The National Supervisory Authority finalised on 25.01.2021 an investigation at ING Bank N.V. Amsterdam, Bucharest Branch and found the breach of the provisions of Article 29 and Article 32 paragraphs (2) and (4) of the General Data Protection Regulation.

Therefore, the controller ING Bank N.V. Amsterdam was sanctioned with a fine in amount of Lei 4.874,40 (the equivalent of Eur 1,000).

Following the receipt of a personal data breach notification from ING Bank N.V. Amsterdam an investigation was started and it was found that this controller sent, to two different dates, some files to a contractual partner, through a principal company, for the issuance of some insurance policies. The files sent contained information out of date, because the employees of the department for the monitoring of the insurance policies did no verify and process the insurance policies according to the Working procedure, 270 natural persons being affected.

Considering these aspects, it was established that the technical and organisational measures implemented by the controller before the incident were not sufficient, aspect that led to the breach of the personal data confidentiality.

Legal and Communication Department

ANSPDCP