Poland: UODO fines Santander Bank Polska PLN 1.4M for failure to report a data protection breach

On April 2, 2024, the Polish data protection authority (UODO) announced that it had published its decision in Case No. DKN.5131.59.2022 as issued on March 12, 2024, in which it imposed an administrative fine of PLN 1.4 million (approx. $360,080) on Santander Bank Polska S.A. for General Data Protection Regulation (GDPR) violations following an investigation into a data protection breach.

Background to the case

The UODO stated that it learned of the personal data breach at Santander Bank from the media, which reported that bank documents found in a parcel abandoned on a housing estate had been made public after the parcel was stolen from a courier company. The parcel included personal and sensitive data, such as names and surnames, dates of birth, bank account numbers, address and contact details, national identification numbers (PESEL numbers), bank usernames and passwords, earnings data, ID card series and numbers, information about banking products, etc. The UODO recounted that Santander Bank explained that it did not report the breach because the parcel was found by an individual shortly after it was lost by the courier. Moreover, Santander Bank established that no documents were missing, and the individual who found the documents took them directly to the police station and stated that he had not copied them.

Findings

The UODO found that Santander was in violation of:

  • Article 33 of the GDPR, for failing to report the personal data breach to the UODO without undue delay and no later than 72 hours after discovering it; and
  • Article 34 of the GDPR, for failing to notify the data subjects of the personal data breach without undue delay.

Furthermore, the UODO noted that through the above violations, Santander Bank deprived the data subjects of the opportunity to respond appropriately to the breach and to independently assess a breach that could cause them serious consequences. The UODO also determined that Santander Bank failed to respond appropriately to the breach, namely to assess the risk it posed to the rights and freedoms of natural persons and to verify whether the controller had applied appropriate measures to remedy the breach and minimize its negative effects. In addition, the UODO concluded that the fact that the data had been made available to only one identified person, the individual who found the parcel, was irrelevant.

Outcomes

In light of the above, the UODO imposed an administrative fine of PLN 1.4 million (approx. $360,080) on Santander Bank for these violations. The UODO also ordered Santander Bank to notify the persons affected by the breach within three days of receiving the decision.

You can read the press release here and the decision here, both only available in Polish.