In relation to the large number of queries received about the recently established data breach involving unauthorised access to and processing of the personal data of DSK Bank EAD customers, the Commission for Personal Data Protection (CPDP) would like to provide the following information:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) obliges the data controller, in this case DSK Bank EAD, under certain conditions to notify the data subjects whose personal data have been compromised in the event of a data breach. One of those conditions, related to notification in the event of unauthorised or unlawful processing of personal data, includes an internal assessment of whether the data breach may result in a high risk to the rights and freedoms of the data subjects.
Depending on the nature of the data breach and the risk created, the main purpose of the data breach notification is to help data subjects take precautionary measures in order to prevent any possible negative consequences resulting from the breach.
Based on the foregoing and in view of the "transparency" principle in the processing of personal data, more specifically the right to information and communication with the data controller, according to the GDPR, the data subjects have to seek and request information about the processing of their personal data directly from the controller, DSK Bank EAD, and not from CPDP.