ANSPDCP (Romania) - ING Bank NV Amsterdam Sucursala București

From GDPRhub
ANSPDCP - ING Bank NV Amsterdam Sucursala București
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 21.11.2022
Fine: 20,000 EUR
Parties: ING Bank NV Amsterdam Sucursala București
National Case Number/Name: ING Bank NV Amsterdam Sucursala București
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ANSPDCP (in EN)
Initial Contributor: Daniela Duta

The Romanian DPA fined ING Bank NV Amsterdam Sucursala București €20,000 for a data breach, resulting in third parties having access to and consequently transferring money from the bank accounts of ING Bank's customers.

English Summary

Facts

A data breach was reported to the DPA by ING Bank NV Amsterdam Sucursala București (the controller). The controller stated that unauthorised access to and disclosure of some of its customers' (the data subjects') personal data had occurred. The affected data included identity card data, contact details, financial data (transactions and products held, card data), and usernames and passwords for the Internet Banking module (Home'Bank). As a result, third parties transferred money from the data subjects' bank accounts. Following the notification, the DPA opened an investigation into the controller.

Holding

During the investigation, the DPA found that the controller lacked adequate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing. In particular, the DPA held that this led to unauthorised disclosure of and access to personal data of the data subjects. The DPA underlined that, according to the principle of integrity and confidentiality laid down in Article 5(1)(f) GDPR, the controller had the obligation to process personal data in a way that ensured their adequate security. This included protection against unauthorised or unlawful processing and against accidental loss, destruction or accidental damage, by taking appropriate technical or organisational measures. The DPA therefore held that the controller violated Article 32(1) and (2) GDPR and fined the controller €20,000.

Comment

The Romanian DPA only publishes press releases, so no additional information on the decision was available. In the same week the DPA published another press release in which it sanctioned another large bank, Raiffeisen, with a high fine. Both decisions include the same reference to Article 5(1)(f) GDPR. You can find the GDPRhub summary on that decision here.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

21.11.2022

Penalty for GDPR violation

In October 2022, the National Supervisory Authority completed an investigation at the operator ING Bank NV Amsterdam Bucharest Branch and found a violation of the provisions of art. 32 para. (1) and para. (2) of the General Data Protection Regulation.

The operator was fined in the amount of 98,076.00 lei (the equivalent of 20,000 EURO).

The investigation was started as a result of the transmission by the operator of a notification regarding the violation of the security of personal data under the General Data Protection Regulation.

The notification was based on information according to which the personal data of some of the concerned persons was accessed and disclosed without authorization (identification data associated with the identity document; contact data; banking data (transactions and products owned, data associated with the card); Internet Banking (Home'Bank) module user and password), resulting in the performance of payment operations by third parties, affecting the personal data of these concerned persons.

During the investigation, it was found that the operator ING Bank NV Amsterdam Sucursala Bucharest did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk presented by the processing, generated in particular, accidentally or illegally, by unauthorized disclosure and unauthorized access to personal data transmitted, stored or processed in another way. This led to the unauthorized disclosure and unauthorized access to the personal data of those ING Bank NV Amsterdam Bucharest Branch customers.

We emphasize that, according to art. 5 para. (1) lit. f) of the RGPD, ING Bank NV Amsterdam Bucharest Branch had the obligation to process personal data in a way that ensures their adequate security, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, through taking appropriate technical or organizational measures ("integrity and confidentiality").

Both the operator ING Bank NV Amsterdam Sucursala Bucharest and the operator Raiffeisen Bank SA have paid the contravention fines.

Legal and Communication Department

A.N.S.P.D.C.P.