ANSPDCP - Fine against Banca Transilvania SA

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Decided:
Published: 17.12.2020
Fine: 100,000 EUR
Parties: Banca Transilvania SA
National Case Number/Name: ANSPDCP - Fine to Banca Transilvania SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Stefan Musat

The Romanian DPA (ANSPDCP) fined a bank €100,000 for taking insufficient measures to ensure that any person acting under its authority with access to personal data processes that data only on the controller's instructions.

English Summary

Facts

The Romanian DPA (ANSPDCP) received several complaints concerning a personal data security breach. A customer's statement, which was later disclosed in the public space (online), had been shared among several employees via their work e-mail accounts. One of the employees printed the e-mail containing the customer's statement, together with the e-mail containing the internal conversation between the controller's employees. Another employee photographed the printed document with his mobile phone and distributed it through the WhatsApp application. Subsequently, the printed document was posted and distributed on Facebook and on a website.

Dispute

Did the controller implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, as required by Article 32(1) GDPR?

Holding

The ANSPDCP found that the controller did not take sufficient measures to ensure that any person acting under its authority (namely the controller's employees) and having access to personal data processes that data only on the controller's instructions. The disclosed personal data belonged to four individuals (one client and three employees) and consisted of: name and surname, e-mail addresses, behavioural data, personal preferences, financial transaction value, place of work, position, and work telephone number.

The Romanian DPA stated that the controller had not fulfilled its obligation under Article 5(1)(f) GDPR to respect the principle of integrity and confidentiality of personal data. It also noted that, although the controller had trained its employees, the disclosure of the personal data showed that this training had been ineffective.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

On 26.11.2020 the National Supervisory Authority completed an investigation at the operator Banca Transilvania SA and found a violation of the provisions of art. 32 para. (1) and (2), read together with art. 5 lit. f) of the General Data Protection Regulation. The operator Banca Transilvania SA was fined 487,380 lei (equivalent to 100,000 EUR).

The investigation was launched following the receipt of complaints regarding the breach of confidentiality and security of personal data. 

It was found that a statement requested by the operator from one of its customers, regarding how he intended to use a certain amount of money he wished to withdraw from his account, ended up in the public space (online). This statement had been distributed among several employees of Banca Transilvania on their work e-mail addresses. One of the employees printed the e-mail containing the customer's statement, as well as the e-mail containing the internal conversation between the operator's employees. Another employee photographed the printed document with his mobile phone and distributed it through the WhatsApp application. Subsequently, the printed document was posted and distributed on the social network Facebook and on a website. This situation led to the disclosure of, and unauthorised access to, certain personal data (name and surname, e-mail addresses, behavioural data, personal preferences, financial transaction value, place of work, position, and work telephone number) of 4 data subjects (one client and 3 of the operator's own employees), although according to art. 5 lit. f) of the General Data Protection Regulation the operator had the obligation to respect the principle of integrity and confidentiality of personal data.

During the investigation carried out at Banca Transilvania SA, the Supervisory Authority found that the operator did not take sufficient measures to ensure that any natural person acting under the authority of the operator (the operator's employees) and who has access to personal data does not process it other than on the operator's instructions. The disclosure in the public space also demonstrates the ineffectiveness of the operator's internal training of its employees on compliance with the data protection rules, even though employee training is an intrinsic part of the technical and organisational measures the operator was obliged to adopt in order to ensure a level of security appropriate to the processing risk; the operator thereby violated the provisions of art. 32 of the General Data Protection Regulation.

In this context, it was also taken into account that the disclosure of personal data in the public space (on the Internet) caused moral damage, as well as other significant economic or social disadvantages, to the individual affected by the security incident (a client of Banca Transilvania).

Legal and communication department 
ANSPDCP