
Background information
- Date of final decision: 10 January 2025
- National case
- Controller: National Bank of Greece S.A.
- Legal Reference: Article 5.1(d) (Principle of accuracy), Article 5.1(f) (Principle of Integrity and Confidentiality), Article 15 (Right of access by the data subject), Article 25.1 (Data protection by design and by default), Article 32 (Security of processing), Article 33 (Notification of a personal data breach to the supervisory authority), Article 34 (Communication of a personal data breach to the data subject)
- Decision: infringement of the GDPR, administrative fines imposed
- Key words: access request, data breach, data protection by design and by default
Summary of the Decision
Origin of the case
Complaints were submitted to the Hellenic SA against the National Bank of Greece concerning the incorrect linking of one complainant's bank account with the mobile phone number of another complainant in the “i-bank Pay application”. As a result, money transfers made via the “IRIS online payments service” were credited to the first complainant's account instead of the second's.
Key Findings
In the context of the administrative audit conducted by the Authority, the Bank eventually identified that the issue was due to incorrect configuration during the 2020 upgrade of the mobile banking application, which had affected another 24 of its customers. Additionally, the Bank submitted a data breach notification to the Authority and took further corrective measures.
Decision
The Hellenic SA imposed on the Bank, as Data Controller, an administrative fine of EUR 100,000 for violating the principles of accuracy, integrity, and confidentiality of data, and the principles of data protection by design and by default, in conjunction with Articles 32, 33, and 34 of the GDPR, as well as an administrative fine of EUR 20,000 for violating the complainants' right of access.
For further information:
Decision 3/2025, available in the national language (Greek): "Imposition of a fine on the National Bank for a personal data breach incident"
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.