ANSPDCP (Romania) - 02/07/2026
Content
The DPA fined a bank RON 26,172 (€5,000) for failing to implement appropriate technical and organisational measures after an employee unlawfully accessed a customer’s account data for personal purposes. English Summary. Facts. The Romanian DPA (ANSPDCP) launched an investigation into a bank, Banca Transilvania S.A. (the controller), following a data subject’s complaint. The data subject claimed that their personal data associated with their bank account had been processed without their consent. During the investigation the DPA found that an employee of the controller had accessed the data subject's bank account statements without authorisation and outside the scope of their official duties, at the request of a third party. The personal data included the data subject’s surname, first name, IBAN, account type, client code, transaction data and account balances. Holding. The DPA found that the controller had failed to implement appropriate technical and organisational measures to ens