ANSPDCP (Romania) - 06.03.2023

From GDPRhub
Revision as of 09:53, 14 March 2023

ANSPDCP - 06.03.2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32 GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 06.03.2023
Fine: 3,000 EUR
Parties: Finopro IFN
Integral Collection
National Case Number/Name: 06.03.2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: ls

The Romanian DPA imposed fines of €2,250 and €3,000 on two companies that suffered ransomware attacks resulting in data breaches, because they had not ensured a sufficient level of security.

English Summary

Facts

Two companies, Finopro IFN and Integral Collection, were victims of ransomware attacks. As a result, data they held (from ID cards, phone numbers, account statements...) was accessed without authorization and its security was compromised.

The companies notified the DPA of the breaches, and the DPA then opened two investigations.

Holding

The DPA found that both companies had violated Article 32(1)(b) and (c) and Article 32(2) GDPR because they had not implemented adequate technical and organizational measures to ensure a sufficient level of security.

In accordance with Article 83 GDPR, the DPA therefore imposed a fine of 11,023.42 lei (approximately €2,250) on Finopro IFN and 14,697.90 lei (approximately €3,000) on Integral Collection.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

06.03.2023

Sanctions for GDPR violations

In February of the current year, the National Supervisory Authority completed two investigations at the operators Finopro IFN SA and Integral Collection SRL and found a violation of the provisions of art. 32 para. (1) lit. b) and c) and para. (2) of the General Data Protection Regulation (GDPR).

As such, the operators were sanctioned as follows:

Finopro IFN SA with a fine of 11,023.42 lei, the equivalent of 2,250 EURO; Integral Collection SRL with a fine of 14,697.90 lei, the equivalent of 3,000 EURO.

The investigations were started after the operators submitted notifications of personal data security breaches under the GDPR.

During the investigations carried out, it was found that the breach of data processing security occurred as a result of ransomware attacks, a situation that significantly led to unauthorized access and the loss of the integrity and availability of personal data (such as identification data, data from identity cards, addresses, telephone numbers, account statements).

As such, taking into account the measures announced by these operators to remedy the situation, and in relation to the criteria for individualizing the sanctions provided for in art. 83 of the GDPR, the penalty was applied for violating the provisions of art. 32 para. (1) lit. b) and c) and para. (2) of the GDPR, as they had not implemented adequate technical and organizational measures to ensure a level of security appropriate to the processing risk, including the ability to ensure the confidentiality, integrity, availability and continued resilience of the processing systems and services.



Legal and Communication Department

A.N.S.P.D.C.P.