ANSPDCP (Romania) - Fine against Automobile Bavaria SRL

From GDPRhub
Revision as of 13:48, 30 May 2023 by Ls (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=Fine against Automobile Bavaria SRL |ECLI= |Original_Source_Name_1=ANSPDCP |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_18_05_2023&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2=...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - Fine against Automobile Bavaria SRL
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 25 GDPR
Article 32 GDPR
Article 58 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: n/a
Parties: Automobile Bavaria SRL
National Case Number/Name: Fine against Automobile Bavaria SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: n/a

Following a data breach which resulted in the unauthorized disclosure of data held by Automobile Bavaria, the Romanian DPA fined the controller €18,000 for lack of security and warned it for a violation of data protection by design and by default.

English Summary

Facts

Automobile Bavaria, a car seller (controller) suffered a data breach which resulted in the unauthorized disclosure of data of 290 data subjects. These data included names, surnames, email addresses, phone numbers, data related to their car, car purchase method and marketing options (telephone, email, newsletter registration…). Between July 2022 and 4 August 2022, due to the data breach, these data were publicly available on the controller’s website.

The controller notified the Romanian DPA of the data breach, which led the DPA to start an investigation. This investigation showed that the controller did not implement nor tested adequate security measures regarding the risk implied by the processing. It also showed that the controller did not implement adequate security measures at the time of establishing the means of the processing (privacy by design) and at the time of the processing itself (privacy by default).

Holding

The Romanian DPA found that the controller did not ensure the security of the data, in violation of Article 32(1) and (2) GDPR and warned the controller for a violation of Article 25(1) GDPR.

The DPA fined the controller LEI88,563.60 (around €18,000) and ordered corrective measures under Article 58 GDPR, including the implementation of a periodic testing, evaluation and assessment of all systems dealing with personal data and subsequent changes to these systems.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

18.05.2023

A new penalty for non-compliance with the GDPR



The National Supervisory Authority completed, in May of this year, an investigation at the operator AUTOMOBILE BAVARIA SRL and found a violation of the provisions of art. 32 para. (1) lit. b) and d), in conjunction with art. 32 para. (2) and of art. 25 para. (1) of the General Data Protection Regulation (RGPD).

As such, the operator was penalized:

with a fine in the amount of 88,563.60 lei, the equivalent of 18,000 EURO, for the violation of art. 32 para. (1) lit. b) and d), in conjunction with art. 32 para. (2) from GDPR; with a warning for violating art. 25 para. (1) of the GDPR.

The investigation was started as a result of the transmission by the operator of a notification of a breach of the security of personal data under the General Data Protection Regulation.

The breach of data security occurred as a result of the unauthorized disclosure of personal data (name, surname, city, email address, phone number, current car model, year of manufacture of the current car, buy-back option, purchase term, purchase method (cash, credit, leasing), approximate available budget, marketing consent options (telephone contact, email contact, SMS contact, newsletter registration)) for a number of 290 customers/potential customers of the operator, in the period July 2022 – 04.08.2022, these data being publicly accessible on the operator's web page.

The investigation found that the operator did not implement adequate technical and organizational measures to ensure a level of security appropriate to the processing risk, including the ability to ensure the confidentiality of processing systems and services and a process for periodic testing, evaluation and assessment of the effectiveness of the measures technical and organizational to guarantee processing security.

It was also found that AUTOMOBILE BAVARIA SRL did not ensure the protection of personal data, starting from the moment of conception (privacy by design) and implicitly (privacy by default), by not complying with the provisions provided for in art. 25 para. (1) of the GDPR, in the sense that it did not implement, both at the time of establishing the means of processing and at the time of the processing itself, adequate technical and organizational measures, intended to effectively implement the principles of data protection and to integrate the necessary guarantees in the processing, to meet the requirements of the GDPR and protect the rights of the data subjects.

At the same time, pursuant to art. 58 para. (2) lit. d) from the RGPD, the corrective measure was ordered to implement a plan that includes a process of periodic testing, evaluation and assessment of all systems and their subsequent modifications carried out by the operator or service providers (authorized persons), through which processing personal data, in order to guarantee the security of the processing, starting from the moment of conception and by default (privacy by design and privacy by default).



Legal and Communication Department

A.N.S.P.D.C.P.