Polish DPA: Bank Millennium fined 80,000 EUR for failure to notify the breach and the data subjects about the incident

22 November 2021

Background information

Date of final decision: 14 October 2021
Cross-border case or national case: National case
Controller: Bank Millennium S.A.
Legal Reference: Notification of a personal data breach to the supervisory authority (Article 33(1)), Communication of a personal data breach to the data subject (Article 34(1))
Decision: Infringement of the GDPR, fine imposed, order to comply
Key words: Obligation to notify, lost correspondence

Summary of the Decision

Origin of the case

The Personal Data Protection Office (UODO) learnt about the personal data breach from a complaint lodged against the bank. The complaint concerned the loss by a courier company of correspondence containing personal data, such as: name, surname, personal identification number (PESEL number), registered address, bank account numbers, identification number assigned to the bank’s customers. The complainants were informed about this fact by the bank, but the information was not sufficient — it did not meet the requirements set out in the GDPR.

Key Finding

In the course of the case, it turned out that the data controller had failed to comply with its obligations in relation to personal data breach. The bank considered that the risk of adverse effects for persons affected by the breach was medium; therefore, it did not notify this breach to the supervisory authority, and did not fully comply with the obligation to communicate it to the data subjects. UODO pointed out that if the controller had had notified the supervisory authority in this case, it would have been informed that the breach should also be communicated to people.


When deciding to impose a fine of 80,000 EUR, the UODO took into account, among other things, the fact that, during the proceedings, the bank had still failed to fulfil its obligations relating to the breach, as well as the unsatisfactory level of cooperation with the supervisory authority, the intentional nature of the activity and the nature and gravity of the breach. In the opinion of the supervisory authority, the amount of the fine will fulfil a repressive function, as not only this particular controller, but also others, will properly fulfil their obligations related to data breaches.
In the decision in question, the supervisory authority not only imposed a fine on the controller, but also ordered the controller to communicate the breach to the persons affected by the breach in the manner set out in Art. 34(2) of the GDPR.

For further information: https://uodo.gov.pl/decyzje/DKN.5131.16.2021

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

Source: EDPB

About the author: Dissent

Comments are closed.