ANSPDCP (Romania) - 12.01.2024

From GDPRhub
Revision as of 10:59, 19 January 2024 by Maxinescu
ANSPDCP - 12.01.2024
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 17000 EUR
Parties: n/a
National Case Number/Name: 12.01.2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

Alior Bank SA Warsaw Bucharest Branch was sanctioned with a fine of 17,000 EUR for sending commercial messages even after the termination of the contractual relationship, breaching data protection principles.

English Summary

Facts

The DPA initiated an investigation following several complaints from a former customer, who claimed that the controller had sent unsolicited messages by both email and SMS although the data subject had previously requested the deletion of their data. Moreover, following previous requests, the controller had confirmed that the contractual relationship with the financial institution was terminated and, consequently, that the related bank accounts of the data subject were closed. The data subject also pointed out that the controller had continuously sent commercial correspondence by e-mail, although he/she had submitted several requests specifying that the contractual relationship had been terminated.

Holding

The DPA conducted the investigation in consultation with the Polish DPA, because the financial institution had a series of applications and communication systems for customers which were based in Poland. More precisely, the IT system of the financial institution's branch in Romania was integrated into the centralized system of Alior Bank SA Warsaw based in Poland, which also implemented, from an IT point of view, the methodology for verifying the database. Consequently, the messages communicated to customers after the date of termination of the contractual relationship with the financial institution were sent by the technical department of Alior Bank SA Warsaw in Poland, according to the requirements and instructions sent by Alior Bank SA Branch in Bucharest. Internal enquiries at the level of the Romanian branch showed that, after the end of the contractual relationship with customers, the controller continued to monitor their activity and send messages on certain operations. Therefore, the controller continued to process personal data (such as e-mail address and telephone number) of the data subjects even after the termination of their contractual relationship with the financial institution. This was considered incompatible with the purpose for which the data were initially collected, thus resulting in a breach of Article 5(1)(a) and (b) GDPR, as well as Article 6 GDPR.

The DPA sanctioned the Romanian branch with a fine of 17,000 EUR and imposed the following corrective measures:
- A corrective measure ordering the controller to regularly monitor compliance with the principles and rules set out in Articles 5 and 6 GDPR, in order to avoid unlawful processing of personal data of data subjects, and, should it be necessary, to reconfigure systems or applications used in the processing of personal data.
- The Romanian branch is to inform Alior Bank SA from Poland about the above-mentioned aspects, in order to properly implement the data protection principles under the GDPR.

Comment

In this context, considering the cross-border implications of the situation, the Romanian branch was sanctioned with a fine and corrective measures, although the DPA could have imposed the same fine on the entity in Poland.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

12.01.2024

Penalty for GDPR violation



Based on the cooperation mechanisms provided by Regulation (EU) 2016/679, the National Supervisory Authority for the Processing of Personal Data has completed an investigation at the operator Alior Bank SA, through its branch in Romania - Alior Bank SA Warsaw Branch Bucharest, in which it found a violation of the provisions of art. 5 para. (1) lit. a) and b) and art. 6 of Regulation (EU) no. 2016/679.

As such, the operator was penalized with a fine of 84,491.7 lei (equivalent to 17,000 EURO).

The investigation was started as a result of notifications sent by a concerned person who claimed a possible violation of the provisions of Regulation (EU) no. 2016/679 by the operator.

Thus, the petitioner (former client) complained that the operator sent him unsolicited electronic correspondence, both to his e-mail address and by SMS, although he had previously requested the deletion of all his personal data, an aspect that was confirmed by the operator through the termination notice of the concluded banking contracts, as well as by closing the related bank accounts.

The petitioner also reported that there had previously been situations in which the operator sent commercial correspondence by e-mail, although he had exercised his right of opposition.

As part of the investigation carried out by the National Supervisory Authority for the Processing of Personal Data, in consultation with the data protection authority in Poland, it turned out that Alior Bank SA Warsaw Bucharest Branch owned a series of applications and communication systems for customers.

The computer system of Alior Bank SA Warsaw Bucharest Branch was integrated into the centralized system of Alior Bank SA Warsaw based in Poland, which also implements, from an IT point of view, the database verification methodology. As such, the messages communicated to customers after the date of termination of the contractual relationship with the bank were sent by the technical department of Alior Bank SA Warsaw in Poland, according to the requirements sent by the Alior Bank SA Branch in Bucharest.

Thus, it was found that the bank, after the termination of the contractual relationship with the clients, continued to monitor their activity and send messages regarding certain operations.

As such, it was found that the operator processed the personal data (such as e-mail address and telephone number) of the persons who concluded the contractual relationship with the bank for a purpose incompatible with the one for which the data were initially collected, in violation of the provisions of art. 5 para. (1) lit. a) and b) and art. 6 of Regulation (EU) no. 2016/679.

In this context, given the cross-border implications of the situation, Alior Bank SA, through its branch in Romania - Alior Bank SA Warsaw Bucharest Branch, was sanctioned with a fine by a Decision of the National Supervisory Authority for the Processing of Personal Data, according to the powers established by Regulation (EU) no. 2016/679 and Law no. 102/2005, republished.

At the same time, the National Supervisory Authority for the Processing of Personal Data also applied a corrective measure ordering the operator to regularly monitor compliance with the principles and rules provided by art. 5 and art. 6 of Regulation (EU) no. 2016/679, in order to avoid the illegal processing of the personal data of the persons concerned, and, in the situation where it would be necessary to reconfigure some systems or applications used in the processing of personal data, ordering Alior Bank SA Warsaw Bucharest Branch to inform Alior Bank SA from Poland of these aspects, in order to properly implement the principles provided by Regulation (EU) no. 2016/679.

Legal and Communication Department

A.N.S.P.D.C.P.