The Administrative Court upholds DPA’s decision on administrative fine imposed on Bank Millennium

The Voivodeship Administrative Court in Warsaw, in a ruling issued on July 1, 2022, dismissed Bank Millennium S.A.'s complaint against the Polish DPA’s decision imposing an administrative fine

The Polish DPA imposed an administrative fine on the controller in connection with a personal data breach that occurred as a result of a courier service provider losing correspondence sent by the bank with personal data, such as name, surname, personal identification number, address of permanent residence, bank account numbers, and identification number given to the bank's customers The Polish DPA learned about the incident from a complaint filed against the bank.

The controller considered the risk to the rights and freedoms of the persons affected by the breach to be medium, and therefore did not notify the breach to the supervisory authority and did not fully comply with its obligation to communicate it to data subjects. The failure to notify the supervisory authority of the breach and to communicate it to the data subject was the reason for the fine.

All in all, the personal data breach occurred

The court had no doubt that the incident at issue constituted a personal data breach, as referred to in Article 4(12) of the GDPR. Indeed, as a result of the loss of a correspondence containing personal data of the bank's customers, a security breach occurred, resulting in the possibility of unauthorized disclosure of such data. Since the controller lost control over the processed personal data due to the failure to find the correspondence of bank documents containing the personal data of its customers, the risk of unauthorized disclosure of personal data arose, with the result that the attribute of confidentiality of personal data was violated.

The bank has no information on what happened to the aforementioned correspondence, which also clearly shows that there is no information on whether unauthorized persons became acquainted with the data contained in the contents of the documents in the lost correspondence, which consequently means that there was a personal data breach.

This is because we are not dealing with a personal data breach only when the controller is certain that the personal data has not become familiar to an unauthorized person, but also when the controller cannot exclude such a situation due to the lack of information in this regard. The controller is not able to determine unequivocally on its own that personal data has not been disclosed, so the incident in question is treated as a personal data breach.

In this case, there was a personal data breach involving the loss of documentation containing personal data of the bank's customers, which causes a high risk  to the rights or freedoms of natural persons. This means that an obligation arose on the part of the bank to notify the personal data breach to the supervisory authority and to communicate the breach to those persons.

Risk analysis

The controller itself, in its assessment of the risk to the rights or freedoms of natural persons, assumed an medium level of such risk. The bank, therefore, according to the result of its own risk analysis conducted in connection with the personal data breach, should at least have notified the personal data breach to the DPA, which, as it should be emphasised again, it did not do.

Who is the controller ‒ the post office or the bank?

According to the court, the Polish DPA correctly concluded that the bank was the controller of the personal data at issue. This is because it was the bank, not the postal operator, that determined the purposes and means of processing the data. The controller of the data contained in the documents inside the correspondence is the entity sending them, and only it, as the sender, has knowledge of what data correspondence contains. The courier service provider does not have such knowledge. It should be noted that postal operators or courier service providers are controllers, but only of the data appearing on the envelope, i.e. the data of the senders and addressees, i.e. the data to the extent necessary for the proper delivery of the mail.

It should be pointed out that the lost correspondence contained bank documents, which therefore makes it clear that the controller of the data is undoubtedly the bank, which also sent the correspondence, and it was the bank that was obliged to fulfill the controller’s duties alleged in the appealed decision.

*Judgment of the Voivodship Administrative Court in Warsaw of July 1, 2022 (ref. II SA/Wa 4143/21).