ANSPDCP (Romania) - ING BANK NV Amsterdam Bucharest Branch

From GDPRhub
Revision as of 12:53, 22 August 2023 by Ba (talk | contribs) (I changed the description of the facts to put them in chronological order and other small changes.)
ANSPDCP - ING BANK NV Amsterdam Bucharest Branch
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: ING BANK NV Amsterdam Bucharest Branch
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Silvia Axinescu

The Romainan DPA fined Ing Bank NV €3,000 for sharing a .pdf file containing personal data from its clients through Whatsapp, in violation of Article 32(1)(b), (2) and (4) GDPR.

English Summary

Facts

The Ing Bank NV branch in Bucarest, as a controller, notified the Romanian DPA of a data breach under the GDPR. The DPA opened a procedure to further investigate the facts and found that the controller shared a .pdf file through Whatsapp containing personal data of a significant number of its customers.

Holding

After the investigations, the DPA found that there was breach of the confidentiality of the personal data of the bank's consumers.

The DPA held that the controller did not implement adequate technical and organizational measures to provide a level of security that is adequate and proportionate to the risks inherent to the processing of such data. In particular, the DPA held that the controller did not prevent the accidental or illegal destruction, loss , modification, unauthorized disclosure or unauthorized access to personal data under its control.

For this reason, the DPA found a violation of Article 32(1)(b), (2) and (4) GDPR and imposed a fine of RON 14,889, equivalent to €3,000.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

18.07.2023

A new penalty for breaching GDPR



In June of this year, the National Supervisory Authority completed an investigation at the operator ING BANK NV Amsterdam Bucharest Branch, in which it found a violation of the provisions of art. 32 para. (1) lit. b), paragraph (2) and par. (4) of the General Data Protection Regulation.

As such, ING BANK NV Amsterdam Bucharest Branch was fined 14,889 lei, the equivalent of 3,000 EURO.

The investigation was started as a result of the transmission by the operator of a notification of a breach of the security of personal data under the General Data Protection Regulation.

During the conducted investigation, it was found that there was an unauthorized transmission, through the WhatsApp application, of a .pdf format file containing personal data.

This situation led to the loss of confidentiality of the personal data of a significant number of the operator's customers.

Thus, the National Supervisory Authority found that ING BANK NV Amsterdam Bucharest Branch did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk of processing, generated, in particular, accidentally or illegally, by the destruction, loss , modification, unauthorized disclosure or unauthorized access to personal data stored or otherwise processed.

We emphasize that, according to art. 32 para. (4) of the General Regulation on Data Protection, the operator had the obligation to take measures to ensure that any natural person acting under the authority of the operator and who has access to personal data only processes them at the request of the operator.

Legal and Communication Department

A.N.S.P.D.C.P.