Sanction for the infringement of GDPR
On the 6th of July 2020, the National Supervisory Authority finalised an investigation at the controller SC CNTAR TAROM SA, as a result of the transmission by the controller of a notification regarding the breach of personal data, and found that it infringed the provisions of Article 32 paragraph (4), Article 32 paragraph (1) letter b) and paragraph (2) of the General Data Protection Regulation, which led to the application of a fine in the amount of 24,182.50 lei, the equivalent of 5,000 euros.
The breach of data security consisted in the fact that the controller did not implement adequate technical and organisational measures in order to ensure that any natural person acting under the authority of the controller and who has access to personal data only processes them at the request of the controller, which led to the loss of confidentiality of personal data through the unauthorised access to data belonging to a number of five (5) TAROM passengers, as well as to the unauthorised disclosure of their data.
Also, a corrective measure was applied to the controller to review and update the technical and organisational measures implemented as a result of the risk assessment on the rights and freedoms of individuals, including working procedures on personal data protection, as well as the implementation of measures on the regular training of persons acting under its authority (the employees).
Legal and Communication Department
A.N.S.P.D.C.P.