
A thin line between a typo and a data breach: A case study in enhancing data security practices


In a recent case, the Serbian Commissioner for Information of Public Importance and Personal Data Protection issued a cautionary notice to a bank, shedding light on its procedures for collecting and managing clients' email addresses for communication purposes.

In the fast-paced landscape of contemporary business, technology has revolutionized the way we communicate, with email emerging as the primary conduit for exchanges. It has become customary for every facet of business communication to traverse the digital realm, leveraging the speed and efficiency afforded by electronic messaging. However, amidst this rapid exchange of information, a subtle yet critical danger lurks: a single keystroke error, a misplaced letter, and sensitive data might inadvertently find its way into the wrong hands. The accelerated nature of email communication, together with the inherent risks it poses to data protection, highlights the delicate balance businesses must strike to stay compliant.

This potential pitfall materialized in recent practice when a bank sent its client's personal data to an unintended recipient, prompting a noteworthy decision by the Commissioner for Information of Public Importance and Personal Data Protection.

In determining the circumstances of this data breach, the Commissioner found that the bank collected its clients' email addresses based on the consent of the data subject, in accordance with Article 12, Paragraph 1, Point 1 of the Law on Personal Data Protection. The purpose of such data processing was the fulfillment of rights and obligations arising from contracts with clients, including sending service-related notifications and account statements. Clients, during the account opening process, provided consent for electronic communication via email, to which the bank subsequently sent statements. The bank collected email data directly from clients in their presence, verifying the information before the client signed the request, confirming the accuracy of personal and contact details.

However, having analyzed the bank's communication procedures, the Commissioner took the position that the bank did not provide clients with an adequate level of data security and issued a warning to the bank for violating Article 50 of the Law on Personal Data Protection. In his decision, the Commissioner determined that the bank failed to implement appropriate technical, organizational, and personnel measures to ensure an adequate level of security, especially concerning the risk of unauthorized access to clients' personal data.

In response to the warning, the bank conducted an analysis of relevant processes. It contacted service providers for the implementation of a verification system (automated verification). The bank introduced a temporary solution allowing clients to update their email addresses with one-time password verification via a mobile application. Additionally, branch employees now verify entered email addresses with clients during the contract negotiation process, ensuring the correct reception of emails containing general terms or other documentation.

The Commissioner's decision, as well as the proactive steps taken by the bank, serves as a valuable lesson for businesses operating in a digital environment, highlighting the need for continuous evaluation and enhancement of data security practices. As technology continues to play a pivotal role in communication and information exchange, data controllers must remain vigilant in adapting their protocols to address evolving threats, ultimately fostering a culture of data security and privacy.


Article provided by INPLP member: Ana Popović  (Živković Samardžić, Serbia)


