Sanctions applied
During September - October 2016, the National Supervisory Authority for Personal Data Processing carried out several investigations, ex officio or based on the complaints received, and applied the following sanctions.
Among them, we present the cases in which a fine of at least 5000 lei was applied.
1. ERB Retail Services IFN S.A.
The following was ascertained:
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas ERB Retail Services IFN S.A. reported negative data to Biroul de Credit without the prior notification of certain data subjects, by infringing the provisions of Articles 8 and 9 of ANSPDCP Decision no. 105/2007 and of Article 12 (1) of Law no. 677/2001.
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, disregarding the right provided by Article 14 (1) and (3) of Law no. 677/2001 whereas ERB Retail Services IFN S.A. did not handle the requests of several natural persons exercising the right of intervention, namely to delete the negative data transmitted to Biroul de Credit, without their prior information.
For these offences, a sanction in the amount of 7.000 lei was applied.
2. Credit Europe Bank SA
The following was ascertained:
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas CREDIT EUROPE BANK (ROMANIA) S.A. reported negative data of several natural persons to Biroul de Credit without the prior notification.
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas CREDIT EUROPE BANK (ROMANIA) S.A. reported negative data to Biroul de Credit several times in the same month, for several persons, for the same outstanding payment, without observing the deadline of 30 days from the due date, contrary to the provisions of Article 5 (1) of ANSPDCP Decision no. 105/2007, by infringing Article 4 (1) letters a) and c) of Law no. 677/2001.
For these offences, a sanction in the amount of 23.000 lei was applied.
3. Easy Asset Management
The following was ascertained:
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas Easy Asset Management IFN S.A. reported negative data of several natural persons to Biroul de Credit without the prior notification, by infringing the provisions of Article 8 (2) of ANSPDCP Decision no. 105/2007, Article 9 (1) of ANSPDCP Decision no. 105/2007 and Article 12 (1) of Law no. 677/2001.
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas Easy Asset Management IFN S.A. reported negative data of several natural persons to Biroul de Credit before the deadline of 30 days from the due date had expired, contrary to the provisions of Article 5 (1) of ANSPDCP Decision no. 105/2007, by infringing Article 4 (1) letters a) and c) of Law no. 677/2001, corroborated with Article 12 of ANSPDCP Decision no. 105/2007.
For these offences, a sanction in the amount of 25.000 lei was applied.
4. Unicredit Consumer Financing IFN
The following was ascertained:
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas UniCredit Consumer Financing IFN SA reported negative data of several natural persons to Biroul de Credit without proving their prior notification, by infringing the provisions of Article 8 (2), Article 9 (1) and Article 12 of ANSPDCP Decision no. 105/2007, corroborated with Article 12 (1) of Law no. 677/2001. For certain natural persons, these negative data were reported to Biroul de Credit without observing the deadline of 30 days from the due date, and were transmitted to Biroul de Credit several times in the same month, contrary to the provisions of Article 5 (1) of ANSPDCP Decision no. 105/2007 and infringing Article 4 (1) letters a) and c) of Law no. 677/2001.
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas UniCredit Consumer Financing IFN SA, in the cases of several natural persons to whom it sent SMS messages informing them about their outstanding payments, did not transmit the information provided by Article 12 (1) of Law no. 677/2001, corroborated with the provisions of Article 9 (1) of ANSPDCP Decision no. 105/2007.
For these offences, a sanction in the amount of 25.000 lei was applied.
5. SC Bancpost SA
The following was ascertained:
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas Bancpost SA reported negative data of several natural persons to Biroul de Credit without their prior notification, contrary to the provisions of Article 8 (2) and Article 9 (1) of ANSPDCP Decision no. 105/2007 and Article 12 of Law no. 677/2001. At the same time, negative data were reported to Biroul de Credit without observing the deadline of 30 days from the due date, contrary to the provisions of Article 5 (1) of ANSPDCP Decision no. 105/2007 and Article 4 (1) letters a) and c) of Law no. 677/2001.
For these offences, a sanction in the amount of 20.000 lei was applied.
6. Garanti Bank SA
The following was ascertained:
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas Garanti Bank SA reported negative data of several data subjects to Biroul de Credit without their prior notification, contrary to the provisions of Article 8 (2) and Article 9 (1) of ANSPDCP Decision no. 105/2007 and Article 12 of Law no. 677/2001. At the same time, negative data were reported to Biroul de Credit without observing the deadline of 30 days from the due date, contrary to the provisions of Article 5 (1) of ANSPDCP Decision no. 105/2007 and Article 4 (1) letters a) and c) of Law no. 677/2001.
