mBank – €932,230 Fine (Poland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
mBank (the controller) entrusted a third party to perform processing activities (a processor). The processor’s employee erroneously sent the controller’s clients’ documents to another bank. The documents contained the following personal data: name, surname, national identification number (PESEL), financial data (clients’ assets), account number and ID number. According to the controller, the other bank sent back all the documents. The documents’ integrity was not affected, yet it was probable that the other bank’s employees had read the documents. As the documents’ confidentiality was violated, a data breach under Article 4(12) GDPR occurred. Nevertheless, the controller was of the opinion that the risk posed by the breach was minimised by the statutory bank secrecy. Because of that, the controller didn't see a reason to notify the data subjects in accordance with Article 34 GDPR. However, the controller notified the Polish DPA (UODO) about the data breach. During the following proceedings, the DPA requested the controller to notify the data subjects involved about the breach under Article 34 GDPR. The controller asked the DPA to reconsider its request. The controller emphasised that the documents had been shared with the other bank, the controller’s business partner, which should be treated as “a trusted party”. That was because the other bank, together with the controller, was part of the banking sector in Poland. As such, both the controller and the other bank pursue highly regulated business activity, in particular in the field of data protection and cybersecurity. For this reason, the breach didn’t pose “a significant risk of negative consequences for the data subjects”. In addition, the other bank’s employees made a statement confirming that they didn’t possess copies of the documents and were unable to identify the data subjects. Moreover, the other bank’s employees were aware of the duties associated with bank secrecy, as well as the liability for its breach under Article 171 para
GDPR Articles Cited
Related Enforcement Actions (1)
Other enforcement actions involving mBank in Poland
Details
Fine Date
20 August 2024
Authority
Urząd Ochrony Danych Osobowych
Fine Amount
€932,230
4,053,173 PLN
GDPRhub ID
gdprhub-8277
Cite as: Cookie Fines. mBank - Poland (2024). Retrieved from cookiefines.eu