
03.02.2025

Sanction for the infringement of the GDPR


The National Supervisory Authority for Personal Data Processing completed, in December 2024, an investigation at the controller Unicredit Bank SA and found the breach of Article 25 (1) of Regulation (EU) 2016/679 (GDPR).

As such, the controller was fined in the amount of 74,562 lei (the equivalent of 15,000 euros).

The investigation was launched following the submission by the controller of two data breach notifications pursuant to the GDPR.

During the investigation, it was found that, in the first situation, the breach of data processing security occurred as a result of the incorrect operation of the controller's application that creates the username, which had been deployed without prior testing in a test environment.

This situation led to the unauthorised disclosure of the processed personal data of some customers, such as: name, surname, current account information, account transactions, account balance, card transactions, card balance.

In the second situation, the breach of the data processing security occurred as a result of the controller’s implementation of a customer communication solution with the bank, without performing adequate prior testing in the test environment, which led to the unauthorised disclosure of personal data (cardholder name, phone number, transaction date, currency, e-mail address, transaction amount, reason for payment refusal) of a significant number of Unicredit Bank SA customers.

As such, having regard to the criteria for individualising sanctions provided for by Article 83 of the GDPR, the fine was imposed for violating the provisions of Article 25 (1) of the GDPR, since the controller did not implement, both at the time of determining the means of processing and at the time of the processing itself, adequate technical and organisational measures designed to implement the data protection principles effectively and to integrate the necessary safeguards into the processing.

At the same time, the controller was also ordered to apply the corrective measure of implementing, technically and organisationally, a test plan for all components/applications to be introduced into activities that involve personal data processing, by analysing all their functionalities in a test environment that simulates the real scenario of the production environment.

We mention that the controller paid the imposed fine.


Legal and Communication Department

A.N.S.P.D.C.P