ANSPDCP (Romania) - Kredyt Inkaso Investments RO SA
|ANSPDCP - Kredyt Inkaso Investments RO SA|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 9 GDPR
Article 33 GDPR
Kredyt Inkaso Investments RO S.A.
|National Case Number/Name:||Kredyt Inkaso Investments RO SA|
|European Case Law Identifier:||n/a|
|Original Source:||ANSPDCP (in RO)|
|Initial Contributor:||Heiko Hanusch|
The Romanian DPA fined a credit institution and collection agency approximately €5,000 (24.740 RON) for unlawfully disclosing the personal data of a loan applicant to doctors and medical units.
English Summary[edit | edit source]
Facts[edit | edit source]
The controller is a credit institution and collection agency called Kredyt Inkaso Investments RO SA. The data subject applied for a loan with the controller. After the data subject had learned that the controller might had shared personal details of him and his minor child with third parties, he lodged a complaint with the ANSPDCP (Romania). In the course of the investigation, the DPA found that the controller disclosed the data subject's information (home address, personal numerical code, position held, employment contract data, medical leave certificate data) to certain doctors and medical units. Moreover, it found that a security incident occurred in the course of the disclosure of the data to one of the doctors.
Holding[edit | edit source]
The ANSPDCP fined the controller approximately €5000 (24.740 RON) for violating Articles 5(1)(a), (c), (2), 6, 9 and 33 GDPR. The ANSPDCP especially found that legitimate interest is not a legal basis under Article 9 GDPR and that the security incident was not reported to the DPA within the time limit of Article 33(1) GDPR.
Comment[edit | edit source]
Since the ANSPDCP is only publishing press releases and not their decisions in full, there were no further details on the facts and legal reasoning in the publication.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
18.05.2022 Sanction for violating the RGPD In April 2022, the National Supervisory Authority completed an investigation at the operator Kredyt Inkaso Investments RO S.A. and found a violation of the provisions of art. 5, art. 6, art. 9 and art. 33 of the General Data Protection Regulation (RGPD). The operator was fined as follows: fine in the amount of 24,740 lei (equivalent to the amount of 5000 EURO) for violating the provisions of art. 5 para. (1) lit. a), c), para. (2), art. 6 and art. 9 of the General Data Protection Regulation; warning for violation of the provisions of art. 33 of the General Data Protection Regulation. The investigation was initiated following a complaint from a data subject that Kredyt Inkaso Investments RO S.A. disclosed his personal data and that of his minor child to certain medical units. In the course of the investigation, it was found that the operator disclosed the applicant's details (home address, personal numerical code, position held, employment contract data, medical leave certificate data) to certain doctors and certain medical units with which she did not have no legal relations. It was also found that the processing of data on the health of the petitioner could not be carried out on the basis of legitimate interest as it is not among the processing conditions provided by art. 9 of the RGPD. Therefore, the operator illegally processed the personal data of the petitioner by illegally and excessively disclosing them, including data on health status, in violation of the principles of processing provided by art. 5 para. (1) lit. a), c), para. (2) and the legality conditions provided by art. 6 and art. 9 of the RGPD. At the same time, it was found that the operator Kredyt Inkaso Investments RO S.A. did not comply with the deadlines for notifying the security incident that occurred at the time of disclosing the petitioner's data to a doctor with whom the petitioner had no legal relations, thus violating the provisions of art. 33 of the RGPD. Legal and Communication Department A.N.S.P.D.C.P.