ANSPDCP (Romania) - 26.09.2023
Revision as of 12:56, 16 October 2023
| ANSPDCP - 26.09.2023 | |
|---|---|
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 32(1)(b) GDPR; Article 32(1)(d) GDPR; Article 4(5) Law 506/2004 (implementing the ePrivacy Directive) |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 33,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 26.09.2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Romanian |
| Original Source: | Romanian DPA (in RO) |
| Initial Contributor: | maxinescu |
An energy company was fined €25,000 for failing to implement the appropriate technical and organisational measures, following a data breach affecting at least 750 data subjects, in violation of Articles 32(1)(b) and 32(1)(d) GDPR. In addition, the company was fined €8,000 for failing to comply with cookie requirements under Law 506/2004 (implementing the ePrivacy Directive).
English Summary
Facts
The DPA opened an investigation against an energy company (the controller) after receiving a complaint about a data breach on the company's website. A file on the controller's website was publicly accessible and contained the personal data of at least 750 data subjects, including name, surname, address, telephone number, e-mail address, contract number and the date on which the data subject had concluded their contract with the energy company. The file had been publicly accessible for two and a half years.
During its investigation, the DPA also established that, when users accessed the website, the controller set cookies that were not necessary for the operation of the website. The cookies were installed before the user was given the option to consent to or refuse them, and they were installed even when the user refused cookies, irrespective of the user's choice.
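The behaviour described above, cookies set before the banner is answered and set again after the user refuses, is exactly what a consent audit has to catch. The following Python is an added illustration, not code from the press release or from the GDPRhub summary: it parses `Set-Cookie` headers captured (for example by an intercepting proxy or a headless browser) at three points in a visit and flags every non-essential cookie installed before consent or despite refusal. The header lines, the domain `example-energy.ro` and the allowlist of "strictly necessary" cookie names are constructed assumptions for the example; in a real audit the allowlist is what the site operator has to justify.

```python
"""Audit observed Set-Cookie headers against the visitor's consent state.

Constructed example data: the headers below were not captured from any real
site, and the ESSENTIAL allowlist is an assumption, not a legal determination.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed reference time so Expires handling is deterministic (assumption).
NOW = datetime(2023, 9, 26, tzinfo=timezone.utc)

# Cookie names the operator claims are strictly necessary (assumed allowlist).
ESSENTIAL = {"PHPSESSID", "csrf_token", "cookie_consent"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str | None
    removed: bool  # True when the header deletes the cookie rather than installing it


def parse_set_cookie(header: str, now: datetime = NOW) -> Cookie:
    """Parse one Set-Cookie header value.

    A cookie with Max-Age <= 0, or (absent Max-Age) an Expires in the past, is a
    deletion and must not be counted as an installation. Per RFC 6265, Max-Age
    takes precedence over Expires when both are present.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain: str | None = None
    max_age: int | None = None
    expires: datetime | None = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain":
            domain = val.lstrip(".").lower() or None
        elif key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass  # browsers ignore a malformed Max-Age
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
                if expires.tzinfo is None:
                    expires = expires.replace(tzinfo=timezone.utc)
            except (TypeError, ValueError):
                pass  # browsers ignore an unparseable Expires
    if max_age is not None:
        removed = max_age <= 0
    elif expires is not None:
        removed = expires <= now
    else:
        removed = False  # session cookie: installed until the browser closes
    return Cookie(name.strip(), value, domain, removed)


def audit(observations: dict[str, list[str]], essential: set[str], now: datetime = NOW) -> list[str]:
    """Return one finding per non-essential cookie installed in a phase where none may be.

    observations maps a phase name to the Set-Cookie headers seen in that phase.
    'pre_consent' and 'refused' must contain no non-essential installations;
    whatever is set under 'accepted' is not checked here.
    """
    findings = []
    for phase in ("pre_consent", "refused"):
        for header in observations.get(phase, []):
            cookie = parse_set_cookie(header, now)
            if cookie.removed or cookie.name in essential:
                continue
            findings.append(f"{phase}: non-essential cookie '{cookie.name}' set for {cookie.domain or 'host'}")
    return findings


# Constructed observations modelling the behaviour in the decision: analytics and
# advertising cookies set on first load, and set again after the user clicks "refuse".
OBSERVED = {
    "pre_consent": [
        "PHPSESSID=9f3a2c; Path=/; HttpOnly; Secure; SameSite=Lax",
        "_ga=GA1.2.1234.5678; Domain=.example-energy.ro; Max-Age=63072000; Path=/",
        "_fbp=fb.1.1690000000.42; Domain=.example-energy.ro; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/",
    ],
    "refused": [
        "cookie_consent=refused; Path=/; Max-Age=31536000; SameSite=Lax",
        "_ga=GA1.2.1234.5678; Domain=.example-energy.ro; Max-Age=63072000; Path=/",
        "_gid=GA1.2.99; Domain=.example-energy.ro; Max-Age=0; Path=/",  # deletion, not a violation
    ],
    "accepted": [
        "_ga=GA1.2.1234.5678; Domain=.example-energy.ro; Max-Age=63072000; Path=/",
    ],
}


def run() -> list[str]:
    return audit(OBSERVED, ESSENTIAL)


if __name__ == "__main__":
    for line in run():
        print(line)
```

On the constructed input the audit reports three findings: `_ga` and `_fbp` before consent, and `_ga` again after refusal. The `_gid` header with `Max-Age=0` is a deletion and is correctly ignored, which matters because a consent manager that tears down cookies on refusal will emit exactly such headers.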
Holding
The DPA found violations of Articles 32(1)(b) and 32(1)(d) GDPR, as well as a breach of Article 4(5) of Law 506/2004.
With regard to Article 32 GDPR, the DPA found that the controller had failed to implement appropriate technical and organisational measures to safeguard data subjects' personal data, as the file had been publicly accessible for over two years, to the controller's knowledge.
In addition, the DPA found a violation of Article 4(5) of Law 506/2004 (implementing the ePrivacy Directive). This provision sets out the conditions under which an electronic communications network may be used to store information, or to gain access to information already stored, in the terminal equipment of a subscriber or user. One of these conditions is that users must be offered the possibility to refuse such storage or access. Since the controller's website installed cookies before users were given the option to consent, and continued to install them regardless of a user's refusal, the DPA found a violation of Article 4(5) of Law 506/2004.
For the GDPR violations the controller was fined €25,000, and for the ePrivacy violation (Article 4(5) of Law 506/2004) it was fined €8,000, for a total of €33,000.
Alongside the fines, the DPA imposed corrective measures. It ordered the controller to bring its processing operations into compliance by implementing appropriate security measures so that data subjects' information is no longer publicly accessible, and to bring its cookie system into compliance with Law 506/2004.
Comment
Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
https://www.dataprotection.ro/?page=Comunicat_Presa_26_09_2023&lang=ro