On the 1st of October 2019, the National Supervisory Authority finalised two investigations at Raiffeisen Bank S.A. and Vreau Credit S.R.L. noting the following:
- Raiffeisen Bank S.A. infringed the provisions of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) and paragraph (2) of the GDPR, which led to imposing an administrative fine in the amount of 150,000 Euros
- Vreau Credit S.R.L. infringed the provisions of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) and paragraph (2) of the GDPR, as well as of Article 33 paragraph (1) of the GDPR, which led to imposing an administrative fine in the amount of 20,000 Euros.
As regards Raiffeisen Bank S.A., the National Supervisory Authority has initiated an investigation, following the notification of a personal data breach to the supervisory authority, by filling in the form on the personal data breach in compliance with Regulation (EU) 2016/679.
The breach of security consisted in the fact that two employees of Raiffeisen Bank S.A., using the data from the identity documents of some natural persons, transmitted by the employees of the company Vreau Credit S.R.L. through the WhatsApp mobile application, performed queries to the Credit Bureau system to obtain the necessary data in order to determine the eligibility to credit of the respective individuals, through prescoring simulations. In this respect, 1194 simulations were performed, with regards to 1177 individuals.
Also, for 124 individuals, the database of the National Agency for Fiscal Administration (NAFA) was also consulted.
The above mentioned prescoring simulations were performed through the computer application used by Raiffeisen Bank S.A. in the crediting activity, and the negative crediting decision was communicated by the employees of Raiffeisen Bank S.A. to the employees of Vreau Credit S.R.L., with the infringement of the internal procedures.
The sanction was imposed to the controller due to the fact that it did not implement the appropriate measures in order to ensure that any natural person acting under its authority and who has access to personal data processes the data only following its request, except for the case where this obligation rests with them under the Union or national law.
Also, the controller did not implement adequate technical and organisational measures in order to ensure an adequate level of security and did not evaluate the risks presented by the processing.
This situation led to the unauthorized access to the personal data processed through the computer application used by Raiffeisen Bank S.A. in the crediting activity and to the unauthorized disclosure of personal data by the employees of the bank.
Concerning the controller Vreau Credit S.R.L., it was also sanctioned for the breach of data security, but also for the fact that until the end of the investigation it did not notify the supervisory authority of the personal data breach, without undue delay, although it has become aware of this security incident since December 2018, which led to the breach of the confidentiality of the personal data of their clients (the data subjects) and to the unauthorized/illegal processing of their personal data.
For further information, please contact the Romanian Supervisory Authority: email@example.com