ANSPDCP (Romania) - Medstar SRL

From GDPRhub
Revision as of 12:22, 21 February 2025

ANSPDCP - Medstar SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32 GDPR
Article 33 GDPR
Article 34 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 20.02.2025
Fine: 9,946.2 RON
Parties: Medstar SRL
National Case Number/Name: Medstar SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: elu

The DPA fined a medical clinic RON 9,946 (€2,000) due to the mistaken disclosure of sensitive patient data to a third party via unsecured email. The DPA found a violation of Article 32, 33 and 34 GDPR.

English Summary

Facts

The data subject lodged a complaint with the DPA against a medical clinic, the controller. The complaint alleged that the controller had disclosed the data subject’s data to a third party.

The data disclosed comprised: name, surname, personal numerical code, age, gender, locality, mobile phone number, e-mail addresses, medical data from the patient’s history, the type of analyses performed, the name and specialty of the doctor who made the recommendation, the name and specialty of the doctor who performed the tests, the results of the analyses, the medical recommendation, the name of the payer, and the prescribed treatment.

Holding

The DPA confirmed that the controller had disclosed the data subject’s health data to another patient, a third party. The disclosure was accidental and was made via unsecured e-mail.

The DPA held that the controller did not implement sufficient technical and organisational security measures. Thus, the DPA found a violation of Article 32 GDPR.

The DPA also considered that the controller did not notify the data breach and thus issued two warnings to the controller about the violations of Article 33 GDPR and Article 34 GDPR.

Due to the breaches of Article 32, Article 33 and Article 34 GDPR, the DPA deemed it appropriate to fine the controller RON 9,946.2 (€2,000).

Additionally, the DPA recommended that the controller take the following actions:

  • Ensure GDPR compliance in relation to the collection and processing of personal data throughout the data processing cycle, in particular by verifying the accuracy of the personal data processed, establishing appropriate rules for electronic (remote) communication, and training the persons who process data under the authority of the controller;
  • Ensure GDPR compliance by adopting internal measures necessary for the rapid detection, management and reporting of personal data breaches;
  • Inform the persons to whom the personal data have been disclosed about the data breach, as per Article 34 GDPR;
  • Ensure that the third parties to which the data has been sent delete the data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

20.02.2025

Sanction for violation of the GDPR

 

The National Supervisory Authority for Personal Data Processing completed, in January 2025, an investigation at the operator Medstar S.R.L. and found a violation of the provisions of art. 32, 33 and 34 of Regulation (EU) 2016/679 (GDPR).

As such, the operator was sanctioned with:

  • a fine of 9,946.2 Lei (equivalent to 2,000 Euros) for violating the provisions of art. 32 of Regulation (EU) 2016/679;
  • a warning for violating the provisions of art. 33 and art. 34 of Regulation (EU) 2016/679.

The investigation was initiated following a complaint from a data subject, who claimed that the operator at which he had his medical tests done, the Medstar clinic, had disclosed his personal data and that of another data subject.

During the investigation, it was found that the operator had disclosed the data regarding the health status of the complainant to another person (patient), and that the data regarding the health status of another patient had been transmitted to the complainant, erroneously and insecurely, by e-mail.

Thus, this situation led to the unauthorized disclosure of personal and special data belonging to several data subjects, such as: name, surname, personal identification number, age, gender, location, mobile phone number, e-mail addresses, medical data from the patient's history, type of tests performed, name of the doctor who made the recommendation and his specialty, name of the doctor who performed the tests and his specialty, test results, medical recommendation, name of the payer, prescribed treatment. 

It was also found that the operator did not adopt sufficient technical and organizational security measures in accordance with art. 32 of the GDPR, adapted to the nature of the personal data that were processed, which led to the unauthorized disclosure of the personal data of some data subjects.

As such, the operator Medstar S.R.L. was fined for violating the provisions of art. 32 of Regulation (EU) 2016/679.

At the same time, since the operator neither notified the data security breach to the National Supervisory Authority for the Processing of Personal Data nor informed the data subjects about the unauthorized disclosure of their personal data, two warnings were issued to it, for violating the provisions of art. 33 and art. 34 of Regulation (EU) 2016/679.

At the same time, the operator was also ordered to take the following corrective measures:

  • to ensure compliance with the GDPR of personal data processing operations, by implementing technical and organizational security measures appropriate to the specifics of the processing and the risks identified, throughout the data processing cycle, in particular in terms of verifying the accuracy of the personal data processed, establishing appropriate rules related to the management of files that can be transmitted using electronic means of communication (remotely), training persons who process data under the authority of the operator, regularly verifying compliance with the instructions sent to them, and automating certain processes to reduce the risks of illegal or unauthorized processing of personal data;
  • to ensure compliance with the GDPR of personal data processing operations, by adopting internal measures necessary for the rapid detection, management and reporting of personal data breaches, whether or not they require notification to the supervisory authority and/or data subjects, as well as the appropriate and regular training of persons who process data under the authority of the controller, in this context;
  • to inform the persons to whom the personal data have been disclosed of the data breach, by bringing to their attention the information provided for in art. 34 of the GDPR;
  • to ensure compliance with the GDPR of personal data processing operations, by requesting the persons to whom the data have been disclosed (data subjects) not to use, and to delete, the personal data of third parties that have been disclosed to them in an unauthorized manner.

 

Legal and Communication Department

A.N.S.P.D.C.P