ANSPDCP (Romania) - Kredyt Inkaso Investments RO SA

From GDPRhub
Revision as of 19:23, 25 November 2022 by 82.76.234.10 (talk) (Changed “loan applicant” with “employee”)
ANSPDCP - Kredyt Inkaso Investments RO SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 9 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.05.2022
Published: 18.05.2022
Fine: 5000 EUR
Parties: anonymous
Kredyt Inkaso Investments RO S.A.
National Case Number/Name: Kredyt Inkaso Investments RO SA
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Heiko Hanusch

The Romanian DPA fined a credit institution and collection agency approximately €5,000 (24.740 RON) for unlawfully disclosing the personal data of an employee to doctors and medical units.

English Summary

Facts

The controller is a credit institution and collection agency called Kredyt Inkaso Investments RO SA. The data subject applied for a loan with the controller. After the data subject had learned that the controller might have shared his and his minor child's personal details with third parties, he lodged a complaint with the ANSPDCP (Romania). In the course of the investigation, the DPA found that the controller disclosed the data subject's information (home address, personal numerical code, position held, employment contract data, medical leave certificate data) to certain doctors and medical units. Moreover, it found that a security incident occurred in the course of the disclosure of the data to one of the doctors.

Holding

The ANSPDCP fined the controller approximately €5000 (24.740 RON) for violating Articles 5(1)(a), (c), (2), 6, 9 and 33 GDPR. The ANSPDCP especially found that legitimate interest is not a legal basis under Article 9 GDPR and that the security incident was not reported to the DPA within the time limit of Article 33(1) GDPR.

Comment

Since the ANSPDCP publishes only press releases and not its decisions in full, the publication contained no further details on the facts and legal reasoning.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

18.05.2022

Sanction for violating the RGPD



In April 2022, the National Supervisory Authority completed an investigation at the operator Kredyt Inkaso Investments RO S.A. and found a violation of the provisions of art. 5, art. 6, art. 9 and art. 33 of the General Data Protection Regulation (RGPD).

The operator was fined as follows:

fine in the amount of 24,740 lei (equivalent to the amount of 5000 EURO) for violating the provisions of art. 5 para. (1) lit. a), c), para. (2), art. 6 and art. 9 of the General Data Protection Regulation;

warning for violation of the provisions of art. 33 of the General Data Protection Regulation.

The investigation was initiated following a complaint from a data subject that Kredyt Inkaso Investments RO S.A. disclosed his personal data and that of his minor child to certain medical units.

In the course of the investigation, it was found that the operator disclosed the applicant's details (home address, personal numerical code, position held, employment contract data, medical leave certificate data) to certain doctors and certain medical units with which she had no legal relations.

It was also found that the processing of data on the health of the petitioner could not be carried out on the basis of legitimate interest as it is not among the processing conditions provided by art. 9 of the RGPD.

Therefore, the operator illegally processed the personal data of the petitioner by illegally and excessively disclosing them, including data on health status, in violation of the principles of processing provided by art. 5 para. (1) lit. a), c), para. (2) and the legality conditions provided by art. 6 and art. 9 of the RGPD.

At the same time, it was found that the operator Kredyt Inkaso Investments RO S.A. did not comply with the deadlines for notifying the security incident that occurred at the time of disclosing the petitioner's data to a doctor with whom the petitioner had no legal relations, thus violating the provisions of art. 33 of the RGPD.



Legal and Communication Department

A.N.S.P.D.C.P.