Finnish Data Protection Authority imposes administrative fine of €950 000 on Sambla Group for failure to comply with data security measures
The National Center for Personal Data Protection (NCPDP), for information and enforcement purposes, gives notice of the administrative fine of €950 000 imposed by the Finnish Data Protection Authority (SA) on Sambla Group for violation of Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default) and Article 32 (Security of processing) of the GDPR.
The Finnish SA launched an investigation based on a complaint filed by a customer. A technical investigation revealed serious data security issues in the controller's loan comparison services. When the seriousness of the data security problems became apparent in the spring of 2024, the company was ordered to immediately cease processing personal data relating to loan applicants in its e-services.
Sambla Group's loan comparison services did not impose adequate restrictions to prevent third parties from accessing loan application data, in violation of Art. 32, Art. 25 and Art. 5(1)(f) of the GDPR. Because of inadequate data security measures, the content of customers' loan applications was accessible to third parties through personal customer URLs: the URL alone served as the key to the application, so anyone who obtained it and had sufficient technical knowledge to exploit the vulnerability had direct access to the data. The technical investigation also found that the URLs had been targeted with phishing and that personal data had been disclosed to third parties as a result. The information available through the links included at least the loan applicant's contact details, as well as information on their income, housing costs, marital status and any children.
In this context, the Finnish SA imposed an administrative fine of €950 000 on the controller and ordered it to notify its customers of the incident. The controller has announced that it has stopped using the vulnerable URLs and has improved the data security measures of its services.
The NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.