The Romanian DPA fines a bank for breaching several principles regarding personal data sent to a court


On 15 June 2023, The Romanian DPA announced a fine of EUR 2,000 imposed on a controller in the banking sector for breaches of Art. 5 para. (1) a), b), f), and para. (2) of the GDPR (i.e., lawfulness, fairness and transparency, purpose limitation, integrity and confidentiality, and accountability principles) regarding personal data sent to a court.

The investigation was launched following the receipt of a data breach notification submitted by the controller.

During the investigation, the DPA found that the controller unlawfully disclosed personal and financial data of one client and other data subjects, data that were sent to a court without being requested and without measures being taken to verify the legitimacy of such disclosure of personal data.

Additionally, the following corrective measures were also ordered against the controller:

  • ensuring compliance with the GDPR requirements for the collection and subsequent processing of personal data, so as to avoid unlawful disclosure of processed personal data;
  • applying appropriate security and confidentiality measures (e.g., pseudonymization), by establishing clear procedures regarding the transmission of personal data to courts and/or parties in court cases, as well as regular training of persons processing data under the authority of the controller, and the appropriate involvement of the data protection officer in these activities.

The press release is available here (only in Romanian).