12.01.2024
Sanction for the GDPR infringement
Based on the cooperation mechanism provided under Regulation (EU) 2016/679, the National Supervisory Authority for Personal Data Processing completed an investigation of the controller Alior Bank SA, through its Romanian branch, Alior Bank SA Warsaw Bucharest Branch, in which it found a breach of the provisions of Article 5 paragraph (1) letters a) and b) and of Article 6 of Regulation (EU) 2016/679.
Therefore, the controller was sanctioned with a fine in the amount of Lei 84,491.7 (the equivalent of EUR 17,000).
The investigation was started following complaints submitted by a data subject, which reported a possible breach of the provisions of Regulation (EU) 2016/679 by the controller.
Thus, the claimant (a former client) reported that the controller had sent him unsolicited electronic correspondence, both to his e-mail address and by SMS, although he had previously requested the erasure of all his personal data, an aspect that was confirmed by the controller both through the communication of the termination of all banking agreements concluded and through the closing of all corresponding bank accounts.
Also, the controller reported the fact that previously there had also been situations in which the controller sent commercial correspondence by e-mail, although he had exercised the right to object.
The investigation performed by the National Supervisory Authority for Personal Data Processing, in consultation with the Data Protection Authority of Poland, showed that Alior Bank SA Warsaw Bucharest Branch owned several communication applications and systems for customers.
The information system of Alior Bank SA Warsaw Bucharest Branch was integrated into the centralized system of Alior Bank SA Warsaw, headquartered in Poland, which also implemented, from an information technology point of view, the database verification methodology. Therefore, the messages communicated to the clients after the date of termination of the contractual relationship with the bank were provided to the technical department of Alior Bank SA Warsaw in Poland, according to the requirements provided by the Alior Bank SA Bucharest Branch.
Therefore, it was found that the bank, after the termination of the contractual relationship with the clients, continued to monitor their activity and to send messages regarding certain operations.
Thus, it was found that the controller processed personal data (such as the e-mail address and telephone number) of persons who had terminated the contractual relationship with the bank for a purpose incompatible with the one for which the data were initially collected, thereby breaching the provisions of Article 5 paragraph (1) letters a) and b) and of Article 6 of Regulation (EU) 2016/679.
In this context, with reference to the cross-border implications of the situation, Alior Bank SA, through its Romanian branch, Alior Bank SA Warsaw Bucharest Branch, was sanctioned with a fine through a decision of the National Supervisory Authority for Personal Data Processing, according to the tasks provided under Regulation (EU) 2016/679 and Law no. 102/2005, republished.
At the same time, the National Supervisory Authority for Personal Data Processing also applied a corrective measure ordering the controller to regularly monitor the observance of the principles and rules provided under Article 5 and Article 6 of Regulation (EU) 2016/679, in order to avoid the unlawful processing of the personal data of data subjects. In case the reconfiguration of some systems or applications used for the processing of personal data would be necessary, Alior Bank SA Warsaw Bucharest Branch is to bring these aspects to the knowledge of Alior Bank SA from Poland, with the purpose of the corresponding implementation of the principles provided under Regulation (EU) 2016/679.
Legal and Communication Department
A.N.S.P.D.C.P.