Sanction for the GDPR infringement
The National Supervisory Authority finalized in October 2022 an investigation at the controller ING Bank NV Amsterdam Bucharest Branch and found the breach of the provisions of Article 32 paragraphs (1) and (2) from the General Data Protection Regulation.
The controller was sanctioned with fine in amount of Lei 98,076.00 (the equivalent of EUR 20,000).
The investigation was started following the submission by the controller of a notification regarding the breach of the personal data security based on the General Data Protection Regulation.
At the basis of the notice was information according to which the personal data of some data subjects were accessed and disclosed (identification data associated to the identification card; contact data; bank data (transactions and products owned, data associated to the card); user and password Internet Banking module (Home’Bank), having as consequence the performance of some payment operations by third persons, by affecting the personal data of these data subjects.
Within the investigation it was found that the controller ING Bank NV Amsterdam Bucharest branch did not implement appropriate organizational and technical measures in order to ensure a level of security corresponding to the risk presented by the processing, generated specifically, accidentally or illegally, by the unauthorized disclosure and access to the personal data provided, stored or processed in another manner. This led to the unauthorized disclosure and access to personal data of those ING Bank NV Amsterdam Bucharest Branch clients.
We underline that, according to Article 5 paragraph (1) letter f) from the GDPR, ING Bank NV Amsterdam Bucharest Branch had the obligation to process the personal data in a manner that ensures their appropriate security, including protection against the unauthorized or illegal protection and against loss, destruction or accidental damage, by taking the corresponding technical or organizational measures (“integrity and confidentiality”).
Both the controller ING Bank NV Amsterdam Bucharest branch and the controller Raifaissen Bank SA paid the fines.
Legal and Communication Department