ANSPDCP (Romania) - 12.01.2023

From GDPRhub
Revision as of 11:08, 17 January 2023 by Fz
ANSPDCP - Press Communication 12/01/2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR; Article 32(2) GDPR; Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 12.01.2023
Fine: 9,828 RON
Parties: Bristol Logistics SA
National Case Number/Name: Press Communication 12/01/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: n/a

The Romanian DPA imposed a fine equivalent to €2000 on a logistics company for failing to implement adequate security measures, as required by Article 32 GDPR, to safeguard its employees' personal data against a data breach caused by the theft of a bookshelf.

English Summary

Facts

On an unspecified date, a controller, a logistics firm, notified the Romanian DPA of two data security breaches pursuant to Article 33 GDPR. The notification resulted in an investigation by the DPA, which found that the security breaches were caused by the theft of a bookshelf containing the files of 12 employees, which led to unauthorized third parties accessing personal data. The breach occurred on 3 June 2021 and included data concerning contact information, academic and professional training, employment details, information on tax deductions and dependents, and employees' health status. The investigation was concluded in December 2022.

Holding

The DPA held that the controller, in violation of Articles 32(1)(b) and 32(2) GDPR, did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, in particular the risk of accidental or unlawful destruction, loss, modification, unauthorized disclosure of, or unauthorized access to personal data.

Pursuant to its statutory powers under Article 58(2) GDPR, the DPA ordered the controller to implement corrective measures: to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the work procedures related to the protection of personal data, and to carry out training for all individuals authorized to process personal data on the risks and consequences that the disclosure of personal data implies.

The DPA fined the controller 9,828.00 lei (€2000) for its violation.

Comment

Unfortunately, the Romanian DPA publishes only abridged press releases and not its full decisions.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

12.01.2023

Penalty for GDPR violation



The National Supervisory Authority completed an investigation at BRISTOL LOGISTICS SA in December 2022 and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (2) from Regulation (EU) no. 2016/679.

As such, the operator BRISTOL LOGISTICS SA was fined 9,828.00 lei (equivalent to 2000 EURO) for contravention.

The investigation was started as a result of the transmission by the operator of two data security breach notifications, based on the provisions of art. 33 of Regulation (EU) 2016/679.

During the investigation, it was found that the security breach incident consisted in the theft of a biblioraft containing the personnel files of 12 employees, which led to the access of personal data by unauthorized persons.

As such, it was held that the operator Bristol Logistics SA did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the risk of processing generated in particular, accidentally or illegally, by destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data, on 03.06.2021, personal data being accessed without authorization (contact/identification data, academic and professional training, employment details, information on tax deductions and dependents, qualification labor medicine).

At the same time, under the provisions of art. 58 para. (2) of Regulation (EU) 2016/679, the operator was also ordered, as a corrective measure, to review and update the technical and organizational measures implemented as a result of the risk assessment for the rights and freedoms of individuals, including the work procedures related to the protection of personal data, as well as to carry out training for the persons authorized to process data on the risks and consequences that the disclosure of personal data implies.



Legal and Communication Department

A.N.S.P.D.C.P