National Bank of Greece – €20,000 Fine (Greece, 2022)

€20,000
Hellenic Data Protection Authority
14 July 2022
Greece
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The National Bank of Greece (the controller) replaced all debit/credit cards of its customers (data subjects) with new ones capable of carrying out contactless transactions. Data subjects could not refuse the replacement. The new cards embedded a chip that stored information on the last 10 transactions. According to the controller, this information included only the date, amount and currency of each transaction. Third parties could gain unauthorised access to this data by placing a "reading" device (e.g. a smartphone with malicious software installed) close to the card. According to the manufacturer of the cards (Mastercard), this feature was not necessary for carrying out contactless payments and it was the controller's choice to add it. The range of the collected data was also determined by the controller. However, the controller did not inform the data subjects about these processing operations. After a data subject's complaint in 2015, the Greek DPA issued a warning in [https://www.dpa.gr/sites/default/files/2019-10/48_2018anonym.pdf Decision 48/2018]. The DPA held that, since the collection performed by the chip was not necessary for carrying out contactless payments, the processing could only be based on the data subject's consent. The DPA then ordered the controller to inform the data subjects who already possessed the cards in question and had not granted their consent about the storage of transaction history. The information could be delivered by any appropriate means (such as email, postal notice, or a message through the e-banking account). This would give the data subjects the opportunity to object to this processing (Article 21 GDPR). In case of an objection, the controller had to deactivate the collection of the transaction history or issue a new card without this feature. For cards issued in the future, the feature in question had to be deactivated by default and could be activated only on the basis of the data subject's consent. On 15 No

GDPR Articles Cited

Art. 5(1)(a) GDPR
Art. 6(1)(a) GDPR
Art. 6(1)(b) GDPR
Art. 6(1)(f) GDPR
Art. 12(1) GDPR
Art. 13 GDPR
Art. 21 GDPR

Details

Fine Date

14 July 2022

Authority

Hellenic Data Protection Authority

Fine Amount

€20,000

Enforcement Tracker ID

ETid-841

GDPRhub ID

gdprhub-5400

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. National Bank of Greece - Greece (2022). Retrieved from cookiefines.eu
