ANSPDCP (Romania) - Raiffeisen Bank SA: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_...")
 
No edit summary
Line 67: Line 67:
}}
}}


The Romanian DPA fined Raiffeisen Bank SA €2,000 for processing inaccurate personal data of the occasional customers, who made money transactions through the controller's application using the petitioner's phone number in 44 transactions.
The Romanian DPA fined Raiffeisen Bank SA, acting as a processor, €2,000 for processing inaccurate personal data of data subjects who transferred money through the controllers application.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The investigation has started  following a complaint made by a petitioner according to which a controller  was sending SMS text messages to his mobile phone number regarding money transfers that the petitioner did not make.
A data subject received SMS text messages from Raiffeisen Bank SA (the processor) regarding money transfers. However, the data subject did not make these transfers. He therefore filed a complaint with the Romanian DPA, which started an investigation.
In the course of the investigation it was found that Raiffeisen Bank SA, as processor, incorrectly introduced  the petitioner's phone number in the application made available by the controller, through which the  transactions were initiated at the customer's request, and it was noted that the petitioner was not a Raiffeisen Bank client and has not requested the initiation of transactions through the controller's application.


During the investigation, the DPA found that the processor, incorrectly entered the data subject's phone number in an application made available by the controller. Through this application, transactions were initiated at a customer's request.


The data subject was not a customer of the processor and did not request the initiation of transactions through the controller's application.
=== Holding ===
=== Holding ===
In August 2022, the Romanian DPA completed an investigation at Raiffeisen Bank SA and found a violation of the provisions of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] , [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] , [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] , [[Article 6 GDPR|Article 6 GDPR]].
The DPA found that the processor processed inaccurate data (telephone number) of occasional users who carried transferred money through the operator's application. The data subject's telephone number was incorrectly used in 44 transactions. The DPA thus held that the processor violated [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 5 GDPR#1b|(b)]] and [[Article 5 GDPR#1d|(d) GDPR]] (principles of lawfulness fairness and transparency, purpose limitation and accuracy) and [[Article 6 GDPR|Article 6 GDPR]].  
Raiffeisen Bank SA, as a processor, was sanctioned as follows: with a warning for violating the provisions of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] , Article 5(1)(b) and [[Article 6 GDPR|Article 6 GDPR]] and with a fine in amount of €2,000 for violating the provisions of [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]].
 


The DPA sanctioned the processor with a warning for violating [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Index.php?title=Article 5 GDPR|(b)]] and [[Article 6 GDPR]] and a fine of €2,000 for violating [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]].
== Comment ==
== Comment ==
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.


== Further Resources ==
== Further Resources ==
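Review bot: in the new Holding text, the sanction sentence links "(b)" as [[Index.php?title=Article 5 GDPR|(b)]] while the finding sentence directly above it uses [[Article 5 GDPR#1b|(b)]]; use the #1b anchor form in both so the reference points at Article 5(1)(b). The rewritten wording also needs a copy-edit: "carried transferred money" has a leftover word, "controllers application" is missing its apostrophe, "the processor, incorrectly entered" has a stray comma, and "lawfulness fairness and transparency" is missing one.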

Revision as of 15:05, 13 September 2022

ANSPDCP - Raiffeisen Bank SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(d) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 09.09.2022
Fine: 2,000 EUR
Parties: Raiffeisen Bank SA
National Case Number/Name: Raiffeisen Bank SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Daniela Duta

The Romanian DPA fined Raiffeisen Bank SA, acting as a processor, €2,000 for processing inaccurate personal data of data subjects who transferred money through the controller's application.

English Summary

Facts

A data subject received SMS text messages from Raiffeisen Bank SA (the processor) regarding money transfers. However, the data subject did not make these transfers. He therefore filed a complaint with the Romanian DPA, which started an investigation.

During the investigation, the DPA found that the processor incorrectly entered the data subject's phone number in an application made available by the controller. Through this application, transactions were initiated at a customer's request.

The data subject was not a customer of the processor and did not request the initiation of transactions through the controller's application.

Holding

The DPA found that the processor processed inaccurate data (telephone number) of occasional users who transferred money through the operator's application. The data subject's telephone number was incorrectly used in 44 transactions. The DPA thus held that the processor violated Article 5(1)(a), (b) and (d) GDPR (principles of lawfulness, fairness and transparency, purpose limitation and accuracy) and Article 6 GDPR.

The DPA sanctioned the processor with a warning for violating Article 5(1)(a), (b) and Article 6 GDPR and a fine of €2,000 for violating Article 5(1)(d) GDPR.

Comment

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

09/09/2022

Fine for GDPR violation



In August 2022, the National Supervisory Authority completed an investigation at SC Raiffeisen Bank SA and found a violation of the provisions of art. 5 para. (1) lit. a), b) and d) and of art. 6 of the General Data Protection Regulation.

SC Raiffeisen Bank SA, as an agent of an operator, was sanctioned as follows:

with a warning for violating the provisions of art. 5 para. (1) lit. a) and b) and of art. 6 of the General Data Protection Regulation;

with a fine of 9,763.60 lei (the equivalent of 2,000 EURO) for violating the provisions of art. 5 para. (1) lit. d) of the General Data Protection Regulation.

The investigation was started as a result of a complaint made by a petitioner who complained that an operator was sending SMS text messages to his mobile phone number regarding transfers of sums of money to certain people, transfers that the petitioner did not make.

During the investigation, it was found that at the level of SC Raiffeisen Bank SA, as an authorized representative, the petitioner's phone number was erroneously entered in the application made available by the operator through which transactions were initiated at the request of customers.

It was also noted that the petitioner was not a client of SC Raiffeisen Bank SA and did not request the initiation of transactions through the operator's application.

At the same time, the Supervisory Authority found that SC Raiffeisen Bank SA, as authorized agent, processed inaccurate data (phone number) of people, occasional customers, who made money transactions through the operator's application, using the petitioner's phone number in 44 transactions, thus violating the principle of data accuracy provided for in art. 5 para. (1) lit. d) of the General Data Protection Regulation.





Legal and Communication Department

A.N.S.P.D.C.P.