On the 27th of June 2019, the National Supervisory Authority finalised an investigation at the controller UNICREDIT BANK S.A. and found that it breached the provisions of Article 25 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The controller was sanctioned with a fine in the amount of 613,912 lei, the equivalent of 130,000 euros.
The sanction was applied to UNICREDIT BANK S.A. for failing to implement appropriate technical and organisational measures, both when determining the means of processing and during the processing operations themselves, designed to effectively implement data protection principles such as data minimisation and to integrate the necessary safeguards into the processing, in order to meet the GDPR requirements and to protect the rights of the data subjects. This led to the disclosure of the payer’s personal identification number and address (where the payer performed the transaction from an account opened with another credit institution – external transactions and cash deposits) and of the payer’s address (where the payer performed the transaction from an account opened with UNICREDIT BANK SA – internal transactions) in the documents containing the details of transactions made available online to payment customers, affecting 337,042 data subjects between the 25th of May 2018 and the 10th of December 2018.
The sanction was imposed following a complaint addressed to the National Supervisory Authority on the 22nd of November 2018 indicating that the personal identification number and the address of persons making payments to UNICREDIT BANK S.A. customers via online transactions were disclosed to the beneficiary of the transaction through the account statement/transaction details.
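The failure described above is a data-minimisation problem at the presentation layer: the same full transaction record was rendered for whichever party viewed it, so the beneficiary received payer fields (personal identification number, address) that the beneficiary has no purpose for. The Python below is an added illustration, not code from UNICREDIT BANK, the supervisory authority or any product; the field names, the two viewer roles, the transaction categories and the sample records are all assumptions. It contrasts the over-disclosing rendering with a default-deny, per-viewer allow-list, and adds an audit check that can be run over already-rendered statement rows to detect fields that exceed the viewer's allow-list. It generalises slightly beyond the finding: the beneficiary view withholds both the identification number and the address for every transaction kind, rather than only the combination observed per kind.

```python
"""Field-level data minimisation for transaction details shown to different parties.

Added illustration; field names, roles and sample data are assumptions.
"""
from dataclasses import dataclass, asdict, fields
from typing import Dict, List


@dataclass(frozen=True)
class Transaction:
    ref: str
    kind: str               # "internal", "external" or "cash_deposit" (assumed categories)
    date: str
    amount: str
    currency: str
    payer_name: str
    payer_iban: str
    payer_cnp: str          # personal identification number: not needed by the beneficiary
    payer_address: str      # likewise not needed by the beneficiary
    beneficiary_name: str
    beneficiary_iban: str


ALL_FIELDS = frozenset(f.name for f in fields(Transaction))

# Allow-list per viewer. Anything not listed is dropped (default deny): a field added
# to Transaction later stays invisible to the beneficiary until someone lists it here.
VIEW_FIELDS: Dict[str, frozenset] = {
    "payer": ALL_FIELDS,
    "beneficiary": frozenset({
        "ref", "kind", "date", "amount", "currency",
        "payer_name", "payer_iban", "beneficiary_name", "beneficiary_iban",
    }),
}


def render_details_unminimised(tx: Transaction, viewer: str) -> Dict[str, str]:
    """The over-disclosing behaviour: the full record goes to every viewer, role ignored."""
    return asdict(tx)


def render_details(tx: Transaction, viewer: str) -> Dict[str, str]:
    """Minimised view: project the record onto the fields this viewer may see."""
    allowed = VIEW_FIELDS[viewer]  # KeyError for an unknown role is deliberate: fail closed
    return {k: v for k, v in asdict(tx).items() if k in allowed}


def leaked_fields(rendered: Dict[str, str], viewer: str) -> List[str]:
    """Audit check: fields present in a rendered row that exceed the viewer's allow-list."""
    return sorted(set(rendered) - VIEW_FIELDS[viewer])


def audit_statement(rows: List[Dict[str, str]], viewer: str) -> Dict[str, List[str]]:
    """Run the check over a whole statement; returns {ref: leaked fields} for offending rows."""
    return {r["ref"]: leaked for r in rows if (leaked := leaked_fields(r, viewer))}


# Constructed sample data: placeholders only, not real persons or accounts.
SAMPLE_TXS = [
    Transaction("TX-0001", "external", "2018-06-01", "250.00", "RON",
                "Payer One", "RO00EXTB0000000000000001", "CNP-PLACEHOLDER-1",
                "Example Street 1, Bucharest", "Merchant S.R.L.", "RO00UNCR0000000000000009"),
    Transaction("TX-0002", "internal", "2018-06-02", "80.00", "RON",
                "Payer Two", "RO00UNCR0000000000000002", "CNP-PLACEHOLDER-2",
                "Example Street 2, Cluj", "Merchant S.R.L.", "RO00UNCR0000000000000009"),
]

if __name__ == "__main__":
    bad = [render_details_unminimised(t, "beneficiary") for t in SAMPLE_TXS]
    good = [render_details(t, "beneficiary") for t in SAMPLE_TXS]
    print("unminimised statement:", audit_statement(bad, "beneficiary"))
    print("minimised statement:  ", audit_statement(good, "beneficiary"))
```

The allow-list sits in one place and is keyed by the viewer's role, so the question "which payer fields does a beneficiary see?" has a single, reviewable answer; the audit function is the same rule applied after the fact, which is how a controller can verify historical statements rather than only new ones.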
Pursuant to Article 5 (1) letter c) of GDPR (“Principles relating to processing of personal data”), the controller had the obligation to process the data limited to what is necessary in relation to the purposes for which they are processed.
At the same time, Recital (78) of the Regulation states: “The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.”
Legal and Communication Department