03.04.2023
Sanction for GDPR infringement
In March 2023, the National Supervisory Authority completed an investigation of the controller Banca Transilvania SA and found a breach of Article 5 paragraph (1) letter a) and paragraph (2), Article 12 and Article 13, in conjunction with Article 83 paragraph (5) letters a) and b), of Regulation (EU) 2016/679.
The controller was therefore fined Lei 9,841.80 (the equivalent of EUR 2,000).
The investigation was opened following a complaint submitted by a natural person who reported a possible breach of the provisions of Regulation (EU) 2016/679.
The claimant (a client) had asked Banca Transilvania SA to issue a card in the name of a relative, giving that relative access to the EUR account only. At the time the card was issued, the client and the person holding the right to operate the EUR account used a particular Internet/Mobile Banking application of Banca Transilvania that allowed the viewing of some accounts to be restricted.
During the investigation, the data update request (for the purchase of products/banking services) submitted for a new mobile application dedicated to providing those services showed that the restriction limiting the relative appointed by the client to operating the EUR account only continued to apply. The claimant had thus clearly expressed the wish that only the EUR account be visible.
Nevertheless, once the Internet/Mobile Banking service was activated for use with the new application, the claimant's relative was able to access all of the holder's accounts without authorisation.
It was therefore found that the controller did not demonstrate that, when processing its client's data, it had provided the client, in a concise, transparent, intelligible and easily accessible form, with information on the recipients or categories of recipients of the personal data, as required by Article 13 paragraph (1) letter e) in conjunction with Article 12 of Regulation (EU) 2016/679.
In particular, the controller did not demonstrate that it had informed the data subject (the client) that, in the new application, the banking data for all of his accounts would be disclosed to the appointed person (his relative).
At the same time, the following corrective measures were applied to the controller:
- to take adequate measures to ensure compliance with Article 5 paragraph (1) letter a) and Articles 12 and 13 of Regulation (EU) 2016/679 with regard to the processing of personal data within the services provided to clients, including Internet/Mobile Banking services;
- to take adequate technical measures to implement the data protection principles effectively and to integrate the necessary safeguards into the processing, both when determining the means of processing and during the processing itself, so as to meet the requirements of Regulation (EU) 2016/679 and to protect the rights of the data subjects. In this respect, the controller was ordered to implement adequate technical and organisational measures ensuring that, in all cases, only the personal data necessary for the specific purpose of the processing are processed, and only in accordance with the free, specific, informed and unambiguous expression of will of the data subjects (clients).
Legal and Communication Department
A.N.S.P.D.C.P.