The Belgian Autorité de protection des données (APD) or Gegevensbeschermingsautoriteit, the country's data protection authority, has fined the Banque Nationale de Belgique or BNB because one of its staff accessed his ex-wife's personal data improperly, in contravention of the EU's General Data Protection Regulation.
The complainant, a lady with an account at the bank, learnt in April 2019 that someone at BNB had 'consulted' her personal data twenty times between 2016 and 2018 by looking at her file in the bank's Central Individual Credit Register. Her ex-husband, with whom she was in the process of dividing various jointly owned possessions after their divorce in 2015, is a bank employee.
The complainant argued that by consulting her data in her file at the bank - and therefore information relating to her loans - her ex-husband gained the upper hand in his negotiations over joint ownership and caused her financial and moral damage. The ex-husband, according to the regulator, has admitted having improperly consulted his ex-wife's data.
On 14 November 2018, the lady asked the bank for the list of financial organisations that had consulted the credit register's file in her name. Two months later she asked the bank: "What are your criteria for consulting the files of...your clients? Are you or any other person authorized to consult them without a specific request for financing?"
The bank's Data Protection Officer (DPO) at the time replied that the files of the credit register "are only consulted in the context of the granting or management of credits or payment services."
However, the complainant said that she did not have any credit file open at the bank. This year, the bank's current DPO confirmed that she did not have an 'ongoing' file, but does have a closed file at home, which explains how the ex-husband was able to access the file.
The regulator has justified the fine by reference to the sensitive nature of the data subject to the disputed processing (financial data relating to the complainant's credit), the extended period during which the processing took place, the fact that the bank has taken few 'additional' measures since the incident to make its data processing more secure, and the fact that, had the complaint not been lodged, it is not unreasonable to think that the abusive 'consultations' could have continued without let or hindrance.
The regulator says that a lower fine would not satisfy Article 83.1 of the GDPR, which requires that an administrative fine be not only proportionate, but also effective and dissuasive.