Why was the fine imposed?
When a payment was made, whether initiated by an account holder of the sanctioned bank or by a third-party user of the interbank payment system, the payer's CNP (personal numerical code) and address were accessible to the payee through the bank statement or the payment details provided by the bank. Following the investigation, ANSPDCP concluded that this processing violated the principle of data privacy by design, under which operators are obliged to implement technical and organizational measures appropriate to the nature and risks of the processing, as well as to the technological and financial means available, in order to ensure compliance with the GDPR.
The principle of data privacy by design: legal implications for IT systems as well
The principle of data privacy by design acts as an umbrella: it brings the other GDPR principles, for example data minimisation, under a single provision. Compliance with data privacy by design requires a preliminary risk assessment, through which operators identify the measures to be implemented.
Moreover, beyond the legal assessment (for example, whether the processed data are necessary in relation to the purposes, the retention period, the legal basis relied on, etc.), this principle requires thorough verification of the IT infrastructure (systems, applications, etc.), followed by redesign where nonconformities are identified.
Thus, data privacy by design cannot be achieved simply by adopting procedures and policies, but only by implementing, and periodically testing the proper functioning of, the system changes that ensure compliance with those data protection procedures and policies.
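The exposure described above, payer identifiers copied into the payee-facing payment details, is a data minimisation failure that can be caught both at design time and by the periodic testing the paragraph calls for. The following is an added example written for this page, not code from the article or from any bank: it contrasts an "exposing" projection that copies every stored field with an allow-listed projection, and adds a periodic control that scans outgoing statement text for tokens that validate as a CNP. The record field names and the allow-list are assumptions for the example; the 13-digit CNP check-digit algorithm (weights 279146358279, sum modulo 11, remainder 10 mapped to 1) is the standard one, and the sample CNP is synthetic.

```python
import re
from dataclasses import dataclass, asdict

# Weights used by the standard CNP control-digit algorithm (constant "279146358279").
_CNP_WEIGHTS = [int(c) for c in "279146358279"]


def is_valid_cnp(value: str) -> bool:
    """True if value is a 13-digit string whose control digit matches the CNP checksum."""
    if not re.fullmatch(r"[1-9]\d{12}", value):
        return False
    total = sum(int(d) * w for d, w in zip(value[:12], _CNP_WEIGHTS))
    control = total % 11
    if control == 10:
        control = 1
    return control == int(value[12])


@dataclass(frozen=True)
class PaymentRecord:
    """Full payment record as held by the bank. Field names are constructed for this example."""
    payer_name: str
    payer_iban: str
    payer_cnp: str
    payer_address: str
    payee_iban: str
    amount: str
    currency: str
    reference: str


# Allow-list of fields a payee needs to reconcile an incoming payment (an assumption for this example).
PAYEE_ALLOWED_FIELDS = frozenset(
    {"payer_name", "payer_iban", "payee_iban", "amount", "currency", "reference"}
)


def payee_view_exposing(record: PaymentRecord) -> dict:
    """The design the fine describes: every stored field is copied into the payee's payment details."""
    return asdict(record)


def payee_view_minimised(record: PaymentRecord) -> dict:
    """Privacy by design: project the record through an allow-list so CNP and address never leave the bank."""
    return {k: v for k, v in asdict(record).items() if k in PAYEE_ALLOWED_FIELDS}


def render_statement_line(view: dict) -> str:
    """Flatten a payee view into one statement line, the form in which it reaches the payee."""
    return " | ".join(f"{k}={v}" for k, v in sorted(view.items()))


def find_leaked_cnps(statement_lines):
    """Periodic control: scan outgoing statement text for tokens that validate as a CNP.
    Returns (line_index, token) pairs; an empty list means no such identifier reached the payee."""
    leaks = []
    for i, line in enumerate(statement_lines):
        for token in re.findall(r"\b\d{13}\b", line):
            if is_valid_cnp(token):
                leaks.append((i, token))
    return leaks


# Constructed sample record; the CNP below is synthetic but passes the checksum.
SAMPLE = PaymentRecord(
    payer_name="Ion Popescu",
    payer_iban="RO00EXAM0000000000000001",
    payer_cnp="1800101123450",
    payer_address="Str. Exemplu 1, Bucuresti",
    payee_iban="RO00EXAM0000000000000002",
    amount="125.00",
    currency="RON",
    reference="1234567890123",  # 13 digits but fails the CNP checksum: must not be flagged
)

if __name__ == "__main__":
    for name, view_fn in (("exposing", payee_view_exposing), ("minimised", payee_view_minimised)):
        line = render_statement_line(view_fn(SAMPLE))
        print(name, "->", find_leaked_cnps([line]) or "no CNP in statement")
```

The allow-list projection is the design-time control: a new field added to the stored record does not reach the payee unless someone deliberately adds it to the list. The checksum-aware scan is the periodic test: run over a sample of generated statements, it reports the exposing design and stays silent on the minimised one, while a 13-digit payment reference that does not validate as a CNP is not reported as a false positive.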
Implementing a new business process or new software within the company should be done with the support of the data protection officer. The best way to verify that both technical and non-technical controls work is to periodically simulate a cyber incident resulting in unauthorized access to personal data. In this exercise, the team must identify the data that was accessed, the systems that store it, and the affected business processes. Such a test obliges the internal teams to verify that the existing records are up to date.
Similarly, as a result of these exercises, companies can identify processes or applications that allow external providers access to data, access that may not have been documented in advance or that is not warranted.
At the same time, for processes that have been properly documented at the time of implementation, a company can realize that existing information requires a higher level of detail.
As regards the proportionality of the fine, it is interesting to note that a breach of the data privacy by design principle falls under the GDPR's lower tier of fines, up to 10 million EUR or 2% of global annual turnover, rather than the upper limit of 20 million EUR or 4%.
In addition, in setting the amount of the fine, ANSPDCP had to consider the large number of data subjects affected, 337,042, and other aspects such as the categories of data involved, whether the operator acted intentionally or negligently, any actions taken to reduce the harm suffered by the data subjects, etc.
Romania: the second largest fine in Central and Eastern Europe
Among fines in Central and Eastern Europe, the sanction imposed by ANSPDCP is the second highest, after the 220,000 euro fine issued in Poland in the Bisnode case, which concerned the use of personal data from public sources without respecting the obligation to inform the data subjects.
Thus, according to a study conducted by Deloitte Legal in Central and Eastern Europe, the amount of this first fine places Romania at the top of the fines imposed in this first year of application of the GDPR. The study also reveals that the highest fine in Bulgaria did not exceed 27,000 euros, in Hungary 40,000 euros, and in Lithuania 61,500 euros.
The financial and banking industry was among the sectors most targeted by ANSPDCP investigations, both before and after the entry into force of the GDPR.
Moreover, ANSPDCP has reported that the complaints and claims it received concerned breaches of the principles of personal data processing in the banking system and of the privacy and security rules for personal data processing.
Consequences in procedural and judicial terms
According to official data communicated by ANSPDCP, about 1,000 investigations were in progress at the end of May 2019, and it is expected that entities subject to sanctions and corrective measures will challenge these decisions in court.
Complaints filed with the courts for administrative and fiscal litigation suspend only the payment of the fine, not the obligation to apply corrective measures, so they will most likely be accompanied by requests for suspension of the corrective measures under the provisions of the Administrative Litigation Act.
In the absence of settled case law on the various types of violation of the legislation in question, and given that the previous legislation provided for significantly lower fine thresholds (about 10,000 euros), the courts will have to form their own view in deciding these cases.
Shortly after the first fine, ANSPDCP announced two more sanctions, of 15,000 and 3,000 euros respectively. It remains to be seen whether their amount and frequency will increase, given the appetite of injured persons to bring court actions directly (actions exempt from stamp duty); bringing such an action does not prevent the simultaneous notification of ANSPDCP and does not oblige ANSPDCP to suspend or rank complaints.