ANSPDCP (Romania) - Fine against Raiffeisen Bank: Difference between revisions

ANSPDCP - Fine against Raiffeisen Bank
Authority:	ANSPDCP (Romania)
Jurisdiction:	Romania
Relevant Law:	Article 32(1)(b) GDPR Article 32(1)(d) GDPR Article 32(4) GDPR
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:	20.10.2024
Published:
Fine:	99,466 RON
Parties:	Raiffeisen Bank S.A
National Case Number/Name:	Fine against Raiffeisen Bank
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Romanian
Original Source:	Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor:	elu

“The DPA fined Raiffeisen Bank RON 99,466 (€20,000) after inadequate technical and organisational measures allowed for the misuse of customers’ accounts and personal data by the bank’s employees

English Summary

Facts

Raiffeisen Bank S.A., the controller, communicated to the Romanian DPA multiple personal data breaches.

A customer, the data subject, complained about a loan taken in its name, which started an internal investigation. Such investigation revealed that an employee of the controller unlawfully used the data subject’s personal data collected in the context of a prior application which was however withdrawn by the data subject.

Moreover, the controller’s employee withdrew cash, conducted bank transfers on behalf of several data subjects, changed contact details, operated Smart banking operations without data subjects’ consent, and, during this process, affected multiple categories of personal data.

In this context, the controller also admitted that two employees sent confidential information about a data subject’s transaction on Facebook, Messenger and WhatsApp to a former employee, who subsequently shared it to the data subject’s relatives.

Holding

The DPA considered that the controller did not implement sufficient measures to ensure that any employee having access to personal data does not process them except at the controller’s request. In fact, it was the lack of measures that led to the unauthorized access and unauthorized disclosure of personal data transmitted, stored or processed.

Therefore, the DPA found a violation of Article 32(1)(2) and Article 32(4) GDPR and, as such breaches happened between 2015 to beginning of 2023 deemed it appropriate to fine the controller RON 99,466 (€20,000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

20.11.2024

Penalty for GDPR violation

 

The National Supervisory Authority for the Processing of Personal Data completed, in October 2024, an investigation at the operator Raiffeisen Bank S.A. and found a violation of the provisions of art. 32 para. (4) in conjunction with art. 32 para. (1) lit. b) and d) and para. (2) of Regulation (EU) 2016/679 (GDPR).

As such, the operator was fined 99,466 lei, the equivalent of 20,000 EURO.

The investigation was started as a result of the fact that Raiffeisen Bank S.A. sent the National Supervisory Authority three notifications regarding the occurrence of personal data security breaches, as follows:

The operator was notified by a customer claiming to take out a loan on his behalf.

During the investigation, it was found that an employee of the operator illegally used the client's credit application, as well as the other documents related to this application, although the client had notified Raiffeisen Bank S.A. that he waives this request.

The operator's employee carried out cash withdrawal transactions from the ATM and bank transfer operations on behalf of several data subjects, the following categories of personal data being affected: name, surname, personal code, home/residence and mailing address, landline/mobile phone number, date of birth, employer's name and address, product IP, product/account status, grant date, grant term, amounts granted, amounts owed, due date, currency, frequency of payments, amount paid, monthly installment, outstanding amounts, number of outstanding installments, number of days of delay, category of delay, product closure date, number of queries, transaction history, direct debit contracts, deposits, savings account, funds of investments.

As such, it was found that the operator Raiffeisen Bank S.A. did not take measures to ensure that any natural person acting under its authority and having access to personal data does not process it except at the request of the operator, which led to the unauthorized access and/or unauthorized disclosure of the transmitted personal data , stored or processed through the computer applications used by the operator in the lending activity by his employee.

Raiffeisen Bank S.A. notified that two of its employees provided confidential information about a customer's transactions to a former bank employee using Facebook, Messenger and WhatsApp, who in turn forwarded it to relatives of the customer.

During the investigation, it was found that Raiffeisen Bank S.A. did not take measures to ensure that any natural person acting under its authority and having access to personal data only processes it at the operator's request, which led to unauthorized access and unauthorized disclosure of customer data (name, surname, CNP, home/mailing address, account number, date of transactions, amount of transactions, beneficiaries of payments).

The operator was notified by a customer who complained about the existence of products not requested by him, as well as the lack of sums of money from his account. The internal checks showed that an employee of Raiffeisen Bank S.A. performed numerous illegal operations on behalf of several of the operator's clients, such as: repeated modification of contact data (phone and e-mail); use of the Smart Mobile service; opening current accounts; opening savings accounts; establishment and liquidation of deposits; requesting credit products, completing and signing the related documentation (credit/credit card); drawing up and signing payment orders; redemption of fund units; applying for and using three debit cards.

During the investigation, it was found that, starting from 2015 until March 2023, the personal data of several customers of Raiffeisen Bank S.A. were accessed and disclosed without authorization. as a result of the actions carried out by an employee of the operator in order to obtain financial products on behalf of the affected data subjects.

Consequently, in relation to the criteria for individualizing the sanction provided for by art. 83 para. (2) of Regulation (EU) 2016/679, the operator Raiffeisen Bank S.A. was fined 99,466 lei, the equivalent of 20,000 euros, for violating the provisions of art. 32 para. (4) in conjunction with art. 32 para. (1) lit. b) and d) and para. (2) of the GDPR.

At the same time, under art. 58 para. (2) lit. d) from Regulation (EU) 2016/679, the following corrective measures were ordered:

the technical and organizational implementation of a procedural plan that includes a process of periodic testing, evaluation and assessment of all actions of introducing/updating personal data for data subjects (customers), including the notification and consent of the customer in any form on any change of personal data that can be carried out by the employees of the Raiffeisen Bank SA operator;

in order to ensure regular information on the risks of unauthorized processing of personal data by employees, the dissemination of this information is required, at an interval of no more than 6 months, including the need to prove that each of the employees who have access to the data is aware of it with personal character and attributions in the current activity of processing customer data. 

 

Legal and Communication Department

A.N.S.P.D.C.P