Introduction

On 22 February 2022, the President of the Personal Data Protection Office (PDPO) published a decision of 19 January 2022 imposing an administrative fine on Santander Bank Polska SA PLN 545 000 for breach of article 34(1) GDPR[1], namely for not communicating a data breach to data subjects without undue delay.

While analyzing the data breach, Santander concluded that the risk of breach of natural persons’ rights and freedoms was not high, and did not notify the individuals concerned as required under article 34 of the GDPR. During the investigation, the President of the PDPO found that the breach did present a high risk of breach of natural persons’ rights and freedoms and that the data subjects did have to be notified of the breach of their personal data as required under article 34 in conjunction with article 12 of the GDPR.

The President of the PDPO stated in the decision that although the group of employees affected by this breach is not specifically defined, this does not hinder compliance with the obligation under article 34, and examined how to interpret the phrase trusted data recipient.

Facts surrounding the breach

Santander reported the data breach to the PDPO when a former employee of the bank accessed a remitter profile on the Social Insurance Institution e-services platform (PUE ZUS). The former employee was able to review the personal data of other employees on the bank’s remitter profile. When reporting the data breach as defined in article 33 of the GDPR, Santander stated that the data of 10 500 people had been breached. The former employee gained access to bank employee details such as first name, surname, personal civil identification number (PESEL), residential address, and sickness leave medical certificates, being health-related information. The investigation found that when they were no longer employed, the employee used their authorization to log in to the platform five times. It was not determined precisely whose data the former employee processed, and to what extent.

Analyzing the incident and evaluating the risk of breach of rights and freedoms of natural persons, Santander found that the data breach due to an employee of the bank gaining access, when no longer employed, to employee data processed on the Social Insurance Institution e-services platform, comprising first name, surname, residential address, personal civil identification numbers (PESEL), as well as sickness leave medical certificates, being health-related information, resulted in a low risk of breach of rights and freedoms of natural persons, and that the breach did not have to be communicated to the persons affected.

Santander submitted its evaluation of the breach in terms of breach of rights and freedoms of natural persons and specified the grounds for its decision. The bank stated, for instance, that the former employee who accessed personal data on the Social Insurance Institution e-services platform qualified as a trusted data recipient. The bank’s trust in the recipient was founded on a declaration made by the employee while employed at the bank, that they would take no further action with regard to those data. In the bank’s view, this risk evaluation was correct because the former employee herself reported unauthorized access to the Social Insurance Institution e-services platform to the controller.

The PDPO’s findings

Following the investigation, the President of the PDPO stated that in the case, a data breach had occurred in the meaning of article 4(12) of the GDPR. The PDPO also upheld its standpoint, finding that this breach of data on the Social Insurance Institution e-services platform by a former bank employee did present a high risk of violation of rights and freedoms of natural persons. In the findings, the President of the PDPO addressed the question of interpretation of the phrase trusted data recipient when evaluating the risk of violating of rights and freedoms of natural persons.

A trusted data recipient – the art. 29 Working Party

The term trusted data recipient appears in the context of evaluation of risk of breach of rights and freedoms of natural persons. In guidelines on reporting data breaches under the GDPR, the art. 29 Working Party (today the European Data Protection Board – EDPB)[2] describes the test for determining whether a recipient is an unauthorized, but a trusted recipient, in a particular case. According to the EDPB, a controller may have a level of assurance with the recipient so that it can reasonably expect that party not to read or access the data sent in error, and to comply with instructions to return it. Even if data are accessed, the controller may still have trust in the recipient that they will not take further action with regard to the data, and will return the data to the controller without undue delay and cooperate in measures to recover them.

Analysis of whether, in a particular case, data have been disclosed to a trusted data recipient is a major factor when evaluating the severity of consequences of a breach of particular personal data.

The EDPB stresses that a trusted data recipient can mitigate the consequences of a breach, and this, in turn, can eliminate the likelihood of risk to natural persons, in which case it will not be necessary to notify the regulatory authority or communicate this to the natural persons affected by the breach[3].

EDPB guideline 1/2021 gives an example of an insurance agent as a trusted data recipient who receives, as a processor, an e-mail containing data of persons who are not their customers, and reports this to the controller without undue delay, and also makes an undertaking to delete the e-mail received in error.

A trusted data recipient – the President of the PDPO

The President of the PDPO stated in the decision that a crucial factor determining that a recipient can be considered a trusted data recipient is the relationship between the parties.

The term trusted data recipient in the Santander case decision

In the decision, the President of the PDPO clarifies that an organization cannot consider a former employee to be a trusted data recipient. A former employee no longer has the authorization to process data because the terminated employment relationship is not trustworthy. According to the Polish DPA, for a person to be a trusted recipient, there must be specific ties between the parties, in fact, or in law, to evaluate the level of trust between them. The President of the PDPO found no legal or business ties between the bank and the former employee, stating that it was not inevitable, beyond all doubt, that the former employee would act appropriately.

The term trusted data recipient in other decisions issued by the President of the PDPO

Does the decision in question set a precedent to concerning the interpretation of a trusted data recipient? This is not the case, but the arguments presented by the President of the PDPO regarding how the Polish regulator understands this term are noteworthy. For example, in decision DKN.5131.5.2020, the President of the PDPO found a party with which a controller did business to be a trusted recipient, while in decision DKN.5131.5.2020 the President of the PDPO stated that an inappropriate department of an organization is a trusted data recipient (the EDPD reached a similar conclusion in its guidelines).

In decision DKN.5130.3114.2020, the Polish regulator stated that a person sharing a household is not automatically a trusted data recipient. To be certain that a particular person sharing a household is a trusted data recipient, the relationship between the unauthorized recipient and the intended recipient must be examined on a case-by-case basis.

Conclusions regarding the Santander case decision

There are two main conclusions regarding the Santander case decision:

  • A former employee is not a trusted data recipient;
  • Although the persons affected by a breach are not specifically defined, this does not hinder compliance with the obligation provided for in article 34 of the GDPR. If a controller does not know whose data have been breached, a broad range of potential ‘victims’ must be assumed, all of whom must be notified.

Full text of the Santander case decision.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[2] See https://www.uodo.gov.pl/pl/10/12 (accessed 15.03.2022).

[3] In this case as well, this depends entirely on the specific circumstances, and each case must be assessed individually.