Toyota Bank Poland S.A. – €18,000 Fine (Poland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Toyota Bank Poland S.A. (controller) is a bank established under Polish law. On 31 March 2021 an employee of the controller mistakenly sent a letter containing the data subject's personal data to another client. The letter contained personal data from the loan agreement concluded between the data subject and the controller, specifically: name, surname, bank account number, address, national ID number (PESEL) and ID number. The (incorrect) addressee picked up and opened the letter. Eventually, the controller retrieved the letter by sending a courier.

The controller registered the incident in its internal register and performed a risk assessment. During the risk assessment, the controller took into account the European Union Agency for Cybersecurity (ENISA) data breach guideline "Recommendations for a methodology of the assessment of severity of personal data breaches" (https://www.enisa.europa.eu/publications/dbn-severity). According to the controller, the breach affected only one person, the letter was swiftly retrieved, and the (incorrect) addressee was the controller's own client and helped to resolve the problem. On that basis, the controller assigned the breach a low risk level and therefore did not notify the DPA. Nevertheless, the controller decided to inform the data subject about the breach by letter.

The data subject filed a complaint with the DPA, claiming the controller had unlawfully disclosed their personal data. During the complaint proceedings, on 7 September 2022, the controller notified the DPA about the breach, almost 18 months after it occurred. The controller justified the late notification by the low risk it had assigned to the breach. As a consequence of the late breach notification, the DPA initiated ex officio proceedings regarding a violation of Article 33(1) GDPR. According to the DPA, the controller failed to adequately assess the risk of the data breach. The DPA emphasised that the data subject interests sho
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Toyota Bank Poland S.A. in PL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
12 March 2024
Authority
Urząd Ochrony Danych Osobowych
Fine Amount
€18,000
GDPRhub ID
gdprhub-8099
Cite as: Cookie Fines. Toyota Bank Poland S.A. - Poland (2024). Retrieved from cookiefines.eu
Last updated: