The Hellenic Bank had rented premises for its own branch in Nicosia, but when it decided to move in 2015 it literally forgot an old vault with a key lock that had been built in a wall of the building. Subsequently, from 2015 to 2019 the store had been vacant, but when the premises were finally rented again by its owner, the new tenants discovered with surprise the existence of the abandoned vault, and therefore they promptly decided to warn the bank, But when the officials of the institution went to the place to open the armored rooms, they were not inside gold bars or bundles of notes, but old practices and files of customers and former customers who had been placed there at the time.
At that point, the bank officials retrieved all the contents that had remained closed to them for five years and were concerned to transfer all the documentation and secure it at the Bank’s headquarters. However, as required by the GDPR, the bank also notified the “data Breach” to the Office of the Cypriot Data Protection Commissioner.
In addition to the delay in relation to the obligation of the bank to notify the supervisory authority of the breach of security, which should normally take place “without undue delay and, where possible, within 72 hours from the moment it became aware of it”, the Cypriot guarantor also found a violation of the principle of availability of files that remained locked inside the vault in the period from 2015 to 2019.
Among aggravating and mitigating factors which were assessed during the safety incident investigation, In March 2021, the Office of the Data Protection Commissioner of Cyprus finally decided to impose on Hellenic Bank Ltd a fine of 25,000 euros for breaches of the security principles required by Article 5 of the GDPR, those of Article 32, paragraph 1, letters b) and c) the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of processing systems and services, as well as the ability to promptly restore the availability and access of personal data in the event of a physical or technical incident, in addition to challenging the delayed notification pursuant to article 33 of the EU Regulation.
As it was all too easy to assume, given the safe house where the documents were kept, the Cypriot media reported that Hellenic Bank nevertheless stressed that in that long period of time none of the information concerning the bank’s clients in the vault was disclosed to third parties, and that, in the meantime, all the organisational measures have been taken to ensure that such events do not recur in the future.
SOURCE: FEDERPRIVACY