ANSPDCP (Romania) - Banca Comercială Română SA

From GDPRhub
Revision as of 14:16, 21 September 2022 by SR
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 25(1) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 19.09.2022
Fine: 2,000 EUR
Parties: Banca Comercială Română SA
National Case Number/Name: Banca Comercială Română SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Daniela Duta

A Romanian bank's inadequate technical and organisational safeguards led to a personal data breach in which e-mails containing personal data were sent to the wrong recipients. The Romanian DPA fined the bank €2,000 for breaching Article 25 and Article 32 GDPR.

English Summary

Facts

Banca Comercială Română SA, the data controller, notified the Romanian DPA of a personal data breach pursuant to Article 33 GDPR. According to the notification, the breach was caused by a technical error in one of the controller's IT applications.

In its investigation, the DPA found that e-mails containing the personal data of some customers had been sent to other customers. The breach affected 564 data subjects and led to the unauthorised disclosure of, or unauthorised access to, personal data including: name and surname, CNP (the Romanian personal numeric code), home address, telephone number and e-mail address, together with erroneously generated financial information on cumulative gain, cumulative loss, net gain, net loss, cumulative tax due, tax paid and tax to be recovered.

Holding

The DPA found that the controller had not implemented technical and organisational measures adequate to ensure a level of security appropriate to the risk of its processing. This amounted to a violation of Article 25(1), Article 32(1)(b), Article 32(1)(d) and Article 32(2) GDPR. Consequently, the DPA fined the controller €2,000 (9,864.8 lei).

Comment

This summary is based on the DPA's press release, which does not describe the nature of the technical error or the measures the bank has since taken.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

19.09.2022

A new penalty for breaching GDPR

The National Supervisory Authority completed an investigation at the controller Banca Comercială Română SA and found a violation of the provisions of Art. 25(1) and Art. 32(1)(b), (d) and 32(2) of the General Data Protection Regulation.

As a result, the controller was fined 9,864.8 lei (equivalent to EUR 2,000).

The investigation was opened following a data security breach notification submitted by Banca Comercială Română SA under Art. 33 of the General Data Protection Regulation.

According to the notification form, the breach of processing security occurred as a result of a technical error in an IT application of the controller.

During the investigation it was found that e-mails containing the personal data of some customers had been sent to other customers.

This breach of data security led to the unauthorised disclosure of, or unauthorised access to, personal data such as: name and surname, CNP, home address, telephone number and e-mail address, together with erroneously generated financial information on cumulative gain, cumulative loss, net gain, net loss, cumulative tax due, tax paid and tax to be recovered. A total of 564 data subjects, clients of the bank, were affected by the incident.

At the same time, the National Supervisory Authority found that Banca Comercială Română SA had not taken adequate technical and organisational measures to ensure a level of security appropriate to the processing risk, thereby violating the provisions of Art. 25(1) and Art. 32(1)(b), (d) and 32(2) of the General Data Protection Regulation.

Legal and Communication Department

A.N.S.P.D.C.P.