July 5, 2019
The National Supervisory Authority For Personal Data Processing (“ANSPDCP”) announced on 4 July 2019 that it had issued its first fine in application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
Data controller sanctioned by ANSPDCP and level of fine
On 27 June 2019, ANSPDCP finalized an investigation into Unicredit Bank S.A. Having concluded that the data controller breached the GDPR rules in the course of its activity, it decided to apply a fine of EUR 130,000.
Object and duration of breach
Unicredit Bank S.A. was sanctioned for disclosing payers’ data in the documents containing the details of transactions that were made available online to the beneficiaries of the payments. The disclosed data were the personal identification number and the payer’s address (where the payer performed the transaction from an account opened with another credit institution: external transactions and cash deposits) and the payer’s address (where the payer made the transaction from an account opened with Unicredit Bank S.A.: internal transactions). The disclosure concerned 337,042 data subjects and took place between 25 May 2018 and 10 December 2018.
ANSPDCP considered that the data controller breached the provisions of article 25(1) GDPR by failing to implement appropriate technical and organizational measures, both when determining the means of processing and in the processing operations themselves, designed to effectively implement data protection principles, such as data minimization, and to integrate the necessary safeguards into the processing in order to meet the GDPR requirements and to protect the rights of the data subjects.
Investigation launched following notification received by ANSPDCP
ANSPDCP launched the investigation following a notification received on 22 November 2018 indicating that the personal identification number and the address of persons making payments to Unicredit Bank S.A. via online transactions were disclosed to the beneficiary of the transaction through the account statement/details.