Search Privacy Fines

Raiffeisen Bank Romania did not observe the necessary security measures required by the GDPR when it assessed the scores of individuals on the WhatsApp platform. The personal data was exchanged via WhatsApp.

Articles: Art. 32 GDPR

Articles: Art. 32 GDPR

The Company was issued a fine because it had failed to provide the necessary security and organization measures in two cases. Firstly, it failed in the appropriate determination of the data processing means. Secondly, it failed in the appropriate implementation of necessary security safeguards, which led to the public disclosure of the personal data of over 337.042 people.

Articles: Art. 25 (1) GDPR, Art. 5 (1) c) GDPR

Articles: Art. 25 (1) GDPR, Art. 5 (1) c) GDPR

Articles: Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR

Articles: Art. 25 GDPR

The Romanian branch of ING Bank N.V. Amsterdam was fined with €80,000 due to not respecting data protection principles (privacy by design și privacy by default) by not implementing adequate technical measures to ensure the protection of personal data. As a consequence of this, a total of 225,525 had their transactions doubled on debit card payments during the period of 8-10 October 2018.This is one of the bigger fines in Romania, but it’s interesting to note that for similar offenses in other countries fines of over several millions of Euros are usually awarded. This denotes again the fact that different countries have different approaches to GDPR enforcement.

Articles: Art. 25 GDPR

Articles: Art. 28 (3) a) GDPR

Articles: Art. 25 (1) GDPR, Art. 32 (1), (2), (4) GDPR

The Company sent personal information through the WhatsApp platform to Raiffeisen Bank in order to facilitate the assessment of personal scores. The results were returned on the same platform.

Articles: Art. 32 GDPR, Art. 33 GDPR

Articles: Art. 32 (1), (2) GDPR

Articles: Art. 32 GDPR, Art. 33 GDPR

Articles: Art. 32 GDPR

A fine of €20,000 was issued to the Romanian national airline Tarom because it failed to implement the necessary technical measures to ensure the security of personal information. As a consequence of these inadequate measures, a Tarom employee was able to access the flight booking application without authorization and see the personal data of 22 passengers, after which the employee took a photo of the list and made it public online.

Articles: Art. 32 GDPR

A printed checklist used to verify the attendance of breakfast customers (approx. 46 clients) was photographed by unauthorized people. As a result, the personal data of those clients was disclosed to the public. The operator working for the hotel was sanctioned because of insufficient security measures.

Articles: Art. 32 GDPR

Articles: Art. 32 GDPR

Articles: Art. 32 GDPR

Three fined were issued on Hora Credit IFN SA because personal data of an individual was transmitted through email to a third party. The following investigation revealed that the company processed personal data without any means to validate the accuracy and authenticity of the data collected and processed. The operator also did not employ enough technical and organizational measures to protect the collected personal data. The case was made worse by the fact that the company did not notify the ANSPDCP after the data breach was discovered, as required by the law. The three fined issued were of €3,000, €10,000 and €1,000 for all the three issues of non-compliance discovered by the ANSPDCP.

Articles: Art. 5 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 33 GDPR

Articles: Art. 5 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 33 GDPR

Fan Courier Express SRL, which is a national courier service, was given an €11,000 fine because it failed to take appropriate technical and organizational measures to prevent the loss of personal data (name, bank card number, CVV code, cardholder’s address, personal identification number, serial and identity card number, bank account number, authorized credit limit) of over 1100 private individuals.

Articles: Art. 32 GDPR

Articles: Art. 32 GDPR

Articles: Art. 32 GDPR

Articles: Art. 5 (1) c) GDPR, Art. 5 (2) GDPR

Articles: Art. 32 (4) GDPR

An operator utilized an unfilled checkbox through which users could request that they do not receive any emails from the company. Since they couldn’t do that, they continued receiving information via email.

Articles: Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR