🏦 Bank and Access

Confidentiality & Security | 08/04/2025

Source: PS/00477/2023

· A bank allowed unauthorized access to a joint bank account by a third party (the mother of one of the holders), without the consent of both co-holders.
📌 This constitutes a breach of the principle of data confidentiality and security.

· Misconfiguration of Access Rights
A misconfiguration or lack of access scope limitation resulted in unauthorized access to personal data.
The bank admitted that the access settings allowed the mother to view her daughter’s and the co-holder’s banking products, despite having no rights over them.
📌 Repeated complaints by the data subjects:
The complainant reported the unauthorized access to the bank multiple times, but the issue persisted, increasing the bank’s liability.
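The access-scoping flaw described above, a customer-level "linked user" setting that is not constrained per account, can be contrasted with a per-account check that requires every holder of a joint account to have consented before a delegated viewer sees its products. The following is an added, hypothetical illustration in Python; it is not the bank's code and says nothing about how its online banking system was actually built. The customer ids, account ids, products and the `Account` data model are all constructed for the example.

```python
"""Hypothetical per-account access scoping versus a coarse customer-level link.

Constructed example (not the bank's code). The coarse check decides visibility
per customer, so a viewer linked to one co-holder reaches every account that
co-holder owns, including joint accounts whose other holder never consented.
The scoped check decides per account and requires consent from all holders.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    holders: frozenset               # customer ids that own the account
    products: tuple                  # product names shown to authorised viewers
    # delegated viewers: viewer id -> set of holder ids who granted the access
    delegations: dict = field(default_factory=dict)


# Constructed sample data with hypothetical customer ids.
ACCOUNTS = [
    Account("ACC-1", frozenset({"daughter"}), ("current account", "debit card"),
            delegations={"mother": {"daughter"}}),
    # Joint account: only one of the two holders delegated access to "mother".
    Account("ACC-2", frozenset({"daughter", "partner"}), ("joint account", "mortgage"),
            delegations={"mother": {"daughter"}}),
    Account("ACC-3", frozenset({"partner"}), ("savings",)),
]

# Customer-level link: "mother may view daughter's banking". A setting at this
# granularity cannot express consent of the other co-holder of a joint account.
LINKED_CUSTOMERS = {"mother": {"daughter"}}


def visible_products_coarse(viewer, accounts, links=LINKED_CUSTOMERS):
    """Flawed: any overlap between the viewer's linked customers and an
    account's holders exposes the whole account, joint or not."""
    reachable = {viewer} | links.get(viewer, set())
    return {acc.account_id: acc.products
            for acc in accounts if acc.holders & reachable}


def can_view(viewer, acc):
    """Per-account decision: holders always may; a delegated viewer only if
    every holder of that account granted the delegation."""
    if viewer in acc.holders:
        return True
    granted_by = acc.delegations.get(viewer, set())
    return acc.holders <= granted_by


def visible_products_scoped(viewer, accounts, audit=None):
    """Hardened: filter per account and record partial delegations that were
    refused, so a recurring misconfiguration shows up in the audit trail."""
    out = {}
    for acc in accounts:
        if can_view(viewer, acc):
            out[acc.account_id] = acc.products
        elif viewer in acc.delegations and audit is not None:
            missing = sorted(acc.holders - acc.delegations[viewer])
            audit.append(f"DENY viewer={viewer} account={acc.account_id} "
                         f"missing_consent={missing}")
    return out


if __name__ == "__main__":
    log = []
    print("coarse:", visible_products_coarse("mother", ACCOUNTS))
    print("scoped:", visible_products_scoped("mother", ACCOUNTS, audit=log))
    print("\n".join(log))
```

Run as a script, the coarse check returns both ACC-1 and the joint account ACC-2 for "mother", while the scoped check returns only ACC-1 and writes one deny record naming the co-holder whose consent is missing; that record is what an access-review or monitoring process would key on when a data subject complains repeatedly, as happened in this case.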

· 📜 Breached Articles

Article 5.1.f GDPR – Data not processed in a manner that ensures appropriate security (integrity & confidentiality).
Article 25 GDPR – Failure to implement data protection by design: a flaw in the online banking system allowed unauthorized access.

· 💶 Sanction
Total amount: €3,500,000

🔹 €500,000 – Violation of Article 5.1.f GDPR (data integrity and confidentiality) — classified as very serious
🔹 €3,000,000 – Violation of Article 25 GDPR (data protection by design and by default) — also classified as serious
The violation of Article 32 GDPR (security of processing) was dismissed in this decision.

👉 Justified by the impact on all online banking users, not only the complainants.
🚨 Lack of adequate technical and organizational measures = serious non-compliance.
