08.05.2024
Sanctions for GDPR infringement
The National Supervisory Authority for Personal Data Processing closed two investigations on two data controllers and found an infringement on the provisions of Article 32(1)(b) and Article 32(2) and Article 32(4) of Regulation (EU) 2016/679.
The investigations were launched following notifications sent by controllers on personal data breach, according to Article 33 of Regulation (EU) 2016/679.
Thus:
1. The controller CENTRUL MEDICAL UNIREA SRL was sanctioned with a fine in the amount of 24,856 lei (the equivalent of 5,000 EUR).
The data breach was the result of unauthorised disclosure of personal data online.
During the investigation, it was found that personal data (such as: name, surname, work/personal phone number, work/personal email address, information related to mailing address, profession, position, timesheets, targets and bonuses) of a significant number of data subjects (patients, employees) were disclosed without authorisation.
As such, the investigation found that the controller had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of processing and that it had not put in place measures to ensure that any natural person under its authority who has access to personal data processes that personal data only at the request of the controller.
At the same time, in line with Article 58(2)(d) of the GDPR, the controller Centrul Medical Unirea SRL was also ordered, as a corrective measure, to review and update the technical and organisational measures implemented following the risk assessment on the rights and freedoms of individuals, including the implementation of a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
2. The controller Genpact România SRL was sanctioned with a fine in the amount of 14,913.6 lei (the equivalent of 5,000 EUR).
The data was breached after a file containing data on staff recruitment was sent to an unauthorised email address of an employee.
During the investigation, it was found that no measures were in place to ensure that any natural person under its authority who has access to personal data processes that personal data only at the request of the controller. At the same time, it was found that the controller had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Thus, this infringement led to the unauthorised access to and disclosure of personal data of data subjects (such as: name and surname, phone number, email address).
At the same time, according to Article 58(2)(d) of the GDPR, the controller Genpact România SRL was also ordered, as a corrective measure, to review and update the technical and organisational measures implemented, including the working procedures related to the protection of personal data, to draw up and communicate to the responsible persons instructions prohibiting the use of employees' personal equipment in activities not authorised by the company, and to take measures to train persons acting under its authority on their obligations under Regulation (EU) 2016/679, including on the risks and consequences of disclosure of personal data.
Legal and Communication Department
A.N.S.P.D.C.P.