Raiffeisen Bank SA and Vreau Credit S.R.L fined for inadequate data protection
On October 1st, the Romanian National Supervisory Authority fined Raiffeisen Bank SA (150.000 EUR) and Vreau Credit S.R.L (20.000 EUR) due to inadequate data protection.
The Supervisory Authority initiated an investigation following a personal data breach notification. Vreau Credit S.R.L sent data from the identity documents of 1177 individuals via WhatsApp to two Raiffeisen employees. The two employees performed queries in the Credit Bureau System to obtain credit eligibility scores for these individuals. The Raiffeisen employees then returned the negative credit scores to the employees of Vreau Credit S.R.L., violating internal procedures.
The controller did not implement appropriate security measures to ensure that employees process personal data only as intended. An adequate level of security was not ensured, and the risks of this processing were not evaluated. This situation led to unauthorised access to personal data and unauthorised disclosure of personal data.
Vreau Credit S.R.L. was fined 20.000 EUR because they did not notify the supervisory authority of the personal data breach.
Read more at the European Data Protection Board.
Date of decision:
01.10.2019
Country:
Romania
Type of violation:
inadequate data protection
Affected records:
1177
Was sensitive data affected?:
No
Fine imposed:
€ 150,000,-
Violation of GDPR Paragraph:
32. Security of processing
Source: