The National Supervisory Authority has finalized, on the 4th of November 2019, an investigation with ING Bank N.V. Amsterdam – Sucursala București, following an intimation, and found that the controller infringed the provisions of Article 25 paragraph (1), in conjunction with Article 5 paragraph (1) letter f) of the GDPR, which lead to the application of an administrative fine of 80,000 Euros.
In this respect, the controller did not ensure the compliance with the principles of privacy by design and privacy by default, as it did not take appropriate technical and organisational measures regarding the implementation of adequate safeguards in the automated data processing system during the settlement process of card transactions, thus affecting a number of 225,525 customers whose payment operations were doubled during the period 8-10.10.2018, taking into account also the provisions of Article 32 paragraph (1) letter d) of the GDPR.
In this context, we mention that Article 25 paragraph (1) of GDPR provides the following:
”Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
Also, Article 5 paragraph (1) letter f) of the GDPR establishes one of the data processing principles, namely that the data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
At the same time, according to Article 32 paragraph (1) letter d) from the GDPR, among the appropriate technical and organizational measures that the controller must take in order to ensure a level of security appropriate to the risk, there is the one regarding the existence of a process forregularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
To read the press release in Romanian, click here
For further information, please contact the Romanian Supervisory Authority: firstname.lastname@example.org