ANSPDCP (Romania) - Vodafone România SA

From GDPRhub

Latest revision as of 18:47, 21 September 2022

ANSPDCP - Vodafone România SA
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 29 GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 19.09.2022
Fine: 2,000 EUR
Parties: Vodafone România SA
National Case Number/Name: Vodafone România SA
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Daniela Duta

A Romanian telecommunications operator suffered data breaches due to its inadequate security procedure for verifying callers' identities. Consequently, the Romanian DPA fined it €2,000 for violating Article 29 GDPR and Article 32 GDPR.

English Summary

Facts

The company Vodafone Romania SA, the data controller, notified the Romanian DPA of two personal data breaches. In its subsequent investigation, the DPA found that the data controller failed to comply with the applicable procedure to ensure that its processors adequately verify the identity of callers. Third parties were able to fraudulently purchase new phones on behalf of some of the data controller's customers and acquired access to their personal data, such as: name, surname, address, personal identification number, contact phone number, PUK code, contact number of the account holder, the SIM series of the original card, the amount of the last unpaid bill, and the data traffic.

The DPA found that the data controller did not adopt sufficient measures to ensure that any natural persons acting under its authority and who have access to the personal data of its customers only process the personal data at its request. The data controller lacked appropriate technical and organizational measures to ensure that its personal data processing had an appropriate level of confidentiality and security.

Holding

As a result of its investigation, the Romanian DPA found that the company Vodafone Romania SA, the data controller, violated Article 29 GDPR, Article 32(1)(b) GDPR, Article 32(2) GDPR, and Article 32(4) GDPR. The DPA fined the data controller €2,000.

Comment

This summary is based on a press release of the Romanian DPA.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

19.09.2022

A new penalty for breaching GDPR



The National Supervisory Authority completed an investigation at the Vodafone Romania SA operator and found a violation of the provisions of art. 29 and art. 32 para. (1) lit. b), paragraph (2) and para. (4) of the General Data Protection Regulation.

The Vodafone Romania SA operator was fined 9,890.8 lei (the equivalent of 2000 EURO).

The investigation was started as a result of the transmission by the operator of two notifications of a breach of the security of personal data under the General Data Protection Regulation.

During the investigation, it was found that the operator Vodafone Romania SA did not check compliance with the caller identification procedure by its representatives, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator's customers.

Also, this situation allowed third parties to access data from contracts concluded by customers with the operator and data from My Vodafone personal accounts, such as: name, first name, address, personal code, contact phone number, PUK code, the contact number of the account holder, the SIM series of the original card, the amount of the last unpaid bill and the data traffic.

At the same time, the National Supervisory Authority found that Vodafone Romania SA did not adopt sufficient measures to ensure that any natural person who acts under the authority of the operator and who has access to personal data only processes them at the request of the operator and did not implement appropriate technical and organizational measures to ensure a level of confidentiality and security corresponding to the risk of processing.

As such, the operator Vodafone Romania SA was fined for violating the provisions of art. 29 and art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.



Legal and Communication Department

A.N.S.P.D.C.P.