GDPR breach: a bank employee used WhatsApp to send documents


An employee of Banca Comercială Română (BCR) worked in a "smart" way: to help clients with the handling of their paperwork, he used his own smartphone to send documents and IDs over WhatsApp, including those of minors and their legal representatives. This violated the internal working procedures and led to a sanction for breach of the privacy policy.

Obviously, using WhatsApp in a company to transmit documents is not in compliance with the GDPR, and the decision whether or not to adopt it is a duty of the controller, who must assess the privacy impact risks, especially when processing minors' personal data. It is also important to ensure transparency and the information provided to data subjects, and to regulate its use with specific organizational security measures and procedures that authorized employees must then comply with when processing customer data.

In the Romanian bank's case, the investigation by the Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) began after a complaint from a client who was not happy about documents being exchanged through an app owned by Facebook.

The investigation by the Romanian Data Protection Authority, led by Ancuța Gianina, found that the employee usually collected documents using his own smartphone and then transferred them from the smartphone to his company PC. In this way the internal privacy policy was breached, along with some rules of the GDPR.

The Romanian Privacy Supervisor objected that the bank had not implemented adequate technical and organizational measures to secure the data processing and to ensure that employees, as persons authorized to access personal data, handled the data only on request and in accordance with the instructions given.

At the end of the investigation, on 14 April, the Data Protection Authority established a data processing breach under article 32 paragraph 4 and article 32 paragraphs 1 and 2 of the GDPR 2016/679. For this reason it fined Banca Comercială Română S.A. 24.163,50 lei (the Romanian currency), equivalent to 5.000 euros.

SOURCE: FEDERPRIVACY
