Insufficient data protection solutions in a bank

Country: Bulgaria

Fine: EUR 511,200

A Bulgarian bank has been punished for leaving its 33,492 customers’ personal data without appropriate protection. The case was initiated following notice from a third party that it had free access to the bank’s customer information. After internal inspection, penetration of the bank’s databases was not detected. It was concluded that the data were leaked in hard copy, rather than electronically. The supervising authority decided that the bank had not installed sufficient technical and organisational solutions to protect customers’ and third parties’ data.

What can we learn from this situation?

Data controllers need to implement technical and organisational requirements and constantly assess what solutions are appropriate for existing risks and types of data processed.

Face recognition technology at school

Country: Sweden

Fine: EUR 20,000

A municipality will have to pay a fine in relation to a pilot project in which a municipal school used face recognition technology to check pupils’ attendance by processing their biometric data. The municipality’s actions had been coordinated with pupils’ families, but the supervising authority considered this an insufficient legal ground for implementing the project, taking into account the nature of the data processing. In addition, the handling of biometric data had not been coordinated with the supervising authority.

What can we learn from this situation?

Someone’s consent cannot always be considered a sufficient reason to process data. Each case needs to be assessed individually; so, in cases of doubt, it is advisable to consult the supervising authority, especially if a special category of data is processed.

Data on electricity consumption can be personal data

Country: Spain

Spain’s Supreme Court has held that information about an individual’s electricity consumption should be seen as personal data. This position is substantiated by EU case law, which establishes a general finding that personal data are also data that allow someone to be identified when used together with other information. The court indicated that if you know the place where electricity is supplied, it is easy to identify the owner, and if you know the energy consumption at various times, it is not hard to judge a person’s habits and daily routine.

What can we learn from this situation?

GDPR Article 4 states that personal data is not only data that identify someone directly but also data that help to identify them indirectly. This means that personal data can also comprise information that does not seem to be personal data at first glance, so special attention should be paid not only to the planned purpose of data usage but also to other ways in which the data, combined with other information, could be abused, for example, to detect whether someone is at home.