
20.11.2024

Sanction for the breach of the GDPR


The National Supervisory Authority for Personal Data Processing completed, in October 2024, an investigation at the controller Raiffeisen Bank S.A. and found the infringement of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) letter b) and d) and paragraph (2) of Regulation (EU) 2016/679 (GDPR).

As such, the controller was sanctioned with a fine of 99,466 lei, the equivalent of 20,000 euros.

The investigation was opened after Raiffeisen Bank S.A. submitted three personal data breach notifications, described below.

The controller was notified by a customer who claimed that a loan had been contracted in his name.

During the investigation, it was found that an employee of the controller illegally used the client’s credit application, together with the other documents related to it, even though the client had informed Raiffeisen Bank S.A. that he was withdrawing the request.

The controller’s employee carried out cash withdrawal transactions from the ATM and bank transfer operations on behalf of several data subjects, the following categories of personal data being affected: name, surname, personal identification number, home/residence and mailing address, phone number and mobile phone number, date of birth, name and address of the employer, product IP, product/account status, grant date, grant term, amounts granted, amounts owed, due date, currency, frequency of payments, amount paid, monthly installment, outstanding amounts, number of outstanding installments, number of days of delay, category of delay, product closing date, number of queries, transaction history, direct debit contracts, deposits, savings account, investment funds.

As such, it was found that the controller Raiffeisen Bank S.A. did not take measures to ensure that natural persons acting under its authority with access to personal data process those data only on the controller’s instructions. This failure led to unauthorised access to and/or unauthorised disclosure, by its employee, of personal data transmitted, stored or processed through the computer applications used by the controller in its lending activity.

Raiffeisen Bank S.A. notified that two of its employees had provided confidential information about a customer’s transactions, via Facebook, Messenger and WhatsApp, to a former bank employee, who in turn forwarded it to the customer’s relatives.

During the investigation, it was found that Raiffeisen Bank S.A. did not take measures to ensure that natural persons acting under its authority with access to personal data process those data only on the controller’s instructions, which led to unauthorised access to and unauthorised disclosure of the customer’s data (name, surname, personal identification number, home/mailing address, account number, dates of transactions, amounts of transactions, beneficiaries of payments).

The controller was notified by a customer who complained about products he had not requested and about money missing from his account. Internal checks showed that an employee of Raiffeisen Bank S.A. had performed numerous illegal operations on behalf of several of the controller’s clients, including: repeated modification of contact details (phone and e-mail); use of the Smart Mobile service; opening current accounts; opening savings accounts; setting up and liquidating deposits; requesting credit products and filling in and signing the related documentation (credit/credit card); drawing up and signing payment orders; redeeming fund units; and applying for and using three debit cards.

During the investigation, it was found that, from 2015 until March 2023, the personal data of several customers of Raiffeisen Bank S.A. had been accessed and disclosed without authorisation through the actions of an employee of the controller, carried out in order to obtain financial products in the names of the affected data subjects.

Consequently, having regard to the criteria for individualising the sanction laid down in Article 83 paragraph (2) of Regulation (EU) 2016/679, the controller Raiffeisen Bank S.A. was fined 99,466 lei, the equivalent of 20,000 euros, for infringing Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) letters b) and d) and paragraph (2) of the GDPR.

At the same time, pursuant to Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the following corrective measures were ordered:

  • the technical and organisational implementation of a procedural plan that includes a process of periodic testing, evaluation and assessment of all actions that enter or update the personal data of data subjects (customers), including notification of the customer and the customer’s consent, in any form, to any change of personal data that can be carried out by employees of the controller Raiffeisen Bank S.A.;
  • in order to ensure that employees are regularly informed of the risks of unauthorised processing of personal data, this information must be disseminated at intervals of no more than six months, and the controller must be able to prove that each employee who has access to personal data and whose current duties involve processing customers’ data is aware of it.


Legal and Communication Department

A.N.S.P.D.C.P