ANSPDCP (Romania) - 12.01.2024
ANSPDCP - 12.01.2024 | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 17000 EUR |
Parties: | n/a |
National Case Number/Name: | 12.01.2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Romanian |
Original Source: | Romanian DPA (in RO) |
Initial Contributor: | maxinescu |
A bank was fined €17,000 by the Romanian DPA for sending commercial messages to data subjects, even after the termination of the contractual relationship with them, in breach of Article 5 GDPR and Article 6 GDPR.
English Summary
Facts
The DPA initiated an investigation following several complaints received from a former customer (the data subject) claiming that the controller, Alior Bank SA Warsaw Bucharest Branch, sent unsolicited messages both by e-mail and SMS to the data subject, although the data subject had previously requested the deletion of their data.
The data subject also informed the DPA that, following previous requests, the controller had confirmed that the contractual relationship was terminated and, consequently, the related bank accounts of the data subjects were closed. Moreover, the data subject pointed out that the controller had continuously sent commercial correspondence by e-mail to them despite them contacting the controller several times specifying that the contractual relationship had been terminated.
Holding
The investigation initiated by the DPA was made in consultation with the Polish DPA, considering that the controller had a series of applications and communication systems based in Poland. More precisely, the IT system of the controller’s branch in Romania was integrated into the centralized system of Alior Bank SA Warsaw, based in Poland. Consequently, the messages communicated to customers after the date of termination of the contractual relationship with the financial institution were sent by the technical department of Alior Bank SA Warsaw in Poland.
Following the internal enquiries at the level of the Romanian branch, it became clear that when a contractual relationship with customers ended, the controller continued to monitor their activity and send messages on certain operations. Therefore, the controller continued to process the personal data (such as e-mail addresses and telephone numbers) of the data subjects, even after the termination of their contractual relationship. This was considered incompatible with the initial purpose for which the data were initially collected, resulting in a breach of Article 5(1)(a) and (b) GDPR, as well as Article 6 GDPR.
Thus, the DPA sanctioned the Romanian branch with a fine of €17,000 and imposed the following corrective measures.
- Firstly, it ordered the controller to regularly monitor compliance with the principles and rules set out in Article 5 GDPR and Article 6 GDPR to avoid unlawful processing of personal data of data subjects and, in case necessary, to reconfigure systems or applications used in the processing of personal data.
- Secondly, it requested the controller to inform its Polish branch about the above-mentioned to properly implement the data protection principles under GDPR.
Comment
From the facts presented in the press release, it seems that the following proceedings, although not explicitly mentioned, fall within Article 61(1) GDPR since the Romanian DPA consulted with the Polish DPA.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
12.01.2024 Penalty for GDPR violation Based on the cooperation mechanisms provided by Regulation (EU) 2016/679, the National Supervisory Authority for the Processing of Personal Data has completed an investigation at the operator Alior Bank SA, through its branch in Romania - Alior Bank SA Warsaw Branch Bucharest, within which found a violation of the provisions of art. 5 para. (1) lit. a) and b) and art. 6 of Regulation (EU) no. 2016/679. As such, the operator was penalized with a fine of 84,491.7 lei (equivalent to 17,000 EURO). The investigation was started as a result of notifications sent by a concerned person who claimed a possible violation of the provisions of Regulation (EU) no. 2016/679 by the operator. Thus, the petitioner (former client) complained that the operator sent him an unsolicited electronic correspondence, both to his e-mail address and by SMS, although he had previously requested the deletion of all his personal data, an aspect that was confirmed by the operator through the termination notice of the concluded banking contracts, as well as by closing the related bank accounts. The petitioner also reported the fact that there were previously situations in which the operator sent commercial correspondence by e-mail, although he had exercised his right of opposition. As part of the investigation carried out by the National Authority for the Supervision of Personal Data Processing, with the consultation of the authority for data protection in Poland, it turned out that Alior Bank SA Varsovia Sucursala Bucharest owned a series of applications and communication systems for customers. The computer system of Alior Bank SA Warsaw Bucharest Branch was integrated into the centralized system of Alior Bank SA Warsaw based in Poland, which also implements, from an IT point of view, the database verification methodology. As such, the messages communicated to customers after the date of termination of the contractual relationship with the bank were sent by the technical department of Alior Bank SA Warsaw in Poland, according to the requirements sent by the Alior Bank SA Branch in Bucharest. Thus, it was found that the bank, after the termination of the contractual relationship with the clients, continued to monitor their activity and send messages regarding certain operations. As such, it was found that the operator processed the personal data (such as e-mail address and telephone number) of the persons who concluded the contractual relationship with the bank for a purpose incompatible with the one for which the data were initially collected, being in violation of the provisions Art. 5 para. (1) lit. a) and b) and art. 6 of Regulation (EU) no. 2016/679. In this context, related to the cross-border implications of the situation, Alior Bank SA, through its branch in Romania - Alior Bank SA Warsaw Bucharest Branch, was sanctioned by a Decision of the National Supervisory Authority for the Processing of Personal Data with a fine, according to powers established by Regulation (EU) no. 2016/679 and Law no. 102/2005, republished. At the same time, the National Supervisory Authority for the Processing of Personal Data also applied the corrective measure by which it was ordered that the operator regularly monitor compliance with the principles and rules provided by art. 5 and art. 6 of Regulation (EU) no. 2016/679, in order to avoid the illegal processing of the personal data of the persons concerned, and in the situation where it would be necessary to reconfigure some systems or applications used in the processing of personal data, Alior Bank SA Warsaw-Bucuresti Branch- to inform Alior Bank SA from Poland these aspects, in order to properly implement the principles provided by Regulation (EU) no. 2016/679. Legal and Communication Department A.N.S.P.D.C.P.