ANSPDCP (Romania) - ING Bank N.V. Amsterdam – Bucharest Branch (2)

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 25.01.2021
Published: 10.02.2021
Fine: 1000 EUR
Parties: ING Bank N.V. Amsterdam – Bucharest Branch
National Case Number/Name: ING Bank N.V. Amsterdam – Bucharest Branch (2)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Stefan Musat

The Romanian DPA (ANSPDCP) conducted an investigation into ING Bank N.V. Amsterdam – Bucharest Branch, following a personal data breach notification, and found that the controller sent files containing outdated information to a contractual partner, through a mandated company.

English Summary

Facts

A contractual partner of the controller received from the controller's processor, on two different dates, files containing outdated information in order to issue insurance policies. As a result, 270 individuals were affected.

Dispute

Does processing personal data in violation of the working procedure lead to a violation of the GDPR?

Holding

The ANSPDCP found that the controller sent files containing outdated information to a contractual partner through its processor. The data were outdated because the employees of the insurance policy monitoring department did not check and process the insurance policies in accordance with the working procedure. A total of 270 data subjects were affected because the technical and organizational measures implemented by the controller before the incident were not sufficient and led to the violation of the confidentiality of personal data.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

Sanction for violating the GDPR

The National Supervisory Authority completed on 25.01.2021 an investigation at the operator ING Bank NV Amsterdam, Bucharest Branch and found a violation of the provisions of art. 29 and art. 32 para. (2) and (4) of the General Data Protection Regulation. 

As such, the operator ING Bank NV Amsterdam was sanctioned with a fine in the amount of 4,874.40 lei (equivalent to 1000 EURO). Following the receipt of a data breach notification from ING Bank NV Amsterdam, an investigation was launched and it was found that this operator transmitted, on two different dates, some files to a contractual partner, through a mandated company, for insurance policies. The submitted files contained out-of-date information, as employees of the insurance policy monitoring department did not check and process the insurance policies in accordance with the Working Procedure, affecting 270 individuals. 

In view of these issues, it was established that the technical and organizational measures implemented by the operator before the incident were not sufficient, which led to the breach of the confidentiality of personal data.

Legal and Communication Department