
20.02.2025

Sanction for the breach of the GDPR


The National Supervisory Authority for Personal Data Processing completed, in January of the current year, an investigation at the controller Medstar S.R.L. and found breaches of Articles 32, 33 and 34 of Regulation (EU) 2016/679 (GDPR).

As such, the controller was sanctioned:

  • with a fine of 9,946.2 lei (the equivalent of 2,000 euros) for the infringement of Article 32 of Regulation (EU) 2016/679;
  • with reprimand for the infringement of Articles 33 and 34 of Regulation (EU) 2016/679.

The investigation was initiated following a complaint by a data subject, who reported that the controller at which he had undergone medical tests, the Medstar clinic, had disclosed his personal data and those of another data subject.

During the investigation, it was found that the controller had disclosed the petitioner’s health data to another person (a patient), and that another patient’s health data had been sent to the petitioner by e-mail, in error and without any security measures.

Thus, this situation led to the unauthorised disclosure of personal and sensitive data, which belonged to several data subjects, such as: name, surname, personal identification number, age, sex, locality, mobile phone number, e-mail addresses, medical data from the patient’s history, the type of tests performed, the name of the doctor who made the recommendation and his specialty, the name of the doctor who performed the tests and his specialty, test results, medical recommendation, the name of the payer, the prescribed treatment.

It was also found that the controller had not adopted sufficient technical and organisational security measures, as required by Article 32 of the GDPR, adapted to the nature of the personal data processed, which led to the unauthorised disclosure of the personal data of several data subjects.

As such, the controller Medstar S.R.L. was fined for violating the provisions of Article 32 of Regulation (EU) 2016/679.

At the same time, since the controller did not notify the data breach to the National Supervisory Authority for Personal Data Processing, nor did it inform the data subjects about the unauthorised disclosure of their personal data, two reprimands were issued for infringing the provisions of Article 33 and Article 34 of Regulation (EU) 2016/679.

In addition, the following corrective measures were ordered against the controller:

  • to ensure compliance of personal data processing operations with the GDPR, by implementing technical and organisational security measures appropriate to the specificity of the processing and the identified risks, throughout the data processing cycle, in particular by verifying the accuracy of the personal data processed, establishing appropriate rules for the management of files that may be transmitted by electronic means of communication (remotely), training the persons who process data under the authority of the controller, regularly verifying their compliance with the instructions given to them, and automating certain processes to reduce the risks of unlawful or unauthorised processing of personal data;
  • to ensure compliance of personal data processing operations with the GDPR, by adopting internal measures necessary for the rapid detection, management and reporting of personal data security breaches, regardless of whether or not they require the notification of the supervisory authority and/or the data subjects, as well as the appropriate and regular training of the persons who process data under the authority of the controller, in this context;
  • to inform the persons whose personal data were disclosed regarding the breach of data security, by bringing to their attention the information provided by Article 34 of the GDPR;
  • to ensure compliance of personal data processing operations with the GDPR, through the request addressed to the persons to whom the data were disclosed (data subjects), not to use and to delete the personal data of third parties that were disclosed to them in an unauthorised manner.


Legal and Communication Department

A.N.S.P.D.C.P