ANSPDCP (Romania) - V&M Contab&Management SRL

From GDPRhub
ANSPDCP - V&M Contab&Management SRL
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 32(4) GDPR
Article 58(1)(a) GDPR
Article 58(1)(e) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 9.954 RON
Parties: V&M Contab&Management SRL
National Case Number/Name: V&M Contab&Management SRL
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (in RO)
Initial Contributor: elu

The DPA fined a controller RON 9,954 (€10,000) after it failed to provide the DPA with the information needed to conduct the investigation and for improperly sharing sensitive personal data via WhatsApp, which resulted in unauthorised access to employees' data.

English Summary

Facts

A complaint was advanced by a data subject alleging possible GDPR violations from V&M Contab&Management SRL, the controller.

The DPA opened an investigation and found that the controller ignored the DPA's requests for information, even though it was obliged to give the DPA access to the requested data and to all information necessary for the DPA to perform its legal duties under Article 58(1)(a) and (e) GDPR.

The investigation also showed that the controller had sent, via WhatsApp, a table of access passwords to the employee platforms of several legal entities to a third party. This allowed indiscriminate access to the personal data processed by the controller, namely the name, surname, nationality, personal identification number and domicile of employees or former employees.

Holding

The DPA found that a violation of Article 58(1)(a) and (e) GDPR occurred due to the failure of the controller to reply to the order to provide access to the data to the DPA.

In relation to the exchange of the table with access credentials, the DPA found that the controller had failed to take measures to ensure that any natural person acting under its authority with access to personal data processes them only at the request of the controller.

Moreover, this processing of personal data via WhatsApp could have been prevented had the controller implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality and integrity of processing systems and services, as required by Article 32(1)(b), (2) and (4) GDPR.

The DPA deemed it appropriate to impose a two-fold fine:

- A fine of RON 9,954 (€2,000) for the violation of Article 58(1)(a) and (e) GDPR;

- A fine of RON 39,816 (€8,000) for the violation of Article 32(4) and 32(1)(b) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

04.02.2025

Sanction for violation of the GDPR

The National Supervisory Authority for Personal Data Processing completed an investigation at V&M Contab&Management SRL in December 2024 and found a violation of the provisions of art. 58 para. (1) let. a) and e) and art. 32 para. (4) in conjunction with art. 32 para. (1) let. b) and para. (2) of Regulation (EU) 2016/679.

As such, the operator was sanctioned for a contravention:

1. with a fine in the amount of 9,954.00 lei (equivalent to the amount of 2,000 EURO), for violating the provisions of art. 58 para. (1) let. a) and e) of Regulation (EU) 2016/679 in conjunction with art. 83 paragraph (5) letter e) of Regulation (EU) 2016/679;

2. with a fine of 39,816.00 lei (equivalent to 8,000 EURO), for violating the provisions of art. 32 paragraph (4) in conjunction with art. 32 paragraph (1) letter b) and paragraph (2) of Regulation (EU) 2016/679.

The investigation was initiated following a complaint alleging a possible violation of the provisions of Regulation (EU) 2016/679.

During the investigation, it was found that the operator did not respond to the National Supervisory Authority's requests for information, although it was obliged to allow our institution access to personal data and all information necessary to fulfill its legal duties, thus violating the provisions of art. 58 paragraph (1) letters a) and e) of Regulation (EU) 2016/679.

Also, during the investigation, it was found that the operator had sent via WhatsApp to a third party a table with access passwords to the Revisal platform for several legal entities, through which the personal data of the employees or former employees of these companies could be accessed. This incident led to the unauthorized access and unauthorized disclosure of the personal data (such as name, surname, citizenship, personal identification number, domicile) processed. Therefore, the operator did not take measures to ensure that any natural person acting under its authority and having access to personal data only processes them at the request of the operator. At the same time, the operator did not implement appropriate technical and organizational measures in order to ensure a level of security appropriate to the risk of the processing, including the ability to ensure the confidentiality and integrity of the processing systems and services. Thus, the provisions of art. 32 para. (1) letter b) and para. (2) and para. (4) of Regulation (EU) 2016/679 were violated.

At the same time, the operator was ordered to take the corrective measure of changing all access credentials in the Revisal platform available on the website https://reges.inspectiamuncii.ro/ for all legal entities affected by the incident.

Legal and Communication Department

A.N.S.P.D.C.P.