ING Bank N.V. Amsterdam – Bucharest Branch – €3,000 Fine (Romania, 2020)

The Romanian DPA (ANSPDCP) conducted an investigation into ING Bank N.V. Amsterdam – Bucharest Branch and found that, due to a system error, the request to close a current account of one former client did not operate and the client was considered "active". Because of this error, the controller continued to process the former client's personal data. Does processing personal data, after a system error fails to register the account closing, lead to a violation of the GDPR? The ANSPDCP found that the controller sent, to the e-mail address of a natural person, messages regarding the updating of his personal data, although the data subject had requested on 24.11.2017 the closure of the last bank product held (a current account). Due to a system error, the data subject was still registered as client and the controller processed the following personal data: e-mail address, name and surname, expiration date of the identity card. The Romanian DPA found that the controller processed personal data in violation with the provisions of Article 5(1)(a-d)GDPR (the principles of: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy) and without fulfilling the conditions of legality of the processing, as provided in Article 6(1)GDPR.