Policy, Jul 3, 2026

ANSPDCP (Romania) - 02/07/2026

Romanian DPA fines Banca Transilvania RON 26,172 after an employee accessed a customer's account data without authorisation.

Summary

The Romanian DPA (ANSPDCP) has fined Banca Transilvania S.A. RON 26,172 (€5,000) for failing to implement technical and organisational measures appropriate to the risk of its processing. An employee accessed a customer's bank account statements outside the scope of their job duties and for personal purposes, at the request of a third party. The DPA found infringements of Article 32(1), (2) and (4) GDPR, in particular the obligation to ensure that staff with access to personal data process it only on the controller's instructions, and additionally ordered the bank to implement measures preventing employees from accessing personal data for personal purposes.

Full text

ANSPDCP (Romania) - 02/07/2026 (GDPRhub case page)

Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1) GDPR; Article 32(2) GDPR; Article 32(4) GDPR
Type: Complaint
Outcome: Upheld
Published: 02.07.2026
Fine: 26,172 RON
Parties: Banca Transilvania S.A.
National Case Number/Name: 02/07/2026
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: ds

The DPA fined a bank RON 26,172 (€5,000) for failing to implement appropriate technical and organisational measures after an employee unlawfully accessed a customer's account data for personal purposes.

English Summary

Facts

The Romanian DPA (ANSPDCP) launched an investigation into a bank, Banca Transilvania S.A. (the controller), following a data subject's complaint. The data subject claimed that personal data associated with their bank account had been processed without their consent. During the investigation the DPA found that an employee of the controller had accessed the data subject's bank account statements without authorisation and outside the scope of their official duties, at the request of a third party. The personal data included the data subject's surname, first name, IBAN, account type, client code, transaction data and account balances.

Holding

The DPA found that the controller had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. It noted that the controller had not sufficiently ensured that employees acting under its authority and having access to customers' personal data processed those data only on its instructions. It held that this failure resulted in the unauthorised access to the data subject's personal data for personal purposes. The DPA therefore found that the controller infringed Article 32(1) GDPR, Article 32(2) GDPR and Article 32(4) GDPR and imposed a fine of RON 26,172 (€5,000). Furthermore, the DPA ordered the controller to implement appropriate technical and organisational measures to prevent employees from unlawfully accessing personal data for personal purposes.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

02/07/2026 Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed, in June 2026, an investigation at the operator (controller) Banca Transilvania S.A. and found a violation of the provisions of art. 32 para. (1), (2) and (4) of Regulation (EU) 2016/679. As such, the controller was sanctioned with a fine of 26,172 lei, equivalent to 5,000 euros.

The investigation was initiated following a complaint from a natural person, a data subject, who claimed that his personal data associated with his bank account had been processed without his consent. During the investigation, it was found that an employee of the controller, at the request of a third party, accessed, outside of their job duties and in an unauthorised manner, account statements of the data subject, affecting the following categories of personal data: name, surname, bank account number (IBAN), account type, client code, transaction data and account balance.

As such, it was found that the controller did not implement technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, so as to ensure that employees acting under its authority and having access to the personal data of the bank's customers process them only on its instructions, which led to unauthorised access, for personal purposes, to the data subject's data.

Consequently, in relation to the criteria for individualising the sanction provided for in art. 83 para. (2) of Regulation (EU) 2016/679, the controller Banca Transilvania S.A. was fined for violating the provisions of art. 32 para. (1), (2) and (4) of Regulation (EU) 2016/679. At the same time, pursuant to the provisions of art. 58 para. (2) letter b) of Regulation (EU) 2016/679, a corrective measure was ordered against the controller to bring its personal data processing operations into compliance with Regulation (EU) 2016/679 by implementing appropriate technical and organisational measures, so as to prevent unlawful access, in the personal interest of employees, to the personal data of the individuals whose data the controller processes.

The controller paid the administrative fine imposed by ANSPDCP.

Legal and Communication Department, A.N.S.P.D.C.P.

Source: https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_02/07/2026&oldid=52059 (page last edited on 3 July 2026 at 15:14; content available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted).

Entities

Banca Transilvania S.A. (controller; fined party)