Home » Comunicat_17_12_2020
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

17.12.2020

Sanction for the infringement of GDPR

 

 

On the 26th of November 2020 the national supervisory authority finalised an investigation at controller Banca Transilvania SA (Transilvania Bank) and found a violation of the provisions of Article 32 paragraphs (1) and (2) in connection with Article 5 letter f) of the General Data Protection Regulation.

The controller Banca Transilvania SA was sanctioned with a fine of 487,380 lei (the equivalent of 100,000 euros).

The investigation was launched following the receipt of intimations regarding the breach of the confidentiality and security of the personal data.

It was found that the statement requested by the controller from one of its client regarding how he intended to use a certain amount of money he wanted to withdraw from his account was disclosed in the public space (online). This statement was distributed among several employees of Banca Transilvania on the professional email addresses. One of the employees listed the email containing the customer’s statement, as well as the email containing the internal conversation between the controller’s employees. Another employee took a photo of the listed document with his mobile phone and distributed it through the WhatsApp application. Subsequently, the listed document was posted and distributed on the social network Facebook and on a website.

This situation lead to the unauthorised disclosure and access to certain personal data (name and surname, email addresses, behavioural data, personal preferences, financial transaction value, address of the place of work, position and place of work, professional telephone number) of 4 data subjects (1 client and 3 own employees), although, pursuant to Article 5 letter f) of the General Data Protection Regulation, the controller had the obligation to respect the principle of integrity and confidentiality of personal data.

During the investigation performed at Banca Transilvania SA, the supervisory authority found that the controller did not take sufficient measure to ensure that any natural personal acting under the authority of the controller (employees of the controller) and who has access to personal data process personal data only following the request of the controller.

The disclosure produced in the public space also proves the inefficiency of the internal training of the controller’s employees regarding the observance of the personal data protection rules, although the employees training is an intrinsic part of the technical and organisational measures that the controller was obliged to adopt in order to ensure a level of security adequate to the risk of the processing, thus infringing the provisions of Article 32 of the General Data Protection Regulation.

In this context, it was also taken into account that the disclosure of personal data in the public space (on the Internet) generated a series of moral damages, as well as other significant economic or social disadvantages for the natural persons affected by the data breach (client of Banca Transilvania).

 

 

Legal and Communication Department

A.N.S.P.D.C.P