On December 30, last, the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), has issued a sanction in the amount of approximately EUR. 3.000, as it found that the bank continued to process the data of a subject (a former customer), well beyond the termination of the business relation with him and therefore after the data subject had cased to be a client of the bank, violating articles 5 and 6 GDPR. The closing of the account resulted did not produce the effect of terminating the processing, in so far, the systems of the bank maintained the (former) customer in an ´active´ status.
This is not the first fine issued by the Romanian Authority to ING. Last, in November 2019, the same Authority finalized an investigation leading to the application of a fine in the amount of EUR. 80.000, following the infringement of article 25 in conjunction to articles 5 and 32 (1) (c), GDPR, by determining that the bank had failed to ensure the compliance of the principles of privacy by design and privacy by default, as it did not implement adequate safeguards in the automated data processing system of card payments, affecting more than 200.000 customers, whose payments were doubled during a few days in the October of 2018.