ANSPDCP (Romania) - Raiffeisen Bank SA: Difference between revisions
No edit summary |
No edit summary |
||
Line 82: | Line 82: | ||
The DPA sanctioned the processor with a warning for violating [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 5 GDPR#1a|Article 5(1)(b)]] and [[Article 6 GDPR]] and a fine of €2,000 for violating [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]]. | The DPA sanctioned the processor with a warning for violating [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 5 GDPR#1a|Article 5(1)(b)]] and [[Article 6 GDPR]] and a fine of €2,000 for violating [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]]. | ||
== Comment == | == Comment == | ||
The original | The original source did not include information on the identity of the controller. | ||
== Further Resources == | == Further Resources == |
Revision as of 18:46, 14 September 2022
ANSPDCP - Raiffeisen Bank SA | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1)(d) GDPR Article 6 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 09.09.2022 |
Fine: | 2,000 EUR |
Parties: | Raiffeisen Bank SA |
National Case Number/Name: | Raiffeisen Bank SA |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Daniela Duta |
The Romanian DPA fined Raiffeisen Bank SA, acting as a processor, €2,000 for processing inaccurate personal data of data subjects who transferred money through the controllers application.
English Summary
Facts
A data subject received SMS text messages from Raiffeisen Bank SA (the processor) regarding money transfers. However, the data subject did not make these transfers. He therefore filed a complaint with the Romanian DPA, which started an investigation.
During the investigation, the DPA found that the processor, incorrectly entered the data subject's phone number in an application made available by the controller. Through this application, transactions were initiated at a customer's request.
The data subject was not a customer of the processor and did not request the initiation of transactions through the controller's application.
Holding
The DPA found that the processor processed inaccurate data (telephone number) of occasional users who carried transferred money through the operator's application. The data subject's telephone number was incorrectly used in 44 transactions. The DPA thus held that the processor violated Article 5(1)(a), (Article 5(1)(b) and (d) GDPR (principles of lawfulness fairness and transparency, purpose limitation and accuracy) and Article 6 GDPR.
The DPA sanctioned the processor with a warning for violating Article 5(1)(a), Article 5(1)(b) and Article 6 GDPR and a fine of €2,000 for violating Article 5(1)(d) GDPR.
Comment
The original source did not include information on the identity of the controller.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
09/09/2022 Fine for GDPR violation In August 2022, the National Supervisory Authority completed an investigation at SC Raiffeisen Bank SA and found a violation of the provisions of art. 5 para. (1) lit. a), b) and d) and of art. 6 of the General Data Protection Regulation. SC Raiffeisen Bank SA, as an agent of an operator, was sanctioned as follows: with a warning for violating the provisions of art. 5 para. (1) lit. a) and b) and of art. 6 of the General Data Protection Regulation; with a fine of 9,763.60 lei (the equivalent of 2,000 EURO) for violating the provisions of paragraph 5. (1) lit. d) from the General Regulation on Data Protection. The investigation was started as a result of a complaint made by a petitioner who complained that an operator was sending SMS text messages on his mobile phone number regarding transfers of sums of money to certain people, transfers that the petitioner did not did. During the investigation, it was found that at the level of SC Raiffeisen Bank SA, as an authorized representative, the petitioner's phone number was erroneously entered in the application made available by the operator through which transactions were initiated at the request of customers. It was also noted that the petitioner was not a client of SC Raiffeisen Bank SA and did not request the initiation of transactions through the operator's application. At the same time, the Supervisory Authority found that SC Raiffeisen Bank SA, as authorized agent, processed inaccurate data (phone number) of people, occasional customers, who made money transactions through the operator's application, using the petitioner's phone number in within the framework of 44 transactions, thus violating the principle of data accuracy provided for in art. 5 para. (1) lit. d) from the General Regulation on Data Protection. Legal and Communication Department A.N.S.P.D.C.P.