For these offences, a sanction in the amount of 20.000 lei was applied.
7. Unicredit Bank SA
The following was ascertained:
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas Unicredit Bank SA reported negative data of several data subjects to Biroul de Credit without providing the information provided by Article 9 (1) of ANSPDCP Decision no. 105/2007 and Article 12 (1) of Law no. 677/2001.
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas Unicredit Bank SA reported negative data of several natural persons to Biroul de Credit before the deadline of 30 days from the due date had expired, contrary to the provisions of Article 5 (1) of ANSPDCP Decision no. 105/2007, by infringing Article 4 (1) letters a) and c) of Law no. 677/2001.
For these offences, a sanction in the amount of 9.000 lei was applied.
8. SC RCS & RDS SA
The following was ascertained:
The non-observance of the obligation to ensure the security of the processing of personal data, provided by Article 3 of Law no. 506/2004, as well as the non-observance of the obligation to notify ANSPDCP provided by Article 3 (6) of Law no. 506/2004.
Thus, it was ascertained that SC RCS & RDS SA did not take sufficient and adequate technical and organizational measures to ensure the protection of personal data processing and a level of security proportionate to the existing risk, so as to guarantee that the personal data of the holders of the contracts concluded with SC RCS & RDS SA can be accessed only by authorized persons, including to prevent the creation of and/or access to a user account by a person other than the account holder.
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, disregarding the right of intervention, whereas SC RCS & RDS SA did not send a reply in writing, within 15 days, to the complaint of the data subject, in which he reported the infringement of his rights provided by Law no. 677/2001, although it had that obligation.
For these offences, a sanction in the amount of 11.000 lei was applied.
9. SC Aramis Invest SRL
The following was ascertained:
The non-observance of the provisions of Article 12 of Law no. 506/2004 on obtaining consent for the transmission of unsolicited communications, as provided by Article 13 (1) letter q) of Law no. 506/2004.
Thus, it was ascertained that SC Aramis Invest SRL transmitted an unsolicited commercial message by electronic mail to a natural person without proving the existence of the expressed consent of the person to receive such communication at his email address.
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, disregarding the right of intervention, whereas SC Aramis Invest SRL did not send a reply in writing, within 15 days, to the complaint of the data subject, in which he reported the infringement of his rights provided by Law no. 677/2001, although it had that obligation.
For these offences, a sanction in the amount of 6.000 lei was applied.
10. Simplu Credit IFN SA
The following was ascertained:
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas Simplu Credit IFN SA reported negative data of a data subject to Biroul de Credit without providing the prior notification under the conditions provided by Article 9 (1) of ANSPDCP Decision no. 105/2007 and Article 12 (1) of Law no. 677/2001, and also transmitted inaccurate data, and did so before the deadline of 30 days from the due date had expired, contrary to the provisions of Article 4 (2) and Article 5 (1) of ANSPDCP Decision no. 105/2007, corroborated with the provisions of Article 4 (1) letters a) and c) of Law no. 677/2001.
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, disregarding the right provided by Article 14 (1) of Law no. 677/2001, whereas Simplu Credit IFN SA did not handle the request of a natural person exercising the right of intervention, namely to adopt measures for the deletion of the negative data transmitted to Biroul de Credit, without their prior information.
For these offences, a sanction in the amount of 5.000 lei was applied.
11. SC Toro TeleMarketing SRL
The following was ascertained:
Illegal processing of personal data, provided by Article 32 of Law no. 677/2001, whereas SC Toro Telemarketing SRL processed, starting with July 2016, the biometric data (fingerprints) of the employees for establishing the working hours, a processing considered excessive in relation to the purpose of the processing because other, less intrusive means could be used to achieve this purpose, thus breaching Article 4 (1) letter c) of Law no. 677/2001.
The non-observance of the obligation concerning confidentiality and the application of security measures, provided by Article 33 of Law no. 677/2001, whereas SC Toro Telemarketing SRL did not adopt sufficient confidentiality and security measures for the processed data (the biometric data of employees), according to Articles 19 and 20 of Law no. 677/2001, in terms of developing a security policy and providing detailed instructions for processing the data.
For these offences, a sanction in the amount of 5.000 lei was applied.
Legal and Communication Department