28.05.2024
A new sanction for GDPR infringement
In April 2024 the National Supervisory Authority for Personal Data Processing closed an investigation into the data controller S.C. Rompetrol Downstream S.R.L. and found an infringement of Article 29, Article 32 (1) (b) and Article 32 (2) and (4) of Regulation (EU) 2016/679 (GDPR).
As a result, the controller was sanctioned with a fine in the amount of Lei 9,935.60, the equivalent of EUR 2,000.
The investigation was launched following two notifications sent by the controller to the National Supervisory Authority for Personal Data Processing regarding personal data breaches: customer data (images of the data subjects, their license plate numbers and car brands) recorded by video surveillance systems at two S.C. Rompetrol Downstream S.R.L. fuel stations was processed via the WhatsApp messaging application and subsequently disclosed without authorisation on two social media networks.
During the investigation, it was found that the controller S.C. Rompetrol Downstream S.R.L. had not put in place adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, which resulted in the confidentiality of its customers’ personal data being compromised through unauthorised disclosure on social networks. The controller had an obligation to take measures to ensure that any natural person acting under its authority or that of its processor who has access to personal data processes them only at the controller’s request, so as to ensure that the data are continuously protected against unauthorised processing, given that S.C. Rompetrol Downstream S.R.L. has the responsibility to respect the integrity and confidentiality of the data, pursuant to Article (1) (2) of Regulation (EU) 2016/679.
At the same time, in line with Article 58 (2) (d) of Regulation (EU) 2016/679, the following corrective measure was ordered against Rompetrol Downstream S.R.L.:
To implement mechanisms/tools to verify/monitor the personal data protection instructions/working procedures/policies, during the course of the contractual relations with the processors, to ensure compliance with GDPR, in order to avoid similar incidents.
Legal and Communication Department
A.N.S.P.D.C.P.