ANSPDCP (Romania) - Fine against E Software Concept SRL

From GDPRhub
ANSPDCP - Fine against E Software Concept SRL
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 58(1)(a) GDPR
Article 58(1)(e) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 07.07.2022
Fine: 4000 EUR
Parties: E Software Concept SRL
National Case Number/Name: Fine against E Software Concept SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a controller approximately €4,000 for not implementing appropriate technical and organisational measures, and for not replying to the DPA's inquiries during its investigation.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller is E Software Concept SRL. The data subjects are its customers.

In May 2022, the Romanian DPA completed an investigation against the controller concerning a data breach.

The controller published several documents on their website, including client invoices and tracking numbers for the parcels sent to their clients. These documents disclosed the personal data of their clients, including names, surnames, delivery addresses, phone numbers, usernames, passwords and email addresses.

Holding[edit | edit source]

The DPA held that the controller failed to implement the appropriate technical and organizational measures to ensure a proper level of security and confidentiality for personal data, in breach of Article 32(1)(b) and Article 32(2) GDPR. The DPA further noted that the controller did not reply to the formal request for information submitted by the Authority.

The DPA fined the controller € 3,000 (RON 14,837.10) for not implementing appropriate technical and organizational measures.

The DPA also fined the controller €1,000 (RON 4,945.54) for not answering the Authority's request, in breach of GDPR Article 58(1)(a) and (e).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

07.07.2022

Fine for violation of RGPD



The National Supervisory Authority completed in May of this year an investigation at the operator E Software Concept SRL and found a violation of the provisions of art. 58 para. (1) lit. a) and e) and of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.

As such, the company E Software Concept SRL was sanctioned for minor offenses as follows:

fine in the amount of 4,945.54 lei, the equivalent of 1000 EURO, as the operator did not provide the information requested by the Supervisory Authority; fine in the amount of 14,837.10 lei, the equivalent of 3000 EURO, as the operator did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk.

During the investigation, it was found that, on the operator's website, at certain links, certain documents were publicly available (such as invoices issued by E SOFTWARE CONCEPT SRL to its customers, individuals and legal entities, and AWBs - transport documents that must accompany the sending of parcels, issued by courier service applicants) by which the following personal data were revealed: name, surname, sender and consignee address, telephone number, username and password, e-mail addresses . This situation has led to the loss of confidentiality of personal data of the operator's customers (individuals and legal entities).

Thus, the company E SOFTWARE CONCEPT SRL was sanctioned with a fine for violating the provisions of art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation, as it has not implemented adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing.

At the same time, the operator was fined for failing to comply with the request for information addressed by the National Supervisory Authority in the exercise of its powers.



Legal and Communication Department

A.N.S.P.D.C.P.