The National Supervisory Authority for Personal Data Processing completed an investigation at the controller United Business Solutions SRL and found the breach of Article 32 paragraph (1) letters b) and d), paragraph (2) and paragraph (4) of Regulation (EU) 2016/679.

As such, the controller was sanctioned with a fine in the amount of 9,954 lei, the equivalent of 2,000 euros.

The investigation was initiated following a complaint from an individual, who claimed that the controller United Business Solutions S.R.L., following the provision of accommodation services, sent a fiscal document containing his personal data to a third party without his consent.

During the investigation, it was found that the controller communicated the personal data of the petitioner to a third party by e-mail.

It was also found that the controller did not implement sufficient technical and organizational measures to ensure the confidentiality of the personal data of its client, as a beneficiary of accommodation services, which led to the disclosure to a third party of his personal data, namely: name, surname, series and number of the identity card, information related to the petitioner’s accommodation.

At the same time, the investigation found that the controller did not take measures to ensure that any natural person acting under its authority and having access to personal data only processes them at the request of the controller.

At the same time, pursuant to the provisions of Article 58 paragraph (2) letter b) of Regulation (EU) 2016/679, the corrective measure consisting of developing/revising internal procedures and periodically training all persons who process data under its authority (employees or collaborators), so as to avoid the illegal or unauthorized disclosure of data of data subjects, customers, to third parties was ordered against the controller.

Legal and Communication Department

A.N.S.P.D.C.P