the clients' data, and it requires time to examine the reasons that triggered the system error.
Among other details, the fact that Client A was a Bank user under a business account was highlighted too. The Bank alleges that A's information, including name and address, was part of a wider body of a legal entity's data, which are not subject to the General Data Protection Regulation 2016/679.
According to Article 33 of GDPR, in the case of a personal data breach, the Data Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Hellenic Bank PLC in CY
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Hellenic Bank PLC - Cyprus (2020). Retrieved from cookiefines.eu