ANSPDCP (Romania) - 13.11.2023

From GDPRhub
Revision as of 16:09, 21 November 2023

ANSPDCP - 13.11.2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 110,000 EUR (546,073 RON)
Parties: https://www.rompetrol.com/
National Case Number/Name: 13.11.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

Rompetrol Downstream SRL, a downstream gas operator, was fined €110,000 (546,073 RON) for a data breach in which customer personal data was accessed internally in an unauthorised manner and then used to fraudulently obtain loans in the customers' names.

English Summary

Facts

Between 20 July 2021 and 3 February 2022, Rompetrol Downstream SRL (the controller) notified the Romanian DPA of several personal data breaches, in accordance with Article 33 GDPR. Following these notifications, the DPA opened an investigation against the controller.

During the investigation, the DPA found that customer data held in the company's own software had been repeatedly accessed from inside the organisation and used in an unauthorised manner. The personal data of some customers was unlawfully disclosed in order to obtain loans from non-banking financial companies in the data subjects' names.

More specifically, the data unlawfully accessed and disclosed for these illicit purposes included customers' identity card data (name, surname, identity card series and number, personal numerical code, address, place of birth, photo) and salary certificate data (employee's name and surname, date, signature, income earned, length of service).

Holding

The DPA held that the controller was in breach of Articles 32(1)(b), 32(2) and 32(4) GDPR.

Firstly, the DPA held that the controller had breached Article 32(1)(b) GDPR (the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services) and Article 32(4) GDPR, which requires the controller to ensure that any natural person acting under its authority who has access to personal data does not process them except on its instructions. The DPA found a violation of these provisions because the controller had not taken sufficient measures to ensure that individuals acting under its authority processed personal data only on its instructions.

Secondly, the DPA found a breach of Article 32(2) GDPR. The controller had not appropriately assessed the risks of the processing and had not implemented technical and organisational measures adequate to ensure a level of security appropriate to that risk, which resulted in customers' personal data being unlawfully disclosed and used to fraudulently obtain loans in the data subjects' names.

As a result of these violations, the DPA imposed a fine of €110,000 (546,073 RON) on the controller.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions, so only the press release is available. The case is nonetheless significant because of the potentially criminal conduct the DPA uncovered in connection with the unauthorised internal access to and misuse of customer information, and it highlights the need for companies to enforce stringent internal access controls, so that employees with access to customer records can process them only on the controller's instructions and such access is monitored.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

13.11.2023

Fine for violation of art. 32 of the GDPR
The National Supervisory Authority completed, in October 2023, an investigation at the operator Rompetrol Downstream SRL and found a violation of the provisions of art. 32 para. (4) in conjunction with art. 32 para. (1) lit. b) and art. 32 para. (2) of Regulation (EU) 2016/679.

As such, the operator was penalized with a fine of 546,073.00 lei (the equivalent of 110,000 EURO).

The investigation was started as a result of the transmission by the operator of several notifications of violations of the security of personal data, between 20.07.2021 and 3.02.2022, according to art. 33 of Regulation (EU) 2016/679.

As part of the investigation, it emerged that the data of some customers held in the computer program owned by the company had been accessed from inside the organisation and used in an unauthorised manner, repeatedly, and that the personal data of some customers had been illegally disclosed for the purpose of obtaining loans from non-banking financial companies in their names.

Through the incident, the personal data of some data subjects were disclosed without authorisation, namely data from the identity card (such as: name, first name, identity card series and number, personal numerical code, address, place of birth, photo) and data from the salary certificate (such as: the employee's name and surname, date, signature, income earned, length of service).

The National Supervisory Authority found that Rompetrol Downstream SRL had not taken measures to ensure that any natural person acting under the operator's authority who has access to personal data does not process them except on the operator's instructions, nor had it implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing.
Legal and Communication Department

A.N.S.P.D.C.P