The National Supervisory Authority finalized an investigation at the controller Banca Comerciala Romana SA and found the breach of the provisions of Article 25 paragraph (1) and Article 32 paragraph (1) letters b), d) and paragraph (2) of the General Data Protection Regulation.

Therefore, the controller was sanctioned with fine in amount of Lei 9,864.8 (the equivalent of EUR 2,000).

The investigation was started following a security breach notification that was submitted by Banca Comerciala Romana SA based on the provisions of Article 33 of the General Data Protection Regulation.

Thus, according to those mentioned in the notification form, the breach of the data processing security took place following a technical error of an IT application of the controller.

Within the investigation it was found that e-mail containing personal data of some clients were sent to other clients.

This breach of the data security led to the unauthorized disclosure or access to certain personal data, such as: first name and last name, PIN, domicile address, telephone number, e-mail address, together with financial information generated by error regarding the cumulated worth, the cumulated loss, the net worth, the net loss, the cumulated tax due, the tax to be paid, the recovered tax, a number of 564 natural data subjects, clients of the bank being affected.

Also, the National Supervisory Authority found that Banca Comerciala Romana SA did not take adequate technical and organizational measures in order to ensure a level of security corresponding to the risk of the processing, thus breaching the provisions of Article 25 paragraph (1) and Article 32 paragraph (1) letters b), d) and paragraph (2) of the General Data Protection Regulation.

Legal and Communication Department

A.N.S.P.D.C.P.