The Authority has completed, on 14.04.2020, an investigation at the operator Banca Comercială Română SA, he found out that some provision had been violated, respectively art. 32 cpv. (4) in conjunction with Art. 32 cpv. (1) and para. (2) of the General Data Protection Regulation.
The operator of Banca Comercială Română SA was fined 24163.50 lei, the equivalent of EUR 5000.
The investigation was initiated upon receipt of a complaint and, during its conduct, The National Supervisory Authority found that Banca Comercială Română SA did not implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
At the same time, the processor has not taken any measures to ensure that any natural person acting under his authority who has access to personal data processes them only at his request, unless such an obligation is incumbent upon him under the law. Union or national law.
Therefore, it was found that there was a collection of copies of individual client identity documents (minors and legal representatives) by the personal telephone of an employee of the operator, as well as the transmission of copies of these documents to the operator, through the Whatsapp application, in violation of the internal working procedure.