The National Data Protection Authority announced on Friday that it has fined OTP Bank following an investigation that revealed the bank had sent customer data to another person via email. In addition, the bank did not even report this security incident, for which it was fined €3,000.

GDPR fine for wrong email address. Photo: Fizkes / Dreamstime.com

The National Supervisory Authority for the Processing of Personal Data (ANSPDCP) reports that it completed an investigation at this bank in October and found a violation of the provisions of Art. 32 and Art. 33 of Regulation (EU) 2016/679.

  • “During the investigation conducted by the supervisory body, the investigation conducted on the basis of the complaint, it was established that the operator did not take sufficient security measures in accordance with Art. 32 of the Criminal Procedure Code, which led to a security incident, by sending the applicant’s personal data to another person by e-mail.
  • At the same time, it was established that OTP Bank România SA did not notify the National Authority for the Supervision of Personal Data Processing about a security incident that affected the applicant’s personal data, thereby violating Art. 33 of the Criminal Procedure Code,” the agency said in a statement.

The authority also notes that it has applied corrective measures to the bank, such as verifying the accuracy of the personal data being processed, establishing appropriate rules for the creation and management of files that can be transmitted by electronic means of communication (remotely), and training the people who process data or automating certain processes to reduce the risks of illegal or unauthorized processing of personal data.
