Poland
mBank
940,000 €
GDPR enforcement action by Polish National Personal Data Protection Office (UODO) on 2024-08-20.
Rank · Sector
#30
of 322 in Finance, Insurance and Consulting
Rank · Poland
#6
of 111
Rank · All fines
#177
of 3,050
Case details
- Authority
- Polish National Personal Data Protection Office (UODO)
- Date
- 2024-08-20
- Controller / Processor
- mBank
- Sector
- Finance, Insurance and Consulting
- Quoted Articles
- Art. 34 (1), (2) GDPR
- Type of violation
- Insufficient fulfilment of data breach notification obligations
Summary
The Polish DPA has fined mBank EUR 940,000. The bank had suffered a data breach in which an employee of the controller sent documents containing customer data to the wrong recipient. The documents contained information such as names, account numbers, dates of birth and ID card numbers. Although the documents were returned to mBank, the envelope had been opened , meaning that third parties may have had access to the documents. During its investigation, the DPA found that, although the controller informed the DPA of the incident, it failed to notify the data subjects in a timely manner.
Open original source
Links to the regulator's original publication or another source.
Related fines
Poland
2025-08-26
4,323,250 €
ETid-2840
ING Bank Śląski
Finance, Insurance and Consulting
Poland
2025-07-21
3,955,000 €
ETid-2757
McDonald’s Polska Sp. z o.o.
Employment
Poland
2026-02-05
2,682,000 €
ETid-3063
DPD Polska sp. z o.o.
Transportation and Energy
Poland
2026-02-19
1,393,300 €
ETid-3113
Restaurant Partner Polska
Industry and Commerce
Poland
2022-01-19
1,000,000 €
ETid-1104
Fortum Marketing and Sales Polska S.A.
Transportation and Energy
Poland
2019-09-10
660,000 €
ETid-79
Morele.net
Industry and Commerce