ANSPDCP - Fine against Banca Transilvania SA
|Relevant Law:|Article 5(1)(f) GDPR; Article 32(1) GDPR; Article 32(2) GDPR; Article 29 GDPR|
|Parties:|Banca Transilvania SA|
|National Case Number/Name:|ANSPDCP - Fine to Banca Transilvania SA|
|European Case Law Identifier:|n/a|
|Original Source:|ANSPDCP (in RO)|
|Initial Contributor:|Stefan Musat|
The Romanian DPA fined a bank €100,000 for unlawful disclosure of personal data, insufficient employee compliance training and for not ensuring that persons acting under its authority with access to personal data only process that data at the request of the controller.
English Summary
Facts
The Romanian DPA (ANSPDCP) received several complaints regarding a security breach of personal data, where an employee of the bank (the controller) had shared a statement about a customer (the data subject) on how they intended to use a certain amount of money that they wanted to withdraw from their account.
This statement was distributed to several other employees at their work e-mail addresses. One of the employees printed the e-mail containing the data subject's statement, together with the e-mail containing the internal conversation between the controller's employees. Another employee photographed the printed statement with his mobile phone and distributed it via WhatsApp. Subsequently, the printed text was also posted and distributed on Facebook and on a website.
Overall, the disclosed personal data belonged to four individuals (one customer and three employees) and included first and last names, e-mail addresses, work phone number, job title and location, work address, behavioural data, personal preferences and the value of a financial transaction.
Holding
The Romanian DPA held that sharing the personal data violated Article 5(1)(f) GDPR and demonstrated the ineffectiveness of the controller's employee compliance training, in violation of Article 32 GDPR.
The DPA also noted that the controller did not take sufficient measures to ensure that persons acting under its authority (namely its employees) and having access to personal data processed them only at the request of the controller. Finally, the DPA also took into account that the disclosure of personal data in the public space (on the internet) caused moral damage, as well as other significant disadvantages of an economic or social nature, to the affected data subject.
Comment
This decision was appealed by Banca Transilvania SA. However, the Cluj Court of Appeal (Civil Decision no. 9 of 13.04.2022) confirmed the fine of €100,000 imposed by the ANSPDCP.
Although the DPA does not specifically refer to Article 29 GDPR, it is clear that the decision also relates to this provision.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
The National Supervisory Authority completed on 26.11.2020 an investigation at the operator Banca Transilvania SA and found a violation of the provisions of art. 32 para. (1) and (2) corroborated with art. 5 lit. f) of the General Regulation on Data Protection. The operator Banca Transilvania SA was fined 487,380 lei (equivalent to 100,000 EURO). The investigation was launched following the receipt of complaints regarding the breach of confidentiality and security of personal data. It was found that the statement requested by the operator from one of its customers, regarding how he intended to use a certain amount of money that he wanted to withdraw from his account, ended up in the public space (online). This statement was distributed among several employees of Banca Transilvania at their work e-mail addresses. One of the employees listed the e-mail containing the customer's statement, as well as the e-mail containing the internal conversation between the operator's employees. Another employee photographed the listed document with his mobile phone and distributed it through the WhatsApp application. Subsequently, the listed document was posted and distributed on the social network Facebook and on a website. This situation led to the disclosure of and unauthorized access to certain personal data (name and surname, e-mail addresses, behavioural data, personal preferences, financial transaction value, place of work, position and work address, work telephone number) of 4 data subjects (one client and 3 of its own employees), although according to art. 5 lit. f) of the General Regulation on Data Protection, the operator had the obligation to respect the principle of integrity and confidentiality of personal data.
During the investigation carried out at Banca Transilvania SA, the Supervisory Authority found that the operator did not take sufficient measures to ensure that any natural person acting under the authority of the operator (employees of the operator) and who has access to personal data does not process them other than at the request of the operator. The disclosure produced in the public space also proves the inefficiency of the internal training of the operator's employees regarding the observance of the personal data protection norms of the data subjects, although employee training is an intrinsic part of the technical and organizational security measures, corresponding to the processing risk, that the operator was obliged to adopt, thus violating the provisions of art. 32 of the General Regulation on Data Protection. In this context, it was also taken into account that the disclosure of personal data in the public space (on the Internet) generated a number of moral damages, as well as other significant economic or social disadvantages, for the individual affected by the security incident (client of Banca Transilvania).
Legal and communication department ANSPDCP