
09.05.2024

Sanctions for GDPR infringement


The National Supervisory Authority for Personal Data Processing closed two investigations on two data controllers and found an infringement on the provisions of Article 32(1)(b), Article 32(2) and Article 32(4) of Regulation (EU) 2016/679.

1. The controller MEDICOVER SRL was sanctioned with a fine in the amount of 4,970.30 lei (the equivalent of 1,000 EUR).

The investigation was launched following a personal data breach notification sent by the controller.

The personal data breach was the result of the unauthorised disclosure of personal data: a medical consultation report was handed to a different patient.

During the investigation, it was found that the controller had not put in place measures to ensure that any natural person acting under its authority who has access to personal data processes those data only on the instructions of the controller, and that it had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality and integrity of the processing systems and services.

As such, this situation led to a loss of confidentiality of the personal data processed, through the unauthorised disclosure of, and access to, a patient's personal data (such as: name, surname, date of birth, age, reason for visit, personal pathological history, diagnosis, conclusions and recommendations, prescribed medication, hospitalisation, referrals for analysis/consultation) by giving that patient's consultation report to another patient.

2. The controller IRIDEX GROUP SALUBRIZARE SRL was sanctioned with a fine in the amount of 9,951.80 lei (the equivalent of 2,000 EUR).

The investigation was launched following a complaint submitted by a natural person.

The data breach was the result of sending a collective electronic message to all clients' email addresses, with those addresses visible to all recipients.

During the investigation, it was found that the controller had not taken measures to ensure that any natural person acting under its authority who has access to personal data processes those data only on the instructions of the controller, and that it had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the ongoing confidentiality, integrity, availability and resistance of processing systems and services.


Legal and Communication Department

A.N.S.P.D.C.P.