The Romanian DPA takes action against the Romanian branch of a Polish bank for sending unsolicited communications

15.01.2024

On 12 January 2024, the Romanian DPA announced a fine of EUR 17,000 imposed on a controller in the banking sector for breaches of Art. 5 para. (1) letters a) and b), and Art. 6 of the GDPR. The investigation was conducted based on the cooperation mechanisms provided by the GDPR, and the controller was the Romanian branch of a Polish bank.

The investigation was opened following a complaint from a data subject about a possible breach of the GDPR, alleging that:

the controller sent unsolicited communications, both to his e-mail address and by SMS, despite having previously requested the deletion of all his personal data, which the controller confirmed by terminating the concluded banking contracts and closing the related bank accounts;
there had previously been situations in which the controller sent commercial communications by e-mail, despite the fact he had exercised his right to object.

As a result of the investigation, also based on consultations with the Polish DPA, the Romanian DPA found that:

the controller’s computer system was integrated with the Polish bank’s centralized system, which also implements the database verification methodology from an IT point of view;
the messages sent to the clients after the termination of the contractual relationship with the bank were sent by a technical department in Poland, in accordance with the sanctioned controller’s instructions;
after the termination of the contractual relationship with clients, the controller continued to monitor their activities, and to send notifications about certain operations;
the controller had processed clients’ personal data (such as the e-mail address and the telephone number) for a purpose incompatible with that for which the data were originally collected.

The Romanian DPA also applied a corrective measure, ordering the controller to regularly monitor compliance with the principles and rules outlined in Art. 5 and Art. 6 of the GDPR noting that the controller must inform the Polish bank in case it would be necessary to reconfigure some systems or applications involved in the personal data processing, in order to properly implement the GDPR principles.

The press release is available here (only in Romanian).

Tags:Banking sectorCorrective measuresCross-borderDPADPA investigationGDPR fineGDPR principlesRight to objectUpdate

-                                        Number of fines
-                                        Highest fine
+,000 €
-                                        Lowest fine
+€
-                                        Total amount of fines
+,000 €
-                                        Number of corrective measures
-                                        Number of fines triggered by data breach notifications
-                                        Number of fines triggered by complaints
-                                        Legal provisions mentioned in press releases
+                                        Article 24 (1), Article 32 (1) b), d), (2) of GDPR, Article 18 (2) of Law 102/2005

Dismissal of the data protection officer

Minimum data protection checklist on future law on whistleblowing protection

Introducing NIS 2 – main things to know and follow

Iurie Cojocaru

Partner, Head of the Data Protection practice

Roxana Ionescu

(1981-2023)

Statistics

Subscribe to NNDKP’s newsletters

Statistics

More In the spotlight

Statistics

Subscribe to NNDKP’s newsletters