ANSPDCP (Romania) - Banca Comercială Română S.A.

From GDPRhub
Revision as of 14:06, 11 May 2020 by AL (talk | contribs)
ANSPDCP - Banca Comercială Română S.A.
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.04.2020
Published:
Fine: 5,000 EUR
Parties: Banca Comercială Română S.A.
National Case Number/Name: Banca Comercială Română S.A.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: n/a

The Romanian DPA (ANSPDCP) fined Banca Comercială Română S.A. 5,000 € for failing to implement adequate technical and organisational measures when processing personal data of adults and minors.

English Summary

Facts

Following a complaint, the ANSPDCP initiated investigation against the Romanian Bank Banca Comercială Română.

Dispute

Holding

The ANSPDCP found that the Bank "has not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing. At the same time, the controller has not taken measures to ensure that any natural person acting under his authority who has access to personal data only processes them at his request, unless this obligation is incumbent on him under the law. Union or national law.

Thus, it was found that there was a collection of copies of identity documents of individual customers (minors and legal representatives) through the personal phone of an employee of the operator, as well as transmissions of copies of these documents to the operator, through the Whatsapp application, in violation of the internal working procedure."


Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

Sanction for violating the RGPD

The National Supervisory Authority completed, on 14.04.2020, an investigation at the operator Banca Comercială Română S.A., finding the violation of the provisions regarding the security of processing, respectively art. 32 para. (4) in conjunction with art. 32 para. (1) and para. (2) of the General Data Protection Regulation.

The operator Banca Comercială Română S.A. was sanctioned with a fine in the amount of 24,163.50 lei, the equivalent of the amount of 5000 EURO.

The investigation was initiated following the receipt of a complaint, and during its conduct, the National Supervisory Authority found that Banca Comercială Română S.A. has not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing. At the same time, the controller has not taken measures to ensure that any natural person acting under his authority who has access to personal data only processes them at his request, unless this obligation is incumbent on him under the law. Union or national law.

Thus, it was found that there was a collection of copies of identity documents of individual customers (minors and legal representatives) through the personal phone of an employee of the operator, as well as transmissions of copies of these documents to the operator, through the Whatsapp application, in violation of the internal working procedure.