ANSPDCP (Romania) - Raiffeisen Bank SA: Difference between revisions

From GDPRhub
Revision as of 15:23, 13 September 2022

ANSPDCP - Raiffeisen Bank SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(d) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 09.09.2022
Fine: 2,000 EUR
Parties: Raiffeisen Bank SA
National Case Number/Name: Raiffeisen Bank SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Daniela Duta

The Romanian DPA fined Raiffeisen Bank SA, acting as a processor, €2,000 for processing inaccurate personal data of data subjects who transferred money through the controller's application.

English Summary

Facts

A data subject received SMS text messages from Raiffeisen Bank SA (the processor) regarding money transfers. However, the data subject did not make these transfers. He therefore filed a complaint with the Romanian DPA, which started an investigation.

During the investigation, the DPA found that the processor incorrectly entered the data subject's phone number in an application made available by the controller. Through this application, transactions were initiated at a customer's request.

The data subject was not a customer of the processor and did not request the initiation of transactions through the controller's application.

Holding

The DPA found that the processor processed inaccurate data (telephone number) of occasional users who transferred money through the operator's application. The data subject's telephone number was incorrectly used in 44 transactions. The DPA thus held that the processor violated Article 5(1)(a), (b) and (d) GDPR (principles of lawfulness, fairness and transparency, purpose limitation and accuracy) and Article 6 GDPR.

The DPA sanctioned the processor with a warning for violating Article 5(1)(a), (b) and Article 6 GDPR and a fine of €2,000 for violating Article 5(1)(d) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

09/09/2022

Fine for GDPR violation



In August 2022, the National Supervisory Authority completed an investigation at SC Raiffeisen Bank SA and found a violation of the provisions of art. 5 para. (1) lit. a), b) and d) and of art. 6 of the General Data Protection Regulation.

SC Raiffeisen Bank SA, as an agent of an operator, was sanctioned as follows:

with a warning for violating the provisions of art. 5 para. (1) lit. a) and b) and of art. 6 of the General Data Protection Regulation; with a fine of 9,763.60 lei (the equivalent of 2,000 EURO) for violating the provisions of art. 5 para. (1) lit. d) of the General Data Protection Regulation.

The investigation was started as a result of a complaint made by a petitioner who complained that an operator was sending SMS text messages to his mobile phone number regarding transfers of sums of money to certain people, transfers that the petitioner did not make.

During the investigation, it was found that at the level of SC Raiffeisen Bank SA, as an authorized representative, the petitioner's phone number was erroneously entered in the application made available by the operator through which transactions were initiated at the request of customers.

It was also noted that the petitioner was not a client of SC Raiffeisen Bank SA and did not request the initiation of transactions through the operator's application.

At the same time, the Supervisory Authority found that SC Raiffeisen Bank SA, as authorized agent, processed inaccurate data (phone number) of people, occasional customers, who made money transactions through the operator's application, using the petitioner's phone number in 44 transactions, thus violating the principle of data accuracy provided for in art. 5 para. (1) lit. d) of the General Data Protection Regulation.





Legal and Communication Department

A.N.S.P.D.C.P.