ANSPDCP (Romania) - ING BANK NV Amsterdam Bucharest Branch
ANSPDCP - ING BANK NV Amsterdam Bucharest Branch | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 32(1)(b) GDPR; Article 32(2) GDPR; Article 32(4) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | |
Fine: | 3000 EUR |
Parties: | n/a |
National Case Number/Name: | ING BANK NV Amsterdam Bucharest Branch |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Silvia Axinescu |
ING BANK NV Amsterdam Bucharest Branch was sanctioned with a fine of RON 14,889, equivalent to EUR 3,000, for violations of Art. 32(1)(b), (2) and (4) GDPR.
English Summary
Facts
The DPA started an investigation after the bank submitted a personal data breach notification under the GDPR. During the investigation, the DPA found that a .pdf file containing personal data had been transmitted by the bank in an unauthorized manner, namely through the WhatsApp messaging application. This led to a loss of confidentiality of the personal data of a significant number of the controller's customers.
Holding
The DPA found that ING BANK NV Amsterdam Bucharest Branch had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data stored or otherwise processed.
During its investigation, the DPA invoked the provisions of Art. 32(4) GDPR, under which the controller was obliged to take measures to ensure that any natural person acting under the authority of the controller and having access to personal data processes them only at the request of the controller.
Comment
Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
18.07.2023
A new penalty for breaching GDPR
In June of this year, the National Supervisory Authority completed an investigation at the operator ING BANK NV Amsterdam Bucharest Branch, in which it found a violation of the provisions of art. 32 para. (1) lit. b), paragraph (2) and par. (4) of the General Data Protection Regulation.
As such, ING BANK NV Amsterdam Bucharest Branch was fined 14,889 lei, the equivalent of 3,000 EURO.
The investigation was started as a result of the transmission by the operator of a notification of a breach of the security of personal data under the General Data Protection Regulation.
During the conducted investigation, it was found that there was an unauthorized transmission, through the WhatsApp application, of a .pdf format file containing personal data. This situation led to the loss of confidentiality of the personal data of a significant number of the operator's customers.
Thus, the National Supervisory Authority found that ING BANK NV Amsterdam Bucharest Branch did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk of processing, generated, in particular, accidentally or illegally, by the destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data stored or otherwise processed.
We emphasize that, according to art. 32 para. (4) of the General Regulation on Data Protection, the operator had the obligation to take measures to ensure that any natural person acting under the authority of the operator and who has access to personal data only processes them at the request of the operator.
Legal and Communication Department
A.N.S.P.D.C.P.