ANSPDCP (Romania) - Fine against Libra Internet Bank SA

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(2) GDPR
Article 12(4) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Article 15(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 11.05.2023
Fine: 11.000 EUR
Parties: Libra Internet Bank SA
National Case Number/Name: Fine against Libra Internet Bank SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian authority fined a bank approximately 11.000€ for failing to properly answer an access request. The controller did not share a copy of all the data held about the data subject, including some video recordings, did not send the personal data in the format required by the data subject and did not respect the format requirements of Article 12(4).

English Summary

Facts

A data subject made an access request with Libra Internet Bank SA (data controller and a bank in Romania). The data subject requested a copy of their personal data, including some video recordings, to be sent to their physical address by mail. The controller failed to properly fulfil the access request, as required by the data subject and, as such, the data subject filed a complaint with the Romanian Data Protection Authority.

Holding

Following the complaint, the Romanian Data Protection Authority started an investigation against the controller and found that the controller failed to provide all the data requested by the data subject, in the requested format, in breach of GDPR Article 15(1), (2), and (3). Additionally, the controller sent the personal data by e-mail, contrary to the data subject's request to receive the data via post, and did not mention in its reply the possibility for the data subject to file a request with the Data Protection Authority for the missing parts of the personal data, in breach of GDPR Articles 12(4) and 15(3). The controller was fined approximately 1.000€ for this infringement.

Finally, during the investigation, the Romanian authority found that the controller did not implement sufficient technical and organisational measures that would facilitate the fulfilment of access requests, in particular, the access to video recordings, in breach of GDPR Articles 12(2), 15(3) and (4). The controller was fined approximately 10.000€ for this infringement.

In addition to the financial penalties, the Authority also required the controller to (1) answer the request as required by the data subject and in line with the GDPR requirements, and (2) implement sufficient technical and organisational measures that will allow the fulfilment of access requests, including access to personal data captured through video recordings.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

11.05.2023

Penalty for GDPR violation



The National Supervisory Authority completed, in March 2023, an investigation at the operator Libra Internet Bank SA and found a violation of the provisions of art. 12 and art. 15 of Regulation (EU) 2016/679.

As such, the operator was penalized:

with a fine of 4,940.5 lei (the equivalent of 1,000 EURO), for violating art. 12 para. (4) in conjunction with art. 15 para. (3) from Regulation (EU) 2016/679;

with a fine of 49,405 lei (the equivalent of 10,000 EURO), for violating art. 12 para. (2) in conjunction with art. 15 para. (3) and (4) of Regulation (EU) 2016/679.

The investigation was started as a result of a complaint that complained about the operator's refusal to fully comply with the request to exercise the right of access of the person concerned, as well as the failure to provide him with certain information.

During the investigation, the National Supervisory Authority found that Libra Internet Bank SA did not present evidence from which it could be concluded that it had sent a complete response to the request of the person concerned, by referring to the provisions of art. 15 para. (1) and (2) of Regulation (EU) 2016/679, since he did not communicate a copy (in the requested form) of the personal data processed and did not send the answer to the postal address mentioned in the contract, according to the request of the data subject, being violated thus the provisions of art. 15 para. (3) of Regulation (EU) 2016/679.

At the same time, it was found that the reply sent to the person concerned by e-mail did not contain information about the possibility of filing a complaint before a supervisory authority and introducing a judicial appeal for the refusal to communicate a copy of the video recording requested, thus violating the provisions of art. 12 para. (4), in conjunction with art. 15 para. (3) of Regulation (EU) 2016/679.

On the same occasion, the National Supervisory Authority noted that Libra Internet Bank SA did not present evidence to show that it had adopted measures to facilitate the exercise of the right of access of the persons concerned to the copies of the video recordings concerning them, processed by the operator, an aspect that also affected the manner in which the Authority's petitioner's request was resolved. Therefore, it was found that the provisions of art. 12 para. (2), related to art. 15 para. (3) and (4) of Regulation (EU) 2016/679.

At the same time, pursuant to art. 58 para. (2) lit. d) from Regulation (EU) 2016/679, the following corrective measures were ordered against the operator:

to respond to the request of the person concerned, by communicating all the information provided by art. 15 para. (1) and (2) of Regulation (EU) 2016/679 and of the copy of personal data provided by art. 15 para. (3) from the same regulation, adapted to the specific situation of the petitioner, in the format requested by him, by mail, to the correspondence dates indicated by him;

to adopt the appropriate technical and organizational measures, so as to facilitate the exercise of the rights of the data subjects, in particular, the right of access to a copy of their personal data that is the subject of processing, including through the use of computer programs that allow the editing of information of the nature infringe on the rights and freedoms of others.



Legal and Communication Department

A.N.S.P.D.C.P.