The Romanian DPA takes action against the Romanian branch of a Polish bank for sending unsolicited communications


On 12 January 2024, the Romanian DPA announced a fine of EUR 17,000 imposed on a controller in the banking sector for breaches of Art. 5 para. (1) letters a) and b), and Art. 6 of the GDPR. The investigation was conducted based on the cooperation mechanisms provided by the GDPR, and the controller was the Romanian branch of a Polish bank.

The investigation was opened following a complaint from a data subject about a possible breach of the GDPR, alleging that:

  • the controller sent unsolicited communications, both to his e-mail address and by SMS, despite having previously requested the deletion of all his personal data, which the controller confirmed by terminating the concluded banking contracts and closing the related bank accounts;
  • there had previously been situations in which the controller sent commercial communications by e-mail, despite the fact he had exercised his right to object.

As a result of the investigation, also based on consultations with the Polish DPA, the Romanian DPA found that:

  • the controller’s computer system was integrated with the Polish bank’s centralized system, which also implements the database verification methodology from an IT point of view;
  • the messages sent to the clients after the termination of the contractual relationship with the bank were sent by a technical department in Poland, in accordance with the sanctioned controller’s instructions;
  • after the termination of the contractual relationship with clients, the controller continued to monitor their activities, and to send notifications about certain operations;
  • the controller had processed clients’ personal data (such as the e-mail address and the telephone number) for a purpose incompatible with that for which the data were originally collected.

The Romanian DPA also applied a corrective measure, ordering the controller to regularly monitor compliance with the principles and rules outlined in Art. 5 and Art. 6 of the GDPR noting that the controller must inform the Polish bank in case it would be necessary to reconfigure some systems or applications involved in the personal data processing, in order to properly implement the GDPR principles.

The press release is available here (only in Romanian).