11.05.2023
New sanctions
In April 2023, the National Supervisory Authority finalised two investigations at controllers in the insurance field.
The investigations were started following data security breach notifications submitted by NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat SA and NN Asigurari de Viata S.A.
As a result, it was found that:
- The controller NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat SA breached the provisions of Article 32 paragraph (1) letters b) and d) and of Article 32 paragraph (2) of Regulation (EU) 2016/679 and was sanctioned with a fine of Lei 7,407 (the equivalent of EUR 1,500).
- The controller NN Asigurari de Viata SA breached the provisions of Article 32 paragraph (1) letters b) and d) and of Article 32 paragraph (2) of Regulation (EU) 2016/679 and was sanctioned with a fine of Lei 4,938 (the equivalent of EUR 1,000).
- Within the investigation performed at the controller NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat SA, it was found that the controller made some amendments to the configuration of the equipment that ensures the temporary storage of the web pages of the NN Direct application, which is made available to clients, activating the option to keep web pages in the equipment's memory. As a result, for a period of time some users of the controller's application were able to view personal data that did not pertain to them.
The verifications performed showed that this situation led to unauthorized access to, and loss of confidentiality of, personal data (first name, last name, personal identification code, address from the identity card, e-mail address and telephone number), with 2 data subjects being affected by the incident. They also showed that, prior to making the NN Direct application available to the public, the specific configuration amendments to the equipment that ensures the temporary storage of the web pages were not submitted to a testing process at the level of the controller.
The National Supervisory Authority found that the controller NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat SA did not implement adequate technical and organizational measures to ensure a level of security corresponding to the risk of the processing, including the capacity to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services, and a process for the testing, evaluation and regular assessment of the effectiveness of the technical and organizational measures that ensure the security of the processing.
At the same time, the controller was also ordered, as a corrective measure, to implement a testing procedure, run at regular intervals, through which tests are performed on the possible configurations of the applications that are active and available to the clients of NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat SA, and to document the results, applying remedial measures in order to avoid similar security incidents.
- Within the investigation performed at the controller NN Asigurari de Viata SA, it was found that the controller made a series of amendments to the configuration of the equipment that ensures the temporary storage of the web pages of the NN Direct application, which is made available to clients, activating the option to keep web pages in the equipment's memory. As a result, for a period of time some users of the controller's application were able to view personal data that did not pertain to them.
The verifications performed showed that this situation led to unauthorized access to, and loss of confidentiality of, personal data (first name, last name, personal identification code, address from the identity card, e-mail address and telephone number). They also showed that, prior to making the NN Direct application available to the public, its amendments were not submitted to a testing process by the controller.
The National Supervisory Authority found that the controller NN Asigurari de Viata SA did not implement adequate technical and organizational measures to ensure a level of security corresponding to the risk of the processing, including the capacity to ensure the confidentiality, integrity, availability and continuous resilience of the processing systems and services, and a process for the testing, evaluation and regular assessment of the effectiveness of the technical and organizational measures that ensure the security of the processing.
At the same time, the controller was also ordered, as a corrective measure, to implement a testing procedure, run at regular intervals, through which tests are performed on the possible configurations of the applications that are active and available to the clients of NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat SA, and to document the results, applying remedial measures in order to avoid similar security incidents.
Legal and Communication Department
A.N.S.P.D.C.P