GDPR questions and answers


Category:
Data Processing

Can a Social Welfare Centre grant the Mayor access to its bank account on the basis of a letter from the Mayor in which the purpose and legal basis for processing are not indicated? Is the fact that the Mayor obtained such access without the consent of the Social Welfare Centre director a personal data breach?

ANSWER

The bank account number of the Social Welfare Centre does not by itself constitute personal data within the meaning of the GDPR, because the GDPR applies to the processing of personal data of natural persons (the Social Welfare Centre is an entity to which the GDPR does not apply in that respect). Nevertheless, personal data of natural persons may be processed within the bank account itself, for example when the Social Welfare Centre makes transfers, such as benefit payments, to entitled natural persons. Therefore, if the Mayor wishes to obtain access to a specific bank account of another data controller, the Mayor should submit a request for disclosure of the personal data originating from that account and indicate the legal basis for the disclosure.

Otherwise, a personal data breach, understood as disclosure of data to unauthorised persons, will occur on the part of the Social Welfare Centre, while the Mayor, as a data controller, will be processing personal data without a legal basis for processing. For this reason, the Mayor should submit a request for disclosure of personal data originating from a specific bank account, indicating the legal basis for the request and/or the factual interest.
