Test yourself

Fill in the missing prepositions

(1 p.) April 2, 2024, the Polish data protection authority (UODO) announced that it had published its decision in Case No. DKN.5131.59.2022 as issued on March 12, 2024, in which it imposed an administrative fine (1 p.) PLN 1.4 million (approx. $360,080) (1 p.) Santander Bank Polska S.A. for General Data Protection Regulation (GDPR) violations following an investigation into a data protection breach.

Background to the case

The UODO stated that it learned about the personal data protection breach at Santander Bank from the media, in which public bank documents found in a parcel abandoned in one of the housing estates were made public after the parcel had previously been stolen from a courier company. The parcel included personal and sensitive data, such as names and surnames, dates of birth, bank account numbers, address and contact details, national identification numbers (PESEL numbers), bank usernames and passwords, earnings data, ID card series and numbers, information about banking products, etc. The UODO recounted that Santander Bank explained that it did not report this violation because the parcel was found by an individual shortly after it was lost by the courier. Moreover, Santander Bank established that no documents were missing, and the individual who found the documents took them directly to the police station and stated that he had not copied the found documents.

Findings

The UODO found that Santander was (1 p.) violation of:
• Article 33 of the GDPR (1 p.) failing to report the personal data protection breach to the UODO (1 p.) undue delay no later than 72 hours after discovering the breach; and
• Article 34 of the GDPR (1 p.) failing to notify data subjects (1 p.) undue delay about a breach of personal data protection.

Furthermore, the UODO noted that (1 p.) the above violations, Santander Bank deprived the data subjects (1 p.) the opportunity to respond appropriately (1 p.) the breach and to independently assess the breach that may cause serious consequences. The UODO also determined that Santander Bank failed to respond appropriately to the breach, namely to assess the risk of the breach (1 p.) the rights and freedoms of a natural person, and verify whether the controller had applied appropriate measures (1 p.) remedy the breach and minimize the negative effects. In addition, the UODO concluded that it was irrelevant that the data was made available (1 p.) only one identified person, insofar as the parcel was found by an individual.

Outcomes

(1 p.) light of the above, the UODO imposed an administrative fine (1 p.) PLN 1.4 million (approx. $360,080) (1 p.) Santander Bank for the above violations. The UODO also ordered Santander Bank to notify the persons affected by the violation (1 p.) three days from the date (1 p.) receipt of the decision.

Source: https://www.dataguidance.com/news/poland-uodo-fines-santander-bank-polska-pln-14m-failure