Major bank acting as processor fined by the Romanian DPA


On 9 September 2022, the Romanian DPA announced it sanctioned a bank acting as processor with:

  • A warning, for violating the principles of lawfulness, fairness and transparency and purpose limitation;
  • A fine of EUR 2,000 for violating the principle of data accuracy.

The investigation was launched following a data subject’s complaint, stating that he received SMS text messages on his mobile phone number concerning transfers of money to certain persons which the complainant has not made.

During the investigation, the Romanian DPA found that the bank:

  • erroneously entered the complainant’s telephone number into the application provided by the controller to initiate transactions at the request of customers.
  • processed inaccurate data (telephone number) of persons, occasional customers, who carried out money transactions through the controller’s application, using the complainant’s telephone number in 44 transactions, thus violating the principle of data accuracy of the GDPR.

It is worth mentioning that the data subject was not a customer of the bank and did not request the initiation of transactions through the controller`s application.

The press release is available here (only in Romanian).