ANSPDCP (Romania) - Unicredit Consumer Financing
ANSPDCP - Unicredit Consumer Financing | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 6(1) GDPR, Article 33 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 17.12.2024 |
Fine: | n/a |
Parties: | Unicredit |
National Case Number/Name: | Unicredit Consumer Financing |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO) |
Initial Contributor: | elu |
Unicredit Consumer Financing was fined RON 24,885 (€5,000) as it processed data of current and past clients without a legal basis and lacked proper monitoring of data confidentiality and security procedures.
English Summary
Facts
Unicredit Consumer Financing, the controller, notified a data breach in line with its obligations under Article 33 GDPR. This data breach included the name, surname, position and signature of its current and past clients, the data subjects.
The Romanian DPA started an investigation on the matter.
Holding
First, the DPA found that the controller processed the data subjects' data in violation of the principles laid out in Article 5(1)(a), (f) and (2) GDPR.
Second, the controller failed to provide a legal basis for the processing of such data and thus violated Article 6(1) GDPR.
Therefore, the DPA deemed it appropriate to impose a fine of RON 24,885 (€5,000). The DPA also suggested that the controller implement a plan to monitor the application of the relevant procedures to ensure GDPR compliance, especially in relation to the processing of personal data of employees who terminate the contractual employment relationship with the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
17.12.2024
Sanction for violation of the GDPR
The National Supervisory Authority for Personal Data Processing completed, in November 2024, an investigation at the operator UNICREDIT CONSUMER FINANCING IFN S.A. and found a violation of the provisions of art. 6 paragraph (1) in conjunction with the provisions of art. 5 paragraph (1) letters a) and f), paragraph (2) and art. 32 paragraph (4) of Regulation (EU) 2016/679.
For the act committed, the operator was sanctioned with a fine in the amount of 24,885 lei, the equivalent of 5,000 euros.
The investigation was initiated following the transmission by the operator UNICREDIT CONSUMER FINANCING IFN S.A. of a personal data breach notification, pursuant to its obligation under the provisions of art. 33 of Regulation (EU) 2016/679.
It was reported that personal data such as: name, surname, position, signature belonging to data subjects (former employees), were processed by including them in certain contractual documents and used in the relationship with the operator's clients and collaborators, although their individual employment contracts had been terminated.
During the investigation, it was found that UNICREDIT CONSUMER FINANCING IFN S.A. processed the personal data of former employees in violation of the principles provided for by the Regulation, as a result of operational errors.
At the same time, it was found that the operator did not responsibly monitor the application of procedures ensuring the confidentiality and security of personal data, which led to the use of versions of documents with outdated signatories.
In this context, the processing of personal data was carried out without legal basis, in violation of the principles of processing relating to lawfulness, security and protection against unauthorized or illegal processing.
For this act, the operator was fined for violating the provisions of art. 6 paragraph (1) of Regulation (EU) 2016/679 in conjunction with the provisions of art. 5 paragraph (1) letters a) and f), paragraph (2) and art. 32 paragraph (4).
At the same time, the corrective measure of implementing a plan to monitor the application of procedures was ordered against the operator in order to ensure compliance with the provisions of the Regulation at all times, including with regard to the processing of personal data of employees who terminate their contractual employment relationship with UNICREDIT CONSUMER FINANCING IFN S.A.
The operator paid the established contravention fine.
Legal and Communication Department A.N.S.P.D.C.P