After a typing error made while updating clients’ information, one client gained access to another client’s data through the web-banking platform. The DPA considered the role of a bank’s data management procedures under the GDPR.
In April 2019, Client A asked Hellenic Bank to update his information. During the update, a typing mistake was made in his passport number. At the time of the mistake, the wrong passport number did not match any client. In May 2019, Client B needed to verify his information too, but his new passport bore the number that the bank employee had mistakenly typed as Client A’s passport number.
As a result, Client B had partial access through the Web Banking Platform to the personal and financial data of Client A. When B noticed this, he informed the Bank, and the access issue was resolved. But because of the mistaken passport number match, the Bank’s system automatically merged the postal addresses of both clients. After two months, Client B received a debit card with Client A’s name on it.
The Bank follows the four-eyes principle. The principle requires an employee, before executing an act, to ask for verification from a colleague, who should re-examine the act for possible mistakes. Furthermore, a system error appeared to the employee who updated B’s details, and the employee re-verified B’s documents and evidence such as a passport copy. He or she ignored the error message and forwarded the process. The fellow employee was not informed of the error message about a potential conflict in clients’ data, and no one took the time to examine the reasons that triggered the system error.
Among other details, it was also highlighted that Client A was a bank user under a business account. The Bank alleged that A’s information, including name or address, was part of a wider body of a legal entity’s data, which is not subject to the General Data Protection Regulation 2016/679.
According to Article 33 of the GDPR, in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The Cypriot Commissioner for Personal Data Protection held that this obligation also covers circumstances in which the controller believes that the facts constitute a personal data violation. More specifically, at least until September 2019, the Bank did not understand that A’s data exposed to Client B was that of a business user. An ex-post evaluation leading to the finding that there was no breach does not remove the duty to notify the DPA office, if the belief changed after the period within which the duty should have been carried out.
The Cypriot DPA took the opportunity to stress the possibility of notifying the supervisory authority in phases (Art. 33(4)). Each phase is defined by the speed at which the Data Controller becomes aware of the facts and comes to understand the issue.
The Cypriot Commissioner for PDP addressed another point, relevant to the risk to the rights and freedoms of natural persons, from the viewpoint of when the General Data Protection Regulation may be invoked or not. The Cypriot DPA found that a two-step verification feature provides a sufficient level of protection and that, in the circumstances of this case, the only issue was the exposure of clients’ data. In other words, these circumstances directly reduce the level of risk.
The major part of the decision focuses on the management rules, procedures and ethics that the Bank has chosen for handling clients’ personal data. The supervisory authority noted the inadequacy of the Bank’s specific implementation of the four-eyes principle. The criticism is grounded in the system design: the workflow did not show the error message to the second employee. The Cypriot DPA held that the control is totally ineffective if the employee charged with double-checking the client’s data is not given the same information as the first employee who filled in the form. Such ineffectiveness is incompatible with Article 32, which requires that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, meaning measures like “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”.
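The design point in the decision can be shown as a small maker-checker workflow. This is an added example, not the Bank's system or anything taken from the decision: the class names, employee ids and passport numbers are constructed. It assumes that a validation warning is stored on the pending request so the second employee sees it, and that an identifier collision blocks the update instead of linking two client records.

```python
from dataclasses import dataclass, field

@dataclass
class PendingUpdate:
    client_id: str
    passport_no: str
    maker: str
    warnings: list = field(default_factory=list)  # travel with the request

class ClientRegistry:
    def __init__(self, records):
        self.records = dict(records)  # client_id -> passport number
        self.audit = []

    def submit(self, client_id, passport_no, maker):
        """Maker step: conflicts are recorded on the request, not dismissed."""
        req = PendingUpdate(client_id, passport_no, maker)
        for other, number in self.records.items():
            if other != client_id and number == passport_no:
                req.warnings.append(f"passport number already held by {other}")
        return req

    def approve(self, req, checker):
        """Checker step: sees the same warnings; a conflict blocks the update."""
        if checker == req.maker:
            raise PermissionError("four-eyes: checker must differ from maker")
        if req.warnings:
            # Never link or merge two client records on an identifier match.
            self.audit.append(("blocked", req.client_id, checker, req.warnings))
            return False
        self.records[req.client_id] = req.passport_no
        self.audit.append(("applied", req.client_id, checker, []))
        return True

def replay_timeline():
    """Constructed replay of the case timeline with made-up passport numbers."""
    reg = ClientRegistry({"A": "K0000001", "B": "K0000002"})
    # April: A's new number K0000010 is mistyped as K0000019; no conflict yet.
    april = reg.approve(reg.submit("A", "K0000019", "emp1"), "emp2")
    # May: B's genuine new passport carries K0000019.
    may_req = reg.submit("B", "K0000019", "emp3")
    may = reg.approve(may_req, "emp4")
    # Resolution: correct A's record first, then resubmit B's update.
    fix = reg.approve(reg.submit("A", "K0000010", "emp3"), "emp4")
    retry = reg.approve(reg.submit("B", "K0000019", "emp3"), "emp4")
    return april, may, may_req.warnings, fix, retry, reg.records
```

The April typo itself passes because nothing conflicts at that point; the control takes effect in May, when the checker receives the warning and the update cannot proceed until the conflicting record is corrected.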
Before her final conclusion, the Cypriot Commissioner for Personal Data Protection referred to a series of mitigating and aggravating factors, such as the Bank’s admissions, the lack of fraudulent intent and the ineffectiveness of the safeguards. It is not clear whether the Commissioner approaches these factors quantitatively or qualitatively. She did not impose any fine but required Hellenic Bank to re-evaluate and modernise its data management.
Article 32 of GDPR | Article 33 of GDPR | Article 34(3) of GDPR | Article 34(4) of GDPR | Article 38 of GDPR | Article 39 of GDPR