ANSPDCP (Romania) - Raiffeisen Bank SA

From GDPRhub
Revision as of 12:30, 13 September 2022 by Dana.duta (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - Raiffeisen Bank SA
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(d) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 09.09.2022
Fine: 2,000 EUR
Parties: Raiffeisen Bank SA
National Case Number/Name: Raiffeisen Bank SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Daniela Duta

The Romanian DPA fined Raiffeisen Bank SA €2,000 for processing inaccurate personal data of the occasional customers, who made money transactions through the controller's application using the petitioner's phone number in 44 transactions.

English Summary

Facts

The investigation has started following a complaint made by a petitioner according to which a controller was sending SMS text messages to his mobile phone number regarding money transfers that the petitioner did not make.

In the course of the investigation it was found that Raiffeisen Bank SA, as processor, incorrectly introduced the petitioner's phone number in the application made available by the controller, through which the transactions were initiated at the customer's request, and it was noted that the petitioner was not a Raiffeisen Bank client and has not requested the initiation of transactions through the controller's application.


Holding

In August 2022, the Romanian DPA completed an investigation at Raiffeisen Bank SA and found a violation of the provisions of Article 5(1)(a) GDPR , Article 5(1)(b) GDPR , Article 5(1)(d) GDPR , Article 6 GDPR. Raiffeisen Bank SA, as a processor, was sanctioned as follows: with a warning for violating the provisions of Article 5(1)(a) GDPR , Article 5(1)(b) and Article 6 GDPR and with a fine in amount of €2,000 for violating the provisions of Article 5(1)(d) GDPR.


Comment

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

09/09/2022

Fine for GDPR violation



In August 2022, the National Supervisory Authority completed an investigation at SC Raiffeisen Bank SA and found a violation of the provisions of art. 5 para. (1) lit. a), b) and d) and of art. 6 of the General Data Protection Regulation.

SC Raiffeisen Bank SA, as an agent of an operator, was sanctioned as follows:

with a warning for violating the provisions of art. 5 para. (1) lit. a) and b) and of art. 6 of the General Data Protection Regulation; with a fine of 9,763.60 lei (the equivalent of 2,000 EURO) for violating the provisions of paragraph 5. (1) lit. d) from the General Regulation on Data Protection.

The investigation was started as a result of a complaint made by a petitioner who complained that an operator was sending SMS text messages on his mobile phone number regarding transfers of sums of money to certain people, transfers that the petitioner did not did.

During the investigation, it was found that at the level of SC Raiffeisen Bank SA, as an authorized representative, the petitioner's phone number was erroneously entered in the application made available by the operator through which transactions were initiated at the request of customers.

It was also noted that the petitioner was not a client of SC Raiffeisen Bank SA and did not request the initiation of transactions through the operator's application.

At the same time, the Supervisory Authority found that SC Raiffeisen Bank SA, as authorized agent, processed inaccurate data (phone number) of people, occasional customers, who made money transactions through the operator's application, using the petitioner's phone number in within the framework of 44 transactions, thus violating the principle of data accuracy provided for in art. 5 para. (1) lit. d) from the General Regulation on Data Protection.





Legal and Communication Department

A.N.S.P.D.C.P.