The National Supervisory Authority finalized in August 2022 an investigation at Raiffeisen Bank SA and found the breach of the provisions of Article 5 paragraph (1) letters a), b) and d) and of Article 6 of the General Data Protection Regulation.

Raiffeisen Bank SA, as processor of a controller, was sanctioned as it follows:

with reprimand for the breach of the provisions of Article 5 paragraph (1) letters a) and b) and of Article 6 of the General Data Protection Regulation;
with fine in amount of Lei 9,763.60 (the equivalent of EUR 2,000) for the breach of the provisions of Article 5 paragraph (1) letter d) of the General Data Protection Regulation.

The investigation was started following a complaint lodged by a claimant who complained that a controller provides him on his mobile telephone number SMS type messages regarding the transfers of some amounts to certain persons, transfers that the claimant did not perform.

Within the investigation performed, it was found that at the level of Raiffeisen Bank SA, as controller, the telephone number of the claimant was wrongfully introduced within the application made available by the controller through which transactions were initiated at the request of the clients.

Also, it was found that the controller was not a client of Raiffeisen Bank SA and did not request the initiation of some transactions through the controller’s application.

Also, the Supervisory Authority found that Raiffeisen Bank SA, as processor, processed inaccurate data (the telephone number) of the persons, occasional clients, that performed money transactions through the controller’s application, using the telephone number of the claimant within 44 transactions, thus breaching the data accuracy principle provided under Article 5 paragraph (1) letter d) of the General Data Protection Regulation.

Legal and Communication Department

A.N.S.P.D.C.P.