Romania: ANSPDCP fines Banca Transilvania €100,000 for inadequate security measures
The National Supervisory Authority for Personal Data Processing ('ANSPDCP') announced, on 17 December 2020, its decision to fine Banca Transilvania SA RON 487,380 (approx. €100,000) as a result of a violation of Article 5(1)(f) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), relating to the controller's responsibility to ensure the integrity and confidentiality of data, and Article 32 of the GDPR for inadequate security measures. In particular, the ANSPDCP highlighted that, further to complaints regarding the breach of confidentiality and failure to secure data, it investigated the company and found that a listed document containing a client's statement, as well as an email containing the internal conversation between the company's employees, was posted on Facebook and a website. More specifically, the ANSPDCP noted that the circulation of this listed document led to the unauthorised disclosure of personal data of four individuals and that the company had failed to take adequate technical and organisational security measures to safeguard data.
You can read the announcement, only available in Romanian, here.