Home » Comunicat_Presa_20_02_2025
 Română | English | Francais

sigla_anspdcp_2.png

The new Regulation 2016/679 applicable from 25th of May 2018

 

Complaints

GDPR Complaints

 

Procedure for complaints

Information on the payment of fine by legal entities

Controllers

Data Protection Officer Form

 

GDPR Breach Notification

 

Law nr. 506/2004 Breach Notification

 

GDPR Sanctions

Schengen

 

Schengen

Visa Information System

 

 

 

Visa Information System

News

Useful Information

 

F.A.Q.

Guidelines Q&A Regulation (EU) 2016/679

Indicative guidelines GDPR

Guidelines on the application of Law no. 363/2018

Useful Links

 

TFTP - Terrorist Finance Tracking Program

 

 

 

Procedure

Forms

Contact

Contact us

Data Protection

Information on the processing of personal data carried out by ANSPDCP

 

Cookies policy

20.02.2025

Sanction for the breach of the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in January current year, an investigation at the controller Medstar S.R.L. and found the breach of Articles 32, 33 and 34 of Regulation (EU) 2016/679 (GDPR).

As such, the controller was sanctioned:

  • with fine of 9,946.2 lei (the equivalent of 2,000 euros) for the infringement of Article 32 of Regulation (EU) 2016/679;
  • with reprimand for the infringement of Articles 33 and 34 of Regulation (EU) 2016/679.

The investigation was initiated following a complaint by a data subject, who complained that the controller where he performed his medical tests, the Medstar clinic, disclosed his personal data and that of another data subject.

During the investigation, it was found that the controller disclosed the petitioner’s health data to another person (patient), and another patient’s health data were transmitted to the petitioner erroneously and unsecured by e-mail.

Thus, this situation led to the unauthorised disclosure of personal and sensitive data, which belonged to several data subjects, such as: name, surname, personal identification number, age, sex, locality, mobile phone number, e-mail addresses, medical data from the patient’s history, the type of tests performed, the name of the doctor who made the recommendation and his specialty, the name of the doctor who performed the tests and his specialty, test results, medical recommendation, the name of the payer, the prescribed treatment.

It was also found that the controller did not adopt sufficient technical and organisational security measures according to Article 32 of the GDPR, adapted to the nature of the personal data that were processed, which led to the unauthorised disclosure of the personal data of some data subjects.

As such, the controller Medstar S.R.L. was fined for violating the provisions of Article 32 of Regulation (EU) 2016/679.

At the same time, since the controller did not notify the data breach to the National Supervisory Authority for Personal Data Processing, nor did it inform the data subjects about the unauthorised disclosure of their personal data, two reprimands were issued for infringing the provisions of Article 33 and Article 34 of Regulation (EU) 2016/679.

At the same time, the following corrective measures were ordered against the controller:

  • to ensure compliance of personal data processing operations with the GDPR, by implementing technical and organisational security measures appropriate to the specificity of the processing and the identified risks, throughout the data processing cycle, especially in terms of verifying the accuracy of personal data processed, establishing appropriate rules related to the management of files that can be transmitted using electronic means of communication (remote), training people who process data under the authority of the controller, regular verification of compliance with the instructions sent to them, of the automation of certain processes to reduce the risks of illegal or unauthorised processing of personal data;
  • to ensure compliance of personal data processing operations with the GDPR, by adopting internal measures necessary for the rapid detection, management and reporting of personal data security breaches, regardless of whether or not they require the notification of the supervisory authority and/or the data subjects, as well as the appropriate and regular training of the persons who process data under the authority of the controller, in this context;
  • to inform the persons whose personal data were disclosed regarding the breach of data security, by bringing to their attention the information provided by Article 34 of the GDPR;
  • to ensure compliance of personal data processing operations with the GDPR, through the request addressed to the persons to whom the data were disclosed (data subjects), not to use and to delete the personal data of third parties that were disclosed to them in an unauthorised manner.

 

Legal and Communication Department

A.N.S.P.D.C.P