UniCredit Bank Hit with US$146,000 GDPR Breach Fine in Romania

In Romania, following the conclusions of the National Supervisory Authority, UniCredit Bank has been sanctioned with a US$146,000 (EUR€135,000) General Data Protection Regulation (GDPR) fine in relation to how it uses personal data.

This is the second largest GDPR fine ever applied in Central and Eastern Europe (CEE) since GDPR became enforceable on May 25 2018, just over one year ago. It shows that the recent trend of sanctioning companies and groups with large GDPR fines is not confined to Western Europe. All countries in the European Union (E.U.) are taking GDPR very seriously if they discover that any group is not adhering to the data privacy legislation.

ANSPDCP, Romania’s personal data protection watchdog, sanctioned lender UniCredit with the fine on June 27 2019 in relation to its failure to apply proper technical and organizational security measures. This equates to a serious breach of the requirements under GDPR legislation.

The press release issued by ANSPDCP said: “The sanction was applied to UNICREDIT BANK SA as a result of the failure to apply appropriate technical and organizational measures, both in the determination of the processing and processing methods, to effectively implement the data protection principles such as the reduction to the minimum of data, and to integrate the necessary safeguards in the processing, to meet the requirements of the RGPD and to protect the rights of the data subjects.”

As a result of this failure, the personal details of customers were made publicly accessible. These details included the personal identification number and address of payers (for situations where the payer completes the transaction from an account opened with another credit institution – external transactions and cash deposits) and the payer’s address for situations where the payer completed the transaction from an account opened with UniCredit Bank – internal transactions. The number of individuals impacted by the breach is thought to be 337,042 targeted persons, during the period May 25, 2018 – December 10, 2018.

UniCredit is an Italian banking and financial services company that operates in 17 countries, with more than 8,500 branches and over 147,000 employees.

E.U. Member States applying fines such as this – and other recent fines including EUR€220,000 in Poland, EUR€27,000 in Bulgaria, EUR€40,000 in Hungary and EUR€61,500 in Lithuania – should serve as a timely reminder for U.S. companies doing business in the E.U. or with E.U. citizens to ensure that they are 100% in adherence with all GDPR requirements. If they are not, they may be subject to a GDPR fine, which can be as high as 4% of annual global revenue of the previous year or €20m.