20.01.2025
Sanction for GDPR violation
The National Supervisory Authority for Personal Data Processing finalised, in December 2024, several investigations at controller Vodafone Romania S.A. and found the breach of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) letter b) of Regulation (EU) 2016/679.
As such, the controller was sanctioned with a fine of 74,526 lei (the equivalent of 15,000 euros).
The investigations were opened as a result of several personal data breach notifications submitted by the controller pursuant to Article 33 of Regulation (EU) 2016/679, and also following the receipt of several complaints.
The investigations found that the controller Vodafone Romania S.A. repeatedly failed to ensure the confidentiality of data belonging to several data subjects, customers of the company (name, surname, e-mail addresses, personal identification number, customer code and customer address), as a result of non-compliance with the policies and working procedures on personal data processing by its employees or by its processors.
The breach of data security was determined by situations such as:
- the unauthorised transmission of a photo of a data subject’s invoice details to a third party;
- not hiding the e-mail addresses of the recipients and not selecting the “BCC” (blind carbon copy) option when informing some data subjects about the change of their account manager;
- the transmission, by the processor’s employee, of a photo containing a screenshot of data displayed in the interface of the controller’s application, via WhatsApp;
- the transmission, by mistake, of an invoice belonging to a data subject to a third party.
These incidents led to the disclosure of, and unauthorised access to, the personal data of several data subjects.
Thus, it was found that the controller did not take adequate technical and organisational measures to ensure that any natural person acting under its authority who has access to personal data does not process it except on its instructions, nor did it implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality and integrity of the data.
For these deeds, the controller was fined for infringing the provisions of Article 32 paragraph (4) in conjunction with Article 32 paragraph (1) letter b) of Regulation (EU) 2016/679.
The controller has paid the established fine.
Legal and Communication Department
A.N.S.P.D.C.P