23/03/2021
Sanction for the infringement of GDPR
In February, the National Supervisory Authority completed an investigation of Medicover S.R.L. and found that it had infringed Article 32 paragraph (1) letter b) and paragraphs (2) and (4) of the General Data Protection Regulation.
The controller Medicover S.R.L. was therefore fined Lei 9,749.6 (the equivalent of EUR 2,000).
The investigation was opened after the controller submitted a series of personal data breach notifications reporting unauthorised disclosure of, and unauthorised access to, personal data such as first name and last name, personal identification number, ID series and number, ID address, correspondence address, contact phone number and e-mail address, as well as name and health data. This data had been sent, by e-mail or by post, to natural persons other than the intended recipients.
Following the investigation, the supervisory authority found that the controller had not implemented appropriate technical and organisational measures to ensure that every natural person acting under its authority with access to personal data processes that data only on the controller's instructions. This failure resulted in personal data being disclosed to, and accessed by, natural persons other than the intended recipients, at their e-mail or postal address.
The following corrective measures were also imposed on the controller:
- to review and update the technical and organisational measures implemented following its assessment of the risk to the rights and freedoms of data subjects, including its working procedures for personal data, and to implement measures for the periodic training of the persons acting under its authority on the obligations incumbent on it under the GDPR, including the risks that its personal data processing involves given the specifics of its activity, its working procedure for the protection of personal data, and the training of its own staff;
- to identify and implement measures ensuring that the personal data it processes are accurate and kept up to date, having regard to the purposes for which they are processed, and that inaccurate data are erased or rectified without delay (for example, a mechanism to verify and validate the e-mail address at the time of data collection).
Legal and Communication Department
ANSPDCP