ANSPDCP (Romania) - Fine against Condor SA
ANSPDCP (Romania) - Fine against Condor SA | |
---|---|
Authority: | ANSPDCP (Romania) |
Jurisdiction: | Romania |
Relevant Law: | Article 32(1) GDPR, Article 32(2) GDPR, Article 32(4) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 28.03.2022 |
Fine: | 2000 EUR |
Parties: | Condor SA |
National Case Number/Name: | Fine against Condor SA |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Romanian |
Original Source: | ANSPDCP (in RO) |
Initial Contributor: | Diana Rosu |
The Romanian DPA fined a controller approx € 2000 for not implementing the necessary security measures, which resulted in unauthorized access to the personal data of its current and former employees.
English Summary
Facts
During an investigation, the Romanian DPA found that a controller, a parachute and military flight equipment manufacturer, did not implement the necessary security measures, which led to unauthorized access to personal data. As a result, personal data of current and former employees of the controller, such as name, role, salary, bank account, personal number, etc., were accessed by an unauthorized person.
Holding
The DPA decided that the controller:
- did not prove to have implemented the necessary technical and organisational measures to ensure the confidentiality of its employees' personal data;
- did not prove to have trained its personnel with regard to the protection of personal data.
As such, the controller was found in breach of GDPR Article 32(1), (2) and (4) and was fined approx € 2000 (RON 9.897,4).
Additionally, the following corrective measures were imposed on the controller:
- it was required to improve its current technical and organisational measures, including training its personnel;
- it was required to contact the person who was granted unauthorized access to the personal data to make sure they will delete or destroy the personal data.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
28.03.2022

Sanction for violating the RGPD

The National Supervisory Authority completed in March 2022 an investigation at the operator Condor SA and found the violation of the provisions of art. 32 para. (1), (2) and (4) of the General Data Protection Regulation.

As such, the operator was sanctioned with a fine of 9,897.4 lei (equivalent to 2,000 EURO).

The investigation was initiated as a result of a complaint alleging that the operator Condor SA disclosed personal data of a salary nature of the employees or former employees of this operator to unauthorized persons.

In the investigation, it was found that there was unauthorized access to some unspoken documents containing a number of personal data of employees or former employees, such as: place of work, name, surname, position, salary, amount for advance, bank account, personal numeric codes.

Consequently, the National Supervisory Authority found that the operator Condor SA did not present evidence showing that it had adopted sufficient appropriate technical and organizational measures to ensure the confidentiality of the processed personal data of employees or its former employees.

At the same time, it was noted that the operator did not present any evidence showing the training of data controllers under his authority, which led to unauthorized access to documents.

Thus, the provisions of art. 32 para. (1), (2), (4) of the General Data Protection Regulation.

At the same time, during the investigation, two corrective measures were applied to the operator, as follows:
- the corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations, by implementing appropriate technical and organizational measures, including the training of data controllers under its authority;
- corrective action to ensure compliance with the General Data Protection Regulation of personal data processing operations by contacting the person who had unauthorized access to that personal data, with a view to deleting or destroying it, as appropriate.

Legal and Communication Department
A.N.S.P.D.C.P.