ANSPDCP (Romania) - 03.11.2023
Articles: Article 32 GDPR, Article 33 GDPR
Source: Romanian DPA (in RO)
OTP Bank Romania SA, a Romanian financial institution, was sanctioned with a fine of EUR 3,000 for failing to adopt technical and organizational measures under Article 32 GDPR and with a warning for failing to notify a data breach under Article 33 GDPR.
English Summary
Facts
The Romanian DPA opened an investigation after receiving a complaint; the investigation was finalized in October 2023. During the investigation, the DPA found that personal data pertaining to the petitioner had been sent by e-mail to another individual. The DPA considered that the controller had not adopted sufficient security measures in accordance with Article 32 GDPR, which led to a data breach affecting the petitioner's personal data. The DPA also found that the financial institution had failed to notify this data breach to the DPA, in violation of Article 33 GDPR.
Holding
The DPA imposed a fine of EUR 3,000 for the breach of Article 32 GDPR and a warning for the breach of Article 33 GDPR. The DPA also imposed corrective measures on the financial institution to ensure that its data processing operations comply with the GDPR, as follows: (a) to implement technical and organizational security measures appropriate to the specifics of the processing and the risks identified, throughout the data processing cycle, in particular by verifying the accuracy of the personal data processed, establishing appropriate rules for the drafting and management of files that can be transmitted by electronic (remote) means of communication, training the personnel who process personal data on behalf and under the authority of the financial institution, regularly verifying compliance with the instructions given to that personnel, and automating certain processes to reduce the risk of unlawful or unauthorized processing of personal data; and (b) to adopt the internal measures necessary for the rapid detection, management and reporting of personal data breaches (whether or not they require notification to the supervisory authority and/or the data subjects), together with appropriate and regular training of the personnel acting on behalf and under the authority of the controller.
Comment
Unfortunately, the Romanian DPA does not publish its full decisions.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
03.11.2023 Penalty for GDPR violation

In October 2023, the National Supervisory Authority for the Processing of Personal Data completed an investigation at the operator OTP BANK ROMANIA SA and found a violation of the provisions of art. 32 and art. 33 of Regulation (EU) 2016/679. As such, the operator was penalized: with a fine of 14,889.3 lei (the equivalent of EUR 3,000), for violating art. 32 of Regulation (EU) 2016/679; with a warning for violating art. 33 of Regulation (EU) 2016/679.

During the investigation carried out by the Supervisory Authority, an investigation carried out on the basis of a complaint, it was found that the operator did not adopt sufficient security measures according to art. 32 of the GDPR, which led to the security incident, by sending the personal data of the petitioner to another person by e-mail. At the same time, it was found that OTP Bank România SA did not notify the National Supervisory Authority for the Processing of Personal Data of the security incident that affected the petitioner's personal data, thus violating art. 33 of the GDPR.

The National Supervisory Authority for the Processing of Personal Data also applied corrective measures, ordering the operator the following: to ensure compliance with the GDPR of personal data processing operations, by implementing technical and organizational security measures appropriate to the specifics of the processing and the identified risks, throughout the data processing cycle, especially in terms of verifying the accuracy of the processed personal data, of establishing appropriate rules related to the drafting and management of files that can be transmitted through the use of electronic means of communication (at a distance), of training the persons who process data under its authority, of regularly checking compliance with the instructions sent to them, and of automating certain processes to reduce the risks of illegal or unauthorized processing of personal data; to ensure compliance with the GDPR of personal data processing operations, by adopting the internal measures necessary for the rapid detection, management and reporting of personal data security breaches (regardless of whether or not they would require notification to the supervisory authority and/or data subjects), as well as through appropriate and regular training of the persons who process data under the authority of the operator.

Legal and Communication Department A.N.S.P.D.C.P.