Personal Data Protection Office: Toyota Bank Polska fined for profiling customers
Poland’s Personal Data Protection Office (UODO) fined Toyota Bank Polska over PLN 314,000 for failing to include customer profiling in its data processing register and nearly PLN 262,000 for improperly positioning its Data Protection Officer (DPO). The fines followed a regulatory audit.
The bank used profiling to assess customers' creditworthiness, including scoring and assigning risk categories, without properly documenting this in its data processing activities or evaluating the impact on data security. Additionally, the DPO was not directly subordinate to senior management but instead reported to a department director, compromising independence.
UODO highlighted these breaches as significant failures to comply with GDPR, emphasizing the importance of accountability and proper data governance within organizations.
(wnp.pl)
