ANSPDCP (Romania) - 07.12.2023: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=07.12.2023 |ECLI= |Original_Source_Name_1=Romanian DPA |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_07_12_2023&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan...")
 
No edit summary
Line 67: Line 67:
}}
}}


Hora Credit IFN SA, a non-financial institution, was sanctioned with fines of EUR 24,000 for a data breach consisting in sending documents containing personal data of another client of the controller to the wrongful recipient.
Hora Credit IFN SA, a non-financial institution, was fined €24,000 following a data breach. The DPA found a violation of [[Article 32 GDPR]], among others, since the institution sent documents containing the personal data of another client to the wrongful recipient.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The DPA initiated this investigation following the receiving of a complaint claiming that the controller sent by e-mail documents containing personal data of another person, also a client of the same controller.
The Romanian DPA initiated an investigation regarding the practices of the non-financial institution Hora Credit IFN SA (the controller).
Although the person receiving the e-mails notified the controller about the error occurred, Hora Credit IFN SA did not remedy the respective error and continued to send messages to the wrongful recipient, using the same e-mail address.
 
During the investigation, it was found that Hora Credit IFN SA failed to present evidence regarding the communication of the source of collection of personal data in its response to the petitioner’s right of access request, in accordance with Article 15 (1) GDPR and also failed to observe the timeframe provided under Article 12 (3) and (4) GDPR.
The investigation followed a complaint brought by a complainant, a client of the controller, claiming that the controller sent him by e-mail documents containing the personal data of another person, another client of the same controller.
Following the investigation, the DPA assessed that the controller did not adopt sufficient security measure in line with [[Article 32 GDPR|Article 32 GDPR]], so as to prevent unauthorized and accessible disclosure of the petitioner’s personal data to third parties. Furthermore, it was found that the controller did not notify the data breach to the DPA with the observance of Article 33 (1) GDPR, respectively within 72 hours of having became aware of it.
 
Although the person receiving the e-mails notified the controller about the error that occurred, the controller did not remedy the respective error and continued to send messages to the wrongful recipient using the same e-mail address.


=== Holding ===
=== Holding ===
The DPA assessed that the controller did not adopt sufficient security measure in line with [[Article 32 GDPR|Article 32 GDPR]], so as to prevent unauthorized and accessible disclosure of the petitioner’s personal data to third parties. Furthermore, it was found that the controller did not notify the data breach to the DPA with the observance of Article 33 (1) GDPR, respectively within 72 hours of having become aware of it.
During the investigation, the Romanian DPA found that the controller failed to present evidence regarding the communication of the source of collection of personal data in its response to the petitioner’s right of access request, in accordance with [[Article 15 GDPR|Article 15(1) GDPR]] and also failed to observe the timeframe to answer to the request, as provided under [[Article 12 GDPR|Article 12 (3) and (4) GDPR]].
The DPA found a violation of the provisions of Article 32, Article 33 (1), Article 15 (1) and Article 12 (3) and (4) of GDPR and sanctioned the controller with fines amounting to EUR 24,000.  
 
The DPA also imposed following corrective measures:
Following the investigation, the DPA assessed that the controller did not adopt sufficient security measures in line with [[Article 32 GDPR]] to prevent unauthorized and accessible disclosure of the petitioner’s personal data to third parties. Furthermore, it was found that the controller did not notify the data breach to the DPA with the observance of [[Article 33 GDPR#1|Article 33(1) GDPR]], respectively within 72 hours of having become aware of it.
- ensure compliance with GDPR of personal data processing operations pertaining to the purpose of concluding and execution of loan agreements, in order to respect professional secrecy and confidentiality of personal data of the controller’s clients, in particular, in case of transmission of documents and messages containing personal data at a distance, by implementing appropriate and effective security measures,  both from a technical point of view, including in terms of certain validation of collected e-mail addresses, password in case of documents transmitted, storage and monitoring of logs in its database, as well as from an organizational point of view, by training persons acting under the authority of the controller, in order to identify and immediately limit the risks that may affect the data subjects, and for the proper management of incoming requests and referrals;
 
- contact the petitioner and request to take measures to delete, destroy, as the case may be, the personal information to which he had access following the receipt of messages and notifications targeting the client of Hora Credit IFN SA;
Therefore, the DPA found the controller violated [[Article 32 GDPR]], [[Article 33 GDPR#1|Article 33(1) GDPR]], [[Article 15 GDPR#1|Article 15(1) GDPR]] and [[Article 12 GDPR|Article 12(3) and (4) GDPR]] and issued the controller a €24,000 fine.
- implement an adequate internal policy for identifying risks, analyzing them and notify the DPA in case of a data breach, in accordance with the provisions of Article 33 (1) GDPR, including in terms of appropriate training of persons processing data under the authority or on behalf of Hora Credit IFN SA (employees, collaborators, empowered persons, etc.);
 
- inform its client of the breach of security of his data by transmitting them to the petitioner erroneously.
The DPA also imposed the following corrective measures. Firstly, it requested the controller to ensure compliance with the GDPR and implement appropriate and effective security measures when dealing with data processing operations pertaining to the purpose of concluding and executing loan agreements, in order to respect professional secrecy and confidentiality of the personal data of the controller’s clients, as well as identify and limit the risks that may affect the data subjects. Secondly, the DPA asked the controller to contact the complainant and request the deletion of the personal information he received of the client. Additionally, it mandated the controller to implement an adequate internal policy for identifying risks, analyzing them and notifying the DPA in case of a data breach, in accordance with [[Article 33 GDPR#1|Article 33(1) GDPR]]. Lastly, the DPA requested the controller to inform its client of the breach of security of his data by transmitting them to the complainant erroneously.


== Comment ==
== Comment ==
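Review bot: The rewritten corrective-measures paragraph on the right-hand side ("The DPA also imposed the following corrective measures. Firstly, ...") drops the concrete security measures the earlier text listed under the first measure: validation of collected e-mail addresses, password protection for transmitted documents, storage and monitoring of logs in the controller's database, and training of persons acting under the controller's authority. Those details are the substance of the Article 32 GDPR remedy and should be kept, e.g. "... by implementing appropriate and effective security measures, both technical (validation of collected e-mail addresses, password-protecting transmitted documents, storing and monitoring logs) and organisational (training staff to identify and limit risks and to handle incoming requests)". The new text also switches from "petitioner" to "complainant" in the Facts and the fine paragraph but still says "petitioner" in the Article 15(1) and Article 32 paragraphs; use one term throughout.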

Revision as of 13:37, 12 January 2024

ANSPDCP - 07.12.2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 12(3) GDPR, Article 12(4) GDPR, Article 15(1) GDPR, Article 32 GDPR, Article 33(1) GDPR
Type: Complaint
Outcome: Other Outcome
Started:
Decided:
Published:
Fine: 24000 EUR
Parties: n/a
National Case Number/Name: 07.12.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

Hora Credit IFN SA, a non-financial institution, was fined €24,000 following a data breach. The DPA found a violation of Article 32 GDPR, among others, since the institution sent documents containing the personal data of another client to the wrongful recipient.

English Summary

Facts

The Romanian DPA initiated an investigation regarding the practices of the non-financial institution Hora Credit IFN SA (the controller).

The investigation followed a complaint brought by a client of the controller (the complainant), claiming that the controller had sent him, by e-mail, documents containing the personal data of another person, who was also a client of the same controller.

Although the complainant notified the controller of the error, the controller did not remedy it and continued to send messages to the wrong recipient using the same e-mail address.

Holding

During the investigation, the Romanian DPA found that the controller had failed to show that its response to the complainant's right of access request communicated the source from which the personal data had been collected, as required by Article 15(1) GDPR, and had also failed to observe the deadline for answering the request laid down in Article 12(3) and (4) GDPR.

Following the investigation, the DPA assessed that the controller had not adopted sufficient security measures in line with Article 32 GDPR to prevent unauthorized access to and disclosure of the complainant's personal data to third parties. Furthermore, it found that the controller had not notified the data breach to the DPA as required by Article 33(1) GDPR, i.e. within 72 hours of becoming aware of it.

The DPA therefore found that the controller had violated Article 32 GDPR, Article 33(1) GDPR, Article 15(1) GDPR and Article 12(3) and (4) GDPR, and fined the controller €24,000.

The DPA also imposed the following corrective measures. First, it ordered the controller to bring its processing operations relating to the conclusion and execution of loan agreements into compliance with the GDPR and to implement appropriate and effective security measures, so as to preserve professional secrecy and the confidentiality of its clients' personal data and to identify and limit the risks that may affect data subjects. Second, it ordered the controller to contact the complainant and ask him to delete the other client's personal information he had received. Third, it ordered the controller to implement an adequate internal policy for identifying and analyzing risks and for notifying the DPA of data breaches in accordance with Article 33(1) GDPR. Lastly, it ordered the controller to inform the affected client that his data had been breached by being sent to the complainant in error.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

https://www.dataprotection.ro/?page=Comunicat_Presa_07_12_2023&lang=ro