ANSPDCP (Romania) - Alpha Bank România SA

From GDPRhub
ANSPDCP - Alpha Bank România SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 29.08.2022
Fine: 1,000 EUR
Parties: Alpha Bank România SA
National Case Number/Name: Alpha Bank România SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Daniela Duta

The Romanian DPA fined Alpha Bank România €1,000 for sending a document that contained personal data of four people to another recipient through WhatsApp by mistake.

English Summary

Facts

The investigation was started after a data breach notification from Alpha Bank Romania (controller) to the Romanian DPA pursuant to Article 33 GDPR. The controller reported that a document was sent to another recipient through WhatsApp by mistake.

The incident resulted in the unauthorized disclosure of or unauthorized access to the personal data of 4 data subjects, such as their name and surname, personal identification number, position and signature, type of credit, number and date of contract signature, credit period and the last due date.

Holding

The DPA found that the controller lacked adequate technical and organizational measures to ensure a level of confidentiality and security appropriate to the risk of processing pursuant to Article 32(1)(b) and (2) GDPR. Furthermore, it failed to take sufficient measures to ensure that its employees who had access to personal data did not process them unless instructed to do so pursuant to Article 32(4) and Article 29 GDPR.

The DPA therefore held that the controller violated Article 29 and Article 32(1)(b), (2), and (4) GDPR and fined the controller €1,000.

In addition, the DPA ordered the controller to review and update its technical and organizational measures, by:

  • providing instructions on the prohibition of the use of employees' personal equipment (e.g. mobile phones) in customer relations for communication apps and online chat services not authorized by the controller; and
  • adopting measures to educate its employees on the risks and consequences of unlawful disclosure of personal data.

Comment

The Romanian DPA only publishes press releases, therefore no additional information was available on the decision.

Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

In July 2022, the National Supervisory Authority completed an investigation at the operator Alpha Bank România SA and found a violation of the provisions of art. 29 and art. 32 para. (1) lit. b), paragraph (2) and para. (4) of the General Data Protection Regulation.

As such, the operator was penalized for contravention with a fine of 4,935.10 lei (equivalent to 1000 EURO).

The investigation was started as a result of a data security breach notification that was sent by Alpha Bank Romania SA, based on the provisions of art. 33 of the General Data Protection Regulation.

Thus, according to what is mentioned in the notification form, the violation of the security of data processing occurred as a result of the fact that a document was sent to another recipient, by mistake, by using the Whatsapp application.

During the investigation it turned out that this violation led to the unauthorized disclosure of or unauthorized access to certain personal data, such as: name and surname, CNP, position and signature, type of credit, number and date of signing the contract, period of credit and the date of the last due date, with 4 natural persons concerned being affected by the incident.

The National Supervisory Authority found that Alpha Bank Romania SA did not implement adequate technical and organizational measures to ensure a level of confidentiality and security corresponding to the processing risk and did not take sufficient measures to ensure that any natural person acting under the authority of the operator who has access to personal data only processes them at the operator's request.

At the same time, under art. 58 para. (2) lit. d) from the General Regulation on Data Protection, the following corrective measures were ordered against the operator:

  • reviewing and updating the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including work procedures related to the protection of personal data, by implementing and transmitting to the responsible persons instructions regarding the prohibition of the use of employees' personal equipment (e.g. mobile phone) in customer relations for communication applications/online chat services not authorized by the Bank;
  • the adoption of measures regarding the training of persons acting under the operator's authority, including regarding the risks and consequences involved in the disclosure of personal data.
Legal and Communication Department