
03.04.2025

Sanction for the breach of the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in March 2025, an investigation of the controller Banca Transilvania S.A. and found a breach of Article 5 paragraph (1) letter a) in relation to Article 6 paragraph (1) of Regulation (EU) 2016/679.

For this breach, the controller was fined 24,883 lei, the equivalent of 5,000 euros.

The investigation was initiated following a complaint from a natural person, the data subject, who claimed that his personal data had been processed without his consent, in connection with an insurance policy against natural disasters, by an insurance company mandated by the controller Banca Transilvania S.A.

During the investigation, it was found that, although the petitioner's real estate loan contract with the controller Banca Transilvania S.A. had been terminated by payment, a new insurance policy against natural disasters, accessory to the terminated real estate loan contract, was erroneously issued to him, without the data subject having given his consent and without permission for the insurance company to use his personal data.

It was also found that the controller erroneously requested the same insurance company to issue a significant number of insurance policies, thereby using the personal data contained in these policies, including the petitioner's data.

In this context, the petitioner's personal data, such as name, surname, CNP, telephone number, e-mail address, address and information on the insured location, were processed without a legal basis, in violation of the GDPR processing principle of “lawfulness, fairness and transparency”.

For this act, the controller was fined for violating the provisions of Article 5 paragraph (1) letter a) in relation to Article 6 paragraph (1) of Regulation (EU) 2016/679.

At the same time, pursuant to the provisions of Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, the controller was ordered, as a corrective measure, to ensure that the collection and subsequent processing of personal data comply with the GDPR, so as to avoid their use in violation of the principles and conditions of lawfulness. In this regard, consideration will also be given to applying appropriate technical and organizational measures, by establishing written procedures and regularly training the persons who process data under the authority of the controller.

 

Legal and Communication Department

A.N.S.P.D.C.P