On 3 April 2023, the Romanian DPA announced a fine of EUR 2,000 imposed on a controller in the banking sector.
The Romanian DPA concluded that the controller did not prove that, at the time of the use of its customer’s data, it provided the customer with information on the recipients or categories of recipients of the personal data in a concise, transparent, intelligible and easily accessible manner, as required by the GDPR.
Therefore, the controller did not prove that its customer was informed that the person designated by the customer (i.e., a relative) would be able to access all the customer’s bank accounts via the Internet banking system, and not just the specific account that the customer had authorized to be accessed.
The following provisions of the GDPR were considered to have been breached:
- Art. 5(1)(a) (principle of lawfulness, fairness and transparency)
- Art. 5(2) (principle of accountability)
- Art. 12 and 13 (transparency requirements)
The investigation was launched following a complaint from the controller’s customer.
The following corrective measures were also imposed on the controller:
- to take appropriate measures to comply with the provisions of Art. 5 (1)(a) and Art. 12 and 13 of the GDPR in relation to the processing of personal data in the context of the services provided to the customers, including internet/mobile banking services
- to adopt appropriate technical measures to effectively implement the data protection principles and to incorporate the necessary safeguards in the processing, in accordance with the requirements of data protection by design and by default. To this end, the Romanian DPA required the controller to adopt appropriate technical and organizational measures to ensure that, in all cases, only personal data that are necessary for the specific purpose of the processing and in accordance with the free, specific, informed and unambiguous expression of the will of the data subjects (customers) are processed.
The press release is available here (only in Romanian).