ANSPDCP (Romania) - Vodafone România SA
Revision as of 11:16, 21 September 2022
ANSPDCP - Vodafone România SA | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 29 GDPR Article 32(1)(b) GDPR Article 32(2) GDPR Article 32(4) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 19.09.2022 |
Fine: | 2,000 EUR |
Parties: | Vodafone România SA |
National Case Number/Name: | Vodafone România SA |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Daniela Duta |
A Romanian telecommunications operator suffered data breaches because its security procedure for verifying caller identification was lacking. Moreover, its general confidentiality and security safeguards for processing personal data were inadequate. Consequently, the Romanian DPA fined it €2,000 for violating Article 29 GDPR and Article 32 GDPR.
English Summary
Facts
The company Vodafone Romania SA, the data controller, notified the Romanian DPA of two personal data breaches.
In its subsequent investigation, the DPA found that the data controller failed to comply with the applicable procedure to ensure that its processors adequately verify the identification of callers. Third parties were able to fraudulently purchase new phones on behalf of some of the data controller's customers and acquired access to their personal data, such as: name, surname, address, personal identification number, contact phone number, PUK code, contact number of the account holder, the SIM series of the original card, the amount of the last unpaid bill, and the data traffic.
Moreover, the DPA also found that the data controller did not adopt sufficient measures to ensure that any natural persons acting under its authority who have access to the personal data of its customers only process the personal data at its request. The data controller lacked appropriate technical and organizational measures to ensure that its personal data processing had an appropriate level of confidentiality and security.
Holding
As a result of its investigation, the Romanian DPA found that the company Vodafone Romania SA, the data controller, violated Article 29 GDPR, Article 32(1)(b) GDPR, Article 32(2) GDPR and Article 32(4) GDPR. The DPA fined the data controller €2,000.
The telecom operator failed to adopt sufficient guarantees to ensure that any individual acting on behalf of the controller having access to personal data only processes them upon the instructions of the controller and failed to implement adequate technical and organizational measures to ensure an adequate level of protection.
Comment
This summary is based on a press release of the Romanian DPA.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
19.09.2022
A new penalty for breaching GDPR
The National Supervisory Authority completed an investigation at the Vodafone Romania SA operator and found a violation of the provisions of art. 29 and art. 32 para. (1) lit. b), paragraph (2) and para. (4) of the General Data Protection Regulation.
The Vodafone Romania SA operator was fined 9,890.8 lei (the equivalent of 2000 EURO).
The investigation was started as a result of the transmission by the operator of two notifications of a breach of the security of personal data under the General Data Protection Regulation.
During the investigation, it was found that the operator Vodafone Romania SA did not check compliance with the caller identification procedure by its representatives, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator's customers.
Also, this situation allowed third parties to access data from contracts concluded by customers with the operator and data from My Vodafone personal accounts, such as: name, first name, address, personal code, contact phone number, PUK code, the contact number of the account holder, the SIM series of the original card, the amount of the last unpaid bill and the data traffic.
At the same time, the National Supervisory Authority found that Vodafone Romania SA did not adopt sufficient measures to ensure that any natural person who acts under the authority of the operator and who has access to personal data only processes them at the request of the operator and did not implement appropriate technical and organizational measures to ensure a level of confidentiality and security corresponding to the risk of processing.
As such, the operator Vodafone Romania SA was fined for violating the provisions of art. 29 and art. 32 para. (1) lit. b) and para. (2) of the General Data Protection Regulation.
Legal and Communication Department
A.N.S.P.D.C.P.