Sanction for the breach of the GDPR
In July 2022, the National Supervisory Authority completed an investigation of the controller Alpha Bank Romania SA and found a breach of the provisions of Article 29 and of Article 32 paragraph (1) letter b), paragraph (2) and paragraph (4) of the General Data Protection Regulation.
As a result, the controller was fined Lei 4,935.10 (the equivalent of EUR 1,000).
The investigation was started following a data security breach notification that was submitted by Alpha Bank Romania SA, based on the provisions of Article 33 of the General Data Protection Regulation.
According to the notification form, the breach of data processing security occurred when a document was sent to the wrong recipient, by error, via the WhatsApp application.
The investigation established that this breach led to the unauthorised disclosure of, or unauthorised access to, personal data such as first name and last name, PIN, position and signature, credit type, number and execution date of the agreement, the credit period and the date of the last maturity; 4 natural persons (data subjects) were affected by the incident.
The National Supervisory Authority found that Alpha Bank Romania SA did not implement adequate technical and organisational measures to ensure a level of confidentiality and security appropriate to the risk of the processing, and did not take sufficient measures to ensure that any natural person acting under the authority of the controller who has access to the personal data processes them solely at the controller's request.
At the same time, based on Article 58 paragraph (2) letter d) of the General Data Protection Regulation, the following corrective measures were taken against the controller:
- to review and update the technical and organisational measures implemented following the assessment of the risk to the rights and freedoms of natural persons, including the working procedures on personal data protection, by adopting and issuing to the responsible persons instructions prohibiting the use of employees' personal equipment (for example, personal mobile phones) in relationships with clients for communication applications/online chat services not authorised by the Bank;
- to adopt measures on the training of persons acting under the authority of the controller, including on the risks and consequences that the disclosure of personal data entails.
Legal and Communication Department