„Effective training” – a new concept after the recent decision of the Cluj courts in the Banca Transilvania vs ANSPDCP case

Much has been said about the fine of €100,000 imposed almost two years ago by the National Supervisory Authority for Personal Data Processing (ANSPDCP) to sanction the disclosure, in public, of personal data belonging to a customer and to employees of Banca Transilvania. It is not our intention to go back over the history of those facts, nor to analyse them, as we do not have the concrete details of the case at our disposal.

What is relevant, however, is that in the meantime the case has run its full procedural course and that the sanction imposed by the ANSPDCP was upheld as fair by two courts (the Cluj Tribunal and the Cluj Court of Appeal). What we intend to do is to summarise the arguments on which the sanctioning authority, and then the courts, based their decisions, and to extract some ideas that matter for future approaches.

Following the appellate court’s reasoning, as published by the ANSPDCP in its Press Release of 14.04.2022 – Final judgment on the €100,000 fine (https://www.dataprotection.ro/?page=Comunicat_Presa_14_04_2022&lang=ro), we understand that the essential and decisive argument for maintaining the sanction, repeated in different forms in several paragraphs of the recitals, was that „the lack of effective training of staff led to their (our note – the employees’) inability to identify and qualify the data to which they have access as personal data”, which in turn made possible the uncontrolled dissemination of personal data in public.

From the summary quoted in the ANSPDCP press release, we understand that the outcome of this case would have been different if the operator (in this case the bank, as controller) had been able to prove that it had effectively trained its staff, in particular the staff involved in the incident. It is also the court that supplies the elements for a correct definition of the concept of „effective training” – we quote: „although the plaintiff has submitted copies of excerpts from various internal procedures, it has not proved, on the one hand, that it effectively trained the three employees who caused the security incident, and on the other hand, that it applied the control and evaluation mechanisms developed to ensure that its employees had mastered the said internal regulations (…) but it is important to emphasize that it has not been proved that the staff actually attended these courses, nor that it actually applied any means of verifying the mastery of this knowledge and information.”

It is also relevant that the penalty was individualised and, although significant, was set well below the maximum amount provided by law. In upholding the Authority’s decision, the court tells us that, although the infringement is qualified as „serious”, the small amount of the fine compared to the legal maximum is in turn qualified as fair, because the operator met the conditions for applying the criteria for the individualisation of the penalty in Art. 83(2)(c) to (k) of Regulation (EU) 2016/679 (GDPR). We reproduce below those that we consider relevant to our conclusions:

  • (c) any action taken by the controller (the bank) to mitigate the damage suffered by the data subjects;
  • (d) the degree of responsibility of the controller, taking into account the technical and organisational measures implemented by it pursuant to Articles 25 and 32;
  • (e) any relevant previous infringements by the controller or processor;
  • (f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
  • (g) the categories of personal data affected by the infringement;
  • (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
  • (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

Based on the above, we conclude that:

  1. It is good to have internal procedures in place, but it is not enough – compiling a „GDPR dossier” of procedures, policies and forms is not enough, even if their content is impeccable;
  2. It is good that internal procedures and GDPR policies are made known to employees, but it is not enough – sending them by e-mail, posting them in a shared place, or even having employees acknowledge them by signing a collective or individual minute, is not an effective organisational measure, because it gives no guarantee that those employees have actually read, let alone understood, what they received. Let us not forget that the purpose of the procedures communicated to employees is to raise GDPR awareness;
  3. It is good to organise courses for employees, but it is not enough – attending courses without a mechanism that actually checks the participants’ understanding and ownership of the content taught has already been qualified by the court as not being an effective measure;
  4. All employees who have access to and use personal data in their work should be trained on recruitment and then periodically, on the personal data protection issues specific to their post;
  5. There should be a mandatory test with a minimum pass mark after each training session, and the results should be recorded so that they can be produced as evidence. If we reread the arguments of the Cluj courts in the case we started from, we believe that a system of periodic verification of knowledge of personal data protection is the element that could make the difference between training and effective training, between a sanctioning decision and no decision at all.

In conclusion: there is no healthier remedy than prevention. In light of the above, we believe that effective employee training is, of all the organisational measures a good-faith operator could take, the one measure that can make the difference between having a breach and not having one, and between receiving a fine and receiving corrective measures with no financial impact.

Do you want to ensure that the staff in your company are not only trained, but also understand, adopt and apply what they have been taught? Contact us now.