ANSPDCP (Romania) - Unicredit

From GDPRhub
ANSPDCP - Unicredit
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 25(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 74,652 RON
Parties: Unicredit SA
National Case Number/Name: Unicredit
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: elu

The DPA fined Unicredit RON 74,652 (€15,000) after faulty, untested app functionality led to two data breaches. The DPA further ordered the controller to implement a testing plan before apps and communication solutions start to process personal data.

English Summary

Facts

Unicredit SA, the controller, notified the Romanian DPA about two data breaches in accordance with Article 35 GDPR.

The DPA deemed it appropriate to start an investigation, which revealed the following.

First Data Breach

The first breach was caused by the malfunctioning of the employees' app used to create a username. The app had not been tested in a test environment beforehand.

As a consequence, personal data of some customers (the data subjects) was disclosed without authorisation, including: name, surname, current account information, account transactions, account balance, card transactions and card balance.

Second Data Breach

The second breach consisted of the unauthorised disclosure of personal data (the name of the cardholder, telephone number, date of the transaction, currency, e-mail address, the amount of the transaction and the reason for refusal of payment) of a significant number of the controller's customers.

This unauthorised disclosure resulted from an employee implementing a solution for customer communication with the controller without conducting the appropriate prior testing in the test environment.

Holding

The DPA held that the controller had failed to implement appropriate technical and organisational measures designed to effectively implement the data protection principles.

Therefore, the DPA found a violation of Article 25(1) GDPR and deemed it appropriate to fine RON 74,652 (€15,000).

Moreover, the DPA ordered the controller to implement a testing plan for all apps or communication solutions used in activities involving data processing and, specifically, to analyse all functions of an app in a test environment before using it in a real scenario.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

03.02.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the operator Unicredit Bank SA and found a violation of the provisions of art. 25 paragraph (1) of the General Data Protection Regulation (GDPR).

As such, the operator was sanctioned with a fine in the amount of 74,652 lei, the equivalent of 15,000 EURO.

The investigation was initiated following the transmission by the operator of two notifications of violation of personal data security under the GDPR.

The investigation found that, in the first case, the data processing security breach occurred as a result of the malfunctioning of the operator's application for creating the username, which had not been tested beforehand in a test environment.

This situation led to the unauthorized disclosure of processed personal data of some customers, such as: name, surname, current account information, account transactions, account balance, card transactions, card balance.

In the second case, the data processing security breach occurred as a result of the operator's implementation of a solution for communicating with the bank without conducting adequate prior testing in the test environment, which led to the unauthorized disclosure of personal data (cardholder name, telephone number, transaction date, currency, email address, transaction amount, reason for payment refusal) of a significant number of Unicredit Bank SA customers.

As such, in relation to the criteria for individualizing sanctions provided for in art. 83 of the GDPR, a fine was imposed for the violation of the provisions of art. 25 paragraph (1) of the GDPR, since the operator did not implement, both when establishing the means of processing and during the processing itself, appropriate technical and organizational measures designed to effectively implement the principles of data protection and to integrate the necessary guarantees into the processing.

At the same time, the operator was also ordered to take the corrective measure of technically and organizationally implementing a test plan for all components/applications that are intended to be introduced into the activities that include personal data processing by analyzing all their functionalities in a test environment, which simulates the real scenario in the production environment.

We note that the operator paid the fine imposed.

Legal and Communication Department

A.N.S.P.D.C.P.