ANSPDCP (Romania) - Banca Comercială Română SA
| ANSPDCP - Banca Comercială Română SA | |
|---|---|
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 25(1) GDPR, Article 32(1)(b) GDPR, Article 32(1)(d) GDPR, Article 32(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 19.09.2022 |
| Fine: | 2,000 EUR |
| Parties: | Banca Comercială Română SA |
| National Case Number/Name: | Banca Comercială Română SA |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Romanian |
| Original Source: | ANSPDCP (in RO) |
| Initial Contributor: | Daniela Duta |
The Romanian DPA fined Banca Comercială Română SA as a result of an IT technical error that led to a data security breach.
English Summary
Facts
The Romanian DPA completed an investigation at Banca Comercială Română SA following a data breach notification. The data security breach led to the unauthorized disclosure of, or unauthorized access to, certain personal data, such as: name and surname, personal identification number, home address, telephone number, and email address, along with erroneously generated financial information regarding cumulative gain, cumulative loss, net gain, net loss, cumulative tax due, payment tax, and tax to be recovered. The incident affected 564 data subjects, all clients of the bank.
Holding
ANSPDCP completed an investigation at Banca Comercială Română SA and found a violation of Article 25(1) GDPR, Article 32(1)(b) GDPR, Article 32(1)(d) GDPR, and Article 32(2) GDPR. Consequently, the DPA fined the controller €2,000. During the investigation, it was found that e-mails containing personal data of some customers were sent to other customers. The Romanian DPA found that Banca Comercială Română SA did not take adequate technical and organizational measures to ensure a level of security corresponding to the processing risk.
Comment
This summary is based on their press release.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
19.09.2022

A new penalty for breaching GDPR

The National Supervisory Authority completed an investigation at the operator Banca Comercială Română SA and found a violation of the provisions of art. 25 para. (1) and art. 32 para. (1) lit. b), d) and para. (2) of the General Data Protection Regulation.

As such, the operator was fined 9,864.8 lei (equivalent to 2,000 EURO).

The investigation was started as a result of a data security breach notification that was sent by Banca Comercială Română SA, based on the provisions of art. 33 of the General Data Protection Regulation.

Thus, according to what was mentioned in the notification form, the violation of data processing security occurred as a result of a technical error of an IT application of the operator.

During the investigation it was found that e-mails containing the personal data of some customers were sent to other customers.

This breach of data security led to the unauthorized disclosure of, or unauthorized access to, certain personal data, such as: name and surname, CNP, home address, telephone number, email address, along with erroneously generated financial information regarding cumulative gain, cumulative loss, net gain, net loss, cumulative tax due, payment tax, tax to be recovered. The incident affected 564 data subjects (natural persons), clients of the bank.

At the same time, the National Supervisory Authority found that Banca Comercială Română SA did not take adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk, thus violating the provisions of art. 25 para. (1) and art. 32 para. (1) lit. b), d) and para. (2) of the General Data Protection Regulation.

Legal and Communication Department
A.N.S.P.D.C.P.