ANSPDCP (Romania) - ING Bank N.V. Amsterdam – Bucharest Branch (2)

From GDPRhub
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - ING Bank N.V. Amsterdam – Bucharest Branch (2)
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 25.01.2021
Published: 10.02.2021
Fine: 1000 EUR
Parties: ING Bank N.V. Amsterdam – Bucharest Branch
National Case Number/Name: ING Bank N.V. Amsterdam – Bucharest Branch (2)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Stefan Musat

The Romanian DPA (ANSPDCP) conducted an investigation into ING Bank N.V. Amsterdam – Bucharest Branch, following a personal data breach notification, and found that the controller sent files containing outdated information to a contractual partner, through a mandated company.

English Summary

Facts

A controller's contractual partner received from a controller's processor, on two different dates, files containing outdated information in order to issue insurance policies. As result, 270 individuals were affected.

Dispute

Does processing personal data by violating the working procedure leads to a violation of the GDPR?

Holding

The ANSPDCP found that the controller sent (through its processor) to a contractual partner, files containing outdated information. The data were outdated because the employees of the insurance policy monitoring department did not check and process the insurance policies in accordance with the working procedure. A number of 270 data subjects were affected because the technical and organizational measures implemented by the controller before the incident were not sufficient and led to the violation of the confidentiality of personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

Sanction for violating the RGPD

The National Supervisory Authority completed on 25.01.2021 an investigation at the operator ING Bank NV Amsterdam, Bucharest Branch and found a violation of the provisions of art. 29 and art. 32 para. (2) and (4) of the General Data Protection Regulation. 

As such, the operator ING Bank NV Amsterdam was sanctioned with a fine in the amount of 4,874.40 lei (equivalent to 1000 EURO). Following the receipt of a data breach notification from ING Bank NV Amsterdam, an investigation was launched and it was found that this operator transmitted, on two different dates, some files to a contractual partner, through a mandated company, for insurance policies. The submitted files contained out-of-date information, as employees of the insurance policy monitoring department did not check and process the insurance policies in accordance with the Working Procedure, affecting 270 individuals. 

In view of these issues, it was established that <em>the technical and organizational measures implemented by the operator before the incident were not sufficient, which led to the breach of the confidentiality of personal data.

Legal and Communication Department