18.12.2024
Sanction for the breach of the GDPR
In November 2024, the National Supervisory Authority for Personal Data Processing completed an investigation at the controller Electrica Furnizare S.A. and found an infringement of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine of 14,929.20 (the equivalent of 3,000 euros).
The investigation was opened following complaints submitted by a natural person regarding a possible violation of the provisions of Regulation (EU) 2016/679.
She complained that she had received from Electrica Furnizare SA information that contained personal data of one of the company's subscribers and that this information was not intended for her.
During the investigation, the National Supervisory Authority found that the controller, as part of the activity carried out for the management of its customers’ vouchers, registered a customer's request for the refund of an amount. Attached to that request were documents of a contract holder containing personal data from the identity card, the bank account, the address of the data subject and civil status certificates of the contract holder.
The e-mail address was associated with that of a third party, so the information related to the personal data of a contract holder was transmitted to another customer.
This situation led to the unauthorised disclosure of personal data (surname, first name, address, telephone number, e-mail address, series and number of the identity card, personal identification number, marital status), as a result of the e-mail transmission by the controller to a third party of documents belonging to another customer.
As a result, the investigation found that the controller had not implemented adequate technical and organisational measures to ensure a level of security corresponding to the risk of the processing, including the ability to ensure the confidentiality and integrity of the processing systems and services, thus violating the provisions of Article 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.
At the same time, pursuant to Article 58 paragraph (2) letter d) of Regulation (EU) 2016/679, a corrective measure was imposed on the controller Electrica Furnizare SA: introducing a solution to monitor the application of the implemented working procedure, in the sense of verifying the identity of the data subject, in order to avoid similar security incidents.
Legal and Communication Department
A.N.S.P.D.C.P