Due to Failure to Notify the Breach and the Data Subjects about the Incident Back, Millennium Has Been Fined by Polish DPA

The Polish Data Protection Authority ("DPA") decided that Bank Millenium S.A. infringes the GDPR so, it imposed a fine to Bank Millenium S.A. because of the lack of notification of a personal data breach to the supervisory authority and communication of a personal data breach to the data subject, on 14th of October 2021.

The Personal Data Protection Office ("UODO") learnt about the personal data breach from a complaint lodged against the bank. The complaint concerned the loss by a courier company of correspondence containing personal data, such as name, surname, personal identification number ("PESEL number"), registered address, bank account numbers, the identification number assigned to the bank’s customers. The complainants were informed about this fact by the bank, but the information was not sufficient under the requirements set out in the GDPR.

It turned out that the data controller had failed to comply with its obligations in relation to the personal data breach. The bank considered that the risk of adverse effects for persons affected by the breach was medium; therefore, it did not notify this breach to the supervisory authority and did not fully comply with the obligation to communicate it to the data subjects.

The DPA fined Bank Millenium S.A. 80.000 Euro.

You can find the full text here.


Kind regards,

Zumbul Attorneys-at-Law