ANSPDCP - ING Bank N.V. Amsterdam – Bucharest Branch (2)

From GDPRhub
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 25.01.2021
Published: 10.02.2021
Fine: 1000 EUR
Parties: ING Bank N.V. Amsterdam – Bucharest Branch
National Case Number/Name: ING Bank N.V. Amsterdam – Bucharest Branch (2)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Stefan Musat

The Romanian DPA (ANSPDCP) conducted an investigation into ING Bank N.V. Amsterdam – Bucharest Branch, following a personal data breach notification, and found that the controller sent files containing outdated information to a contractual partner, through a mandated company.

English Summary

Facts

The controller's contractual partner received from the controller's processor, on two different dates, files containing outdated information in order to issue insurance policies. As a result, 270 individuals were affected.

Dispute

Does processing personal data in violation of the working procedure lead to a violation of the GDPR?

Holding

The ANSPDCP found that the controller sent, through its processor, files containing outdated information to a contractual partner. The data were outdated because the employees of the insurance policy monitoring department did not check and process the insurance policies in accordance with the working procedure. A total of 270 data subjects were affected because the technical and organizational measures implemented by the controller before the incident were not sufficient and led to the violation of the confidentiality of personal data.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

Sanction for violating the GDPR

The National Supervisory Authority completed on 25.01.2021 an investigation at the operator ING Bank NV Amsterdam, Bucharest Branch and found a violation of the provisions of art. 29 and art. 32 para. (2) and (4) of the General Data Protection Regulation. 

As such, the operator ING Bank NV Amsterdam was sanctioned with a fine in the amount of 4,874.40 lei (equivalent to 1000 EURO). Following the receipt of a data breach notification from ING Bank NV Amsterdam, an investigation was launched and it was found that this operator transmitted, on two different dates, some files to a contractual partner, through a mandated company, for insurance policies. The submitted files contained out-of-date information, as employees of the insurance policy monitoring department did not check and process the insurance policies in accordance with the Working Procedure, affecting 270 individuals. 

In view of these issues, it was established that the technical and organizational measures implemented by the operator before the incident were not sufficient, which led to the breach of the confidentiality of personal data.

Legal and Communication Department