Cyprus

Hellenic Bank

25,000 €

GDPR enforcement action by Cypriot Data Protection Commissioner on 2021-03-03.

Rank · Sector

#147

of 322 in Finance, Insurance and Consulting

Rank · Cyprus

of 47

Rank · All fines

#952

of 3,050

Case details

Authority: Cypriot Data Protection Commissioner
Date: 2021-03-03
Controller / Processor: Hellenic Bank
Sector: Finance, Insurance and Consulting
Quoted Articles: Art. 5 (1) e), f) GDPR, Art. 32 (1) b), c) GDPR, Art. 33 (1) GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Cypriot DPA imposed a fine of EUR 25,000 on Hellenic Bank. The bank had closed one of its branches in the city of Nicosia in 2015. When moving out of the space, a safe containing old documents of still existing customers, installed in one of the walls, had been forgotten. As the building was vacant in the following years, the controller only learned about this incident when the property was rented out again for the first time in 2019. The new tenant had found the safe and informed the controller. Bank staff had then retrieved the documents and reported the data breach to the Cypriot DPA. The DPA ultimately concluded that the controller had violated Art. 5 (1) e), f) GDPR, Art. 32 (1) b), c) GDPR, and Art. 33 (1) GDPR.

Open original source Links to the regulator's original publication or another source.