ANSPDCP (Romania) - 04.01.2023

From GDPRhub
ANSPDCP - Press Release 04/01/2023
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 04.01.2023
Fine: 14,757.60 RON
Parties: n/a
National Case Number/Name: Press Release 04/01/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: n/a

The Romanian DPA fined a controller €3000 for disclosing the email addresses of a significant number of data subjects by putting the addresses in the "To" section instead of the "BCC" section while sending an email.

English Summary

Facts

At an unspecified time, the controller, a Romanian water supplier, incurred a data security breach by erroneously putting data subjects' email addresses in the "To" section instead of the "BCC" section of its email client before sending off an email. The controller subsequently notified the breach to the Romanian DPA, prompting it to launch an investigation. The investigation concluded in December 2022.

Holding

The DPA's investigation found that the breach led to the unauthorized disclosure of the email addresses of a significant number of data subjects. In its assessment, the DPA argued that the controller did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to its processing risk.

Consequently, the DPA held that the controller's conduct constituted a violation of Article 32 GDPR, "Security of processing". More specifically, the controller violated Article 32(1)(b), 32(2), and 32(4) GDPR.

For its breaches of the GDPR, the controller was fined 14,757.60 RON (the equivalent of €3000) by the DPA.

Comment

Unfortunately, at the time of writing, the Romanian DPA had not published its full decision. The above summary is based on a press release.


English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

04.01.2023

Penalty for GDPR violation



In December 2022, the National Supervisory Authority completed an investigation at the operator Apă Canal Ilfov SA and found a violation of the provisions of art. 32 para. (1) lit. b), art. 32 para. (2) and art. 32 para. (4) of Regulation (EU) 2016/679.

As such, the operator was fined 14,757.60 RON (equivalent to 3000 EURO).

The investigation was started as a result of a data security breach notification that was sent by the operator Apă Canal Ilfov SA.

During the investigation, it was found that the breach of data processing security occurred because, in order to send an electronic message to the users registered on the company's online portal, the operator erroneously entered the e-mail addresses in the "To" section instead of "BCC".

As a result, it turned out that this breach led to the unauthorized disclosure or unauthorized access to personal data (e-mail address), so that a significant number of individuals were affected.

It was found that the operator Apă Canal Ilfov SA did not implement adequate technical and organizational measures in order to ensure a level of security corresponding to the processing risk.



Legal and Communication Department

A.N.S.P.D.C.P