Sanction for the infringement of GDPR
On 26 November 2020 the national supervisory authority finalised an investigation of the controller Banca Transilvania SA (Transilvania Bank) and found a violation of Article 32 paragraphs (1) and (2), read in conjunction with Article 5(1)(f), of the General Data Protection Regulation.
The controller Banca Transilvania SA was sanctioned with a fine of 487,380 lei (the equivalent of 100,000 euros).
The investigation was launched following the receipt of complaints regarding a breach of the confidentiality and security of personal data.
It was found that a statement the controller had requested from one of its clients, concerning how he intended to use a certain amount of money he wanted to withdraw from his account, was disclosed in the public space (online). The statement had been circulated among several Banca Transilvania employees on their professional email addresses. One of the employees printed the email containing the customer's statement, together with the email containing the internal conversation between the controller's employees. Another employee photographed the printed document with his mobile phone and distributed it through the WhatsApp application. The printed document was subsequently posted and distributed on the social network Facebook and on a website.
This situation led to the unauthorised disclosure of, and access to, personal data (name and surname, email addresses, behavioural data, personal preferences, financial transaction value, address of the place of work, position and place of work, professional telephone number) of 4 data subjects (1 client and 3 of the controller's own employees), even though, pursuant to Article 5(1)(f) of the General Data Protection Regulation, the controller was obliged to respect the principle of integrity and confidentiality of personal data.
During the investigation carried out at Banca Transilvania SA, the supervisory authority found that the controller had not taken sufficient measures to ensure that any natural person acting under the authority of the controller (the controller's employees) who has access to personal data processes that data only on the controller's instructions.
The disclosure in the public space also demonstrates the ineffectiveness of the controller's internal training of its employees in observing the personal data protection rules, even though employee training is an intrinsic part of the technical and organisational measures the controller was obliged to adopt in order to ensure a level of security appropriate to the risk of the processing; the controller thereby infringed Article 32 of the General Data Protection Regulation.
In this context, it was also taken into account that the disclosure of personal data in the public space (on the Internet) caused moral damage, as well as other significant economic or social disadvantages, to the natural persons affected by the data breach (the Banca Transilvania client).
Legal and Communication Department