Romania’s National Supervisory Authority for Personal Data Processing (ANSPDCP) has fined Raiffeisen Bank and local online credit platform Vreau Credit with a total amount of EUR 170,000, out of which EUR 150,000 to be paid by Raiffeisen, for a broad range of data confidentiality breaches.
More exactly, Raiffeisen Bank Romania carried scoring assessments based on personal data of people who registered on the Vreau Credit platform, supplied through WhatsApp by the platform’s employees, and then returned the outcome to Vreau Credit using the same communication means.
Personal data of some 1,100 individuals were thus circulated between the two commercial entities.
Raiffeisen Bank carried investigations in the Credit Bureau database (to search for payment incidents of the subjects) and in the tax collection agency database, where a larger amount of information pertaining the subjects can be found.
Furthermore, Raiffeisen employees breached the bank’s regulations when disclosing the negative scoring outcome to Vreau Credit.
The platform was fined for disclosing personal data to Raiffeisen without the clients’ consent, Raiffeisen was fined for running scoring assessments based on personal data and disclosing the results without the consent of subjects and both were found responsible for having used unprotected communication means.