Penalty against Romanian bank
Justification
The Romanian branch of Unicredit Bank was ordered by the local data protection authority to pay a fine of approximately €130,000.
The supervisory authority based the penalty on a large number of deficiencies in technical and organizational implementation. Furthermore, the principle of data minimization was disregarded. As an example, the authority stated that remittance recipients could view the address of the remitter, although this is not necessary for the execution of a transaction.
The supervisory authority started its investigation on May 25, 2018, the day the GDPR was introduced, and ended it on December 10, 2018. Over 330,000 customers were affected by the poor implementation during this period.
Conclusion
Efficient implementation of the GDPR is essential for companies of all types and sizes. In this case, it appeared that the investigation started immediately after the introduction of the GDPR. Nevertheless, the procedure was not concluded until more than a year later. In addition to the fine, the bank also had to invest time and resources to fulfill its own obligations in the proceedings.
With easyGDPR, such a procedure could have been prevented. In the first step, our program queries your current technical and organizational measures and identifies where you need to make improvements. At the same time, easyGDPR documents your decisions, so that you can present these documents in the event of an inspection by the data protection authority. You benefit twice: correct implementation of the GDPR saves you a fine, and the automatically created documentation lets the procedure be ended quickly, so you can take care of the important issues in your company.
Decision date:
27.06.2019
Country:
Romania
Type of violation:
technical deficiency
Records affected:
337 042
Was sensitive data affected?:
No
Fine imposed:
€ 130,000,-
Violation of GDPR Article:
25. Data protection by design and by default
5. Principles relating to personal data processing
6. Lawfulness of processing
Source:
Press release of the Romanian Data Protection Authority (English)