When use of chat apps and social media platforms backfire on companies and data subjects' rights


On 17 December 2020, the Romanian Data Protection Authority (ANSPDCP) has published on its website a new administrative sanction in amount of EUR 100,000 against Banca Transilvania, a Romanian bank, grounded on the failure of the controller to observe the principle of integrity and confidentiality of personal data and to implement adequate technical and organizational measures in order to secure the processed data.

In terms of underlying facts: a declaration issuing from a client of the bank whereby the respective client was explaining how he intends to use the amount to be withdrawn, as well as the correspondence between the bank's employees related to this declaration, were processed via WhatsApp and published on Facebook (and on another website).

This led to the unauthorized disclosure and access to personal data, such as: name and surname, e-mail addresses, behavioral data, personal preferences, financial transaction value, job title and place of work, as well as telephone number of 4 data subjects (one client and 3 employees).

ANSPDCP has emphasized that the unauthorized disclosure of personal data produced in the public space demonstrates the inefficiency of the internal training regarding protection of personal data at the level of the controller. Moreover, the supervisory authority seems to have considered in determining the value of the sanction the moral and social damage caused to the bank's client by the unauthorized disclosure.

This relatively high value fine follows the precedent set by the sanction imposed against Raiffeisen Bank, which is still the biggest fine imposed by the Romanian Data Protection Authority so far.

Specifically, last year, ANSPDCP sanctioned Raiffeisen Bank by imposing a fine in amount of EUR 150,000 for its failure to implement appropriate organizational and technical measures to ensure that all individuals acting under its authority and who have access to personal data will processes such data only in line with the requests and instructions of the controller.

In this case, personal data related to 1177 individuals, such as credit scoring information, was exchanged via WhatsApp platform between Raiffeisen Bank's employees and employees of another financial institution.

Social media platforms and apps have gained increased popularity and individuals rather often forget to apply a borderline between their personal life and habits and their professional ones. Moreover, for some companies these apps become the tool of choice for corporate communication. While encryption mechanisms and advanced features may make social media platforms and apps easy and secure to use within companies or among companies, in most of the cases this is not applicable.

Therefore, the danger of confidential data and personal data leakage via apps and social media is constantly increasing, especially in the new home office environment. Needless to say that, apartfrom regulatory sanctions such as the one that generated this article, the highest exposure comes from the potential reputational and business loss.

While technical measures may be extremely costly or even impossible to implement (e.g. disabling the use of smartphones or cameras during work in order to prevent screen capture), training and testing intended to raise awareness among employees should be on the priority list of most companies.


Article provided by: Adelina Iftime-Blagean and Nina Lazar (Wolf Theiss, Romania)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.