Raiffeisen Bank SA and Vreau Credit S.R.L fined for inadequate data protection
On October 1st the Romanian National Supervisory Authority fined Raiffeisen Bank SA (150.000 EUR) and Vreau Credit S.R.L. (20.000 EUR) due to inadequate data protection.
The Supervisory Authority initiated an investigation following a personal data breach notification. Vreau Credit S.R.L. sent data from identity documents of 1177 individuals via WhatsApp to two Raiffeisen employees, who performed queries to the Credit Bureau System to obtain credit eligibility scores for these individuals. The Raiffeisen employees returned the negative credit scores to the employees of Vreau Credit S.R.L., violating internal procedures.
The controller did not implement appropriate security measures to ensure that employees process personal data only as intended. An adequate level of security was not ensured and the risks of this processing were not evaluated. This situation led to unauthorised access to personal data and unauthorised disclosure of personal data.
Vreau Credit S.R.L. was fined 20.000 EUR because they did not notify the supervisory authority of the personal data breach.
Read more at the European Data Protection Board.
Type of Issue:
inadequate data protection
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph:
32. Security of processing