Imposition of a fine on a bank in Greece for an incident of personal data breach

The Greek Data Protection Supervisory Authority imposed on a Bank, as Data Controller, an administrative fine of EUR 100,000 for violating the principles of accuracy, integrity, and confidentiality of data, and the principles of data protection by design and by default, in conjunction with Articles 32, 33, and 34 of the GDPR, as well as an administrative fine of EUR 20,000 for violating the complainants' right of access.

Complaints were submitted to the Supervisory Authority of Greece against the National Bank of Greece for the incorrect linking of a complainant's bank account with the mobile phone number of another complainant in the “i-bank Pay application”, which resulted in money transfers, via “IRIS online payments service”, which were made to the first complainant's account instead of the second's.

 In the context of the administrative audit conducted by the Authority, the Bank eventually identified that the issue was due to incorrect configuration during the 2020 upgrade of the mobile banking application, which had affected another 24 of its customers. Additionally, the Bank submitted a data breach notification to the Authority and took further corrective measures.

You  might also like: An overview of the regulatory framework on Gambling Services in the European Union / Article by Efi Thoma, Lawyer in Cyprus

(source:edpb.europa.eu/photo:freepik.com)


Comments

Post a Comment

Popular posts from this blog

Fully-funded PhD position in AI, Law and Public Power

Image
Erasmus University Rotterdam School of Law, department Law & Markets, is looking for a fulltime PhD researcher in AI, Law and Public Power (4,5 years with 20% teaching tasks). PhD AI, Law and Public Power Are you curious about how artificial intelligence is changing state actor powers? Do you want to conduct critical and in-depth legal research at the intersection of technology, law and power? And would you like to combine that with academic teaching? Then this PhD position at Erasmus School of Law is for you. Within the Law & Markets team, you will spend 4.5 years researching the legal regulation of AI in the public sector. How do we protect fundamental rights when algorithms help decide on who receives public benefits, how to perform enforcement or how to enact environmental policy? What is the role of the state, and where is the limit of government power in a data-driven society? You will have plenty of space to choose your own research angle and work in a multidisci...
Read more

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Annual Report on the execution of the European Court's judgments and decisions

Image
The Secretary General of the Council of Europe, Alain Berset, has called for further efforts to implement judgments from the European Court of Human Rights. Commenting on the  annual report for 2024  on the execution of the Court’s rulings, published today, the Secretary General said: “ This report shows what a concrete, positive impact judgments from the European Court of Human Rights have on the daily lives of the people of Europe. While a lot has been achieved, more needs to be done. The efficient execution of the Court's judgments is essential for the rule of law and democratic accountability in Europe .” The annual report from the Council of Europe’s Committee of Ministers shows that 992 cases were transferred from the European Court of Human Rights to Committee, which supervises their implementation by member states, in 2024. Of those 992 new cases, 194 were “leading” cases – often requiring action to be taken by states to prevent the same violations happ...
Read more

Pretextual Threats of Collective Redundancies: A Form of Workplace Harassment (Mobbing) under Cyprus Law

Image
Written by Giorgos Kazoleas, Managing Partner Lawyer at Legal Experts Cyprus In the Cypriot labor market, personnel management is often characterized by employer practices that exploit the fear and insecurity of employees. A particularly serious issue is the pretextual threat of collective redundancies within companies and enterprises. When such a threat does not reflect a genuine need for restructuring or financial distress, but is instead used deceptively as leverage to intensify labor and suppress claims (e.g., salary increases, bonus claims, other benefits, promotions, etc.), it transforms into a form of workplace harassment (mobbing) with specific legal implications. The Specialized Legal Framework: Law 42(I)/2025 The legal handling of this phenomenon—which has reached concerning proportions in Cyprus—was decisively strengthened by the enactment of the Prevention and Combating of Violence and Harassment at the Workplace Law of 2025 (Law 42(I)/2025). This law incorporates the...
Read more

Gigantic fine for unfair practices imposed on Booking.com by the Competition Authority of Hungary

Image
One of the highest fines for violation of unfair competition law has been imposed (28/4/2020) on online hotel booking platform ‘’Booking.com’’ by the Hungarian Competition Authority. The amount of the fine (approximately EUR 6 million / HUF 2.5 billion) imposed by the Authority illustrates the seriousness of the Dutch company's violations. The Hungarian Competition Authority (GVH) imposed a fine of HUF 2.5 billion on the operator of the online booking portal booking.com, and at the same time banned the Dutch company from continuing its aggressive sales methods. According to the decision of the competition authority, Booking.com B.V. engaged in unfair commercial practices against consumers by, among other things, misleadingly advertising some of its accommodations with a free cancellation option and exerting undue psychological pressure on consumers to make early bookings. As a result of the Competition Authority’s competition supervision proceeding  initiated in 2018, the autho...
Read more

THE CONCEPT OF WORKER (IN ARTICLE 45 TFEU)

Image
By Mpia Tsolaki, Lawyer** Freedom of movement for workers is founded on Article 45(1) TFEU and enshrined in fact in the abolition, set out in its second paragraph, of any discrimination based on nationality between workers of the Member States as regards employment, remuneration and other conditions of work and employment [1] . That prohibition has been regarded since the beginnings of the establishment of the single European Market as an indispensable corollary to its full integration since it has crucially promoted mobility of the workforce throughout the European Union (hereinafter EU) [2] .  From that point of view, it is therefore of outmost importance for ascertaining its ambit to determine at the outset the concept of "worker", which is not defined by neither the primary nor the secondary EU legislation. As expected, the Ariadne’s thread has been offered by the European Court of Justice (hereinafter ECJ) that has been constantly producing an ample case-law, which keepi...
Read more

CJEU Ruling C-57/23: Police May Rely on Internal Rules to Store Suspect Data

Image
Judgment of the Court of Justice in Case C-57/23 (Policejní prezidium): The police of a Member State may decide, on the basis of internal rules, whether it is ecessary to store the biometric and genetic data of a person accused or suspected of a criminal offence.  Where national law sets appropriate time limits for a review of the need to store those data, it does not necessarily need to provide for a maximum period of storage . A Czech public official was interviewed by the police in the context of criminal proceedings involving him. Despite his objections, the police ordered the taking of his fingerprints, the taking of a buccal smear on the basis of which the police established a genetic profile, the taking of photographs and the drawing up of a description of him. That information was entered into various databases.  In 2017, the public official was convicted by final judgment of, inter alia, misconduct in public office. In separate proceedings, he challenged the identific...
Read more