ANSPDCP (Romania) - ING BANK NV Amsterdam Bucharest Branch
| ANSPDCP - ING BANK NV Amsterdam Bucharest Branch | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 32(1)(b) GDPR Article 32(2) GDPR Article 32(4) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 3000 EUR |
| Parties: | n/a |
| National Case Number/Name: | ING BANK NV Amsterdam Bucharest Branch |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Romanian |
| Original Source: | ANSPDCP (in RO) |
| Initial Contributor: | Silvia Axinescu |
The Romanian DPA fined Ing Bank NV €3,000 for sharing a .pdf file containing personal data from its clients through Whatsapp, in violation of Article 32(1)(b), (2) and (4) GDPR.
English Summary
Facts
The Ing Bank NV branch in Bucarest, as a controller, notified the Romanian DPA of a data breach under the GDPR. The DPA opened a procedure to further investigate the facts and found that the controller shared a .pdf file through Whatsapp containing personal data of a significant number of its customers.
Holding
After the investigations, the DPA found that there was breach of the confidentiality of the personal data of the bank's consumers.
The DPA held that the controller did not implement adequate technical and organizational measures to provide a level of security that is adequate and proportionate to the risks inherent to the processing of such data. In particular, the DPA held that the controller did not prevent the accidental or illegal destruction, loss , modification, unauthorized disclosure or unauthorized access to personal data under its control.
For this reason, the DPA found a violation of Article 32(1)(b), (2) and (4) GDPR and imposed a fine of RON 14,889, equivalent to €3,000.
Comment
Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
18.07.2023 A new penalty for breaching GDPR In June of this year, the National Supervisory Authority completed an investigation at the operator ING BANK NV Amsterdam Bucharest Branch, in which it found a violation of the provisions of art. 32 para. (1) lit. b), paragraph (2) and par. (4) of the General Data Protection Regulation. As such, ING BANK NV Amsterdam Bucharest Branch was fined 14,889 lei, the equivalent of 3,000 EURO. The investigation was started as a result of the transmission by the operator of a notification of a breach of the security of personal data under the General Data Protection Regulation. During the conducted investigation, it was found that there was an unauthorized transmission, through the WhatsApp application, of a .pdf format file containing personal data. This situation led to the loss of confidentiality of the personal data of a significant number of the operator's customers. Thus, the National Supervisory Authority found that ING BANK NV Amsterdam Bucharest Branch did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk of processing, generated, in particular, accidentally or illegally, by the destruction, loss , modification, unauthorized disclosure or unauthorized access to personal data stored or otherwise processed. We emphasize that, according to art. 32 para. (4) of the General Regulation on Data Protection, the operator had the obligation to take measures to ensure that any natural person acting under the authority of the operator and who has access to personal data only processes them at the request of the operator. Legal and Communication Department A.N.S.P.D.C.P.
