22.08.2024
Sanctions for the infringement of the GDPR
In 2024, the National Supervisory Authority for Personal Data Processing closed investigations into two data controllers.
The investigations were launched following personal data breach notifications, as provided for by Article 33 of Regulation (EU) 2016/679, which were submitted by Kruk România SRL and Kaufland România SCS.
As a result, it was found that:
1. The data controller Kruk România SRL breached the provisions of Article 32 (1)(b) in conjunction with Article 32 (2) of Regulation (EU) 2016/679 and was sanctioned with a fine in the amount of 14,922.3 RON (the equivalent of 3,000 EUR).
2. The data controller Kaufland România SCS breached the provisions of Article 32 (1)(b) and Article 32 (2) and (4) of Regulation (EU) 2016/679 and was sanctioned with 3 fines in the total amount of 34,839 RON (the equivalent of 7,000 EUR).
1. During the investigation, the National Supervisory Authority for Personal Data found that Kruk România SRL, acting as processor, had incorrectly transmitted a number of notices of assignment of debt to several addressees, as well as notifications concerning the possibility of entering into a payment undertaking with debtors, by carrying out improper manual processing operations on the database transmitted by a contractual partner under an assignment of debt contract.
This led to the unauthorised disclosure of and/or unauthorised access to the personal data (i.e. name, surname, address, date and number of the contract, the amount owed, the original creditor, the creditor and the claims administrator) contained in those documents.
The investigation found that the processor Kruk România SRL had not implemented the appropriate technical and organisational measures to ensure a level of security suitable to the risk of the processing, including the capacity to ensure the continuous confidentiality, integrity, availability and resilience of the processing systems and services.
At the same time, a corrective measure was also imposed on the controller, consisting of revising and updating the technical and organisational measures implemented as a result of the assessment of the risk to the rights and freedoms of individuals, including the working procedures relating to the protection of personal data, in order to ensure the protection of (manually) processed data against unauthorised processing, accidental loss, destruction or accidental damage. The measure also covers the training of persons acting under its authority on their obligations under Regulation (EU) 2016/679, including on the risks and consequences of unauthorised disclosure, unauthorised access or loss of personal data.
2. During the investigation at Kaufland România SCS, which followed several data breach notifications, breaches were found in the following situations:
A first situation was the recording by the controller's security guards, on their mobile phones, of images taken by the store's surveillance cameras of an incident on the premises. This led to the unauthorised access to and disclosure of these images by one of the data subjects, at their request.
During the investigation, it was found that the controller had not implemented the appropriate technical and organisational measures to ensure that any natural person working under the authority of the controller or of the processor who has access to personal data only processes these data at the request of the controller, with a view to ensuring a level of security appropriate to the processing risk arising in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed, thus breaching Article 32 (1)(b) and Article 32 (4) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine in the amount of 9,954 RON (the equivalent of 2,000 EUR).
A second situation refers to the photographing, with a mobile phone, of images from the controller's surveillance camera. A customer reported to the controller's security guard the theft of her phone from her handbag and requested the video footage of the incident. The security guard allowed the customer access to the surveillance room. She photographed the footage showing the alleged person (the data subject) and later posted the photos on her Facebook account. The situation led to the unauthorised access by a third party and the unauthorised disclosure of images of a customer in the online space. In particular, this could lead to physical, material or moral harm to the affected natural person, such as loss of control over their personal data or loss of confidentiality of personal data protected by professional secrecy, or other significant economic or social disadvantage to the natural person concerned.
During the investigation, it was found that the controller had taken measures to ensure that any natural person working under its authority and having access to personal data does not process them except at the request of the controller, but that it had not implemented the appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the capacity to ensure the confidentiality and integrity of the processing systems and services, thus breaching Article 32 (1)(b) and Article 32 (2) and (4) of Regulation (EU) 2016/679.
For this breach, the controller was sanctioned with a fine in the amount of 14,931 RON (the equivalent of 3,000 EUR).
The third situation is related to the loss of data confidentiality: a Kaufland employee involved in the recruitment process of a candidate (the data subject) mistakenly sent an e-mail to another person, the owner of an internet domain. This led to the unauthorised access to and unauthorised disclosure, to the owner of the internet domain, of personal data (i.e. name, surname, the location of the store where they applied for a job) belonging to a person who had applied for a job with the controller.
During the investigation, the National Supervisory Authority for Personal Data found that the controller had not implemented the appropriate technical and organisational measures to ensure that any natural person working under the authority of the controller or of the processor who has access to personal data only processes these data at the request of the controller, with a view to ensuring a level of security appropriate to the processing risk arising in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed, thus breaching Article 32 (1)(b) and Article 32 (2) and (4) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine in the amount of 9,954 RON (the equivalent of 2,000 EUR).
Pursuant to Article 58 (2)(d) of Regulation (EU) 2016/679, a corrective measure was also imposed on the controller, requiring it to designate person(s) at the level of the controller/processor to monitor the performance of the personal data processing activities of persons acting under the authority of the controller/processor, in accordance with the working procedures, in order to avoid similar security incidents.
We note that the controllers have paid the fines.
Legal and Communication Department
A.N.S.P.D.C.P.