ANSPDCP (Romania) - Fine against Banca Comercială Română S.A.

From GDPRhub
ANSPDCP (Romania) - Fine against Banca Comercială Română S.A.
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(d) GDPR
Article 5(2) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Published: 19.05.2021
Fine: 2000 EUR
Parties: Banca Comercială Română S.A.
National Case Number/Name: Fine against Banca Comercială Română S.A.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined bank approximately €2,000 for the processing a complainant's personal data with out a valid legal basis, in enforcement proceedings for debts resulting from a credit agreement which he had no knowledge of.

English Summary


Following a complaint filed by a data subject, the Romanian DPA started an investigation against Banca Comerciala Romana S.A. (the Romanian Commercial Bank) and found that the bank unlawfully processed the complainant's personal data without his consent. As result, the complainant was wrongfully assigned as a financial guarantor for a company and later was subject to enforcement proceedings executed by a bailiff.


Banca Comerciala Romana S.A. was fined approximately EUR 2 000 (RON 9 855.8) and a corrective measure was imposed in order to assure future compliance with the GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

In April, the National Supervisory Authority completed an investigation at Banca Comercială Română S.A. and found a violation of the provisions of art. 5 para. (1) lit. a) and d), art. 5 para. (2) and art. 6 of the General Regulation on Data Protection.

Banca Comercială Română S.A., the controller, was sanctioned with a fine of 9,855.8 lei (equivalent to 2,000 euros).

The investigation was initiated following the receipt of a complaint claiming that Banca Comercială Română S.A. used, without consent, the personal data of a natural person in foreclosure proceedings for debts resulting from a credit agreement of which they were unaware.

The petitioner, therefore, complained about the unauthorized use of personal data for other purposes than those authorized, as well as the use of an address that was no longer relevant and for which the petitioner considered that the bank had illegally accessed a database. They also complained about the lack of information regarding the source of collecting this information according to art. 14 of the RGPD, as well as the failure to receive a response regarding several requests addressed to BCR S.A.

During the investigation, the National Supervisory Authority found that Banca Comercială Română S.A. processed the personal data of the petitioner without legal grounds, by erroneously assigning the status of guarantor in 2019, extracting outdated data, using and disclosing their personal data, in notification procedures carried out through a bailiff, regarding arrears to a bailiff credit agreement accumulated by a company, client of the bank, with which the petitioner had no relationship, in violation of art. 5 para. (1) lit. a) and d) and art. 5 para. (2), as well as of art. 6 of the RGPD.

The National Supervisory Authority applied to the controller Banca Comercială Română S.A. a corrective action to ensure compliance with the GDPR of the operations of collection and further processing of personal data, by implementing effective methods of respecting the exact and current nature of the data, from the moment of data collection and their entry in the controller's database; throughout the processing period; in this regard, the implementation of adequate and effective security measures will be considered, both from a technical point of view in terms of deleting inaccurate / outdated data, and from an organizational point of view, by training of data controllers under the authority of the controller.

In this respect, recital (39) RGPD states that “Any processing of personal data should be lawful and fair. (...) All reasonable steps should be taken to ensure that inaccurate personal data are rectified or deleted. (...) ”

As regards the lawfulness of the processing, recital (40) of the RGPD provides that “For the processing of personal data to be lawful, it should be carried out on the basis of the data subject's consent or on another legitimate reason in another act of Union or national law, as provided for in this Regulation, including the need to comply with the legal obligations to which the controller is subject or the need to perform a contract to which the data subject is a party or to go through the steps prior to the conclusion of a contract, at the request of the data subject. "