New GDPR fines in Romania: The National Supervisory Authority for Personal Data Processing – ANSPDCP issues new fines for Raiffeisen Bank S.A., Vreau Credit S.R.L. and Artmark Holding S.R.L.
The National Supervisory Authority for Personal Data Processing ("ANSPDCP") has recently announced another three fines applied in Romania as a result of the enforcement of the EU General Data Protection Regulation ("GDPR") and national data privacy legislation.
As a result, Raiffeisen Bank S.A. was sanctioned with a fine of EUR 150,000 for a personal data breach, Vreau Credit S.R.L. was sanctioned with a fine of EUR 20,000 for a personal data breach and Artmark Holding S.R.L. was sanctioned with a fine of LEI 10,000 for sending unsolicited marketing communications (in breach of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector).
On 9 October 2019, ANSPDCP announced the completion of two investigations at Raiffeisen Bank S.A. and Vreau Credit S.R.L., noting the following:
- Raiffeisen Bank S.A. breached the provisions of art. 32 paragraph (4) in conjunction with art. 32 paragraph (1) and paragraph (2) of GDPR, which led to the application of a fine amounting to EUR 150,000;
- Vreau Credit S.R.L. breached the provisions of art. 32 paragraph (4) in conjunction with art. 32 paragraph (1) and paragraph (2) of GDPR, as well as of art. 33 paragraph (1) of GDPR, which led to the application of a fine amounting to EUR 20,000.
According to the press release issued by ANSPDCP, the breach of security consisted in the fact that two employees of Raiffeisen Bank S.A. used identification details of some individuals/potential clients, sent by the employees of Vreau Credit S.R.L. through the WhatsApp mobile application, and performed credit history checks with the Credit Bureau in order to determine the eligibility for credit of the respective individuals, through pre-scoring simulations. In total, 1194 simulations were performed, concerning 1177 individuals.
The sanction was applied to the controller Raiffeisen Bank S.A. because it did not take appropriate measures to ensure that any individual acting under its authority who has access to personal data processes the data only at its request and in accordance with its instructions.
Also, the controller did not implement adequate technical and organizational measures to ensure an adequate level of security and did not evaluate the risks involved with the data processing.
Vreau Credit S.R.L., as a controller, was also sanctioned for the breach of data security and for the fact that, until the completion of the investigation, it had not notified the supervisory authority of the personal data breach, although the controller had been aware of this security incident since December 2018.
As regards Artmark Holding S.R.L., ANSPDCP sanctioned the controller with a fine of LEI 10,000. ANSPDCP applied the sanction as a result of a petition claiming that the controller Artmark Holding S.R.L. sent unsolicited marketing communications to the petitioner's e-mail address without his consent. Thus, although the petitioner had requested the company to erase his personal data from the controller's database, as the data had been obtained without his consent, he continued to receive unsolicited marketing communications from Artmark Holding S.R.L. at his e-mail address.