Cyprus Data Protection Watchdog imposes fine on major banking institution for integrity and confidentiality violations.
The complainant had requested a copy of his insurance policy from the Bank which could not locate the original policy in its archives.
As part of the Bank’s archiving policy in 2000 when the said contract was entered into between the complainant and the insurance company, the client would keep the original policy, a copy would be archived in the client’s file and another copy would be archived in a separate file.
It was made apparent that at the time the bank did not archive the copy of the insurance policy since this could not be located from the client’s file or in any other file which the Bank possessed.
In response to the Commissioner’s request for the Bank’s position on the matter, the Bank amongst others argued that:
- The client’s file was initially located in one of the Bank’s establishments located in another town that closed its operations, and as a result all of its archives were transferred to alternative storage facilities that the Bank maintained. The specific document requested however could not be located in any of the above-mentioned storage facilities. The Bank argued that there is no breach of Articles 4 and 5(1)(f) of the GDPR since it cannot be proved that there was a breach of security leading to an accidental or unlawful destruction or loss of personal data. Additionally, the Bank claimed that the insurance policy did not include medical results, health evaluations or other data which fall within the scope of special category personal data.
- There was no reasonable suspicion that the document is located anywhere outside the Bank therefore no breach of Article 32 took place and as such there was no justification to notify the Commission.
The difficulty to locate it was due to amongst others (i) the fact that back in 2000 the archiving policy of the Bank did not provide for the electronic storage of documents, (ii) the transfer of the archives from the establishment that closed its operations to the Bank’s storage facilities, and (c) the Bank merged with another bank therefore as part of such merger there was a change in the usage of storage facilities.
- Since 2012, the insurance company sends a confirmation of the insurance certificate/policy on an annual basis that the Bank circulated to its clients, therefore the complainant has been receiving the information concerning his insurance policy since then. As such the Bank has complied with Article 15 which concerns the right to access.
In response to the above, the Commissioner stated that:
- A personal data breach takes places when there is a security incident relating to personal data processed by a company or organization who is responsible for such data, that leads to a breach of confidentiality, availability (which applied in this case) or integrity of such personal data. In such an event, it is possible that such breach will pose a risk to the freedoms and rights of an individual therefore the company or organisation should notify the supervisory authority without undue delay within 72 hours from becoming aware.
- The Bank’s allegation that there was no loss of personal data because for example the insurance policy did not include reference to special category data i.e. medical information of the complainant, is unfounded since in accordance with Recital 26 and Article 4 of the GDPR, any information that refers to a physical person constitutes personal data. The fact that no medical data are not included in the insurance policy does not absolve the Bank from its obligation to maintain the appropriate technical and organisational safeguards since such insurance policy contained personal data of the complainant.
- Even though the complainant received on an annual basis an update regarding details of his insurance policy, his right to access however was not satisfied by the Bank since the document could not be located and provided at any time thereafter.
The Commissioner therefore in its decision highlighted that the Bank did not comply with its obligations under the GDPR because the loss of the complainant's insurance policy deprived him of his right of access to the insurance contract, making him incapable of checking the correctness and validity of his data and verifying the lawfulness of the processing.
Furthermore, the Commissioner noted that the fine was a result of the Bank's failure to notify the Commissioner of the data breach in relation to the loss of the contract within 72 hours from the moment the breach was brought to its knowledge.
Article provided by: Alexandra Kokkinou (Tassos Papadopoulos & Associates, Cyprus)
Dr. Tobias Höllwarth (Managing Director INPLP)