Recently, the Data Protection Authority (DPA) imposed an administrative fine of EUR 100,000 on a financial institution. It appeared that an employee had repeatedly consulted his ex-wife’s financial data without authorisation and for personal reasons. The DPA held that the unauthorised consultation by an employee does not exempt the employer from its responsibilities and obligations as a data controller. This is all the more required when employees, in the course of their work, have access to sensitive data.
Between 2016 and 2018, an executive employed by a financial institution consulted his ex-wife’s data in the Central Individual Credit Register (CCP) at the National Bank of Belgium (NBB) as many as 20 times. After the NBB informed the ex-wife that her data in the CCP Register had been repeatedly consulted by the respective financial institution, she initially addressed the financial institution directly and then filed an initial complaint with the DPA.
The DPA’s first line service then launched an investigation and requested information on a possible legal basis to justify these 20 consultations. In addition, it asked for a list of all consultations of the CCP Register, the identity of the persons who had consulted the database in question and the data consulted. The financial institution was unable to provide adequate answers to this question, with the result that the ex‑wife lodged another complaint with the DPA.
This time, the complaint was directed against both the financial institution and the ex-husband for unlawful access to her financial data in the CCP Register. She also wished to obtain additional information on any sanctions taken by the financial institution against the employee.
The Dispute Resolution Chamber of the DPA decided to deal with each complaint separately. The discussion below only concerns the complaint against the financial institution.
Decision of the Dispute Resolution Chamber of the DPA
Who is the data controller?
The DPA decided that the financial institution must be regarded as the data controller in respect of the consultations in the CCP Register, since it determines the purposes for which and the means by which personal data are processed in the context of the conclusion of credits. Indeed, although it was the executive who committed an offence by consulting the CCP Register purely for his own purposes, this does not exempt the financial institution from its responsibilities and obligation to comply with the principles relating to the processing of personal data.
Responsibilities and obligations of the data controller
As a data controller, the financial institution has the obligation to take appropriate technical and organisational measures to ensure compliance with the principles of the GDPR and to guarantee the security and confidentiality of personal data and to prevent their unauthorised processing by its employees.
According to the DPA, the specific situation in which an executive was able to consult the CCP Register of the NBB 20 times over a period of more than two years shows that the financial institution had taken insufficient technical and organisational measures to protect the data from unauthorised access by employees. The fact that the financial institution had no control mechanism to verify consultations by employees constitutes an additional infringement. After all, the principle of accountability requires that the controller must be able to demonstrate compliance with the principles of the GDPR and guarantee security and confidentiality in a transparent and traceable manner at all times, including for all employees.
In this context, the DPA recommends that IT logs be kept. IT logs make it possible to trace the various loggings in the IT system in detail afterwards (who has gained access to which data at which moment) in the event of any audit or (suspected) abuse.
Finally, the DPA also found a violation of the obligation to provide information and the right of inspection.
Corrective measures and sanctions
The financial institution was ordered, within three months from the date of the decision, to implement sufficient additional security measures to guarantee the safety and confidentiality of the personal data in the CCP Register of the NBB. The measures that the financial institution had already taken since the incident came to light were considered as insufficient by the DPA.
In addition, the financial institution was ordered to pay an administrative fine of EUR 100,000. The DPA justifies the amount of this fine by the following reasons: the sensitive nature of the data in this dispute, the extensive period during which and the number of times that these unlawful consultations took place, the amount of sensitive personal data that the employees of the financial institution have to process on a daily basis and finally the circumstance that without the complaint of the ex-wife, these unlawful consultations might have remained under the radar of the financial institution for a longer period of time.
Attention! Within the framework of the GDPR, as a data controller, you are liable for all unauthorised processing of personal data by your employees.
It is therefore crucial that there is a policy in place that gives clear instructions to employees who process personal data as part of their job. Finally, you should make sure to have an adequate control system (IT loggings), so that you can always check who has consulted personal data, when and for what reason.