Final decision on the 100,000 EUR fine
By final Civil Decision no. 9 of 13.04.2022, the Cluj Court of Appeal confirmed the fine of EUR 100,000 imposed by the Supervisory Authority on Banca Transilvania for breaching Article 32 paragraphs (1) and (2), read together with Article 5 paragraph (1) letter f), of the General Data Protection Regulation.
The same outcome in favour of the Supervisory Authority had already been reached at first instance, in Civil Decision no. 1309 of 6 May 2021 of the Cluj Tribunal, which the appeal court upheld in full. The Tribunal found that the “writ of summons filed by the claimant Banca Transilvania SA against the defendant Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal is unfounded and will be rejected, the contravention report no. 23409 drawn up by the defendant on 26.11.2020 being maintained as fully lawful and well-founded.”
In reaching this decision, “the Tribunal points out that the Regulation introduced a higher level of responsibility for the data controller compared with Directive 95/46/EC on data protection, and Articles 25 and 32 of the Regulation provide that controllers ‘take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by such processing’”.
The court also correctly held the following:
“In this case, in order to prove its diligent conduct regarding the training of its personnel in the field of personal data, the claimant submitted several internal regulations as well as proof of having organised courses on this subject, but it is important to underline that neither the actual participation of the personnel in these trainings nor the actual application of any method of verifying that this knowledge and information had been acquired was proved.
Moreover, the claimant's assertions that adequate measures had been taken to implement the provisions of the Regulation are contradicted by the very facts established in the record of findings, which are undisputed and which attest to the intentional and unauthorised disclosure, by persons under the authority of the Bank, of a significant set of personal data (some belonging to the category of extremely sensitive data) to a very large number of persons.
The openness with which the claimant's employees acted, passing the personal data of the bank's client from one to another and subsequently to third parties through the WhatsApp application, confirms not only their ignorance of the working procedures on the processing of personal data but, more specifically (and more seriously), their inability to identify and classify the data to which they had access as personal data, which proves an acute lack of effective training.
Therefore, although the claimant submitted to the file, in certified copy, excerpts from various internal procedures, it did not prove, on the one hand, the effective training of the three employees who caused the security incident, nor, on the other hand, that it had applied control and evaluation mechanisms to ensure that its employees had taken note of the internal regulations in question.
Consequently, the documents provided by the claimant to prove the implementation of adequate technical and organisational measures are not capable of proving that an adequate level of security was ensured as regards the ability to ensure confidentiality and the regular testing, assessing and evaluating of the effectiveness of the technical and organisational measures for ensuring the security of the processing.”
Regarding the consequences of the breach, the Cluj Tribunal found that “these were correctly classified by the defendant as serious in view of the quantity of personal data disseminated by the employees of the Bank, their sensitive nature, the manner of dissemination (via the Internet, the e-mail containing the data of the Bank's client circulating intensively in the public space, with summary information being picked up by blogs, TV channels and news websites as well), and the extremely high number of persons who had access to the data of the Bank's client for a period of time impossible to determine, following the dissemination of the information through the most diverse means, all of which give a correct overview of the scale and gravity of the consequences of the security incident.
Moreover, the claimant admitted, with regard to the manner in which the personal data were disseminated, that the measures taken to limit the consequences of the security breach were not “feasible”, the scale of their dissemination in the public space being evidently beyond control.
The defendant also duly applied the criteria provided under Article 83 paragraph (2) letters c) to k), the proof of their thorough examination being precisely the setting of a fine in an amount far below the maximum allowed for the act committed by the claimant. Moreover, the report contains in detail the analysis performed by the defendant of each of the criteria established under Article 83 paragraph (2) for individualising the sanction”.
Finally, the first-instance court correctly concluded that:
“For all the factual and legal considerations set out above, the Tribunal concludes that the fine of EUR 100,000 is ‘effective, proportionate and dissuasive’ and was set taking into account the nature, gravity and consequences of the breach, as well as all the other criteria provided under the Regulation, criteria which the defendant analysed coherently and objectively”.
In this context, we note that in the press release available at https://www.dataprotection.ro/?page=Comunicat_17_12_2020&lang=ro, the National Supervisory Authority published relevant information about the investigation concluded at the controller Banca Transilvania SA, which found a breach of Article 32 paragraphs (1) and (2), read together with Article 5 paragraph (1) letter f), of the General Data Protection Regulation.
We also underline that in other similar cases, involving breaches by controllers in the financial sector of the GDPR provisions on data processing principles and on the measures to ensure the security of processing, the courts have, by final judgments, upheld the reports by which fines were imposed, as follows:
- The Bucharest Court of Appeal confirmed the fines imposed on the controller Vreau Credit, totalling Lei 95,024 (the equivalent of EUR 20,000), for breaching Articles 32 and 33 of the GDPR;
- The Bucharest Court of Appeal confirmed the fines imposed on the controller Hora Credit, totalling Lei 66,901.8 (the equivalent of EUR 14,000), for breaching Article 5 paragraph (1) letters d) and f), Article 5 paragraph (2), Article 25, Article 32 and Article 33 paragraph (1) of the GDPR.
Legal and Communication Department