The client had asked for a copy of the policy he had taken out through the bank, but there was no trace of the document. The bank justified this by explaining that the client’s account had been transferred from another city many years earlier and that the original contract could not be accessed because it had been stored in a remote location and was too expensive to recover; it simply advised the client to cancel the policy.
At the end of the investigation it conducted following the client’s complaint, the Cypriot Privacy Guarantor announced that it had imposed a penalty of 15,000 euros on the Bank of Cyprus for failing to comply with its obligations under the GDPR following the loss of the client’s insurance policy. The client found himself unable to access the insurance contract, and so unable to exercise his right of access and verify the correctness and validity of his personal data.
In fact, the data subject had requested access to the information pursuant to article 15 of the GDPR, but the bank had not been able to comply with the request because the insurance contract could not be found, which is how it came to light that the document had been lost.
The supervisory authority noted that the sanction was the consequence of the bank’s failure to notify the data breach relating to the loss of the contract, a notification that should have taken place within 72 hours of the breach being brought to its attention.
In particular, the bank’s justification for this omission was not upheld. It had stated that it had failed to provide the notification required by the GDPR because “there was not the slightest suspicion that the document could have been lost, but that it was probably only put in the wrong place”.
In this context, there were several breaches of the GDPR, including violations of the rights of the data subject pursuant to article 15, the obligation to protect personal data pursuant to articles 5 and 32, as well as failure to notify the supervisory authority and the data subject pursuant to article 33 of the GDPR. SOURCE: FEDERPRIVACY