Fines against Raiffeisen Bank and Vreau Credit
Responsible body: Raiffeisen Bank S.A. and Vreau Credit S.R.L.
Type of data mishap: personal data were exchanged via WhatsApp
The data protection breach consisted in the fact that employees of Raiffeisen Bank S.A. received personal data from the company Vreau Credit S.R.L. The data transfer took place via the mobile application WhatsApp. The purpose of the data exchange was to determine the creditworthiness of the respective person through prescoring simulations.
According to the Romanian supervisory authority, 1177 people are affected, and more than 1194 of these simulations were carried out. In the case of another 124 persons, the database of the National Agency for Financial Administration (NAFA) was consulted.
The above-mentioned prescoring simulations were carried out using the computer application used by Raiffeisen Bank S.A. in granting loans. Subsequently, in violation of internal procedures, the employees of Raiffeisen Bank S.A. notified the employees of Vreau Credit S.R.L. of the negative credit decision.
The fine was imposed because the employees of Raiffeisen Bank S.A. granted unauthorised access to personal data processed in connection with the granting of loans and passed on this information without authorisation. Furthermore, no adequate technical and organizational measures were taken to ensure an adequate level of security and the risks associated with processing were not assessed.
Vreau Credit S.R.L. was prosecuted for the violation of data security, and also for failing to inform the supervisory authority immediately of the personal data breach: it had not done so by the end of the investigation, even though the security incident was already noted in December 2018.
Fines: EUR 150,000 for Raiffeisen Bank S.A. and EUR 20,000 for Vreau Credit S.R.L.