Bank: Insufficient technical and organisational measures to ensure information security

The DPA of Brandenburg has imposed a five-digit fine on a bank. The bank had installed a video surveillance system that covered parts of the foyer of the branch with ATMs, the entrance area and the sidewalk and parking spaces in front of it. The transmission of the images as well as the commands to access the camera were carried out unencrypted via the Internet. The bank suffered a data breach in which unknown third parties compromised the video cameras and then posted the images on the Internet. They were also able to control the cameras to a limited extent. During its investigation, the DPA found that the bank had failed to implement adequate technical and organizational measures to protect personal data, which facilitated such a breach. In addition, the DPA found that the bank failed to enter into a processing agreement with its processors, that also had access to cameras and images.

GDPR Articles: Art. 28 (3) GDPR, Art. 32 GDPR
Industry: Finance, Insurance and Consulting