11.05.2023
Sanction for GDPR infringement
In March 2023, the National Supervisory Authority completed an investigation at the controller Libra Internet Bank SA and found a breach of the provisions of Article 12 and Article 15 of Regulation (EU) 2016/679.
Therefore, the controller was sanctioned:
- with a fine of Lei 4,940.5 (the equivalent of EUR 1,000) for the breach of Article 12 paragraph (4) in conjunction with Article 15 paragraph (3) of Regulation (EU) 2016/679;
- with a fine of Lei 49,405 (the equivalent of EUR 10,000) for the breach of Article 12 paragraph (2) in conjunction with Article 15 paragraphs (3) and (4) of Regulation (EU) 2016/679.
The investigation was started following a complaint reporting the controller's refusal to respond in full to the data subject's request to exercise the right of access, as well as its failure to provide certain information to the data subject.
During the investigation, the National Supervisory Authority found that Libra Internet Bank SA did not provide evidence showing that it had given a full answer to the data subject's request based on the provisions of Article 15 paragraphs (1) and (2) of Regulation (EU) 2016/679, given that it did not provide a copy (in the form requested) of the personal data processed and did not send the answer to the postal address mentioned in the agreement, as the data subject had requested, thus breaching the provisions of Article 15 paragraph (3) of Regulation (EU) 2016/679.
It was also found that the answer provided to the data subject by e-mail did not contain information on the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy for the refusal to provide a copy of the requested video recording, thus breaching the provisions of Article 12 paragraph (4) in conjunction with Article 15 paragraph (3) of Regulation (EU) 2016/679.
On the same occasion, the National Supervisory Authority found that Libra Internet Bank SA did not present evidence showing that it had taken measures to facilitate the exercise of the data subjects' right of access to a copy of the video recording concerning them, processed by the controller. This aspect also affected the handling of the claimant's request to the Authority. Therefore, it was found that the provisions of Article 12 paragraph (2) in conjunction with Article 15 paragraphs (3) and (4) of Regulation (EU) 2016/679 were breached.
At the same time, based on Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, the following corrective measures were also ordered for the controller:
- to respond to the data subject's request by communicating all the information provided for under Article 15 paragraphs (1) and (2) of Regulation (EU) 2016/679 and the copy of the personal data provided for under Article 15 paragraph (3) of the same regulation, adapted to the claimant's specific situation, in the format requested by the claimant, by post, to the correspondence details indicated by the claimant;
- to adopt adequate technical and organizational measures to facilitate the exercise of data subjects' rights, specifically the right of access to a copy of the personal data undergoing processing, including through the use of software programs that would allow the editing of information that could infringe the rights and freedoms of other persons.
Legal and Communication Department
A.N.S.P.D.C.P