ANSPDCP (Romania) - ING Bank NV Amsterdam Sucursala București: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_...")
 
(/* Facts * Changed the facts so it became easier to read and less of an automated translation.)
Line 68: Line 68:


=== Facts ===
=== Facts ===
The investigation was started after a data breach notification from the controller to the Romanian DPA .  
The DPA received a notification of a data breach from ING Bank NV Amsterdam Sucursala București (the controller). The controller stated that personal data of some of its customers (the data subjects) were accessed and disclosed without authorisation. The data included identification data associated with the identity card, contact data, banking data (transactions and products held, card data) and usernames and passwords of the Internet Banking module (Home'Bank). As a result, payment transactions were carried out by third parties, affecting the personal data of these data subjects.  


The incident resulted in the unauthorized disclosure and unauthorized access to the customers personal data, (identification data associated with the identity document; contact data; banking data (transactions and products owned, data associated with the card ); Internet Banking (Home'Bank) user and password, resulting in the performance of payment operations by third parties.
Following the notification, the DPA started an investigation into the controller. During the investigation, the DPA found that the controller.  
 
During the investigation, it was found that the controller ING Bank NV Amsterdam Sucursala Bucharest did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk presented by the processing, generated in particular, accidentally or illegally, by unauthorized disclosure and unauthorized access to personal data transmitted, stored or processed. This led to the unauthorized disclosure and unauthorized access to the personal data of those ING Bank NV Amsterdam Bucharest Branch customers.


=== Holding ===
=== Holding ===
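Review bot: The replacement Facts text ends on an unfinished sentence, "During the investigation, the DPA found that the controller.", so the new revision no longer says what the investigation found. The removed paragraph did state it: the controller did not implement adequate technical and organizational measures to ensure a level of security corresponding to the risk. Either complete the sentence with that finding or drop it and let the Holding section carry the point.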

Revision as of 09:33, 29 November 2022

ANSPDCP - ING Bank NV Amsterdam Sucursala București
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 21.11.2022
Fine: 20,000 EUR
Parties: ING Bank NV Amsterdam Sucursala București
National Case Number/Name: ING Bank NV Amsterdam Sucursala București
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ANSPDCP (in EN)
Initial Contributor: Daniela Duta

The Romanian DPA fined ING Bank NV Amsterdam Sucursala București €20,000 for unauthorized disclosure of and unauthorized access to customers' personal data, resulting in the performance of payment operations by third parties. Consequently, the Romanian DPA fined the controller for violating Article 32(1) GDPR and Article 32(2) GDPR.

English Summary

Facts

The DPA received a notification of a data breach from ING Bank NV Amsterdam Sucursala București (the controller). The controller stated that personal data of some of its customers (the data subjects) were accessed and disclosed without authorisation. The data included identification data associated with the identity card, contact data, banking data (transactions and products held, card data) and usernames and passwords of the Internet Banking module (Home'Bank). As a result, payment transactions were carried out by third parties, affecting the personal data of these data subjects.

Following the notification, the DPA started an investigation into the controller. During the investigation, the DPA found that the controller.

Holding

The DPA found that the controller lacked adequate technical and organizational measures to ensure a level of confidentiality and security appropriate to the risk of processing pursuant to Article 32(1) GDPR and Article 32(2) GDPR.

The DPA therefore held that the controller violated Article 32(1) GDPR and Article 32(2) GDPR and fined the controller €20,000.

Comment

The Romanian DPA only publishes press releases, therefore no additional information was available on the decision.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

21.11.2022

Penalty for GDPR violation



In October 2022, the National Supervisory Authority completed an investigation at the operator ING Bank NV Amsterdam Bucharest Branch and found a violation of the provisions of art. 32 para. (1) and para. (2) of the General Data Protection Regulation.

The operator was fined in the amount of 98,076.00 lei (the equivalent of 20,000 EURO).

The investigation was started as a result of the transmission by the operator of a notification regarding the violation of the security of personal data under the General Data Protection Regulation.

The notification was based on information according to which the personal data of some of the concerned persons was accessed and disclosed without authorization (identification data associated with the identity document; contact data; banking data (transactions and products owned, data associated with the card); Internet Banking (Home'Bank) module user and password), resulting in the performance of payment operations by third parties, affecting the personal data of these concerned persons.

During the investigation, it was found that the operator ING Bank NV Amsterdam Sucursala Bucharest did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk presented by the processing, generated in particular, accidentally or illegally, by unauthorized disclosure and unauthorized access to personal data transmitted, stored or processed in another way. This led to the unauthorized disclosure and unauthorized access to the personal data of those ING Bank NV Amsterdam Bucharest Branch customers.

We emphasize that, according to art. 5 para. (1) lit. f) of the RGPD, ING Bank NV Amsterdam Bucharest Branch had the obligation to process personal data in a way that ensures their adequate security, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, through taking appropriate technical or organizational measures ("integrity and confidentiality").

Both the operator of ING Bank NV Amsterdam Sucursala Bucharest and the operator of Raiffeisen Bank SA have paid the contravention fines.



Legal and Communication Department

A.N.S.P.D.C.P.