The Romanian National Supervisory Authority (the Romanian equivalent of the UK’s ICO) has issued its first GDPR fine.
They have fined Unicredit Bank €130,000 for breaches of Article 25(1) for “failure to implement appropriate technical and organisational measures, both within the determination of the processing means and processing operations themselves, designed to effectively implement data protection principles, such as data minimisation, and to integrate the necessary safeguards in the processing, in order to meet the GDPR requirements and to protect the rights of the data subjects.”
Article 25 of the GDPR relates to the requirement to consider data protection by design and by default.
The fine comes after an investigation into issues at the bank which led to the unlawful disclosure of payers' personal data: a personal identification number and address details were available in documents related to payment transactions made to the bank's customers. It led to the disclosure of over 337k payers' details.
For more information, see the National Supervisory Authority’s news post.