ANSPDCP (Romania) - 26.09.2023

From GDPRhub
Latest revision as of 14:07, 18 October 2023

ANSPDCP - 26.09.2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 4(5) of Law 506/2004 (implementing the ePrivacy Directive)
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 33000 EUR
Parties: n/a
National Case Number/Name: 26.09.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

An energy company, Restart Energy One S.A., failed to implement appropriate technical and organisational measures, leading to a data breach affecting at least 750 data subjects, in violation of Articles 32(1)(b) and 32(1)(d) GDPR. The Romanian DPA fined the controller €25,000 as a result. In addition, the company was fined €8,000 for failing to comply with the cookie requirements of Law 506/2004 (implementing the ePrivacy Directive).

English Summary

Facts

The DPA opened an investigation against an energy company, Restart Energy One S.A. (the controller), after receiving a complaint regarding a data breach on the company's website. A file on the controller's website was publicly accessible and contained the personal data of at least 750 data subjects, including name, surname, address, telephone numbers, e-mail address, contract number and the date on which each data subject concluded their contract with the energy company. The file remained publicly accessible for two and a half years.

During its investigation, the DPA also found that when users accessed the website, the controller set cookies that were not necessary for the operation of the website. The cookies were installed before the user was given the option to consent to or refuse them. Even where the user refused cookies, they were nonetheless installed on the user's device, irrespective of the user's choice.

Article 4(5) of Law 506/2004, implementing Article 5(3) of the ePrivacy Directive, sets out the conditions under which an electronic communications network may be used to store information, or to gain access to information already stored, in a user's terminal equipment. One of these conditions is that users must be offered the possibility to refuse such storage or access.

Holding

The DPA found violations of Articles 32(1)(b) and 32(1)(d) GDPR, as well as a breach of Article 4(5) of Law 506/2004.

With regard to Article 32 GDPR, the DPA found that the controller had failed to implement the appropriate technical and organisational measures to safeguard data subjects' personal data, as the file had been publicly accessible for over two years, to the controller's knowledge.

In addition, the DPA found a violation of Article 4(5) of Law 506/2004 (implementing the ePrivacy Directive), as the controller's website installed cookies regardless of a user's refusal and before users were given the option to consent.

For the GDPR violations, the controller was fined €25,000, and for the ePrivacy violations (Article 4(5) of Law 506/2004), the controller was fined €8,000. In total, the fines amounted to €33,000.

In addition to the above-mentioned fines, the DPA also imposed corrective measures. In particular, it ordered the controller to bring its processing operations into compliance by implementing the appropriate security standards to ensure that data subjects' information is no longer publicly accessible. It also ordered the controller to bring its cookie system into compliance with Law 506/2004.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

https://www.dataprotection.ro/?page=Comunicat_Presa_26_09_2023&lang=ro