Austria

Bank

4,000,000 €

GDPR enforcement action by Austrian Data Protection Authority (dsb) on 2021.

Rank · Sector

of 322 in Finance, Insurance and Consulting

Rank · Austria

of 38

Rank · All fines

#84

of 3,042

Case details

Authority: Austrian Data Protection Authority (dsb)
Date: 2021
Controller / Processor: Bank
Sector: Finance, Insurance and Consulting
Quoted Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

Original fine summary: The Austrian DPA has imposed a fine of EUR 4,000,000 on a credit institution. The controller had stored an Excel file containing personal data, such as customers' account information, on an internal drive for the purpose of internal administration of bank customers. The file could be accessed and viewed by all branch employees as needed. The Excel file was neither encrypted nor protected by other adequate measures against unauthorized access or unintentional disclosure to third parties. An employee inadvertently sent the Excel list to 234 customers, disclosing the personal data of approximately 5,971 customers. The DPA therefore found that the controller had failed to implement adequate technical and organizational measures to protect personal data.
Update: The fine was reduced from EUR 4,000,000 to EUR 50,000 following a court ruling in 2024.

Open original source Links to the regulator's original publication or another source.