Banca Transilvania SA – €100,000 Fine (Romania, 2020)

The Romanian DPA (ANSPDCP) fined Banca Transilvania SA EUR 100,000 for violations of Art. 5 (1) f) GDPR, Art. 32 (1) GDPR and Art. 32 (2) GDPR. It was found that the bank requested a declaration from a customer about the intended use of a certain amount of money wished to withdraw from its account. This statement was submitted to the bank online and forwarded to several employees of the bank. One employee photographed the declaration with his cell phone and spread it via WhatsApp. Subsequently, the document was posted on the social network Facebook and on a website. This situation led to the disclosure and unauthorized access of certain personal data concerning four data subjects, despite the Bank's commitment to respect the principle of integrity and confidentiality of personal data as required by Art. 5 (1) f) GDPR. The DPA notes that the occurred disclosure of the data also proves the ineffectiveness of the internal training of the Bank's employees regarding compliance with the standards for data protection. These trainings are, however, an integral part of the technical and organizational measures that the Bank was obliged to implement, Art. 32 GDPR.