Τράπεζα Πειραιώς Α.Ε. – €210,000 Fine (Greece, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Hellenic Data Protection Authority fined Piraeus Bank €210,000 for mistakenly sending letters about loan claims to customers with no debts. The bank's system error led to unauthorized data sharing. This case underscores the need for robust data management systems to prevent errors.
What happened
Piraeus Bank mistakenly sent letters about loan claims to customers with no debts due to a system error.
Who was affected
Customers of Piraeus Bank who received incorrect letters about loan claims despite having no outstanding debts.
What the authority found
The Hellenic Data Protection Authority fined Piraeus Bank for unauthorized data sharing due to a system error, which violated GDPR data management principles.
Why this matters
This case highlights the importance of maintaining accurate data management systems to prevent unauthorized data sharing. Businesses should ensure their systems are robust to avoid costly errors and protect customer trust.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Piraeus Bank S.A., the controller, sent the data subject a letter informing them that it had entrusted the management of loans and credit related claims to a credit management company (AFS), its wholly owned subsidiary. The letter also informed that the data subject was subject to a claim and that their personal data had been shared with AFS, which was managing the claim. The data subject submitted an access request to the controller under Article 15 GDPR, asking for more detailed information such as the date, the means and the purpose of the transmission of their personal data, as well as the loan contract number and any other personal data. The controller responded that the letter was sent to the data subject by mistake and asked them to disregard it as their personal data had not been shared and remained on its servers. Dissatisfied with the response, the data subject filed a complaint with the Hellenic DPA, claiming that the controller did not provide them with sufficient information. Moreover, they argued that they did not have any loan or credit related claim with the controller and, therefore, there was no legal basis for sharing their data with AFS. The DPA opened an investigation regarding the controller. In the procedure, the controller stated that it had an agreement with AFS for the management of its 'portfolio' (receivables from loan granting and/or customers' debts that had became overdue, terminated or settled). The controller admitted that, due to a technical problem with its systems, letters were mistakenly sent to customers that had zero balance and should not be included in the portfolio. After the investigation, the Hellenic DPA could not determine if the data subject's data had been transferred to AFS, but reserved itself the right to further investigate the matter. On the other hand, the DPA found that personal data from the data subject, as well as from a large number of customers who were involved in loans with zero rest were mistakenl
Related Enforcement Actions (0)
No other enforcement actions found for Τράπεζα Πειραιώς Α.Ε. in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
12 June 2023
Authority
Hellenic Data Protection Authority
Fine Amount
€210,000
GDPRhub ID
gdprhub-6078About this data
Cite as: Cookie Fines. Τράπεζα Πειραιώς Α.Ε. - Greece (2023). Retrieved from cookiefines.eu
Last updated: