ANSPDCP (Romania) - Fine against Banca Comercială Română S.A.
ANSPDCP (Romania) - Fine against Banca Comercială Română S.A. | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(d) GDPR, Article 5(2) GDPR, Article 6 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 19.05.2021 |
Fine: | 2000 EUR |
Parties: | Banca Comercială Română S.A. |
National Case Number/Name: | Fine against Banca Comercială Română S.A. |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Diana Rosu |
Due to illegal processing of data conducted by Banca Comerciala Romana (BCR - the Romanian Commercial Bank), a data subject was wrongfully assigned as the financial guarantor of a company and later was the subject of forced execution. The Romanian DPA fined the bank approximately EUR 2 000 (RON 9 855.8) and imposed a coercive measure in order to ensure future compliance with the GDPR.
English Summary
Facts
Following a complaint filed by a data subject, the Romanian DPA started an investigation against Banca Comerciala Romana S.A. (the Romanian Commercial Bank) and found that the bank unlawfully processed the complainant's personal data. As a result, the complainant was wrongfully assigned as a financial guarantor for a company and later was the subject of forced execution.
Holding
Banca Comerciala Romana S.A. was fined approximately EUR 2 000 (RON 9 855.8) and a coercive measure was imposed in order to ensure future compliance with the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
In April, the National Supervisory Authority completed an investigation at Banca Comercială Română S.A. and found a violation of the provisions of art. 5 para. (1) lit. a) and d), art. 5 para. (2) and art. 6 of the General Regulation on Data Protection. Banca Comercială Română S.A., the controller, was sanctioned with a fine of 9,855.8 lei (equivalent to 2,000 euros).
The investigation was initiated following the receipt of a complaint claiming that Banca Comercială Română S.A. used, without consent, the personal data of a natural person in foreclosure proceedings for debts resulting from a credit agreement of which they were unaware. The petitioner, therefore, complained about the unauthorized use of personal data for other purposes than those authorized, as well as the use of an address that was no longer relevant and for which the petitioner considered that the bank had illegally accessed a database. They also complained about the lack of information regarding the source of collecting this information according to art. 14 of the GDPR, as well as the failure to receive a response regarding several requests addressed to BCR S.A.
During the investigation, the National Supervisory Authority found that Banca Comercială Română S.A. processed the personal data of the petitioner without legal grounds, by erroneously assigning the status of guarantor in 2019, extracting outdated data, using and disclosing their personal data, in notification procedures carried out through a bailiff, regarding arrears to a bailiff credit agreement accumulated by a company, client of the bank, with which the petitioner had no relationship, in violation of art. 5 para. (1) lit. a) and d) and art. 5 para. (2), as well as of art. 6 of the GDPR.
The National Supervisory Authority applied to the controller Banca Comercială Română S.A. a corrective action to ensure compliance with the GDPR of the operations of collection and further processing of personal data, by implementing effective methods of respecting the exact and current nature of the data, from the moment of data collection and their entry in the controller's database, throughout the processing period; in this regard, the implementation of adequate and effective security measures will be considered, both from a technical point of view in terms of deleting inaccurate / outdated data, and from an organizational point of view, by training of data controllers under the authority of the controller.
In this respect, recital (39) GDPR states that “Any processing of personal data should be lawful and fair. (...) All reasonable steps should be taken to ensure that inaccurate personal data are rectified or deleted. (...)”
As regards the lawfulness of the processing, recital (40) of the GDPR provides that “For the processing of personal data to be lawful, it should be carried out on the basis of the data subject's consent or on another legitimate reason in another act of Union or national law, as provided for in this Regulation, including the need to comply with the legal obligations to which the controller is subject or the need to perform a contract to which the data subject is a party or to go through the steps prior to the conclusion of a contract, at the request of the data subject.”