
16.11.2022

Sanction for the GDPR infringement

 

The National Supervisory Authority finalized in September 2022 an investigation at the controller Raiffeisen Bank SA and found several breaches of the provisions of the General Data Protection Regulation.

The controller was sanctioned with two warnings and three fines in a total amount of Lei 138,572 (the equivalent of EUR 28,000), as follows:

  1. Fine in the amount of Lei 98,980 (the equivalent of EUR 20,000) for the breach of Article 32 paragraph (4) corroborated with Article 32 paragraphs (1) and (2) of the GDPR;
  2. Warning for the breach of the provisions of Article 32 paragraph (1) and Article 32 paragraph (2) of the GDPR;
  3. Fine in the amount of Lei 14,847 (the equivalent of EUR 3,000) for the breach of the provisions of Article 32 paragraph (4) corroborated with Article 32 paragraphs (1) and (2) of the GDPR;
  4. Fine in the amount of Lei 24,745 (the equivalent of EUR 5,000) for the breach of Article 25 paragraph (1) of the GDPR;
  5. Warning for the breach of the provisions of Article 32 paragraph (4) corroborated with Article 32 paragraphs (1) and (2) of the GDPR.

The investigation was opened following the submission by the controller Raiffeisen Bank SA of 17 notifications of personal data breaches, by reference to the provisions of the General Data Protection Regulation.

Within the investigation, the following were mainly found:

Queries were performed in the records system managed by the Credit Bureau S.A. and in the one managed by the National Agency for Fiscal Administration, and the information systems of the controller Raiffeisen Bank S.A. were also used in order to simulate credit decisions (“prescoring”) for an external credit broker.

In two cases, prescoring operations were carried out for clients or potential clients, but the query of the Credit Bureau system was performed without the corresponding documentation having been signed by those applicants. It was found that the incidents notified to the National Supervisory Authority affected at least 169 natural persons.

The controller Raiffeisen Bank SA notified the Authority of an incident regarding the granting of credits to some clients, natural persons, through an entity acting as processor. The notification was based on information according to which personal needs credits would have been approved for the clients without asking them and without the corresponding documents being signed.

Therefore, it was found that Raiffeisen Bank SA did not take measures to ensure that any natural person acting under the authority of the controller who has access to personal data processes them only at the request of the controller, and did not implement appropriate technical and organizational measures to ensure a level of security appropriate to the processing risk. This led to unauthorized access to and/or disclosure of personal data stored or processed through the information applications used by Raiffeisen Bank S.A. within the credit activity.

The controller notified an incident regarding a data security breach that consisted in the fact that, during the data update process for a client, a wrong e-mail address was entered in the system and a document containing various personal data belonging to the bank’s client was sent to another natural person.

Another incident consisted in the fact that the controller Raiffeisen Bank SA sent, by e-mail, confidential data to a person other than the data subject.

Another notified incident occurring at the level of the controller concerned the fact that a document named “Form for defining the personal data”, containing numerous personal data of a client of the bank, was sent to a wrong e-mail address belonging to another natural person.

A similar incident took place after two clients of the controller submitted similar complaints: when preparing the e-mail response to the complaint of the first client, the controller attached to the e-mail sent to him documents containing personal data belonging to the other client. The cause of the wrongly sent documents was the similarity between the type of the complaints and the fact that the responses were provided one after the other.

Another data security breach notified by the controller concerned a situation that also involved suspicions of internal credit fraud and consisted of:

  1. The performance of specific operations for granting a credit to a client natural person, without the presence of the applicant at the agency’s office;
  2. The request of a credit card type credit facility, the filling-in and signing of the documentation corresponding to the credit card, the request of a personal needs credit type facility, the filling-in and signing of the documentation corresponding to the personal needs credit facility, and the update of the data subjects’ data in the Bank’s application by replacing the data subjects’ telephone number with the telephone number of the bank employee and by entering a fictitious e-mail address.

A similar incident, notified by the controller and investigated by the National Supervisory Authority, consisted of the processing of data by the controller in relation to the granting of three credit facilities (Flexicredit, Flexicredit refinancing and Shopping Card, respectively) on behalf of a natural person, a client of the bank, without him/her having actually requested those credits.

Another personal data security breach, notified by the controller from the banking sector, consisted of the unauthorized disclosure of the personal data of some clients from the Smart Mobile account (the mobile banking system made available by Raiffeisen Bank) to other clients of the controller.

In the context of the above, the investigation found that the controller Raiffeisen Bank SA did not take measures to ensure that any natural person acting under its authority who has access to personal data processes them only at the request of the controller. This led to unauthorized access to the personal data of Raiffeisen Bank SA’s clients (for example, first name, last name, domicile address, citizenship, nationality, image of the person, personal identification code, number and series of the identity card, e-mail, telephone number, data from the Credit Bureau, data from the records system managed by NAFA, data from the Smart Mobile account) and to the unauthorized disclosure of these data by the controller.

We underline that, according to Article 5 paragraph (1) letter f) of the GDPR, Raiffeisen Bank SA has the obligation to process personal data in a manner that ensures their appropriate security, including protection against unauthorized or unlawful disclosure and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures (“integrity and confidentiality”).

 

Legal and Communication Department

A.N.S.P.D.C.P.