Raiffeisen Bank S.A – €19,893 Fine (Romania, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Raiffeisen Bank S.A., the controller, notified the Romanian DPA of multiple personal data breaches. A customer, the data subject, complained about a loan taken out in their name, which triggered an internal investigation. The investigation revealed that an employee of the controller had unlawfully used the data subject’s personal data, which had been collected in the context of a prior application that the data subject had since withdrawn. Moreover, the controller’s employee withdrew cash, conducted bank transfers on behalf of several data subjects, changed contact details, and carried out Smart banking operations without the data subjects’ consent, affecting multiple categories of personal data in the process. In this context, the controller also admitted that two employees had sent confidential information about a data subject’s transaction via Facebook, Messenger and WhatsApp to a former employee, who subsequently shared it with the data subject’s relatives. The DPA considered that the controller had not implemented sufficient measures to ensure that any employee with access to personal data does not process them except at the controller’s request. It was this lack of measures that led to the unauthorized access to, and unauthorized disclosure of, personal data transmitted, stored or processed. The DPA therefore found a violation of Article 32(1)(2) and Article 32(4) GDPR and, as the breaches happened between 2015 and the beginning of 2023, deemed it appropriate to fine the controller RON 99,466 (€20,000).
Details
Fine Date
20 October 2024
Authority
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Fine Amount
€19,893
99,466 RON
GDPRhub ID
gdprhub-8619
Cite as: Cookie Fines. Raiffeisen Bank S.A - Romania (2024). Retrieved from cookiefines.eu