ANSPDCP (Romania) - Fine against Unicredit Bank SA
Romanian DPA fines Unicredit Bank €12,000 for inadequate security measures and delayed breach notification.
Summary
Romania's ANSPDCP fined Unicredit Bank SA a total of RON 62,714 (€12,000), split across two fines, for infringing GDPR Articles 32 and 33. The bank had not implemented appropriate technical and organisational measures (Article 32(1)(b), (2) and (4); RON 52,270 / €10,000): during a campaign to remind customers of expiring insurance policies, a file used to generate the notifications was processed manually and incorrectly, so that notifications went out via mobile and online banking messaging and email to the wrong recipients, disclosing other customers' names, addresses, insured-property details and value, mortgage-customer status, and policy expiry dates and costs. The bank also notified the breach late: it missed the 72-hour deadline of Article 33(1) (RON 10,454 / €2,000) even though it already held concrete information that customer data confidentiality had been breached.
Full text
ANSPDCP - Fine against Unicredit Bank SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR, Article 32(2) GDPR, Article 32(4) GDPR, Article 33(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 29.05.2026
Fine: 62,714 RON
Parties: Unicredit Bank SA
National Case Number/Name: Fine against Unicredit Bank SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: ds

The DPA fined a bank RON 62,714 (€12,000) for failing to implement appropriate technical and organisational measures, which led to the unauthorised disclosure of customer data. The DPA also found that the bank failed to notify the personal data breach within the legal deadline.

English Summary

Facts
A data subject filed a complaint with the Romanian DPA (ANSPDCP) against Unicredit Bank SA (the controller), alleging possible GDPR infringements. The DPA subsequently opened an investigation into the controller. The investigation established that, while handling the renewal of customers' insurance policies, the controller sent notifications of policy expiry via mobile messaging, online banking and email to persons other than the rightful recipients. The misdirected notifications were caused by improper manual processing of the file from which the notifications were generated.

Holding
The DPA found that the controller had not implemented adequate technical and organisational measures. In particular, the controller had failed to ensure that any person acting under its authority, or under the authority of its processor, who had access to personal data processed that data only on the controller's instructions and under a level of security appropriate to the risk, including the ability to ensure confidentiality. The DPA concluded that this failure led to the unauthorised disclosure of personal data to third parties: customers' names and surnames, addresses, the address and value of the insured property, the customers' status as holders of a mortgage lending product, and the expiry dates and costs of their insurance policies, for a significant number of customers. The DPA therefore held that the controller violated Article 32(1)(b), Article 32(2) and Article 32(4) GDPR and fined it RON 52,270 (€10,000).

The DPA further found that the controller did not notify the personal data breach within 72 hours of becoming aware of the security incident: the notification was sent late even though the controller already held concrete information that the confidentiality of personal data had been breached. Accordingly, the DPA held that the controller infringed Article 33(1) GDPR and fined it RON 10,454 (€2,000).

English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

29.05.2026
Sanctions for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed an investigation at Unicredit Bank SA in May 2026 and found a violation of the provisions of art. 32 para. (1) letter b), para. (2) and (4) and art. 33 para. (1) of Regulation (EU) 2016/679. As such, Unicredit Bank SA was sanctioned with two fines totalling 62,714 lei (equivalent to 12,000 euros), as follows:
- a fine of 52,270 lei (equivalent to 10,000 euros) for violating the provisions of art. 32 para. (1) letter b) and para. (2) and (4) of Regulation (EU) 2016/679, for failure to implement appropriate technical and organisational measures;
- a fine of 10,454 lei (equivalent to 2,000 euros) for violating the provisions of art. 33 para. (1) of Regulation (EU) 2016/679, for failing to transmit the security breach notification within the legal deadline.

The investigation was initiated following a petition from a natural person reporting possible violations of Regulation (EU) 2016/679.

The investigation showed that the controller, in the course of the renewal of insurance policies by customers who were obliged to renew them on expiry, sent erroneous notifications to a large number of customers, both via mobile or online banking messaging and via e-mail. The disclosure was caused by an error in the processing of a file needed to prepare the notifications.

During the investigation it was found that the controller had not implemented appropriate technical and organisational measures to ensure that any natural person acting under the authority of the controller, or of a processor acting on its behalf, who has access to personal data processes that data only on the controller's instructions, taking into account a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality of the data. Consequently, this breach led to the unauthorised disclosure of personal data (such as the customer's name, surname and address, the address and value of the insured property, the customer's status as a holder of the bank's mortgage lending product, and the expiry date and costs of the insurance policy) of a significant number of data subjects (customers), by erroneously transmitting notifications of the expiry of insurance policies to persons other than the rightful recipients, due to improper manual processing of a file. This constitutes a violation of the provisions of art. 32 para. (1) letter b) and para. (2) and (4) of Regulation (EU) 2016/679.

At the same time, the investigation found that the controller did not notify the personal data breach within 72 hours of the date on which it became aware of the security incident; the notification was sent late, although the controller had concrete information regarding the breach of the confidentiality of personal data, thus violating the provisions of art. 33 para. (1) of Regulation (EU) 2016/679.

Legal and Communication Department
A.N.S.P.D.C.P.

Source: https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_Unicredit_Bank_SA&oldid=51819
This page was last edited on 3 June 2026, at 09:39. Content is available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted.