Raiffeisen Bank SA and penalty for inadequate data protection
A report of a data breach by the controller itself led to the investigations and ultimately the fine. The breach of the GDPR consisted of two employees of Raiffeisen Bank SA performing credit evaluations for another bank.
Raiffeisen employees performed credit scoring of natural persons on the basis of identity documents that they had previously received via WhatsApp from employees of the company Vreau Credit SRL. According to the supervisory authority, this affected at least 1177 natural persons. The “prescoring” of the loan applicants was carried out via the computer system of Raiffeisen Bank SA.
The “negative credit decision” was sent via WhatsApp by employees of Raiffeisen Bank SA to the employees of Vreau Credit SRL. Internal guidelines were also violated in the process.
Because Raiffeisen Bank SA did not ensure that its own employees complied with the data protection guidelines (GDPR Article 32), a fine of EUR 150,000 was imposed.
Vreau Credit SRL was also required to pay by the data protection authority. Vreau had to pay EUR 20,000 for not reporting the data protection incident when it became known.
Date of decision:
01.10.2019
Country:
Romania
Type of violation:
inadequate data protection
Affected records:
1177
Was sensitive data affected?:
No
Fine imposed:
€ 150,000,-
Violation of GDPR Paragraph:
32. Security of processing
Source:
Communication from the Romanian Data Protection Authority (Romanian)