mBank – €932,230 Fine (Poland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
mBank was fined EUR 932,230 after a third-party employee mistakenly sent sensitive client documents to another bank. The Polish data protection authority found that mBank did not properly notify its clients about the breach, which could have compromised their personal information. This case serves as a reminder for businesses to have clear protocols for notifying customers about data breaches.
What happened
mBank's client documents containing personal data were mistakenly sent to another bank by a third-party employee.
Who was affected
Clients of mBank whose personal data was included in the documents were affected.
What the authority found
The authority ruled that mBank failed to notify affected clients about the data breach, violating GDPR's notification requirements.
Why this matters
This case highlights the need for companies to have robust data breach notification procedures in place. Businesses should ensure they are prepared to inform customers promptly in case of data breaches.
GDPR Articles Cited
National Law Articles
mBank (the controller) entrusted a third party to perform processing activities (a processor). The processor's employee erroneously sent the controller's clients' documents to another bank. The documents contained the following personal data: name, surname, national identification number (PESEL), financial data (clients' assets), account number, ID number. According to the controller, the other bank sent back all the documents. The documents' integrity was not affected, yet it was probable that the other bank's employees read the documents. As the documents' confidentiality was violated, a data breach under Article 4(12) GDPR occurred. Nevertheless, the controller was of the opinion that the risk posed by the breach was minimised by the statutory bank secrecy. Because of that, the controller did not see a reason to notify the data subjects in accordance with Article 34 GDPR. However, the controller notified the Polish DPA (UODO) about the data breach. During the following proceedings, the DPA requested the controller to notify the data subjects involved about the breach under Article 34 GDPR. The controller asked the DPA to reconsider its request. The controller emphasised that the documents were shared with the other bank, the controller's business partner, which should be treated as "a trusted party". That was because the other bank, together with the controller, was part of the banking sector in Poland. As such, both the controller and the other bank pursue highly regulated business activity, in particular in the field of data protection and cybersecurity. For this reason, the breach did not pose "a significant risk of negative consequences for the data subjects". In addition, the other bank's employees made a statement confirming they did not possess copies of the documents and were unable to identify the data subjects. Moreover, the other bank's employees were aware of the duties associated with bank secrecy, as well as the liability for its breach under Article 171 para
Related Enforcement Actions (1)
Other enforcement actions involving mBank in PL
Details
Fine Date
20 August 2024
Authority
Urząd Ochrony Danych Osobowych
Fine Amount
€932,230
4,053,173 PLN
GDPRhub ID
gdprhub-8277
Cite as: Cookie Fines. mBank - Poland (2024). Retrieved from cookiefines.eu