Romania Issues First GDPR Fine Against UniCredit for Data Security Failings

The first GDPR-related fine in Romania has just been issued against UniCredit Bank following a National Supervisory Authority investigation into the bank’s use of personal data.

The fine, for US$146,000 (EUR€135,000), is the second-largest GDPR fine issued in Central and Eastern Europe (CEE) in 14 months since the regulations first came into effect.

ANSPDCP, Romania’s data protection watchdog, sanctioned lender UniCredit with a fine on June 27 2019. They cited the bank’s failure to apply proper technical and organizational security measures as justification for the fine, a severe breach of GDPR.

The press release issued by ANSPDCP said: “The sanction was applied to UNICREDIT BANK SA as a result of the failure to apply appropriate technical and organizational measures, both in the determination of the processing and processing methods, to effectively implement the data protection principles such as the reduction to the minimum of data, and to integrate the necessary safeguards in the processing, to meet the requirements of the RGPD and to protect the rights of the data subjects.”

As a result of UniCredit’s failings, the personal information of 337,042 individuals was made publicly available between May 25, 2018, and December 10, 2018. These details included the personal identification number and address of payers (for situations where the payer completes the transaction from an account opened with another credit institution – external transactions and cash deposits) and the payer’s address for situations where the payer completed the transaction from an account opened with Unicredit Bank – internal transactions.

UniCredit is an Italian banking and financial services company that operates in 17 countries, with more than 8,500 branches and over 147,000 employees

In a statement to the Global Data Review, a spokesperson for UniCredit said: “The shortcomings identified by [the regulator] have been fully remedied. UniCredit would like to reassure all its customers that no data was publicly disclosed.

“UniCredit considers the need to maintain data security an essential purpose of the bank’s business. We will continue to dedicate our efforts to ensure the highest quality standards for our customers, including the security of personal data processing.”

Romania follows in the steps of other Eastern European countries in issuing their first GDPR-related fine.  Other recent fines include €220,000 in Poland, €27,000 in Bulgaria, €40,000 in Hungary and €61,500 in Lithuania-serves as a pointed reminder to organizations that data privacy must become a top priority. Organizations which fail to comply may be subjected to a GDPR fine which can be as high as 4% of the annual global revenue of the previous year or €20m.