Unicredit Receives a €130k Fine in Romania For Failing to Safeguard User Data

On May 2018, the European Union (EU) member states started implementing the General Data Protection Regulation (GDPR) regulations. These regulations were meant to safeguard data from website and app users. Under these regulations, companies that fail to meet the various data protections safeguards will attract fines that are set by the local regulators.

This month, Unicredit Bank became the first major recipient of the fine, which was issued in Romania. This is after the bank breached the provisions of Article 25 (1) of the GDPR regulations. In the accompanying statement, the Romanian regulators said that the bank failed to implement the needed technical and organizational measures in the processing of the user data. This mistake led to the illegal disclosure of data related to the personal identity number and address of more than 300k clients. In response, the Romanian National Supervisory Authority imposed a fine of 613k lei, which is equivalent to about EUR 130k. While this amount is large, it is peanuts to Unicredit, which is valued at almost $15 billion.

In all parts of Europe, companies have started paying close attention to how they treat customer data. This is because they want to stay in line with the GDPR regulations, avoid the long litigation period, and also avoid the fines. With the new GDPR regulations, companies can be fined up to EUR 20 million for not following the law. Alternatively, the regulators can fine them 4% of their annual global turnover. This amount depends on the size of the company and the severity of the breach. Already, companies have already started receiving the fines. This year, British Airways (BA) received a GBP 183 million fine for a data bleach that exposed personal data of more than 500k customers. This amount totaled 1.5% of the company’s global turnover. Marriot, the hotel chain received a GBP 113 fine for exposing user data. Before the GDPR came into effect, Facebook was fined GBP 500k for leaking data of more than 87 million users. If the GDPR regulations were effective, the company would have paid more than GBP 1.26 billion.

Therefore, given the severity of these fines and the longevity of the litigation process, companies are investing a lot in technology and in compliance officers. At IFSA, we are experts in compliance and helping companies stay on the right side of the law. This is as Europe continues coming up with strict regulations such as the MIFID regulations.