Statistics - 1 year of GDPR
Given that a year has passed since the provisions of Regulation (EU) 2016/679 became applicable, we emphasize that during this time the National Supervisory Authority gave priority to guiding controllers in order to ensure adequate compliance with the new data protection rules.
In this respect, we present the following statistics on the Authority’s activity from the 25th of May 2018 up to the 24th of May 2019:
- 9439 data protection officers were registered;
- 398 notifications of personal data breaches were registered;
- 5260 complaints and intimations were received;
- 485 ex officio investigations were carried out;
- 496 investigations following the complaints of data subjects were performed.
Following the investigations carried out, 57 corrective measures were ordered and 23 warnings were issued.
The corrective measures aimed in particular at:
- observing the right to information of the data subjects and achieving;
- providing complete and legally valid replies without undue delay to the data subjects’ requests for exercising the right of access;
- observing the data processing principles, in particular the ones referring to the legality, transparency and proportionality;
- implementing adequate technical and organizational measures in order to ensure the security and confidentiality of the data, as well as the observance of these measures;
- erasing the personal data after the expiry of the retention period established in relation to the purpose for which they were collected;
- training of the persons working under the authority of the controller (the controller’s employees);
- transmitting commercial messages through electronic means of communication only with the prior express consent of the user.
The complaints and intimations received referred, in particular, to:
- the non-observance of the legal conditions concerning the exercise of the rights of data subjects (e.g.: right to information, right of access, right to object, right to be forgotten);
- the receiving of unsolicited commercial messages;
- the disclosure of personal data on the Internet;
- the infringement of the personal data processing principles in connection with the data processing in the banking sector;
- the legality conditions relating to the installation of video surveillance systems;
- the infringement of the confidentiality and security rules for the processing of personal data.
The most frequent data security breaches referred to:
- the unauthorised access to personal data processed by the controller;
- the erroneous transmission of invoices to the controller’s customers;
- the disclosure of personal data / patients’ data;
- the loss of postal items.
Thus, after a year of application of the new data protection rules, the number of complaints and intimations increased significantly (3734 complaints and intimations were received in 2017), indicating that, with the application of Regulation (EU) 2016/679, the individuals’ awareness in respect of their rights also increased.
Also, following the notifications of the personal data breaches received, it was shown that the controllers were concerned with implementing the obligations under Regulation (EU) 2016/679 and taking appropriate action in case of incidents.
At the same time, we recommend that individuals exercise the rights provided by Regulation (EU) 2016/679 in relation to controllers, namely:
- right of access;
- right to rectification;
- right to erasure - “right to be forgotten”;
- right to restriction of processing;
- right to data portability;
- right to object;
- right not to be subject to a decision based solely on automated processing.
Where data subjects are not satisfied with the way their request was handled, or have not received an answer from the controller, they may lodge a complaint with the National Supervisory Authority by filling in the electronic complaints form available on the website of the authority: https://www.dataprotection.ro/index.jsp?page=Plangeri_RGPD.
Legal and Communication Department
ANSPDCP