The National Supervisory Authority finalized in May 2023 an investigation at the controller BRD–Groupe Société Générale S.A. and found the breach of the provisions of Article 5 paragraph (1) letters a), b) and f) and paragraph (2) from Regulation (EU) 2016/679.

Therefore, the controller was sanctioned with fine in amount of Lei 9,916 (the equivalent of EUR 2,000).

The investigation was started following a personal data security breach notification, according to the provisions of Article 33 from Regulation (EU) 2016/679.

Within the investigation performed it was found that the controller illegally disclosed personal and financial data of a client of the bank and of other persons, data that were provided to a judicial court, without existing a request of the latter and without previously taking measures through which the legitimacy of such disclosure of the personal data to be verified.

At the same time, also corrective measures were applied to the controller:

to ensure the compliance with Regulation (EU) 2016/679 of the collection and subsequent processing of personal data operations, so as the illegal disclosure of the personal data processed to be avoided;
the application of adequate security and confidentiality measures (for example, pseudonymization) by establishing clear procedures on the provision of the personal data to the judicial courts and/or justice seekers, as well as the regular training of the persons processing data under the authority of the controller and the corresponding involvement in these activities of the data protection officer according to Articles 37-39 from Regulation (EU) 2016/679.

Legal and Communication Department

A.N.S.P.D.C.P.