Fines against Raiffeisen Bank and Vreau Credit

Date: 01.10.2019

Responsible body: Raiffeisen Bank S.A. and Vreau Credit S.R.L.

Type of data mishap: personal data were exchanged via WhatsApp

The data protection breach consisted in the fact that employees of Raiffeisen Bank S.A. received personal data from the company Vreau Credit S.R.L. The data transfer took place via the mobile application WhatsApp. The purpose of the data exchange was to determine the creditworthiness of the respective person through prescoring simulations.

According to the Romanian supervisory authority, 1177 people are affected, and more than 1194 of these simulations were carried out. In the case of another 124 persons, the database of the National Agency for Financial Administration (NAFA) was consulted.

The above-mentioned prescoring simulations were carried out using the computer application used by Raiffeisen Bank S.A. in granting loans. Subsequently, the employees of Raiffeisen Bank S.A. notified the employees of Vreau Credit S.R.L. of the negative credit decision in violation of internal procedures.

The fine was imposed because the employees of Raiffeisen Bank S.A. granted unauthorised access to personal data processed in connection with the granting of loans and passed on this information without authorisation. Furthermore, no adequate technical and organizational measures were taken to ensure an adequate level of security and the risks associated with processing were not assessed.

Vreau Credit S.R.L. was prosecuted for the violation of data security, but also for failing to inform the supervisory authority immediately of the personal data breach until the end of the investigation, especially since the security incident had already been noted in December 2018.

Legal basis: Articles 32 and 33 GDPR

Fines: EUR 150,000 for Raiffeisen Bank S.A. and EUR 20,000 for Vreau Credit S.R.L.

Country: Romania


Nadine Porrmann