ANSPDCP (Romania) - Banca Comercială Română SA

From GDPRhub
Revision as of 09:06, 21 September 2022

ANSPDCP - Banca Comercială Română SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 25(1) GDPR, Article 32(1)(b) GDPR, Article 32(1)(d) GDPR, Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 19.09.2022
Fine: 2,000 EUR
Parties: Banca Comercială Română SA
National Case Number/Name: Banca Comercială Română SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Daniela Duta

A Romanian bank, acting as data controller, suffered a personal data breach when a technical error in one of its IT applications caused e-mails containing customers' personal data to be sent to the wrong customers. The Romanian DPA found the bank's technical and organizational safeguards inadequate and fined it €2,000 for breaching Article 25 GDPR and Article 32 GDPR.

English Summary

Facts

Banca Comercială Română SA, the data controller, notified the Romanian DPA of a personal data breach pursuant to Article 33 GDPR. According to the notification, the breach was caused by a technical error in one of the bank's IT applications.

In its investigation, the DPA found that e-mails containing the personal data of some customers had been sent to other customers. The breach affected 564 data subjects and led to the unauthorized disclosure of, or unauthorized access to, personal data including name and surname, CNP (the Romanian personal identification number), home address, telephone number and e-mail address, together with erroneously generated financial information: cumulative gain, cumulative loss, net gain, net loss, cumulative tax due, payment tax and tax to be recovered.

The DPA concluded that the controller had not implemented technical and organizational measures adequate to ensure a level of security appropriate to the risk of its processing of personal data.

Holding

The Romanian DPA held that the controller's inadequate technical and organizational safeguards, which culminated in the personal data breach, amounted to a violation of Article 25(1) GDPR, Article 32(1)(b) GDPR, Article 32(1)(d) GDPR and Article 32(2) GDPR. Consequently, the DPA fined the controller €2,000.

Comment

This summary is based on the DPA's press release.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

19.09.2022

A new penalty for breaching GDPR

The National Supervisory Authority completed an investigation at the controller Banca Comercială Română SA and found a violation of the provisions of art. 25 para. (1) and art. 32 para. (1) lit. b), d) and para. (2) of the General Data Protection Regulation.

As such, the controller was fined 9,864.8 lei (equivalent to EUR 2,000).

The investigation was started as a result of a data security breach notification that was sent by Banca Comercială Română SA, based on the provisions of art. 33 of the General Data Protection Regulation.

According to the notification form, the data security breach occurred as a result of a technical error in one of the controller's IT applications.

During the investigation it was found that e-mails containing the personal data of some customers were sent to other customers.

This data security breach led to the unauthorized disclosure of, or unauthorized access to, personal data such as name and surname, CNP, home address, telephone number and e-mail address, together with erroneously generated financial information regarding cumulative gain, cumulative loss, net gain, net loss, cumulative tax due, payment tax and tax to be recovered; the incident affected 564 natural persons, clients of the bank.

At the same time, the National Supervisory Authority found that Banca Comercială Română SA did not take adequate technical and organizational measures to ensure a level of security corresponding to the processing risk, thereby violating the provisions of art. 25 para. (1) and art. 32 para. (1) lit. b), d) and para. (2) of the General Data Protection Regulation.

Legal and Communication Department

A.N.S.P.D.C.P.