Home » Comunicat_Presa_19_05_2021_2
 Română | English | Francais


Another sanction for the infringement of GDPR


The National Supervisory Authority finalized during April an investigation at Banca Comercială Română S.A. and found the breach of the provisions of Article 5 paragraph (1) letters a) and d), Article 5 paragraph 2 and Article 6 of the General Data Protection Regulation.

Banca Comercială Română S.A., as controller, was sanctioned with a fine in amount of Lei 9,855.8 (the equivalent of EUR 2,000).

The investigation was started following the receipt of a complaint through which it was claimed that Banca Comercială Română S.A. has used, without consent, the personal data of a natural person, within some enforcement procedures for debts resulting from a credit agreement about which he/she did not know.

The complainant claimed, therefore, the use without consent of his/her personal data, for other purposes than those authorized by him/her, as well as the use of an address which was no longer up to date and in relation to which the complainant considered that the bank has unlawfully accessed a database. Also, he/she claimed the lack of information regarding the collection source for these information according to Article 14 of GDPR, as well as the lack of receipt of an answer in connection with several claims submitted by him/her to BCR S.A..

During the conduct of the investigation, the National Supervisory Authority found that Banca Comercială Română S.A. has processed the personal data of the complainant without legal basis, by wrongfully attributing the capacity of guarantor in 2019, the retrieval of some outdated data, the use and disclosure of his/her personal data, within some notification procedures performed through a judicial executor regarding the outstanding amounts for a loan agreement accrued by a commercial company, client of the bank, with which the complainant had no relationship, by breaching Article 5 paragraph 5 letters a) and d) and Article 5 paragraph 2, as well as Article 6 of GDPR.

The National Supervisory Authority applied to the controller Banca Comercială Română S.A. also the corrective measure to ensure the compliance with GDPR of the collecting and subsequent personal data processing operations, from the moment of collecting the data and their registration within the database of the controller and during the entire processing period; therefore, it will be taken into account the practical implementation of some appropriate and efficient security measure, both from a technical point a view as from an organisational point of view, through the regular training of the persons that are processing data under the authority of the controller.

Regarding this matter, recitals 39 of the GDPR provides that ”Any processing of personal data should be lawful and fair. (…) every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.(…)”

Regarding the lawfulness of the processing, recitals 40 of the GDPR states that ”In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”


Legal and Communication Department