Polish Data Protection Authority Fines mBank Over €870,000 for Failing to Notify Customers of Data Breach

Poland’s Personal Data Protection Office (UODO) has fined mBank more than €870,000 (4,053,173 PLN) for failing to notify customers affected by a significant data breach. The penalty, while substantial, represents just 0.0024% of the bank’s annual turnover, raising questions about the relative impact of such fines on large financial institutions.

The breach occurred on June 30, 2022, when sensitive customer data was mistakenly sent by an employee of a third-party processor to an unauthorized recipient at another financial institution. Although the documents were returned to mBank, the envelope had been opened, increasing the risk that the personal data may have been accessed by third parties.

The exposed information included names, birth dates, addresses, national identification numbers (PESEL), bank account details, income and asset data, and other identifiers, such as mother's maiden names and ID card numbers. Under the General Data Protection Regulation (GDPR), mBank was obligated to notify the affected individuals, providing them with details of the breach, potential risks, and steps to mitigate any adverse effects. However, the bank failed to do so.

mBank argued that the breach did not require notification because the recipient institution was bound by banking secrecy laws and considered a "trusted entity." The bank relied on assurances that the documents had not been copied or misused by the recipient.

The UODO rejected mBank's defense, referring to GDPR Guidelines 9/2022, which specify that the status of the recipient is not sufficient to avoid the obligation to notify. The guidelines emphasize that a trusted recipient must have a long-term, direct relationship with the sender, along with a track record of secure data handling practices. In this case, mBank’s reliance on the recipient’s assurances did not meet the stringent standards set by GDPR.

The President of the UODO stressed that mBank’s failure to notify its customers deprived them of the opportunity to protect themselves against potential risks, such as identity theft or financial fraud. The regulator further criticized the bank for focusing on the recipient’s status rather than prioritizing the rights and interests of the individuals whose data was exposed. In GDPR cases, the primary obligation is to ensure that data subjects are informed of breaches that may affect their privacy and security.

While GDPR allows for penalties up to €73 million (337 million PLN) in cases of severe non-compliance, the UODO imposed a relatively moderate fine of €870,000. The decision reflects concerns about a systemic issue within mBank’s data breach notification procedures, which the regulator found to be insufficiently robust.

In issuing the fine, the UODO condemned mBank for showing "disregard for the rights of individuals whose personal data the bank processes." The authority underscored that compliance with GDPR is paramount and that no organization—regardless of any additional obligations such as banking secrecy—can avoid the responsibility of protecting personal data.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.