The National Supervisory Authority finalized in June this year an investigation at the controller ING BANK NV Amsterdam Sucursala București within which it found the breach of the provisions of Article 32 paragraph (1) letter b), paragraph (2) and paragraph (4) from the General Data Protection Regulation.

Therefore, ING BANK NV Amsterdam Sucursala București was sanctioned with fine in amount of Lei 14,889, the equivalent of EUR 3,000.

The investigation started following the submission by the controller of a personal data security breach notification based on the General Data Protection Regulation.

Within the investigation performed it was found that an unauthorized provisions, through WhatsApp, of a file .pdf format that contained personal data, took place.

This led to the loss of the confidentiality of the personal data of a significant number of clients of the controller.

Thus, the National Supervisory Authority found that ING BANK NV Amsterdam Sucursala București did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk, generated specifically, accidentally or unlawfully, by the destruction, loss, amendment, unauthorized disclosure or unauthorized access to the personal data stored or processed in another manner.

We underline that, according to Article 32 paragraph (4) from the General Data protection Regulation, the controller had the obligation to take measures in order to ensure that any natural person acting under the authority of the controller and that has access to the personal data processes them solely at the request of the controller.

Legal and Communication Department

A.N.S.P.D.C.P.