Greece: HDPA fines Piraeus Bank €30,000 for data breach

The Hellenic Data Protection Authority ('HDPA') announced, on 30 March 2023, that it had issued, on 2 February 2023, Decision No. 4/2023, in which it fined Piraeus Bank SA €30,000, for violations of Articles 5(1)(a), 5(1)(f), 33, and 34 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint.

Background to the decision

In particular, the HDPA highlighted that it received a complaint from a customer of Piraeus Bank regarding the provision, to the heir of a deceased individual, of details of bank accounts in which the complainant was a joint beneficiary with the deceased. The HDPA explained that the bank account details were subsequently used in court against the complainant.

Findings of the HDPA

As a result of its investigation, the HDPA noted that the disclosure to the heir had been due to an error on the part of one of Piraeus Bank's employees, who, contrary to the instructions given to them, had failed to notice that the accounts were joint accounts and had not sought the opinion of Piraeus Bank's legal department. Moreover, the HDPA found that Piraeus Bank did not notify the HDPA and the complainant of the incident, considering that it was not obliged to do so because it had taken sufficient technical and organisational measures, which, however, could not prevent individual human errors.

In light of the facts above, the HDPA found a breach of the principles of lawfulness of processing and data confidentiality (Articles 5(1)(a) and 5(1)(f) of the GDPR) and a breach of Piraeus Bank's obligations to notify the incident to the HDPA and the data subject (Articles 33 and 34 of the GDPR).

Outcomes

In conclusion, the HDPA imposed an administrative fine of €30,000 for the aforementioned violations.

You can read the press release here and the decision here, both only available in Greek.
