ANSPDCP (Romania) - 24.10.2023

From GDPRhub
Revision as of 18:50, 30 October 2023 by Maxinescu (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=24.10.2023 |ECLI= |Original_Source_Name_1=Romanian DPA |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_24_10_2023&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP - 24.10.2023
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: 24.10.2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: maxinescu

An online trading platform specialized on sale of IT products was sanctioned in relation to a data breach which led to unauthorized disclosure of personal data pertaining to its clients.

English Summary

Facts

The Romanian DPA initiated an investigation following the receiving of a complaint with respect to a data breach occurred on the platform of the controller.

During the investigation, the DPA found that the breach occurred consisted through accessing of a a link which led to public disclosure of a list of various downloadable files which includes invoices and certificates for the products purchased by the clients on the controller’s platform.

Access to such link led to unauthorized disclosure of personal data of the controllers’ clients, both consumers and business entities and included the following data: name, surname, address, e-mail address, invoice number and date, products purchased and their value.

Holding

The Romanian DPA assessed a violation of art 32 (1) (b) and (d) and 32 (2) GDPR, as the controller failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk taken, and imposed a fine of 3000 EUR.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

24.10.2023

A new penalty for breaching GDPR



In October of the current year, the National Supervisory Authority completed an investigation at the operator Mensajero SRL in which it found a violation of the provisions of art. 32 para. (1) lit. b) and d) in conjunction with art. 32 para. (2) of the General Data Protection Regulation.

As such, the operator was fined 14,925.6 lei, the equivalent of 3,000 EURO.

The sanction was applied as a result of a notification claiming a possible violation of the security of personal data on the website of the operator Mensajero SRL.

During the investigation, it was found that the breach of data processing security occurred by accessing a link that displayed a list of numerous downloadable files that mostly contained invoices and warranty certificates for the products purchased by the operator's customers.

This situation led to the unauthorized disclosure of personal data of the operator's customers (natural and legal persons), such as: name, surname, address, e-mail address, no. and invoice date, purchased products and their value.

Thus, the operator Mensajero SRL was fined for violating the provisions of art. 32 para. (1) lit. b) and d) in conjunction with art. 32 para. (2) of the General Data Protection Regulation, as it did not implement adequate technical and organizational measures to ensure a level of security corresponding to the processing risk.

Legal and Communication Department

A.N.S.P.D.C.P.