Bank: Insufficient technical and organisational measures to ensure information security

Original fine summary: The Austrian DPA has imposed a fine of EUR 4,000,000 on a credit institution. The controller had stored an Excel file containing personal data, such as customers' account information, on an internal drive for the purpose of internal administration of bank customers. The file could be accessed and viewed by all branch employees as needed. The Excel file was neither encrypted nor protected by other adequate measures against unauthorized access or unintentional disclosure to third parties. An employee inadvertently sent the Excel list to 234 customers, disclosing the personal data of approximately 5,971 customers. The DPA therefore found that the controller had failed to implement adequate technical and organizational measures to protect personal data. Update: The fine was reduced from EUR 4,000,000 to EUR 50,000 following a court ruling in 2024.

GDPR Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR
Industry: Finance, Insurance and Consulting