ANSPDCP (Romania) - ING Bank N.V. Amsterdam – Bucharest Branch

From GDPRhub
ANSPDCP - ING Bank N.V. Amsterdam – Bucharest Branch
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 5(1)(d) GDPR
Article 6(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 07.12.2020
Published: 30.12.2020
Fine: 3000 EUR
Parties: ING Bank N.V. Amsterdam – Bucharest Branch
National Case Number/Name: ING Bank N.V. Amsterdam – Bucharest Branch
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Stefan Musat

The Romanian DPA (ANSPDCP) imposed a €3000 fine on ING Bank N.V. Amsterdam – Bucharest Branch for unlawfully processing the personal data of a natural person after the conclusion of their contractual relationship.

English Summary

Facts

The Romanian DPA (ANSPDCP) conducted an investigation into ING Bank N.V. Amsterdam – Bucharest Branch and found that, due to a system error, the request to close a current account of one former client did not operate and the client was considered "active". Because of this error, the controller continued to process the former client's personal data.

Dispute

Does processing personal data, after a system error fails to register the account closing, lead to a violation of the GDPR?

Holding

The ANSPDCP found that the controller sent, to the e-mail address of a natural person, messages regarding the updating of his personal data, although the data subject had requested on 24.11.2017 the closure of the last bank product held (a current account). Due to a system error, the data subject was still registered as client and the controller processed the following personal data: e-mail address, name and surname, expiration date of the identity card.

The Romanian DPA found that the controller processed personal data in violation with the provisions of Article 5(1)(a-d)GDPR (the principles of: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy) and without fulfilling the conditions of legality of the processing, as provided in Article 6(1)GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

A new sanction for violating the RGPD

The National Supervisory Authority completed on 07.12.2020 an investigation at the operator ING Bank NV Amsterdam - Bucharest Branch and found the violation of the provisions of art. 5 para. (1) lit. a) -d) reported to art. 6 para. (1) of the General Data Protection Regulation.

The operator ING Bank NV Amsterdam - Bucharest Branch was sanctioned with a fine in the amount of 14,619.9 lei (equivalent to 3,000 EURO). The sanction was applied to the operator as a result of the fact that he processed the personal data of a natural person after the conclusion of the contractual relationship with ING Bank. During the investigation, the National Supervisory Authority found that the operator sent to the e-mail address of a natural person messages regarding the updating of his personal data, although he had requested on 24.11.2017 the closure of the last bank product held, respectively a current account. It was also found that, as a result of a system error, this request to close the current account did not have the effect of closing the business relationship with the operator, which was still maintained in "active" status. This situation led to the processing of personal data  (e-mail address, name and surname, date of expiration of the identity card) in violation of the provisions of art. 5 para. (1) lit. a) -d) of the RGPD and without fulfilling the conditions of legality of the processing, as provided in art. 6 para. (1) of the RGPD. 
In this context, we mention that art. 5 of the RGPD regulates the principles related to the processing of personal data, according to which personal data must be: 
a) processed lawfully, fairly and transparently to the data subject ("legality, fairness and transparency"); 
b) collected for determined, explicit and legitimate purposes and are not subsequently processed in a manner incompatible with these purposes; 
c) appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("minimization of data") 
d) accurate and, if necessary, updated; all necessary measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay ("accuracy"); 

Legal and Communication Department 
ANSPDCP